[wp-trac] Re: [WordPress Trac] #1038: Limit access to php files

WordPress Trac wp-trac at lists.automattic.com
Sun Apr 16 14:07:09 GMT 2006

#1038: Limit access to php files
       Id:  1038      |      Status:  assigned                
Component:  Security  |    Modified:  Sun Apr 16 14:07:09 2006
 Severity:  trivial   |   Milestone:  2.1                     
 Priority:  lowest    |     Version:  2.0.2                   
    Owner:  matt      |    Reporter:  anonymousbugger         
Comment (by szepter):

 ''On many hosts, the include files could then be easily moved outside of
 webspace altogether, along with the database passwords from wp-config.''

 Most hosting providers don't allow accessing files or writing to files
 outside of the docroot, which is the "webspace" in most cases.

 Altogether, I would say this nice security advice to WP users would make
 things more complicated ("You should place files there or there and modify
 the paths there and there ... otherwise things can go wrong ..." and so on
 ...). Well, this advice is really nice, but not for users who are new to

 If Apache stops parsing PHP files under some improbable circumstance,
 these files wouldn't be executed, the code is served raw, nothing can
 happen, except that you can read the source code, but that's something you
 can do much more easily by downloading the latest WP version from the website.

 I think it's no use overloading code for providing a non-trivial
 protection system that only works under Apache or under specific

Ticket URL: <http://trac.wordpress.org/ticket/1038>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
