[wp-trac] [WordPress Trac] #11306: Option to disable theme/plugin editor
WordPress Trac
wp-trac at lists.automattic.com
Tue Feb 9 03:42:58 UTC 2010
#11306: Option to disable theme/plugin editor
-----------------------------+----------------------------------------------
Reporter: kchrist | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: 3.0
Component: General | Version: 2.9
Severity: normal | Keywords: has-patch
-----------------------------+----------------------------------------------
Comment(by kchrist):
Replying to [comment:25 dd32]:
> That being said, is there a reason why the file editors should be
> disabled for super admins?
Yes, for the same reason that someone would want it disabled on a single-user site:
> Allowing editing of executable code via a web interface is a potential
> security risk.
With code editing enabled, an attacker who compromises a super admin
password will be able to execute arbitrary code on the server, just as
they could by compromising the admin account on a regular, single-site WP
install.
The idea of this isn't to revoke permissions from certain users, as
defined in WP; it's to close a potential attack vector. The option I'm
requesting should override any WP capabilities by flat-out saying ''no''
file editing is enabled, full stop.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11306#comment:29>
WordPress Trac <http://core.trac.wordpress.org/>
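One way to get the "no file editing, full stop" behaviour the comment asks for, written here as an added illustration rather than code from the ticket or from WordPress core: a must-use plugin that hooks the `map_meta_cap` filter and maps the editor capabilities to `do_not_allow`, which no role (super admins included) ever holds. The plugin file name and the `$file_edit_caps` list are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Disable theme/plugin editors (example mu-plugin)
 *
 * Place in wp-content/mu-plugins/ so it loads on every request and cannot
 * be deactivated from the admin UI. Example code, not part of the ticket.
 */

add_filter( 'map_meta_cap', function ( array $caps, string $cap ) {
    // Capabilities that gate wp-admin/theme-editor.php, plugin-editor.php and
    // the generic file-editing check. List chosen for this example.
    $file_edit_caps = array( 'edit_files', 'edit_plugins', 'edit_themes' );

    if ( in_array( $cap, $file_edit_caps, true ) ) {
        // 'do_not_allow' is a pseudo-capability no user can be granted, and
        // WP_User::has_cap() honours it even for multisite super admins, so
        // current_user_can( 'edit_themes' ) is false for everyone.
        return array( 'do_not_allow' );
    }

    return $caps;
}, 10, 2 );
```

Checking `current_user_can( 'edit_plugins' )` while logged in as a super admin should now return false, and the Editor submenus disappear, which closes the code-execution path described in the comment even if that account's password is compromised.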