[wp-trac] [WordPress Trac] #26273: If possible, change file permissions on deactivated plugins so they're not web-accessible.

WordPress Trac noreply at wordpress.org
Mon Dec 2 15:56:56 UTC 2013


#26273: If possible, change file permissions on deactivated plugins so they're not
web-accessible.
----------------------------+----------------------
 Reporter:  kirrus          |       Owner:
     Type:  enhancement     |      Status:  closed
 Priority:  normal          |   Milestone:
Component:  Administration  |     Version:
 Severity:  minor           |  Resolution:  wontfix
 Keywords:                  |
----------------------------+----------------------

Comment (by kirrus):

 As a shared webhost's techy, I would far far prefer to have the odd
 customer contact me because they couldn't reactivate their plugins on
 their own, than have the situation we found this morning where around 3
 separate customers contacted me because their sites were hacked, with what
 seems to have been a remote sql injection attack through outdated core
 code. Not totally applicable for this ticket, but reducing remote attack
 surface area available is always beneficial.

 I can pretty much guarantee that for those 3, there will be at least 5
 customers who haven't noticed their site is compromised yet, and we'll
 pick it up when our scans start detecting malware in their homedirs, or
 unusual quantities of email outbound from their sites.

 Would it be possible to modify the .htaccess rules dropped by the
 permalinks system to deny access to the plugins folder? Also, can you
 confirm that no plugin file should be accessible remotely? If so, we'll
 look at changing the settings on our servers to globally enforce that.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/26273#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
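The comment above asks whether the plugins folder can be denied to web clients at the .htaccess level. As an added illustration (not part of the ticket, and not a rule WordPress core ships), the fragment below is one host-side way to approach the narrower version of that idea: refuse direct requests to PHP files under `wp-content/plugins/` while still serving the CSS, JavaScript and image assets that many plugins load from that directory. It assumes Apache 2.4 with `mod_authz_core` and an `AllowOverride` setting that permits `FilesMatch` in per-directory files; the file path is the conventional one, not something the thread specifies.

```apache
# Added hardening example, not from the ticket.
# Location (assumed): wp-content/plugins/.htaccess
#
# Deny direct web requests to any PHP file below wp-content/plugins.
# WordPress itself still loads plugin PHP through the normal include path
# (wp-settings.php -> plugin bootstrap files), which this rule does not affect;
# only HTTP requests that name a .php file in this tree are refused.
# Static assets (.css, .js, images, fonts) in the same tree remain reachable.
<FilesMatch "\.php$">
    # Apache 2.4 syntax. On Apache 2.2 the equivalent would be:
    #   Order deny,allow
    #   Deny from all
    Require all denied
</FilesMatch>
```

Caveat a practitioner should weigh before enforcing this globally: plugins that expect browsers to call one of their own PHP files directly (rather than routing through `admin-ajax.php` or the REST API) will stop working, so a rule like this is something to test against the sites on a given server rather than assume safe everywhere; the question of whether any plugin file legitimately needs to be reachable over HTTP is left open in the thread.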