[wp-trac] [WordPress Trac] #26273: If possible, change file permissions on deactivated plugins so they're not web-accessible.
WordPress Trac
noreply at wordpress.org
Mon Dec 2 15:56:56 UTC 2013
#26273: If possible, change file permissions on deactivated plugins so they're not web-accessible.
----------------------------+----------------------
Reporter: kirrus | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Administration | Version:
Severity: minor | Resolution: wontfix
Keywords: |
----------------------------+----------------------
Comment (by kirrus):
As a shared webhost's techy, I would far far prefer to have the odd
customer contact me because they couldn't reactivate their plugins on
their own, than have the situation we found this morning where around 3
separate customers contacted me because their sites were hacked, with what
seems to have been a remote sql injection attack through outdated core
code. Not totally applicable for this ticket, but reducing remote attack
surface area available is always beneficial.
I can pretty much guarantee that for those 3, there will be at least 5
customers who haven't noticed their site is compromised yet, and we'll
pick it up when our scans start detecting malware in their homedirs, or
unusual quantities of email outbound from their sites.
Would it be possible to modify the .htaccess rules dropped by the
permalinks system to deny access to the plugins folder? Also, can you
confirm that no plugin file should be accessible remotely? If so, we'll
look at changing the settings on our servers to globally enforce that.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/26273#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
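As an added illustration of the kind of rule the comment above asks about (this is example configuration written for this page, not something shipped by WordPress or attached to the ticket), the following .htaccess fragment refuses direct web requests for PHP files under wp-content/plugins while still letting static assets (CSS, JavaScript, images) be served. It assumes Apache with .htaccess overrides enabled for the directory; the install path is a placeholder. Note that a static rule like this cannot distinguish active from deactivated plugins, so it applies to every plugin, and it does not interfere with WordPress itself including plugin files from PHP, because those includes are not HTTP requests.

```apache
# Added example (not from the ticket or WordPress core).
# Place as /path/to/wordpress/wp-content/plugins/.htaccess  (path is a placeholder)
# or inside a <Directory .../wp-content/plugins> block in the vhost config.
#
# Goal: block direct URL hits on plugin PHP files (a common way to reach
# code paths that were never meant to be entry points), while static
# assets that plugins ship are still served normally.

<FilesMatch "\.php$">
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# Some plugins legitimately expose a PHP file for direct requests (for
# example a bundled endpoint that bootstraps WordPress itself). Those break
# under the rule above and need an explicit, narrowly scoped exception.
# "some-plugin/endpoint.php" is a hypothetical placeholder name.
<Files "endpoint.php">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```

To check the effect after reloading Apache, request a plugin PHP file directly, for instance `curl -I https://example.test/wp-content/plugins/akismet/akismet.php` (hostname is a placeholder): the response should now be 403 Forbidden, while a CSS or JS file from the same plugin directory still returns 200. Because exceptions are per file name rather than per plugin directory, it is worth rolling this out on a staging copy first and adding exceptions only for files that a plugin documents as direct entry points.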