[wp-trac] [WordPress Trac] #26273: If possible, change file permissions on deactivated plugins so they're not web-accessible.

WordPress Trac noreply at wordpress.org
Mon Dec 2 17:34:38 UTC 2013


#26273: If possible, change file permissions on deactivated plugins so they're not
web-accessible.
----------------------------+----------------------
 Reporter:  kirrus          |       Owner:
     Type:  enhancement     |      Status:  closed
 Priority:  normal          |   Milestone:
Component:  Administration  |     Version:
 Severity:  minor           |  Resolution:  wontfix
 Keywords:                  |
----------------------------+----------------------

Comment (by SergeyBiryukov):

 Replying to [comment:6 kirrus]:
 > Would it be possible to modify the .htaccess rules dropped by the
 > permalinks system to deny access to the plugins folder? Also, can you
 > confirm that no plugin file should be accessible remotely?

 No. Plugins can post HTTP requests to their own files. Most of the time,
 they should have used [http://codex.wordpress.org/AJAX_in_Plugins
 wp_ajax_* actions] instead, however some might arguably have a valid
 reason for that.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/26273#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

