[wp-trac] [WordPress Trac] #26273: If possible, change file permissions on deactivated plugins so they're not web-accessible.
WordPress Trac
noreply at wordpress.org
Tue Nov 26 19:56:53 UTC 2013
#26273: If possible, change file permissions on deactivated plugins so they're not web-accessible.
----------------------------+------------------------------
 Reporter:  kirrus          |       Owner:
     Type:  enhancement     |      Status:  new
 Priority:  normal          |   Milestone:  Awaiting Review
Component:  Administration  |     Version:
 Severity:  minor           |  Resolution:
 Keywords:                  |
----------------------------+------------------------------
Comment (by TobiasBg):
@jeremyfelt: Not necessarily, I think. If the web user is the owner of the
file, it could chmod from 000 to e.g. 644 again, couldn't it?
However, that shows the possible risk: What if the server config/setup is
changed while a plugin is deactivated, and the web user is suddenly not
the owner anymore? Also, this idea might create access rights problems via
FTP, if the FTP user is different from the web user.
So the risks here probably outweigh the possible benefits. A better
approach for those who are concerned about the possibility of such
security issues probably is to use a .htaccess file that restricts access
to /wp-content/plugins/ (except maybe for plugins on a white list that
require external access -- which good plugins don't).
--
Ticket URL: <http://core.trac.wordpress.org/ticket/26273#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
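The .htaccess approach mentioned in the comment above, written out as an added example (not part of the ticket or of WordPress core). It narrows the rule to PHP files rather than the whole directory, so plugin CSS/JS/image assets still load, and shows one whitelist entry for a hypothetical plugin endpoint that must be requested directly; the plugin and file names are placeholders.

```apache
# Added example: place as /wp-content/plugins/.htaccess (Apache 2.4 syntax).
# WordPress loads plugin code through wp-settings.php, so browsers never need
# to request plugin PHP files directly. Blocking direct requests covers
# deactivated plugins too, without touching file ownership or modes.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Whitelist: one rule per plugin file that legitimately needs direct
    # access (hypothetical names). Paths are relative to this directory.
    RewriteRule ^example-plugin/public-endpoint\.php$ - [L]
    # Every other PHP-like file under plugins/ is forbidden (HTTP 403).
    RewriteRule \.ph(p[0-9]?|tml)$ - [F,L]
</IfModule>
# Fallback when mod_rewrite is not loaded: deny all PHP-like files outright
# (the whitelist above is not available in this branch).
<IfModule !mod_rewrite.c>
    <FilesMatch "\.ph(p[0-9]?|tml)$">
        Require all denied
    </FilesMatch>
</IfModule>
```

Test it by requesting a known plugin PHP file directly (expect 403) and a plugin stylesheet (expect 200) before relying on it, since a too-broad rule would break admin pages that enqueue plugin assets.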