[wp-trac] [WordPress Trac] #26273: If possible, change file permissions on deactivated plugins so they're not web-accessible.

WordPress Trac noreply at wordpress.org
Wed Nov 27 00:51:00 UTC 2013


#26273: If possible, change file permissions on deactivated plugins so they're not
web-accessible.
----------------------------+----------------------
 Reporter:  kirrus          |       Owner:
     Type:  enhancement     |      Status:  closed
 Priority:  normal          |   Milestone:
Component:  Administration  |     Version:
 Severity:  minor           |  Resolution:  wontfix
 Keywords:                  |
----------------------------+----------------------
Changes (by dd32):

 * status:  new => closed
 * resolution:   => wontfix
 * milestone:  Awaiting Review =>


Comment:

 Basically this isn't possible, and the better option would be for us to
 have a default .htaccess that denies requests directly to .php files in
 wp-content/plugins.

 In many server configurations, the user doesn't have direct write access
 to the WordPress files, and as mentioned above, if the server
 configuration changes, WordPress might not be able to change the
 permissions back.
 Changing the permissions may also result in FTP Servers deciding that the
 user doesn't have write-access/delete access to the files (I've seen
 worse), which is also not a great UX.

 I'm going to have to say that this is a wontfix, it's not something we can
 technically do reliably without harming users, and the better method is
 simply preventing plugins from being accessed directly in the first place
 (since none should be).

--
Ticket URL: <http://core.trac.wordpress.org/ticket/26273#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
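
The mitigation suggested in the comment above, sketched as an added example (not part of the original message and not a file WordPress ships). It assumes Apache with `AllowOverride` permitting `AuthConfig` (2.4) or `Limit` (2.2) for the plugins directory; the file location is the directory named in the comment.

```apache
# wp-content/plugins/.htaccess
# Added example: refuse direct HTTP requests to any .php file under this
# directory. WordPress loads plugins from the filesystem with include/require,
# which this file does not affect.

<FilesMatch "(?i)\.php$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

With this in place, a direct request for a PHP file under wp-content/plugins should return 403 whether the plugin is active or deactivated. Any plugin that expects its PHP files to be requested directly will stop working, so check for that before deploying it.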

