[wp-trac] [WordPress Trac] #26273: If possible, change file permissions on deactivated plugins so they're not web-accessible.
WordPress Trac
noreply at wordpress.org
Wed Nov 27 00:51:00 UTC 2013
#26273: If possible, change file permissions on deactivated plugins so they're not
web-accessible.
----------------------------+----------------------
 Reporter:  kirrus          |       Owner:
     Type:  enhancement     |      Status:  closed
 Priority:  normal          |   Milestone:
Component:  Administration  |     Version:
 Severity:  minor           |  Resolution:  wontfix
 Keywords:                  |
----------------------------+----------------------
Changes (by dd32):
* status: new => closed
* resolution: => wontfix
* milestone: Awaiting Review =>
Comment:
Basically this isn't possible, and the better option would be for us to
have a default .htaccess that denies requests directly to .php files in
wp-content/plugins.

In many server configurations, the user doesn't have direct write access
to the WordPress files, and as mentioned above, if the server
configuration changes, WordPress might not be able to change the
permissions back.

Changing the permissions may also result in FTP Servers deciding that the
user doesn't have write-access/delete access to the files (I've seen
worse), which is also not a great UX.

I'm going to have to say that this is a wontfix, it's not something we can
technically do reliably without harming users, and the better method is
simply preventing plugins from being accessed directly in the first place
(since none should be..)
--
Ticket URL: <http://core.trac.wordpress.org/ticket/26273#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
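
The kind of .htaccess the comment above describes, as an added example that is not part of the ticket or of WordPress core. It assumes Apache, a file placed at wp-content/plugins/.htaccess, and an AllowOverride setting that permits access-control directives in .htaccess files.

```apache
# wp-content/plugins/.htaccess (added example, not shipped by WordPress)
# Refuse HTTP requests that target .php files under this directory tree.
# Static assets (CSS, JS, images) in plugin folders are still served.

# Apache 2.4 and later: access control comes from mod_authz_core.
<IfModule mod_authz_core.c>
    <FilesMatch "(?i)\.php$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2: mod_authz_core does not exist, so use the older
# Order/Deny directives from mod_authz_host.
<IfModule !mod_authz_core.c>
    <FilesMatch "(?i)\.php$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

The rule applies only to HTTP requests, so plugin files that WordPress loads through PHP includes keep working, while a direct request to a plugin's .php file gets a 403 whether the plugin is active or deactivated. A plugin that expects one of its own .php files to be requested directly would stop working under this rule.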