[wp-trac] [WordPress Trac] #31779: Warn users before using a built-in file editor for the first time

WordPress Trac noreply at wordpress.org
Tue Apr 7 20:33:12 UTC 2015


#31779: Warn users before using a built-in file editor for the first time
-------------------------+---------------------------------
 Reporter:  helen        |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Editor       |     Version:
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:  ui, administration
-------------------------+---------------------------------

Comment (by magicroundabout):

 Hi guys,

 I don't know if this is appropriate here, but I came to trac to see if
 there was a discussion about the idea of making the plugin and theme
 editors off by default and I couldn't find one, but I did find this.

 My opinion is that these shouldn't be removed entirely, but they should be
 disabled - in the config - by default. My reasoning for this is security.
 I've probably worked on about 100 WordPress sites in the last four years
 and had maybe 5 or 6 sites hacked. Every time analysis of the logs has
 shown that after an initial entry (either by brute force or by some
 unknown method) the hacker bots proceeded to inject code using the theme
 editors.

 I now add

 {{{
 define('DISALLOW_FILE_EDIT', true);
 }}}

 to wp-config.php as a matter of course. It's like a nervous tic: install
 WordPress, disable editors.

 YES, I am totally aware that this is not a security risk if other security
 is present and correct: brute force protection, strong passwords, etc. But
 I should add that most of these sites that I'm rescuing are not sites that
 I developed - they are places where I'm bailing out another developer or
 an unknowing user.

 Is there a good reason why this feature, which seems to me to be a huge
 security issue in WordPress, is not off by default? I would suggest that
 this config option should be ALLOW_FILE_EDIT and it should be false by
 default. I would be quite happy for this to be an option during the
 WordPress install (though I doubt that would be a good idea as the user
 probably wouldn't understand the option in many cases). It would need to
 be backwards-compatible somehow to prevent an update breaking users'
 installs.

 I'm happy to spin off another ticket to discuss. But this seemed an
 appropriate place to raise it. I hope you don't mind.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/31779#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
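The commenter's observation is that, after an initial break-in, the attackers wrote code through the theme editor, and that this showed up in the web server logs. The following script is an added example (not code from the ticket or from WordPress) of the corresponding check a defender can run over an access log: every POST to the built-in theme or plugin editor is reported, and each hit is annotated with whether the same client had just hammered wp-login.php, the brute-force-then-edit sequence described above. The log lines, IP addresses and the ten-minute window are constructed for the example; the editor paths are the real wp-admin endpoints that DISALLOW_FILE_EDIT turns off.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format (parsing is an assumption of this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The built-in editors the commenter saw abused; DISALLOW_FILE_EDIT removes both.
EDITOR_PATHS = ("/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php")
LOGIN_PATH = "/wp-login.php"


def parse(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def find_editor_writes(lines, window=timedelta(minutes=10), min_login_posts=5):
    """Report every POST to a built-in file editor (a POST there is a file write).
    Each hit is (ip, timestamp, path, preceded_by_login_burst): the flag is True
    when the same IP sent >= min_login_posts POSTs to wp-login.php within `window`."""
    logins = defaultdict(list)  # ip -> timestamps of POST /wp-login.php
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST":
            continue
        if path == LOGIN_PATH:
            logins[ip].append(ts)
        elif path in EDITOR_PATHS:
            recent = [t for t in logins[ip] if ts - window <= t <= ts]
            hits.append((ip, ts, path, len(recent) >= min_login_posts))
    return hits


def _line(ip, hhmmss, method, path, status):  # builds one constructed log line
    return (f'{ip} - - [07/Apr/2015:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample: a login burst followed by a theme-editor write from one IP,
# and an isolated editor write from another (still reported, but not flagged).
SAMPLE_LOG = (
    [_line("203.0.113.5", f"20:01:0{i}", "POST", LOGIN_PATH, 200) for i in range(1, 6)]
    + [_line("203.0.113.5", "20:01:09", "POST", LOGIN_PATH, 302),
       _line("203.0.113.5", "20:02:15", "POST", "/wp-admin/theme-editor.php", 302),
       _line("198.51.100.7", "20:10:00", "POST", "/wp-admin/theme-editor.php", 302)]
)

if __name__ == "__main__":
    for ip, ts, path, burst in find_editor_writes(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {ip} POST {path} login-burst={burst}")
```

On a site where DISALLOW_FILE_EDIT is set, any hit at all is an anomaly; on a site where it is not, the burst flag separates the pattern the commenter describes from an administrator's own edits.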