[wp-trac] [WordPress Trac] #32373: Allow For execution of code before login processing
WordPress Trac
noreply at wordpress.org
Fri May 22 07:33:47 UTC 2015
#32373: Allow For execution of code before login processing
-------------------------+----------------------
Reporter: Another Guy | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Security | Version: trunk
Severity: normal | Resolution: invalid
Keywords: | Focuses:
-------------------------+----------------------
Comment (by Another Guy):
"Before the bootstrap is loaded, WordPress's Actions and Hook APIs are not
available. Which means we can add all the do_actions and add_filter's you
want there, but they cannot be used"
I guess I am not making this clear. I DON'T WANT TO USE WORDPRESS
FUNCTIONS. I want to be able to execute code BEFORE wordpress runs, to
allow for simple hardening and filtering of access to certain areas of an
installation BEFORE wordpress is even started.
"The only way for you to do what you're seeking to do is exactly what DD32
suggested, because the wp-config file is loaded before the bootstrap and
is not overridden on WordPress updates. That is your one, and your only
option here."
And that is a "hack" and not generally supported. What I am proposing is
a way to help secure a wordpress installation without having to first
invoke all that comes with wordpress, at a level where someone with basic
PHP knowledge can write clear and concise filters to control access to key
areas of a wordpress installation. Want to limit logins to a single
country? No problem. Want to limit access to your ISP only? No
problem. Want to only allow people using Firefox to log in (say that's all
you use in your office)? No problem. Want to keep people from countries
not using the language of your blog from posting comments? No problem.
Want to stop comments from certain countries, or only limit comments to
your home country? No problem.
All of those things are POSSIBLE in htaccess, but require a skill level
much higher than most people have, and one simple slip up in a regex can
have the exact opposite effects.
Heck, Automattic could even get into the game by having code available for
Akismet which could be added to pre-filter comments before they even have
to be checked for spam. Why even let a known spammer have access?
There are plenty of things you could do. Sticking it in wp-config may be
functional, but is a clear hack and not something that would be widely
supported by wordpress. Moreover, it still requires that the process of
starting the bootstrap occurs, which defeats the purpose, and would have
this code run every time a page is accessed, even if it's NOT for a
secured area, area of input (comments), and the like.
I don't have any intention of using wordpress functions. The entire point
is to NOT invoke wordpress and not even allow bad actors the chance to get
to the site unless you permit them.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32373#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
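
The kind of pre-bootstrap filter discussed in this comment, as an added example that is not part of the original message and not WordPress core code: a plain-PHP gate that limits `wp-login.php` to an allowlist of networks without calling any WordPress function. It assumes the file is included from `wp-config.php` (the approach quoted above); the function names, constants, and address ranges are hypothetical, and the ranges are documentation prefixes to be replaced.

```php
<?php
// Added example. Constructed allowlist (RFC 5737 / RFC 3849 documentation ranges).
const PRELOGIN_ALLOWED_CIDRS = ['192.0.2.0/24', '2001:db8::/32'];
// Entry points to protect; every other script passes through untouched.
const PRELOGIN_PROTECTED = ['wp-login.php'];

// True if $ip lies inside $cidr. Handles IPv4 and IPv6; invalid input never matches.
function prelogin_ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton((string) $net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address or mixed address families
    }
    $max = strlen($ipBin) * 8;
    if ($bits !== null && !ctype_digit($bits)) {
        return false; // a malformed prefix must not silently become /0
    }
    $bits = ($bits === null) ? $max : (int) $bits;
    if ($bits > $max) {
        return false;
    }
    $full = intdiv($bits, 8);   // whole bytes covered by the prefix
    $rem  = $bits % 8;          // leftover bits in the next byte
    if (strncmp($ipBin, $netBin, $full) !== 0) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

// Decide from server variables alone. SCRIPT_NAME is the script actually being
// executed, so query strings and path tricks in REQUEST_URI do not affect it.
// REMOTE_ADDR is the direct peer: behind a reverse proxy it is the proxy's address.
function prelogin_is_allowed(array $server, array $cidrs, array $protected): bool
{
    $script = basename((string) ($server['SCRIPT_NAME'] ?? ''));
    if (!in_array($script, $protected, true)) {
        return true; // not a protected entry point
    }
    $ip = (string) ($server['REMOTE_ADDR'] ?? '');
    foreach ($cidrs as $cidr) {
        if (prelogin_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false; // fail closed on protected scripts
}

if (PHP_SAPI !== 'cli' && !prelogin_is_allowed($_SERVER, PRELOGIN_ALLOWED_CIDRS, PRELOGIN_PROTECTED)) {
    http_response_code(403);
    exit('Forbidden');
}
```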