[wp-trac] [WordPress Trac] #36177: default htaccess should include security measures
WordPress Trac
noreply at wordpress.org
Wed Mar 9 16:40:29 UTC 2016
#36177: default htaccess should include security measures
-------------------------+------------------------------
Reporter: lelutin | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
-------------------------+------------------------------
Comment (by SergeyBiryukov):
> blocking php evaluation for all files in wp-content would only affect
> direct php file access through a URL, not inclusion of code by other php
> files. This means that only direct access to files would get blocked for
> some plugins, but plugins should not require users to load plugin-specific
> php files directly in the first place: those files should get included
> through wordpress itself.

This seems like it would break plugins that submit AJAX requests to their
own files.
Admittedly, they should have used `admin-ajax.php` instead, but not
everyone does.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36177#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
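
Added example (not part of the ticket or of WordPress): a pre-deployment check for the breakage raised in the comment above. It scans access-log lines for successful direct requests to PHP files under wp-content, which are the requests a rule blocking PHP execution there would start refusing. The log lines, plugin and theme names, and the function name are constructed for illustration, and the Combined Log Format is assumed.

```python
import re
from collections import Counter

# Request part of a Common/Combined Log Format line: "METHOD path HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# A PHP script addressed directly under /wp-content/. The match stops at the
# query string, so ".php" appearing only inside a parameter does not count.
DIRECT_PHP_RE = re.compile(r'^(?P<script>/wp-content/[^?#]*\.php)(?:[/?#]|$)', re.I)

# Constructed sample input (documentation IP ranges, made-up plugin names).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Mar/2016:16:01:12 +0000] "POST /wp-content/plugins/example-gallery/ajax/upload.php HTTP/1.1" 200 512
203.0.113.7 - - [09/Mar/2016:16:01:15 +0000] "POST /wp-content/plugins/example-gallery/ajax/upload.php?step=2 HTTP/1.1" 200 498
198.51.100.23 - - [09/Mar/2016:16:02:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 77
198.51.100.23 - - [09/Mar/2016:16:02:41 +0000] "GET /wp-content/plugins/example-gallery/style.css?ver=1.php HTTP/1.1" 200 2048
192.0.2.44 - - [09/Mar/2016:16:05:03 +0000] "GET /wp-content/themes/example-theme/inc/thumb.php?src=a.png HTTP/1.1" 200 9120
192.0.2.99 - - [09/Mar/2016:16:07:55 +0000] "GET /wp-content/uploads/2016/03/probe.php HTTP/1.1" 404 162
"""


def direct_php_hits(lines):
    """Count requests per script that currently succeed and would be blocked.

    Only 2xx/3xx responses are counted: a 4xx/5xx request already fails, so
    the new rule would not change behaviour for it.
    """
    hits = Counter()
    for line in lines:
        req = LOG_RE.search(line)
        if not req:
            continue  # not a request line in the assumed format
        if not 200 <= int(req["status"]) < 400:
            continue
        script = DIRECT_PHP_RE.match(req["path"])
        if script:
            hits[script["script"]] += 1
    return hits


if __name__ == "__main__":
    for script, count in direct_php_hits(SAMPLE_LOG.splitlines()).most_common():
        print(f"{count:5d}  {script}")
```

Any script this reports belongs to a plugin or theme that is called by URL rather than through `admin-ajax.php`, so it needs an exception or a fix before such a rule is enabled.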