[wp-trac] [WordPress Trac] #43478: Remove password protected post functionality, or make it possible to be disabled
WordPress Trac
noreply at wordpress.org
Tue Mar 6 13:40:38 UTC 2018
#43478: Remove password protected post functionality, or make it possible to be disabled
--------------------------+-----------------------------
 Reporter:  tomdxw        |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Security      |     Version:  4.9.4
 Severity:  normal        |    Keywords:
  Focuses:                |
--------------------------+-----------------------------
This functionality is not secure in the slightest. The password is stored
as plain text. The fact that the password is meant to be shared among
multiple people means that it's hard to change, it's liable to stop being
a secret, it'll probably be very easy to guess if people are expected to
remember it or write it down. The password entry also doesn't support any
of the hooks from wp-login.php so a plugin which blocks brute force login
attempts will allow post passwords to be brute forced.
It doesn't really belong in core - if somebody proposed it today they'd be
told to write a plugin instead.
But if it can't be removed entirely, it should at least be possible to
disable the functionality either with a constant or with
`remove_theme_support(...)`. This would allow hosts/maintainers of sites
to protect their clients by forcing them to use more secure alternatives.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43478>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
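As an added illustration of the "make it possible to be disabled" proposal above, the following must-use plugin is example code written for this page, not code from the ticket reporter or from WordPress core. It uses two real core APIs: the `wp_insert_post_data` filter (applied by `wp_insert_post()` to the row about to be written, so it also covers saves made through the REST API and XML-RPC) to clear `post_password` on every save, and the `has_password` query argument of `get_posts()` to warn administrators about posts that still carry a password from before the plugin was installed. The file name and notice wording are assumptions.

```php
<?php
/**
 * Plugin Name: Disable Post Passwords (example)
 * Description: Strips the password from every post on save so the
 *              password-protected-post feature cannot be used, and warns
 *              administrators about posts that still carry one.
 *
 * Example code for illustration; not part of WordPress core.
 * Place in wp-content/mu-plugins/ (assumed file name:
 * disable-post-passwords.php) so it loads before ordinary plugins and
 * cannot be deactivated from the dashboard.
 */

// Clear post_password before the post row is written. Because the filter
// runs inside wp_insert_post(), it catches the classic editor, the block
// editor (REST), XML-RPC and programmatic saves alike.
add_filter( 'wp_insert_post_data', function ( $data, $postarr ) {
	if ( ! empty( $data['post_password'] ) ) {
		$data['post_password'] = '';
	}
	return $data;
}, 10, 2 );

// Posts that were password-protected before this plugin was installed
// keep their plaintext password in the database. Surface them so the site
// maintainer can move them to a stronger access control (e.g. private
// posts behind real user accounts) and then clear the password.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}

	// has_password => true selects only posts with a non-empty password.
	$protected_ids = get_posts( array(
		'post_type'      => 'any',
		'post_status'    => 'any',
		'has_password'   => true,
		'posts_per_page' => 10,
		'fields'         => 'ids',
	) );

	if ( empty( $protected_ids ) ) {
		return;
	}

	$message = sprintf(
		'Post passwords are disabled on this site, but %d post(s) still have one (IDs: %s). ' .
		'Move them to a stronger access control and clear the password.',
		count( $protected_ids ),
		implode( ', ', array_map( 'intval', $protected_ids ) )
	);

	printf(
		'<div class="notice notice-warning"><p>%s</p></div>',
		esc_html( $message )
	);
} );
```

The filter only prevents new passwords from being set; it deliberately does not alter `post_password_required()`, because forcing that check to return false would publish the content of already-protected posts to everyone. Clearing those existing passwords is left as an explicit, reviewed step for the maintainer, which is what the admin notice prompts.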