[wp-trac] [WordPress Trac] #26273: Deactivated plugins and themes should not execute

WordPress Trac noreply at wordpress.org
Tue Jul 7 13:09:32 UTC 2020


#26273: Deactivated plugins and themes should not execute
----------------------------+----------------------
 Reporter:  kirrus          |       Owner:  (none)
     Type:  enhancement     |      Status:  closed
 Priority:  normal          |   Milestone:
Component:  Administration  |     Version:
 Severity:  normal          |  Resolution:  wontfix
 Keywords:                  |     Focuses:
----------------------------+----------------------

Comment (by KestutisIT):

 .htaccess "deny from all" auto-blocker if a plugin got deactivated + WordPress
 internal firewall:
 --------
 So, from discussion in the forums, it appears
 that a website may also be hacked via a deactivated plugin. So after a plugin
 has been deactivated, I suggest the following:

 ----


 **FOR APACHE SERVERS:**
 WordPress would automatically create an .htaccess file in the plugin's folder
 with "deny from all" as its content. That would protect against a non-updated
 deactivated plugin's vulnerability, as people often believe that they are
 safe if they have deactivated a suspicious plugin, or if they tested something
 and left that plugin on the server deactivated for years.
 Also, there should be a WordPress internal firewall that shows a BIG
 RED WARNING in all of WP Admin that WordPress was not able to create the
 .htaccess blocker for some plugin, and that the user has to create that file
 with that content manually.

 **FOR NGINX SERVERS:**
 There is an Apache to Nginx converter. Maybe there has to be an IF/ELSE case: in
 case A, an .htaccess file is created; in case B, an Nginx directive is
 created.

 There is an Apache .htaccess to Nginx directives converter:
 https://winginx.com/en/htaccess#:~:text=About%20the%20htaccess%20to%20nginx,ported%20from%20Apache%20to%20nginx.
 It gives a 'deny all' directive for Nginx.

 With a PHP script you can check whether you still have access to that 'X' folder
 or not.
 If you still have it, and you see it's Nginx, you put up a red warning text
 saying:

 ''Please immediately contact your server administrator to add this Nginx
 directive:

 {{{
 /../x-user/.../.../x-plugin/ deny all
 }}}
 ''


 ----

 This would boost the WordPress security level to the next class.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/26273#comment:22>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
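The proposal above (write a deny rule on deactivation, then verify from the outside and warn if the folder is still reachable) as an added must-use plugin example; this is illustrative code, not WordPress core and not the ticket author's. It assumes a standard layout where `WP_PLUGIN_DIR` is served at `plugins_url()`, and the option name and probe file name (`ex_pending_deny_check`, `deactivated-probe.txt`) are hypothetical.

```php
<?php
/**
 * Plugin Name: Fence off deactivated plugins (added example, not WordPress core)
 * Drop into wp-content/mu-plugins/. Assumes WP_PLUGIN_DIR is served at plugins_url().
 */

// Apache 2.4 (mod_authz_core) and 2.2 syntax side by side, so either version honours it.
const EX_DENY_HTACCESS = "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
    . "<IfModule !mod_authz_core.c>\n    Deny from all\n</IfModule>\n";
const EX_PROBE_FILE = 'deactivated-probe.txt'; // hypothetical marker file, holds no code

// 1. On deactivation, write the .htaccess and a harmless probe file into the plugin folder.
add_action( 'deactivated_plugin', function ( $plugin ) {
    $dir = dirname( $plugin );                      // "acme/acme.php" -> "acme"
    if ( '.' === $dir ) {
        return;                                     // single-file plugin; no folder to fence off
    }
    $base = trailingslashit( WP_PLUGIN_DIR ) . $dir . '/';
    if ( ! file_exists( $base . '.htaccess' ) ) {
        file_put_contents( $base . '.htaccess', EX_DENY_HTACCESS );
    }
    file_put_contents( $base . EX_PROBE_FILE, "probe\n" );
    update_option( 'ex_pending_deny_check', $dir ); // remember for the admin-side check
} );

// 2. In wp-admin, fetch the probe over HTTP. 403/404 = block works; 200 = folder still
//    reachable (nginx ignores .htaccess), so show the directive the admin must add.
add_action( 'admin_notices', function () {
    $dir = get_option( 'ex_pending_deny_check' );
    if ( ! $dir || ! current_user_can( 'activate_plugins' ) ) {
        return;
    }
    $resp = wp_remote_head( plugins_url( $dir . '/' . EX_PROBE_FILE ), array( 'timeout' => 5 ) );
    if ( is_wp_error( $resp ) ) {
        return;                                     // could not reach ourselves; retry next load
    }
    if ( 200 !== (int) wp_remote_retrieve_response_code( $resp ) ) {
        delete_option( 'ex_pending_deny_check' );   // blocked as intended, nothing to report
        return;
    }
    $url_path = wp_parse_url( plugins_url( $dir ), PHP_URL_PATH );
    printf(
        '<div class="notice notice-error"><p>Deactivated plugin folder <code>%s</code> is still '
        . 'reachable over HTTP. Ask the server administrator to add this nginx directive:</p>'
        . '<pre>location ^~ %s/ { deny all; }</pre></div>',
        esc_html( $dir ),
        esc_html( $url_path )
    );
} );
```

The probe is a plain text file rather than one of the plugin's PHP files, so the self-check never executes deactivated plugin code; a 403 from Apache or a 200 from nginx is all it needs to tell the two cases apart.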