[wp-trac] [WordPress Trac] #32373: Allow For execution of code before login processing

WordPress Trac noreply at wordpress.org
Fri Jun 25 06:15:06 UTC 2021


#32373: Allow For execution of code before login processing
-------------------------+----------------------
 Reporter:  Another Guy  |       Owner:  (none)
     Type:  enhancement  |      Status:  closed
 Priority:  normal       |   Milestone:
Component:  Security     |     Version:  4.3
 Severity:  normal       |  Resolution:  invalid
 Keywords:               |     Focuses:
-------------------------+----------------------

Comment (by leanice):

 The wp-config.php file holds crucial information about your WordPress
 installation, and it’s the most important file in your site’s root
 directory. Protecting it means securing the core of your WordPress blog.
 This tactic makes things difficult for hackers to breach the security of
 your site, since the wp-config.php file becomes inaccessible to them. As a
 bonus, the protection process is really easy. Just take your wp-config.php
 file and move it to a higher level than your root directory.

 Now, the question is, if you store it elsewhere, how does the server
 access it? In the current WordPress architecture, the configuration file
 settings are set to the highest on the priority list. So, even if it is
 stored one folder above the root directory, WordPress can still see it.

 Introducing a two-factor authentication (2FA) module on the login page is
 another good security measure. In this case, the user provides login
 details for two different components. The website owner decides what those
 two are. It can be a regular password followed by a secret question, a
 secret code, a set of characters, or, more popularly, the Google
 Authenticator app, which sends a secret code to your phone. This way, only
 the person with your phone (you) can log in to your site.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/32373#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
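
An audit of the wp-config.php placement discussed in the comment above, as an added example that is not part of the original message or of WordPress itself. It follows the lookup order WordPress uses in wp-load.php (install directory first, then one level up, and only when that parent holds no wp-settings.php). The function names and status labels are hypothetical, and the WordPress directory is assumed to be the web server's document root.

```shell
#!/bin/sh
# Added example, not WordPress code. Function names and labels are hypothetical.

# Print the wp-config.php path WordPress would load for install dir $1.
wp_config_path() {
    root=${1%/}
    parent=$(dirname "$root")
    if [ -f "$root/wp-config.php" ]; then
        printf '%s\n' "$root/wp-config.php"
    elif [ -f "$parent/wp-config.php" ] && [ ! -e "$parent/wp-settings.php" ]; then
        # The parent copy is used only when the parent is not itself
        # a WordPress install (no wp-settings.php beside it).
        printf '%s\n' "$parent/wp-config.php"
    else
        return 1
    fi
}

# Report where the active config sits and whether its mode is too loose.
# $1 = WordPress directory, assumed to also be the document root.
audit_wp_config() {
    root=${1%/}
    cfg=$(wp_config_path "$root") || { echo "MISSING"; return 2; }
    status=OK
    case $cfg in
        "$root"/*) status=IN_WEBROOT ;;   # still inside the served tree
    esac
    # A world-readable config exposes DB credentials and salts
    # to every other local account on the host.
    if [ -n "$(find "$cfg" -prune -perm -004)" ]; then
        status="$status,WORLD_READABLE"
    fi
    echo "$status"
}

# Stand-alone use: sh audit.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    audit_wp_config "$1"
fi
```

Moving the file out of the served tree does not tighten its permissions, so the two findings are reported independently.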

