[wp-trac] [WordPress Trac] #52544: Removing database tables allows anyone to take over all website files
WordPress Trac
noreply at wordpress.org
Sun Mar 28 15:57:09 UTC 2021
#52544: Removing database tables allows anyone to take over all website files
-----------------------------+------------------------------
Reporter: winternetstudio | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 5.6.1
Severity: major | Resolution:
Keywords: | Focuses:
-----------------------------+------------------------------
Comment (by winternetstudio):
Replying to [comment:5 m0ze]:
> Replying to [ticket:52544 winternetstudio]:
> > If one by mistake removes the WordPress' database tables but files are
> > left intact, a hacker or anyone can "install" WordPress again and do
> > whatever he wants. It's a bad design choice that puts WordPress
> > installations at additional risk.
>
> If someone deleted the tables in a database and left everything in this
> form, then this is a 100% human factor, which has a mediocre relationship
> to WordPress.
>
> The same can be said if a user with administrator privileges has the
> password like "qwe123", then a hacker can easily gain access to the
> administrative panel and take control of the entire site.

That's a different matter - the user is directly removing a security
measure. Deleting database tables is not a direct security reduction in
any way. You could in fact argue that a user will think it would improve
security! Besides, a rogue plugin could do this (which a user installs in
good faith) - and no user can be blamed for that scenario.

So, since there is no reason to allow installing a WordPress installation a
second time, it might as well be removed to fix the very scenario we
experienced.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52544#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform