[wp-trac] [WordPress Trac] #52544: Removing database tables allows anyone to take over all website files
WordPress Trac
noreply at wordpress.org
Sun Mar 28 16:15:56 UTC 2021
#52544: Removing database tables allows anyone to take over all website files
-----------------------------+------------------------------
Reporter: winternetstudio | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 5.6.1
Severity: major | Resolution:
Keywords: | Focuses:
-----------------------------+------------------------------
Comment (by m0ze):
Replying to [comment:6 winternetstudio]:
> That's a different matter - the user is directly removing a security
> measure. Deleting database tables is not a direct security reduction in
> any way. You could in fact argue that a user will think it would improve
> security! Besides, a rogue plugin could do this (which a user installs in
> good faith) - and no user can be blamed for that scenario.
If you delete tables in a database, then in general you should understand
what you are doing and why, and what the consequences will be. The same
goes for the weak password for the administrator account.
Dropping the tables allows you to restart the installation - this is a
security degradation due to the human factor. I have seen many configurations,
ranging from a backup database in the configuration file, to the banal
protection by using a BasicAuth while working with the website. If the
user himself doesn't know what he's doing with the website and doesn't
know how it works in general, then all the consequences of his decisions
are his problem. It's like twisting the keys to an apartment on your
finger, losing them, and then blaming the door company that you lost the
keys.
It is more profitable and easier for a "rogue plugin" to immediately take
control of the CMS without damaging the regular operation of the site, and
there are a lot of solutions for this kind of stuff.
You are trying to see a problem where there is none. More precisely,
there is a problem - it's the human factor, but it has no direct relation to
WordPress.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52544#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform