[wp-trac] [WordPress Trac] #52544: Removing database tables allows anyone to take over all website files

WordPress Trac noreply at wordpress.org
Sun Mar 28 16:15:56 UTC 2021


#52544: Removing database tables allows anyone to take over all website files
-----------------------------+------------------------------
 Reporter:  winternetstudio  |       Owner:  (none)
     Type:  enhancement      |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Security         |     Version:  5.6.1
 Severity:  major            |  Resolution:
 Keywords:                   |     Focuses:
-----------------------------+------------------------------

Comment (by m0ze):

 Replying to [comment:6 winternetstudio]:
 > That's a different matter - the user is directly removing a security
 > measure. Deleting database tables is not a direct security reduction in
 > any way. You could in fact argue that a user will think it would improve
 > security! Besides, a rogue plugin could do this (which a user installs in
 > good faith) - and no user can be blamed for that scenario.

 If you delete tables in a database, then in general you should understand
 what you are doing and why, and what the consequences will be. The same
 goes for the weak password for the administrator account.

 Dropping the tables allows you to restart the installation - this is the
 security degradation due to the human factor. I have seen many configurations,
 ranging from a backup database in the configuration file, to the banal
 protection by using a BasicAuth while working with the website. If the
 user himself doesn't know what he's doing with the website and doesn't
 know how it works in general, then all the consequences of his decisions
 are his problem. It's like twisting the keys to an apartment on your
 finger, losing them, and then blaming the door company that you lost the
 keys.

 It is more profitable and easier for a "rogue plugin" to immediately take
 control of the CMS without damaging the regular operation of the site, and
 there are a lot of solutions for this kind of stuff.

 You are trying to see the problem where there is none. More precisely,
 there is a problem - it's a human factor, but it has no direct relation to
 WordPress.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52544#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
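The situation the ticket argues about (tables gone, so the site falls back to its installer until someone completes it) is cheap to watch for from the defender's side. The monitor below is an added example, not code from the ticket or from WordPress; the installer markers (the `wp-admin/install.php` redirect target and the page title), the `example.test` host and the function names are assumptions to verify against your own WordPress version.

```python
"""Detect a WordPress site that is serving its installer instead of the site,
e.g. after its database tables were dropped, so the exposure window is alerted
on quickly. Added example; marker strings are assumptions, not from the ticket."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# Assumed markers of the installer: the redirect target path and the page title.
INSTALL_PATH_RE = re.compile(r"/wp-admin/(install|setup-config)\.php", re.I)
INSTALL_TITLE_RE = re.compile(r"WordPress\s*(&rsaquo;|›)\s*Installation", re.I)


@dataclass
class Probe:
    final_url: str  # URL after following redirects
    status: int
    body: str


def installer_exposed(p: Probe) -> bool:
    """True when the response is the install/setup wizard, reachable unauthenticated."""
    if p.status in (401, 403):
        # BasicAuth or a deny rule is already in front of the installer.
        return False
    if INSTALL_PATH_RE.search(p.final_url):
        return True
    return bool(INSTALL_TITLE_RE.search(p.body))


def probe_site(url: str, timeout: float = 10.0) -> Probe:
    """Fetch the site root; urllib follows the redirect to install.php by itself."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-install-monitor"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return Probe(resp.geturl(), resp.status, body)
    except urllib.error.HTTPError as e:
        return Probe(e.geturl(), e.code, "")


# Constructed sample responses (not captured from any real site).
HEALTHY = Probe("https://example.test/", 200, "<title>My Blog</title>")
DROPPED = Probe("https://example.test/wp-admin/install.php", 200,
                "<title>WordPress &rsaquo; Installation</title>")
GUARDED = Probe("https://example.test/wp-admin/install.php", 401, "")

if __name__ == "__main__":
    for name, sample in ("healthy", HEALTHY), ("dropped", DROPPED), ("guarded", GUARDED):
        print(name, "ALERT" if installer_exposed(sample) else "ok")
```

Run `probe_site("https://your-site/")` from a scheduled job and page on `installer_exposed(...)`; the `GUARDED` case shows the BasicAuth configuration the comment mentions turning the alert off.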
