[wp-trac] [WordPress Trac] #36177: default htaccess should include security measures
WordPress Trac
noreply at wordpress.org
Fri Dec 20 22:20:26 UTC 2024
#36177: default htaccess should include security measures
-------------------------+------------------------------
Reporter: lelutin | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
-------------------------+------------------------------
Comment (by azaozz):
Replying to [https://core.trac.wordpress.org/ticket/62724#comment:3 swissspidy]:
> it looks like this ticket is more about unnecessary error logging rather
> than a path disclosure. Still, blocking direct access to the files in
> question using the web server configuration file should resolve the issue
> for now, until any changes are implemented in core.

Right, it seems #62724 is not about "security hardening". However, having
accessible `.php` files that would throw PHP fatal errors when accessed
still means some poorly written code? Generally all WP files should either
bootstrap WP or not contain any "loose" PHP code, right? However, it seems
there are a lot of files that do not comply with that requirement.

A somewhat cumbersome way to fix this would be to check whether ABSPATH is
set in all of these files. This seems generally expected for plugins, but
not for core. Why not? Yeah, I agree checking ABSPATH is not an elegant
solution, but all of these files are non-compliant with the basic
standards already?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36177#comment:22>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
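
Added example, not part of the original message and not WordPress code: a heuristic audit that lists which `.php` files under a tree neither test `ABSPATH` nor bootstrap WordPress, which is the set of files the comment above is concerned with. The regular expressions, the `classify`/`audit`/`demo` names and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics (assumptions, not WordPress rules): a "guard" is any
# defined('ABSPATH') test; a "bootstrap" file defines ABSPATH itself or
# loads one of the core loader files.
COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)
GUARD = re.compile(r"\bdefined\s*\(\s*['\"]ABSPATH['\"]\s*\)")
BOOTSTRAP = re.compile(
    r"\bdefine\s*\(\s*['\"]ABSPATH['\"]"
    r"|\b(?:require|include)(?:_once)?\b[^;]*wp-(?:load|config|blog-header)\.php"
)

def classify(source):
    """Return 'guarded', 'bootstraps' or 'unguarded' for one PHP source string."""
    code = COMMENTS.sub("", source)  # a commented-out guard must not count
    if GUARD.search(code):
        return "guarded"
    if BOOTSTRAP.search(code):
        return "bootstraps"
    return "unguarded"

def audit(root):
    """Map each .php file under root (relative path) to its classification."""
    return {
        p.relative_to(root).as_posix(): classify(p.read_text(errors="replace"))
        for p in sorted(root.rglob("*.php"))
    }

# Constructed sample tree, not real WordPress files.
SAMPLE = {
    "wp-load.php": "<?php\ndefine( 'ABSPATH', __DIR__ . '/' );\n",
    "wp-admin/admin.php": "<?php\nrequire_once dirname( __DIR__ ) . '/wp-load.php';\n",
    "wp-includes/guarded.php": "<?php\nif ( ! defined( 'ABSPATH' ) ) {\n\texit;\n}\nadd_action( 'init', 'x' );\n",
    "wp-includes/loose.php": "<?php\n// if ( ! defined( 'ABSPATH' ) ) exit;\nadd_action( 'init', 'x' );\n",
}

def demo():
    """Write the sample tree to a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLE.items():
            path = root / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return audit(root)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10} {name}")
```

Files reported as `unguarded` are candidates for either an `ABSPATH` check or a web server rule denying direct requests; the comment stripping is regex-based, so results on real code need manual review.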