[wp-hackers] Possible security patch

Steven Rossi SuperMoonMan at gmail.com
Sun Dec 6 04:35:39 UTC 2009


Could you maybe flesh the name sanitization out a little bit? If you're
thinking of something that will provide positive security (albeit through
obscurity, which you've already mentioned isn't exactly the WordPress
way...) without diminishing functionality, I think it'd be worth an honest
evaluation.

Steven Rossi
http://www.letsmovetothemoon.com
http://www.stevenjrossi.com
http://www.twitter.com/supermoonman

On Sat, Dec 5, 2009 at 11:29 PM, Ian Stewart <ian at themeshaper.com> wrote:

> What I'm proposing would be using an alternate sanitized name in both the
> body_class AND the author URLs. The correct solution probably is to avoid
> using the admin account for posting. I'd argue though that most people do
> use the admin account for posting and will continue to whether or not it is
> the correct solution. Even if they know it's the correct solution. Just like
> people choose to use weak passwords, leave their plugins and themes and
> copies of WordPress out of date and do countless other things that aren't
> correct.
>
> That said, I hadn't heard of the user switching plugin before. Thanks for
> that. That'll make doing the correct thing a lot easier. Cheers.
>
> On Sat, Dec 5, 2009 at 2:31 PM, Steven Rossi <SuperMoonMan at gmail.com>
> wrote:
>
> > Yeah, I think the User Switching plugin would be a nice feature to have
> > built-in, but consider how often you use it on your OS. It's really a breeze
> > to use a non-administrator account on a PC (it's easier on a Mac, but less
> > relevant because of less threat) and to switch to an administrator account
> > when necessary, whether through Fast User Switching or the Run As...
> > right-click function (if that still exists past XP, I'm not sure), but who
> > actually does that? Too inconvenient. I'm just not sure having that
> > functionality included in WordPress would be much more than a "nice
> > feature."
> >
> > Steven Rossi
> > http://www.letsmovetothemoon.com
> > http://www.stevenjrossi.com
> > http://www.twitter.com/supermoonman
> >
> > On Sat, Dec 5, 2009 at 3:12 PM, Matt Mullenweg <m at mullenweg.com> wrote:
> >
> > > On 2009-12-05 11:45 AM, Joost de Valk wrote:
> > >
> > >> Can I vote for rolling the user switching plugin into core?
> > >>
> > >
> > > You can, but it doesn't have anything to do with security.
> > >
> > >
> > > --
> > > Matt Mullenweg
> > > http://ma.tt | http://wordpress.org | http://automattic.com
> > >
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
>
> --
> Ian Stewart
>
> http://ThemeShaper.com/
> http://twitter.com/iandstewart/
> http://ianstewart.stumbleupon.com/
>