[wp-hackers] Any drawbacks in setting WP_CONTENT_DIR (and URL) to DOCUMENT_ROOT?

Otto otto at ottodestruct.com
Fri Jul 13 16:00:48 UTC 2012

On Fri, Jul 13, 2012 at 10:57 AM, Mike Little <wordpress at zed1.com> wrote:
>> > Haven't tested this, but anyone can preview any troubles with this setup in
>> > wp-config.php?
>> > (WordPress installed at the root)
>> >
>> > define( 'WP_CONTENT_URL', 'http://www.example.com' );
> There are discussions around the net that $_SERVER['DOCUMENT_ROOT'] may be
> susceptible to hacking. In which case this is extremely dangerous because
> there are lots of places that require() or include() WP_CONTENT_DIR . 'something';

What Mike said.

In general, $_SERVER is not safe. It's a mix of information from the
webserver, some of which can be changed by the web browser connecting
to the server.

There are cases where the content in $_SERVER can be perfectly safe,
but for security purposes, it is better to always treat it as
untrusted data. For this specific case, hardcode the directory.
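
An added example, not part of the original message or of WordPress itself: a wp-config.php fragment with the request-environment setting beside a hardcoded one. The filesystem path is a placeholder, and the commented-out weak line is reconstructed from the thread subject rather than quoted from the original post.

```php
<?php
// wp-config.php fragment (added example; the path below is a placeholder).

// Weak: the base directory for later include()/require() calls is read
// from $_SERVER at request time. Reconstructed from the thread subject.
// define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] );

// Hardened: a literal path that never passes through $_SERVER.
$content_dir = '/var/www/example.com/htdocs'; // placeholder, no trailing slash

// Resolve it once so a typo or a missing directory fails loudly here,
// instead of surfacing later as includes from an unexpected location.
$resolved = realpath( $content_dir );
if ( false === $resolved || ! is_dir( $resolved ) ) {
    http_response_code( 500 );
    exit( 'WP_CONTENT_DIR is misconfigured.' );
}

define( 'WP_CONTENT_DIR', $resolved );
define( 'WP_CONTENT_URL', 'http://www.example.com' );
```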

