[wp-hackers] Forum Post: Security

Scott Merrill skippy at skippy.net
Fri Jun 24 19:43:24 GMT 2005


David House wrote:
> On 6/24/05, Scott Merrill <skippy at skippy.net> wrote:
> 
>>Asking them to find the "random string of letters" makes it
>>time-consuming for us to provide clear instructions on how to gain
>>access to their database.
>>
>>What if I install three blogs, each with a randomly generated prefix.
>>How will I know which one is the one I want to modify?
> 
> 
> How about if we store the prefix in the options table? Then it's only
> a SELECT away.

What if the user is locked out of their blog in some way?  How can they
select data about the database if they need that data to find their
database?

/me slaps forehead.
Even if the prefix is randomly generated, it still needs to be recorded
in wp-config.php.  So we can just tell people to read that file, and
find the prefix.

I still vastly prefer allowing people to select their own prefix.
Perhaps, if this system gets rolled out, the installer can supply a
randomly generated prefix in a text field, and the user can elect to keep
it or replace it, as they see fit.

The installer will then need to be updated to check whether it has write
permission on the WP root.  If not, an explanation needs to be given to
the user to make the directory writable.  The installer creates
wp-config.php, then asks the user to remove write permission on WP root.

The /wp-admin/ pages may want to check write permissions on all
directories EXCEPT /wp-content/, and complain if things are writable.

-- 
skippy at skippy.net | http://skippy.net/

gpg --keyserver pgp.mit.edu --recv-keys 9CFA4B35
506C F8BB 17AE 8A05 0B49  3544 476A 7DEC 9CFA 4B35

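The installer flow sketched in the post above (random default prefix the user may override, a writability check on the WP root before wp-config.php is written, and a post-install audit that complains about writable directories other than wp-content/), as an added example. This is not WordPress code and not the poster's code; the function names, the config-file layout and the temporary directory used for the demo are assumptions made for the example. Note that is_writable() answers for the user the PHP process runs as, which is exactly the user that matters when the check runs from /wp-admin/, but a root shell will see everything as writable.

```php
<?php
// Added example (not WordPress code). Demonstrates the installer steps from
// the post: random default table prefix, refuse to write wp-config.php unless
// the WP root is writable, then audit which directories outside wp-content/
// are still writable once installation is done.

function generate_table_prefix(int $letters = 6): string {
    // Random lowercase prefix ending in '_'; the install form can show this
    // as the default and let the user replace it.
    $alphabet = 'abcdefghijklmnopqrstuvwxyz';
    $out = '';
    for ($i = 0; $i < $letters; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out . '_';
}

function is_valid_table_prefix(string $prefix): bool {
    // Restrict to [A-Za-z0-9_] so the prefix is safe to interpolate into
    // table names without quoting.
    return (bool) preg_match('/^[A-Za-z0-9_]+$/', $prefix);
}

function write_wp_config(string $wp_root, string $prefix, array $db): bool {
    // Step 1 of the post: the installer must be able to write into WP root.
    if (!is_writable($wp_root)) {
        fwrite(STDERR, "$wp_root is not writable; make it writable "
            . "(e.g. chmod u+w $wp_root), re-run, then remove write access.\n");
        return false;
    }
    if (!is_valid_table_prefix($prefix)) {
        fwrite(STDERR, "Table prefix '$prefix' contains disallowed characters.\n");
        return false;
    }
    // The prefix is recorded in wp-config.php, which is where a locked-out
    // user is told to look it up; keep the file unreadable to other users.
    $config = "<?php\n"
        . "define('DB_NAME', " . var_export($db['name'], true) . ");\n"
        . "define('DB_USER', " . var_export($db['user'], true) . ");\n"
        . "define('DB_PASSWORD', " . var_export($db['password'], true) . ");\n"
        . "define('DB_HOST', " . var_export($db['host'], true) . ");\n"
        . "\$table_prefix = " . var_export($prefix, true) . ";\n";
    $path = rtrim($wp_root, '/') . '/wp-config.php';
    if (file_put_contents($path, $config, LOCK_EX) === false) {
        return false;
    }
    chmod($path, 0640);
    return true;
}

function writable_dirs_outside_wp_content(string $wp_root): array {
    // Step 3 of the post: list every directory under WP root, except the
    // wp-content/ tree, that is writable by the current (web server) user.
    $root = rtrim(realpath($wp_root), '/');
    $skip = $root . '/wp-content';
    $writable = [];
    if (is_writable($root)) {
        $writable[] = $root;
    }
    $dirs = new RecursiveIteratorIterator(
        new RecursiveCallbackFilterIterator(
            new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
            // Only descend into directories, and never into wp-content/.
            function (SplFileInfo $entry) use ($skip): bool {
                return $entry->isDir() && $entry->getPathname() !== $skip;
            }
        ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($dirs as $dir) {
        if ($dir->isWritable()) {
            $writable[] = $dir->getPathname();
        }
    }
    return $writable;
}

// Demo on a constructed, throw-away tree (assumed layout for the example).
$root = sys_get_temp_dir() . '/wp-demo-' . bin2hex(random_bytes(4));
foreach (['wp-admin', 'wp-content/uploads', 'wp-includes'] as $d) {
    mkdir("$root/$d", 0755, true);
}
$prefix = generate_table_prefix();
$db = ['name' => 'wp', 'user' => 'wp', 'password' => 'example', 'host' => 'localhost'];
if (write_wp_config($root, $prefix, $db)) {
    echo "wrote $root/wp-config.php with prefix $prefix\n";
    // Step 2 of the post: the user is told to drop write access again.
    chmod($root, 0555);
    chmod("$root/wp-admin", 0555);
    // wp-includes is deliberately left writable to show up in the audit.
    foreach (writable_dirs_outside_wp_content($root) as $bad) {
        echo "warning: $bad is writable by the web server user\n";
    }
}
```

Run as a non-root user: the audit should name only the wp-includes directory, since wp-content/ is skipped and the root and wp-admin had write permission removed. The two chmod calls stand in for the instruction the installer would show the user; in a real deployment the web server user typically does not own the tree, so chmod from the installer would fail and the message, not the chmod, is the mechanism.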
