[wp-hackers] Security at Wordpress
ryan at concept64.com
Mon Apr 24 15:09:52 GMT 2006
I'm not in agreement either way, but here's a proposed solution for
getting rid of the GET delete requests:

Drop the buttons for "Delete" completely and make checkboxes for each,
with a "Delete Posts" submit button on the bottom of the page? We
already do this on the Manage Bookmarks page and it's actually more
user-friendly because you can delete multiple posts/pages at once.
from accidentally clicking the "Delete" button and with no confirmation
popup from "poof" post gone, sorry. And that would also remove the need
for the AJAX list management code, or we could still use AJAX for the

As for approving comments from emails, either do what Ryan Duff is

What about a hash appended to the link that is generated when the
email is sent? To delete it via a single click it would require the
hash to match. The other POST method could be used in the admin
interface for security there.

The only person that would get the hash would be the email
recipient, removing the risk of anybody being able to craft a link
and cause you to delete something with a single click.

Or, we don't allow approving comments from emails, but we provide a link
to WP Admin where you can (using a POST). I don't know, I'm all about
the aesthetically pleasing GUI, but this seems a little trivial for
something that can be accomplished with REST and still be aesthetically
pleasing with checkboxes.
Concept 64, Inc. | Phone: 610.349.0703 | Web: www.concept64.com
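The two mechanisms discussed in this thread, a hash appended to the one-click link in the notification e-mail and a POST-only checkbox form in the admin interface, as an added illustration that is not code from the thread or from WordPress. It uses a generic HMAC-signed link scheme rather than anything WordPress itself shipped; the secret key, admin URL, the one-week expiry and the per-session form nonce on the POST handler are assumptions added here, and the sample values are constructed.

```python
import hashlib
import hmac
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample secret (assumption): in a deployment this lives in server
# config, never in source, and is never sent to the browser or put in the mail.
SECRET_KEY = b"constructed-example-secret-do-not-use"

# Placeholder admin endpoint (assumption), not WordPress's real URL layout.
ADMIN_URL = "https://example.invalid/wp-admin/comment.php"

TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumption: e-mail links stop working after a week


def _signature(action: str, comment_id: int, expires: int) -> str:
    # HMAC over every field the link carries, so changing any one of them
    # (e.g. "approve" -> "delete", or the comment id) invalidates the hash.
    msg = f"{action}|{comment_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_email_link(action: str, comment_id: int, now: Optional[int] = None) -> str:
    """Build the one-click link that only the notification e-mail recipient receives."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL_SECONDS
    query = urlencode({
        "action": action,
        "c": comment_id,
        "expires": expires,
        "hash": _signature(action, comment_id, expires),
    })
    return f"{ADMIN_URL}?{query}"


def verify_email_link(url: str, now: Optional[int] = None) -> Optional[Tuple[str, int]]:
    """Return (action, comment_id) if the hash matches and the link is unexpired, else None.

    A crafted link without the server-side secret cannot produce a matching hash,
    which is the property the thread wants from the one-click e-mail approval.
    """
    now = int(time.time()) if now is None else now
    params = parse_qs(urlparse(url).query)
    try:
        action = params["action"][0]
        comment_id = int(params["c"][0])
        expires = int(params["expires"][0])
        presented = params["hash"][0]
    except (KeyError, ValueError, IndexError):
        return None  # missing or malformed field: treat as a forged link
    if action not in ("approve", "delete"):
        return None
    if now > expires:
        return None
    expected = _signature(action, comment_id, expires)
    # Constant-time comparison so the hash cannot be recovered via timing differences.
    if not hmac.compare_digest(expected, presented):
        return None
    return action, comment_id


def bulk_delete_from_form(method: str, form: Dict[str, List[str]],
                          session_nonce: str) -> Optional[List[int]]:
    """Admin-side handler for the checkbox list: only a POST carrying the session's
    nonce (an addition beyond the thread) yields the list of ids to delete;
    a plain GET link, however it was reached, does nothing."""
    if method != "POST":
        return None
    presented = form.get("_nonce", [""])[0]
    if not hmac.compare_digest(session_nonce, presented):
        return None
    try:
        return [int(v) for v in form.get("delete[]", [])]
    except ValueError:
        return None
```

`make_email_link` is what the mail-sending code would call; the admin endpoint calls `verify_email_link` on the incoming URL and acts only on a non-`None` result. The checkbox form is handled by `bulk_delete_from_form`, which ignores anything that is not a POST, so an `<img src>` or a pasted link can no longer delete a post.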