[wp-hackers] Security at Wordpress

Ryan Scheuermann ryan at concept64.com
Mon Apr 24 15:09:52 GMT 2006

I'm not in agreement either way, but here's a proposed solution for 
getting rid of the GET delete requests:

Drop the buttons for "Delete" completely and make checkboxes for each, 
with a "Delete Posts" submit button on the bottom of the page?  We 
already do this on the Manage Bookmarks page and it's actually more 
user-friendly because you can delete multiple posts/pages at once.  
Plus, it slightly curbs people with Javascript disabled or JS problems 
from accidentally clicking the "Delete" button and with no confirmation 
popup from "poof" post gone, sorry.  And that would also remove the need 
for the AJAX list management code, or we could still use AJAX for the 
form submit...

As for approving comments from emails, either do what Ryan Duff is 

    What about a hash appended to the link that is generated when the
    email is sent? To delete it via a single click it would require the
    hash to match. The other POST method could be used in the admin
    interface for security there.

    The only person that would get the hash would be the email
    recipient, removing the risk of anybody being able to craft a link
    and cause you to delete something with a single click.

Or, we don't allow approving comments from emails, but we provide a link 
to WP Admin where you can (using a POST).  I don't know, I'm all about 
the aesthetically pleasing GUI, but this seems a little trivial for 
something that can be accomplished with REST and still be aesthetically 
pleasing with checkboxes.

Ryan Scheuermann

Concept 64, Inc. | Phone: 610.349.0703 | Web: www.concept64.com

More information about the wp-hackers mailing list