[wp-hackers] Security issues with multi user installation
Francis.Reyes at colorado.edu
Thu Aug 10 03:40:04 GMT 2006
The themes are a big security risk in WP, considering they are PHP files
(and therefore, can execute any command on a Unix level as the server).

A precaution (though it offers very little protection) is to set up the
multiple blogs to use separate databases (with different db_users and
capabilities). This would prevent some blogs from messing around with
other people's blogs.

Also, I would recommend changing all .php files to read-only by the
server, except wp-content is extremely vulnerable. You could remove
write access to wp-content, but users will never be able to upload their

R.J. Kaplan wrote:
> I'm setting up a blog hosting site, and I really want the users to be
> able to use their own themes, what are the different security risks
> and implications to this?
> I am NOT using mu, rather a customized WP config file that gets the
> right tables from the database based on the subdomain. Currently it's
> set up that the different blogs use different tables in the same
> database (with no shared tables) but I can separate them to different
> databases if that helps, though the db user will still be the same.
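
One way to audit the file-permission advice in the reply above, as an added example that is not part of the original thread. It checks mode bits only (which account owns the files is a separate question), and the function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find .php files that still carry a write bit, treating
# wp-content separately because it usually has to stay writable for uploads.

# Shared find(1) test: any of the owner/group/other write bits is set.
any_write_bit() {
    find "$@" -type f -name '*.php' \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print | sort
}

# writable_php ROOT -> writable .php files outside wp-content
writable_php() {
    root=${1%/}
    find "$root" -path "$root/wp-content" -prune -o \
        -type f -name '*.php' \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print | sort
}

# writable_content_php ROOT -> writable .php files inside wp-content
# (uploaded themes land here, so every hit is code a blog user could change)
writable_content_php() {
    root=${1%/}
    [ -d "$root/wp-content" ] || return 0
    any_write_bit "$root/wp-content"
}

# lock_core_php ROOT -> strip all write bits from .php files outside wp-content
lock_core_php() {
    writable_php "$1" | while IFS= read -r f; do
        chmod a-w "$f"
    done
}

# make_sample_tree DIR -> constructed sample layout, not a real install
make_sample_tree() {
    mkdir -p "$1/wp-includes" "$1/wp-content/themes/demo"
    : > "$1/index.php"
    : > "$1/wp-includes/cache.php"
    : > "$1/wp-content/themes/demo/index.php"
    chmod 644 "$1/index.php"
    chmod 444 "$1/wp-includes/cache.php"
    chmod 664 "$1/wp-content/themes/demo/index.php"
}
```

After `lock_core_php`, anything `writable_content_php` still reports is the remaining exposure the reply describes: PHP under wp-content that the server can both rewrite and execute.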