[wp-hackers] Security issues with multi user installation

R.J. Kaplan just.be.happy at gmail.com
Thu Aug 10 18:21:47 GMT 2006

> The themes are a big security risk in WP, considering they are php  
> files (and therefore, can execute any command on a unix level as  
> the server). As a precaution (though offers very little protection)  
> is to setup the multiple blogs to use separate databases (with  
> different db_users and capabilities). This would prevent some blogs  
> from messing around with other people's blogs.
> Also, I would recommend changing all .php files to read only by the  
> server, except wp-content is extremely vulnerable. You could remove  
> write access to wp-content, but users will never be able to upload  
> their own themes.

What user capabilities would be the minimum for wordpress to be  

More information about the wp-hackers mailing list