[wp-hackers] protecting wp-content/plugins ?

Tom Barta tbarta at gmail.com
Sat Aug 18 15:09:54 GMT 2007


On 8/18/07, James Davis <james at freecharity.org.uk> wrote:
>
> Omry Yadan wrote:
>
> > covering wp-content and wp-themes will make the life of an attacker much
> > harder.
> > there is a huge difference because those are guaranteed to be there.
>
> The problem is a server wide one and should be fixed at that level if
> you really care about it. Placing an index file in the directory only
> masks the problem for a single application.


The problem is that those files have no place being subdirectories of the
Document Root in the first place.  I'm guessing they're placed there for
configuration simplicity (just unzip/untar wordpress in this directory and
it works), but couldn't there be a rather easy way to say "modify your PHP
include path, then move these directories somewhere else"?  I think anyone
with .htaccess can do this, and it's a heck of a lot better than the index
hack we're talking about.

Though, if those files are placed in the Document Root in the first place,
and since Wordpress as a whole has clearly prioritized ease-of-use even in
bad server environments, it makes sense that a blank index.{html,php} should
be sitting in any of those directories by default, since 1) it hurts
nothing, and 2) it reduces a potential attacker's knowledge about the
system.
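Added example, not part of the thread: a small POSIX shell audit for the two options being compared above, assuming an Apache document root where "Options -Indexes" disables listings server-side (the function names and the directory argument are my own).

```shell
#!/bin/sh
# Added example; assumes an Apache-served WordPress document root.

# Print every directory under wp-content (recursively) that has neither an
# index.html nor an index.php, i.e. one that a listing-enabled server would
# happily enumerate for a visitor.
wp_dirs_without_index() {
    root="$1"
    find "$root/wp-content" -type d | while read -r d; do
        if [ ! -e "$d/index.html" ] && [ ! -e "$d/index.php" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Return 0 if the given .htaccess or server config already turns listings off
# with "Options -Indexes" (the server-wide fix), non-zero otherwise.
listing_disabled_in() {
    conf="$1"
    [ -f "$conf" ] && grep -Eiq '^[[:space:]]*Options[[:space:]]+.*-Indexes' "$conf"
}

# The per-application "index hack": drop an empty index.php into each
# unprotected directory and print how many were created.
add_blank_indexes() {
    wp_dirs_without_index "$1" | while read -r d; do
        : > "$d/index.php"
        printf '%s\n' "$d"
    done | wc -l | tr -d ' '
}
```

Run `listing_disabled_in /path/to/docroot/.htaccess` first; if it succeeds, the blank index files add nothing, which is the point James makes above.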
