[wp-hackers] protecting wp-content/plugins ?

Rob Miller r at robm.me.uk
Mon Aug 20 16:16:13 GMT 2007

jacobsantos at branson.com wrote:
> Yes, the PLUGIN_DIR would work, except for that pesky function that 
> looks for wp-content/plugins to test for plugin filename. I'm not 
> exactly sure what would happen then. I'm sure this has been tested and 
> known to work. In fact, I was contemplating trying it myself, since I 
> have access outside of web root.
> I'll get back with my results. I think it might also be possible to 
> move wp-includes, but I'm not sure what impact it would have on the js 
> folders which must remain in www root.
> In this sense, it is completely up to the administrator to take proper 
> action to avoid hackers. With as much as someone can do on their own, 
> it can't be blamed on WordPress (but actually it can), it is just 
> easier to just download and go. Not every host allows for folder 
> access outside of www root, Dreamhost does, GoDaddy does not.
> Jacob Santos
There's also the potential to break lots of plugins, both ones that 
hardcode `wp-content/plugins` and ones that reference web-accessible 
stuff from their directories (images, form actions, etc.).

The former is perhaps bad practice, but I don't see how you can avoid 
the latter.

Rob Miller
