[wp-hackers] protecting wp-content/plugins ?

Alan J Castonguay alan at verselogic.net
Mon Aug 20 17:29:06 GMT 2007

> Now if you add to this a well configured .htaccess file, the file  
> becomes practically invisible.

Returning 404 for direct plugin access does nothing to actually  
protect against detection of a known exploitable plugin. It's classic  
security through obscurity. In the unlikely case that the plugin is  
not dependent on add_action/filter() to bootstrap, but runs code  
directly in the global namespace on every page request, then there  
could be an exploit in this fashion.

If an attacker knows the common name for an exploitable plugin file  
and how it hooks into the public website (given, as the source is  
probably available) and that it keys off certain non-validated cookie/ 
get/post parameters, then all they have to do is construct the URI to  
wordpress' index.php and request it.

The best way to protect against this is for the plugin to validate  
all access (like to http://example/wp-content/plugins/badplugin.php)  
and input (like /index.php?unvalidatedsql=...), and deny anything  
that is not specifically desired.

With respect to "knowing the plugins installed is a security risk",  
sometimes bloggers make posts like http://www.douglaskarr.com/ 
2007/04/12/wordpress-what-plugins-am-i-running/ or use plugins like  
http://wordpress.org/extend/plugins/wp-pluginsused/ . This knowledge,  
together with source should not be sufficient to perform a remote- 

More information about the wp-hackers mailing list