[wp-hackers] protecting wp-content/plugins ?

jacobsantos at branson.com
Mon Aug 20 18:04:18 GMT 2007

I sometimes wonder if it is worth working on WordPress, and this kind of 
stuff explains why. Of course, the alternative is to spend a couple of 
years building a system from the ground up, so the choice remains to 
continue with WordPress.

Whatever solution, but security through obscurity isn't a bad solution, 
it just gets a bad name because that is the only *security* implemented 
(lack of validation, sanitizing, etc). I think the easiest solution, 
with notes on codex is best, in my opinion.

Jacob Santos

Rob Miller wrote:
> jacobsantos at branson.com wrote:
>> Yes, the PLUGIN_DIR would work, except for that pesky function that 
>> looks for wp-content/plugins to test for plugin filename. I'm not 
>> exactly sure what would happen then. I'm sure this has been tested 
>> and known to work. In fact, I was contemplating trying it myself, 
>> since I have access outside of web root.
>> I'll get back with my results. I think it might also be possible to 
>> move wp-includes, but I'm not sure what impact it would have on the 
>> js folders which must remain in www root.
>> In this sense, it is completely up to the administrator to take 
>> proper action to avoid hackers. With as much as someone can do on 
>> their own, it can't be blamed on WordPress (but actually it can), it 
>> is just easier to just download and go. Not every host allows for 
>> folder access outside of www root, Dreamhost does, GoDaddy does not.
>> Jacob Santos
> There's also the potential to break lots of plugins, both ones that 
> hardcode `wp-content/plugins` and ones that reference web-accessible 
> stuff from their directories (images, form actions, etc.).
> The former is perhaps bad practice, but I don't see how you can avoid 
> the latter.
