[wp-hackers] protecting wp-content/plugins ?
Sam Bauers
sam at viveka.net.au
Wed Aug 22 00:51:54 GMT 2007
You are absolutely right that using a properly made plugin is the
best security technique. But the point of the method I wrote up was
to hide the file's existence to stop it from being detected by some
sort of scanning technique. Returning a 404 is the way to do this.
The good plugin coding practices you mention will secure any direct
exploit (if one might exist) from calling the file directly, but it
will still return an HTTP status of 200, so if I'm an attacker, I
know it is there. This *may* be helpful down the track, when a
seemingly well written and secure plugin becomes insecure for some
reason. So appending that conditional to the start of a plugin will
help in that it will slow down an attacker's detection of available
exploits. It is also a lot easier than auditing the code in every
plugin you install.
Sam
On 22/08/2007, at 4:23 AM, Otto wrote:
> So the utility of a method like yours (check for ABSPATH) is limited
> in scope, since a properly made plugin would never need such a check
> in the first place. It's generally a fine way to partially secure a
> plugin after the fact, by the end user though.
--------------------------------------------------------------
Sam Bauers
sam at viveka.net.au
--------------------------------------------------------------
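The guard Sam describes, written out as an added example (this is not code from the thread or from any WordPress plugin). It assumes a standard WordPress install, where `wp-load.php` defines `ABSPATH` before any plugin file is included, so a direct HTTP request for the plugin file is the only case in which `ABSPATH` is undefined. The plugin header and the `init` callback are placeholders.

```php
<?php
/*
Plugin Name: Guarded Example Plugin (illustration only, not a real plugin)
*/

// Added example. When this file is requested directly, e.g.
// /wp-content/plugins/guarded-example/guarded-example.php, WordPress
// has not been loaded and ABSPATH is undefined. A plain `exit` or `die()`
// at this point still answers 200 and confirms the file exists; sending a
// 404 with the server's usual "Not Found" body makes the response look
// like any other missing path, which is the whole point of the guard.
if ( ! defined( 'ABSPATH' ) ) {
    if ( ! headers_sent() ) {
        // Use the protocol the client spoke so the status line is well formed.
        $protocol = isset( $_SERVER['SERVER_PROTOCOL'] ) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0';
        header( $protocol . ' 404 Not Found' );
        header( 'Content-Type: text/html; charset=iso-8859-1' );
    }
    // Body modelled on the stock Apache 404 page so the reply does not stand
    // out from the server's genuine 404s. Adjust to match your own server.
    echo "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n";
    echo "<html><head>\n<title>404 Not Found</title>\n</head><body>\n";
    echo "<h1>Not Found</h1>\n";
    echo "<p>The requested URL was not found on this server.</p>\n";
    echo "</body></html>\n";
    exit;
}

// Everything below runs only when WordPress itself included this file.
add_action( 'init', function () {
    // Placeholder for the plugin's real behaviour.
} );
```

Two things a practitioner should check when relying on this. First, the `header()` call only works if nothing has been output yet: a UTF-8 byte-order mark, a blank line or a space before `<?php` in any file that gets included first will cause the 404 status to be silently dropped and the response to go out as 200, so verify with a direct request (e.g. `curl -I` against the plugin URL) after installing. Second, the guard only covers files PHP actually executes; a `readme.txt`, stylesheet or script shipped in the same plugin directory still answers 200 and reveals the plugin's presence, so the 404 trick buys some time against scanners that probe the PHP entry point, not concealment of the plugin as a whole, which is consistent with the "slow down" framing above rather than a substitute for keeping plugins patched.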