[wp-hackers] protecting wp-content/plugins ?

Sam Bauers sam at viveka.net.au
Wed Aug 22 00:51:54 GMT 2007


You are absolutely right that using a properly made plugin is the
best security technique. But the point of the method I wrote up was
to hide the file's existence to stop it from being detected by some
sort of scanning technique. Returning a 404 is the way to do this.
The good plugin coding practices you mention will secure any direct
exploit (if one might exist) from calling the file directly, but it
will still return an HTTP status of 200, so if I'm an attacker, I
know it is there. This *may* be helpful down the track, when a
seemingly well written and secure plugin becomes insecure for some
reason. So appending that conditional to the start of a plugin will
help in that it will slow down an attacker's detection of available
exploits. It is also a lot easier than auditing the code in every
plugin you install.

Sam

On 22/08/2007, at 4:23 AM, Otto wrote:

> So the utility of a method like yours (check for ABSPATH) is limited
> in scope, since a properly made plugin would never need such a check
> in the first place. It's generally a fine way to partially secure a
> plugin after the fact, by the end user though.

--------------------------------------------------------------
  Sam Bauers

  sam at viveka.net.au
--------------------------------------------------------------
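As an added example of the conditional Sam describes (not code from the post or from WordPress): a PHP guard placed at the very top of a plugin file that answers a direct HTTP request with a 404 instead of the 200 that a bare `exit` produces. The 404 body is a constructed placeholder imitating a generic server error page.

```php
<?php
/*
 * Guard for the first lines of a plugin file (added example).
 *
 * When WordPress includes the plugin, ABSPATH is already defined and this
 * block does nothing. When the file is fetched directly over HTTP, nothing
 * has defined ABSPATH, so the request is answered with 404 and the script
 * stops before any plugin code runs.
 *
 * The plain guard Otto refers to,
 *     if ( ! defined( 'ABSPATH' ) ) { exit; }
 * stops execution too, but the response is still "200 OK" with an empty
 * body, which confirms to a scanner that the file is present.
 */
if ( ! defined( 'ABSPATH' ) ) {
    // Status must be set before any output, or header() has no effect.
    // Echo the protocol the client used instead of hard-coding HTTP/1.1.
    $protocol = isset( $_SERVER['SERVER_PROTOCOL'] ) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0';
    header( $protocol . ' 404 Not Found', true, 404 );
    header( 'Content-Type: text/html; charset=utf-8' );

    // Constructed body resembling a generic web server 404 page. Match it to
    // what your own server returns for a genuinely missing file; a body that
    // differs from the server's real 404 is itself a fingerprint.
    echo '<!DOCTYPE html><html><head><title>404 Not Found</title></head>'
       . '<body><h1>Not Found</h1>'
       . '<p>The requested URL was not found on this server.</p></body></html>';
    exit;
}

// Plugin code proper starts below this line.
```

The guard only changes what a direct request observes; it does not fix a vulnerability in the plugin, and a request routed through WordPress (where ABSPATH is defined) is unaffected.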
