[wp-hackers] protecting wp-content/plugins ?

Otto otto at ottodestruct.com
Thu Aug 23 15:23:12 GMT 2007


On 8/22/07, Tom Barta <tbarta at gmail.com> wrote:
> Sure, perfectly-written plugins don't have any issues

I'm sorry, but you also missed my point here.

A plugin either a) has an exploit or b) does not. For the "no exploit"
case, this sort of code is wholly unnecessary. For the exploit case,
this sort of code doesn't actually fix the exploitable code.

What Sam was suggesting was a way to prevent "hackers" from "scanning"
for known exploits.

What you are all missing is that "hackers" don't scan for exploits.
There's *no point* in scanning for exploits. It's a web page. Scanning
for an exploit and actually performing the exploit are *the same
thing* from the standpoint of the hacker. It's just a single HTTP
request.

> but most computer security is based around layers of protection.

I agree with this; however, this is an invalid layer of protection. It
doesn't solve the exploit. You're still vulnerable with this sort of
code, if the plugin is vulnerable in the first place.

A layer of protection should actually *protect* something. Hiding
something is not protecting it.

