[wp-hackers] Re: protecting wp-content/plugins ?

Christian Höltje docwhat+list.wp.hackers at gerf.org
Thu Aug 30 14:56:08 GMT 2007


* Otto (otto at ottodestruct.com) [070829 12:33]:
> On 8/23/07, Tom Barta <tbarta at gmail.com> wrote:
> > Sure it does.  If I have a PHP script that is vulnerable when executed
> > directly, but then I move it out of the document root, it can no longer be
> > executed directly (via HTTP requests) and therefore is no longer a real
> > vulnerability (assuming it's secure as a library).
> 
> No, it doesn't. Any plugin that you can exploit directly can also be
> exploited indirectly as well. Plugins are include'd into WordPress.
> They even get globals. Examine wp-settings.php to understand how
> plugins work.

Well, unless the plugin isn't activated.  In which case it isn't
included into WordPress (except when visiting the admin plugins page).
So there is a small advantage.

I think that it looks unprofessional to have the directory out in the
open.  I'm not sure if index.html/php vs. apache rewrite rules are
better, though.

Ciao!

-- 
Handy Latin Phrase #105
	Perscriptio in manibus tabellariorum est.
	(The check is in the mail)

The Doctor What: Ebullient                       http://docwhat.gerf.org/
docwhat *at* gerf *dot* org                                        KF6VNC
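For the two options weighed above (an index file per directory versus Apache rules), here is an added example of the Apache-rule approach, not code from the thread or from WordPress: an `.htaccess` dropped into `wp-content/plugins/` that hides the listing and refuses direct HTTP requests to plugin PHP files. It assumes Apache 2.4 (`Require` syntax), `mod_authz_core`, and an `AllowOverride` setting that permits these directives.

```apache
# Added example, not from the thread: defensive .htaccess for wp-content/plugins/
# Assumes Apache 2.4 with mod_authz_core and AllowOverride allowing Options/Limit.

# 1. Stop the directory from being "out in the open": no auto-generated
#    listing, so no index.html/index.php is needed in every plugin folder.
Options -Indexes

# 2. Refuse direct HTTP requests to any .php file below this directory.
#    WordPress include()s activated plugins from the filesystem, so this does
#    not affect them; it only removes the "execute the script directly" path
#    for inactive or never-activated plugin files. (Equivalent to a
#    mod_rewrite rule returning [F], but needs no RewriteEngine.)
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
```

As the thread notes, this does nothing for a vulnerable plugin that is activated, since WordPress still includes it; it also breaks any plugin that legitimately serves one of its own PHP files directly, so test after enabling it.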

