[wp-hackers] Is disabling remote client access a good idea?

Ryan McCue ryanmccue at cubegames.net
Wed Jun 25 10:02:36 GMT 2008


DD32 wrote:
> The way they've been more vulnerable in the past has not been checking 
> the username/password, but rather, if the user could perform the 
> action AFAIK.
> (E.g., a Subscriber signs up, can pass the user login stage; next is 
> checking that the user has all the permissions to do a certain action. 
> In the admin section, this is pretty complicated; then you need to 
> duplicate all the security checks in XML-RPC, etc.)

In my opinion, this just means that we need more regression testing, 
especially for XML-RPC. If we had automated regression testing, then 
this would not be a factor.

Thanks,
Ryan.
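To make the authentication-versus-authorization point from the quoted message concrete, here is an added example (not code from this thread and not WordPress core) of two XML-RPC methods registered from a plugin. Both verify the username and password; only the second one repeats the capability check the admin screens perform before publishing. The method names `example.publishPostWeak` and `example.publishPostFixed` and the helper `example_authenticate_xmlrpc` are hypothetical; it assumes it runs inside WordPress, where `wp_authenticate`, `current_user_can`, `wp_publish_post` and the `IXR_Error` class are available during an XML-RPC request.

```php
<?php
/*
Plugin Name: XML-RPC capability check example (hypothetical, added example)
*/
// Added example, not WordPress core and not code posted in this thread.
// Assumes WordPress is loaded and the request arrived via xmlrpc.php, so
// IXR_Error (wp-includes/class-IXR.php) is defined.

add_filter('xmlrpc_methods', 'example_register_xmlrpc_methods');

function example_register_xmlrpc_methods($methods) {
    // Hypothetical method names; the point is the difference between them.
    $methods['example.publishPostWeak']  = 'example_publish_post_weak';
    $methods['example.publishPostFixed'] = 'example_publish_post_fixed';
    return $methods;
}

// Step shared by both handlers: authentication only.
// Returns a WP_User on success or an IXR_Error on failure.
function example_authenticate_xmlrpc($username, $password) {
    $user = wp_authenticate($username, $password);
    if (is_wp_error($user)) {
        return new IXR_Error(403, 'Bad login/pass combination.');
    }
    // Make current_user_can() reflect this caller for the rest of the request.
    wp_set_current_user($user->ID);
    return $user;
}

// WEAK: stops at "is this a valid account?". A Subscriber with a valid
// login passes this check and publishes a post, which the admin UI would
// never let that role do.
function example_publish_post_weak($args) {
    list($post_id, $username, $password) = $args;
    $user = example_authenticate_xmlrpc($username, $password);
    if ($user instanceof IXR_Error) {
        return $user;
    }
    wp_publish_post((int) $post_id);
    return true;
}

// FIXED: after authentication, duplicate the authorization check the
// admin section performs: may this user publish, and may they edit this
// particular post?
function example_publish_post_fixed($args) {
    list($post_id, $username, $password) = $args;
    $user = example_authenticate_xmlrpc($username, $password);
    if ($user instanceof IXR_Error) {
        return $user;
    }
    $post_id = (int) $post_id;
    if (!get_post($post_id)) {
        return new IXR_Error(404, 'Invalid post ID.');
    }
    if (!current_user_can('publish_posts') || !current_user_can('edit_post', $post_id)) {
        return new IXR_Error(401, 'Sorry, you are not allowed to publish this post.');
    }
    wp_publish_post($post_id);
    return true;
}
```

A regression test for the XML-RPC layer of the kind Ryan asks for would call each method as a Subscriber and assert that the second one returns the 401 error while the first one, the bug, does not; the check that needs to be duplicated is the `current_user_can()` call, not the login.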

