[wp-hackers] Security: New Password Protect Page Option

Lynne Pope lynne.pope at gmail.com
Sat Apr 18 03:46:12 GMT 2009


In December an associate reported heavy loads on searches on his site. It
appeared they were all querying the same phrase - which was part of content
that he had password protected for people who had subscriptions to his site.


He concluded that one of his permitted users must have disclosed
information. However, after seeing Scott Reilly's new plugin, I am able to
confirm that the password-protected posts were appearing in search results
from the WordPress search.
(http://coffee2code.com/wp-plugins/omit-passworded-posts-from-search/)

This is really concerning and I doubt many people will be aware that the
default WP search returns results from password-protected posts.  I sure
wasn't!

Scott has opened a trac ticket here:
http://core.trac.wordpress.org/ticket/9559

I believe this is a serious privacy issue for some sites and it should be
fixed in the core. The trac ticket is only a couple of days old and I hope
it doesn't get overlooked in the race to get 2.8 completed.

Cheers,
Lynne
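
One way to keep password-protected posts out of front-end search results, as an added example that is not part of the original message and is not code from the plugin or from WordPress core. The function name is hypothetical, and the capability check for editors is an assumption about who should still see protected posts in search.

```php
<?php
/**
 * Added example: exclude password-protected posts from front-end search.
 * Hypothetical function name; place in a small site-specific plugin.
 */
function example_omit_passworded_posts_from_search( $where, $query ) {
    global $wpdb;

    // Only touch front-end search queries; leave admin post lists alone.
    if ( is_admin() || ! $query->is_search() ) {
        return $where;
    }

    // Assumption: users who can edit others' posts may still find
    // protected posts through search.
    if ( current_user_can( 'edit_others_posts' ) ) {
        return $where;
    }

    // A protected post is one whose post_password column is non-empty,
    // so require an empty password for every row the search returns.
    return $where . " AND {$wpdb->posts}.post_password = ''";
}

// posts_where passes the SQL WHERE clause and the WP_Query object.
add_filter( 'posts_where', 'example_omit_passworded_posts_from_search', 10, 2 );
```

To check the result, search the site while logged out for a phrase that occurs only in a protected post and confirm that the post is no longer listed.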

