[wp-hackers] Security in wordpress

Mike Schinkel mikeschinkel at newclarity.net
Sun May 9 16:11:57 UTC 2010


I thought the only truly safe WordPress install was one on a computer not connected to any network, ever. ;-)

But seriously, do you know if these Apache config items will work in .htaccess, or only in httpd.conf?

-Mike

On May 9, 2010, at 10:42 AM, Jeremy Clarke wrote:

> For the record: The only truly safe WordPress install is one where the only
> directories that Apache can write to (regardless of whether it's through
> chmoding loose enough or giving Apache direct access via chown) are the ones
> that ABSOLUTELY MUST be writeable, i.e. /wp-content/uploads/, and those
> directories can't run any scripts. Any folder that is writeable by the
> server should be unable to process any scripts, especially PHP. You can
> achieve this in your Apache config using some arcane definitions about PHP.
> Here's how I do it on a site to get you started; I don't fully understand it
> all any more:
> 
>    <Directory /path/to/site/wp-content/uploads>
>        # Do not read .htaccess files in this directory: anything that can
>        # write here could otherwise drop one that re-enables PHP.
>        AllowOverride None
>        # mod_php: switch the PHP interpreter off, so a .php file placed here
>        # is served as plain text instead of being executed.
>        php_admin_flag engine off
>        # "none" clears any open_basedir inherited from a parent scope; with
>        # the engine off it has no further effect.
>        php_admin_value open_basedir none
>    </Directory>
> 
> You may not require absolute security, but without these setups there is
> always a chance that someone could upload an exploit file using a hacked user
> account, then access it in the wp-config/uploads/ directory using their
> browser. You need to make those directories inert for scripts, which
> shouldn't be a problem as I don't think anyone expects PHP to be uploaded to
> posts for any reason.
> 
> -- 
> Jeremy Clarke
> Code and Design | globalvoicesonline.org
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
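
On the .htaccess question, the same hardening written out both ways, as an added example that is not code from either poster. php_admin_flag and php_admin_value are accepted only in the main server config (httpd.conf or a VirtualHost/Directory block there); mod_php rejects them in .htaccess with "not allowed here". The .htaccess form is php_flag engine off, which needs the parent config to permit AllowOverride Options (or All), and like php_admin_flag it exists only when PHP runs as mod_php (it is a syntax error under PHP-FPM/CGI). The FilesMatch block depends on neither and refuses PHP-looking names outright, which also closes the double-extension case (shell.php.jpg) that an AddHandler-based setup would still execute. The path, vhost layout and module name are assumptions.

```apache
# ---- Option 1: main config (httpd.conf or a <VirtualHost>). Assumed example path. ----
<Directory "/var/www/example.com/wp-content/uploads">
    # Ignore any .htaccess in the writable tree; an attacker who can write
    # here could otherwise drop one that turns PHP back on.
    AllowOverride None

    # mod_php only. php_admin_* is main-config only and cannot be undone by
    # php_flag, .htaccess or ini_set(). Module name varies by PHP version:
    # mod_php5.c (PHP 5), mod_php7.c (PHP 7), mod_php.c (PHP 8).
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>

    # Handler-independent fallback, also effective with PHP-FPM or CGI:
    # refuse to serve any file whose name carries a PHP-ish extension,
    # whether at the end (x.php) or mid-name (x.php.jpg), so the request
    # dies before any handler sees it instead of the source being served.
    <FilesMatch "\.(php[0-9]*|phtml|phar)(\.|$)">
        # Apache 2.4
        Require all denied
        # Apache 2.2 equivalent (use instead of the line above):
        # Order allow,deny
        # Deny from all
    </FilesMatch>
</Directory>

# ---- Option 2: wp-content/uploads/.htaccess, if you cannot edit httpd.conf. ----
# Honoured only when the parent config allows it: AllowOverride All, or at least
# Options (for php_flag) plus AuthConfig (for Require; Limit for Deny on 2.2).
# <IfModule mod_php5.c>
#     php_flag engine off
# </IfModule>
# <FilesMatch "\.(php[0-9]*|phtml|phar)(\.|$)">
#     Require all denied
# </FilesMatch>
```

The two options are mutually exclusive as written: AllowOverride None in Option 1 means an .htaccess in uploads is never read, so pick the main-config form whenever you have access to it. After reloading, drop a harmless test file such as uploads/probe.php containing only `<?php echo "executed"; ?>` and fetch it in a browser: a 403 (FilesMatch) or the literal source text (engine off alone) means the directory is inert; the word "executed" means the rule is not being applied to that path.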
