[wp-hackers] Where Should Plugins Store Files?
Jeremy Clarke
jer at simianuprising.com
Thu Sep 16 17:11:55 UTC 2010
On Tue, Sep 14, 2010 at 3:09 AM, Ryan Bilesky <rbilesky at gmail.com> wrote:
> I don't think another directory for plugin data is necessary. I personally
> use a sub-dir of uploads. I see no reason why anyone would have to use
> anything different.
>
+1
Properly securing even one directory can involve many lines of
Apache/.htaccess config. Also when moving installations around within a
server the permissions can easily get lost and need to be reset. Having as
few deviations as possible from a standard (unwritable) is the best bet for
keeping things simple.
ALSO: On top of Jacob's strategy of having nothing writable except uploads,
it is also a good idea to disable execution of PHP files in that writable
dir. Otherwise if a hacker can manage to upload a php file (maybe disguised
as a .jpg or something) they can use it to exploit other parts of your
system.
The upshot of this is that I hope no one is using their plugins to output
.php files into the writable directories they create, as they wouldn't work
on my site. I don't see any reason why doing so would make sense, but people
will try anything sometimes.
--
Jeremy Clarke | http://jeremyclarke.org
Code and Design | http://globalvoicesonline.org
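The "disable PHP execution in the writable dir" advice above, written out as an .htaccess file. This is an added example, not configuration from the post or from WordPress itself; it assumes the writable tree is wp-content/uploads, that Apache is in use, and that AllowOverride for that directory permits AuthConfig (2.4) or Limit (2.2) directives, plus Options if the php_flag part is kept.

```apache
# wp-content/uploads/.htaccess  (added example, not from the original post)
#
# Refuse to serve anything that looks like a PHP script from the uploads
# tree, so a file smuggled in through an upload form cannot be executed by
# requesting it. The pattern deliberately also matches double extensions
# such as shell.php.jpg, which setups using AddHandler (rather than
# SetHandler with an anchored regex) would otherwise still hand to PHP.
<FilesMatch "\.(php[0-9]?|phtml|phar)(\.|$)">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>

# Belt and braces when PHP runs as an Apache module: turn the engine off for
# this whole tree so even a file with an unexpected extension is served as
# plain text. Has no effect (and is skipped) under php-fpm/FastCGI. Needs
# AllowOverride Options, otherwise Apache answers 500 for the directory.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

To check that it took effect, drop a file named test.php containing `<?php echo 'executed';` into the uploads directory and request it with curl: the expected answer is 403 (or the literal source text if only the php_flag branch applies), never the word "executed". Delete the test file afterwards. The same rule on nginx is a `location` block under the uploads path with `deny all;` for `\.php$`, since .htaccess files are not read there.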