[wp-hackers] Disabling Tools->Export

Harry Metcalfe harry at dxw.com
Wed Jun 27 13:24:46 UTC 2012


It's not so much that I'm concerned that it would happen maliciously - 
clearly, if they can install plugins, we're already screwed. It's more 
that a plugin we want to install might re-add the capability without us 
knowing.

It is certainly not a major risk, but it is also not much work to 
mitigate it completely -- 3 lines of code and a paragraph on the codex.

It just seems a bit fragile to use a plugin to enforce something that 
any other plugin could simply remove.


On 27/06/12 14:19, Mike Little wrote:
> Also Harry, if someone has the ability to load and activate plugins, they
> have the ability to extract the DB credentials from wp-config.php and write
> their own DB dump code. So no flag in the core of WordPress would prevent
> that.
>
> Put your code to disable the functionality (and hide the menu if it helps)
> in a must use plugin (wp-content/mu-plugins), and make it non-writable by
> any users of the system (apache or any ftp users) -- I usually make the
> file owned by root and read only.
>
> And don't allow any non-trusted users the ability to install plugins, by any
> means.
>
>
> Mike
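Mike's suggested mu-plugin, written out as an added example for this thread (not code posted by Mike, Harry or WordPress core). It assumes a file named disable-export.php in wp-content/mu-plugins and relies on wp-admin/export.php checking the `export` capability via current_user_can() before producing a dump.

```php
<?php
/**
 * Plugin Name: Disable Tools->Export
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before ordinary
 * plugins and cannot be deactivated from the admin UI. Harden the file
 * itself as Mike describes, e.g.:
 *   chown root:root disable-export.php && chmod 444 disable-export.php
 * (Example mu-plugin for this thread; file name is an assumption.)
 */

// Deny the 'export' capability for every user, regardless of what a role
// or another plugin grants. The map_meta_cap filter runs inside
// current_user_can(), which wp-admin/export.php checks before building a
// dump, so this blocks direct requests to /wp-admin/export.php as well as
// the menu entry.
add_filter( 'map_meta_cap', function ( $caps, $cap ) {
    if ( 'export' === $cap ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, PHP_INT_MAX, 2 );

// Hide the Tools->Export submenu. A very late priority means a plugin that
// re-adds the page on admin_menu at a normal priority is still overridden;
// a plugin that hooks later than this one wins, which is exactly the
// fragility Harry raises above.
add_action( 'admin_menu', function () {
    remove_submenu_page( 'tools.php', 'export.php' );
}, PHP_INT_MAX );
```

To confirm it took effect, log in as an administrator and request /wp-admin/export.php directly: WordPress should refuse with its "not allowed to export" message rather than offering the download.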

