[wp-hackers] Disabling Tools->Export

Doug Stewart zamoose at gmail.com
Wed Jun 27 13:30:50 UTC 2012


Get more trustworthy users?

*grin*

On Wed, Jun 27, 2012 at 9:24 AM, Harry Metcalfe <harry at dxw.com> wrote:
> It's not so much that I'm concerned that it would happen maliciously -
> clearly, if they can install plugins, we're already screwed. It's more that
> a plugin we want to install might re-add the capability without us knowing.
>
> It is certainly not a major risk, but it is also not much work to mitigate
> it completely -- 3 lines of code and a paragraph on the codex.
>
> It just seems a bit fragile to use a plugin to enforce something that any
> other plugin could simply remove.
>
>
>
> On 27/06/12 14:19, Mike Little wrote:
>>
>> Also Harry, if someone has the ability to load and activate plugins, they
>> have the ability to extract the DB credentials from wp-config.php and write
>> their own DB dump code. So no flag in the core of WordPress would prevent
>> that.
>>
>> Put your code to disable the functionality (and hide the menu if it helps)
>> in a must use plugin (wp-content/mu-plugins), and make it non-writable by
>> any users of the system (apache or any ftp users) -- I usually make the
>> file owned by root and read only.
>>
>> And don't allow any non-trusted users the ability to install plugins, by any
>> means.
>>
>>
>> Mike
>



-- 
-Doug
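
One way to write the must-use plugin Mike describes in the quoted reply, as an added example that is not code from the thread. The file name disable-export.php and the wp_die() message text are assumptions.

```php
<?php
/**
 * Must-use plugin: disable Tools -> Export.
 * Added example, not code from the thread. The path
 * wp-content/mu-plugins/disable-export.php is an assumed file name.
 *
 * Deploy as Mike describes, owned by root and read-only, e.g.:
 *   chown root:root wp-content/mu-plugins/disable-export.php
 *   chmod 0444      wp-content/mu-plugins/disable-export.php
 */

// 1. Deny the 'export' capability for every user. Appending 'do_not_allow'
//    in map_meta_cap also blocks multisite super admins, and it wins even if
//    another plugin has added 'export' to a role. PHP_INT_MAX makes this
//    filter run after other map_meta_cap filters.
add_filter( 'map_meta_cap', function ( $caps, $cap ) {
    if ( 'export' === $cap ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, PHP_INT_MAX, 2 );

// 2. Hide the menu entry ("and hide the menu if it helps").
add_action( 'admin_menu', function () {
    remove_submenu_page( 'tools.php', 'export.php' );
}, PHP_INT_MAX );

// 3. Refuse direct requests to wp-admin/export.php, independent of the
//    capability check, in case step 1 is ever removed by other code.
add_action( 'load-export.php', function () {
    wp_die( 'Export is disabled on this site.', 'Export disabled', array( 'response' => 403 ) );
} );

// Limits: a plugin that calls remove_all_filters() on these hooks, or reads
// wp-config.php and dumps the database itself, still gets around this,
// which is why plugin installation has to stay with trusted users.
```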

