[wp-hackers] Is WP_INSTALLING constant here to stay?

Andrew Nacin wp at andrewnacin.com
Tue Jan 22 17:29:18 UTC 2013

On Tue, Jan 22, 2013 at 12:07 PM, Dino Termini <dino at duechiacchiere.it>wrote:

> you are correct, I didn't elaborate enough on what I'm trying to do, and I
> understand the confusion. My plugin includes a file that is called via
> Ajax, and performs some basic tasks depending on the data it receives. For
> most tasks I don't need to load WP, as I can take care of that directly,
> thus avoiding to increase the load on people's servers (like your post
> says). In some specific cases, I need WP, and that's when I load it. My
> 'mistake' was to do the include inside the method, this messing up the
> scope of WP's variables. It's fixed now.

I would avoid this. Here's but five reasons why:

1) I doubt it will be very clean to structure this file in such a way that
you are able to globally including wp-load.php, and still benefit from
having all of your Ajax handlers (those that need WP and those that do not)
in one place. Wouldn't separating the two make more sense?

2) If you don't need to load WP, do you even need PHP? Is JavaScript
sufficient for processing your data? Just curious.

3) I would generally discourage directly accessing a plugin's PHP files via
HTTP. One security measure sometimes deployed is to blacklist such files
from external access. A plugin following core WP's architecture for Ajax
requests will be unaffected.

4) WordPress core's Ajax handler prevents aggressive browser caching,
blocks UTF-7 and content type sniffing vulnerabilities, side-steps robot
crawling, allows cross-domain usage, lets other plugins interface with your
plugin, and enables you to properly identify both authorization (access
bypass vulnerabilities) and intention (cross-site request forgeries) using
core API. Is your self-built Ajax handler equipped for any of these?

5) If for some reason you do this, how are you actually locating
wp-load.php? That's one of the most fundamental problems here. If you start
to blindly traverse directories, you are ignoring that wp-content/plugins
can be moved to pretty much anywhere else on the filesystem without issue.
If you start doing things like ../wp-load.php, ../../wp-load.php,
../wordpress/wp-load.php, *you are doing it wrong*.


More information about the wp-hackers mailing list