[wp-hackers] Using wp-content/uploads to store dynamically created js and CSS

Otto otto at ottodestruct.com
Wed Jan 8 22:34:09 UTC 2014


On Wed, Jan 8, 2014 at 4:02 PM, Nicola Peluchetti
<nicola.peluchetti at gmail.com> wrote:
> We've had a folder under wp-content for a long time where we stored themes
> but that has always been a pain, one time out of three there was no write
> access. In fact we are deprecating that in 2.0.

This is what the WP_Filesystem is for. If you need to write a file,
and you have no direct access, then WP_Filesystem will get credentials
from the user and you can use those to get write access through the
WP_Filesystem object.


> Why do you say it's unsafe? Is there some possibility that malicious users
> could exploit that? I mean is it a safety risk? Because obviously I don't
> care if anyone can access my CSS and JS code.

On some setups, with some configurations, yes, it can be a safety
risk. If I'm on the same server as you (shared hosting), then I could,
in theory, overwrite your files in the uploads folder with contents of
my choosing. Depending on the server configuration, of course.

For images, this doesn't matter so much. For CSS or JS files, I can
write code there which will exploit your site when your site includes
it on the page.

-Otto
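
An added example, not part of the message above or of WordPress itself: a Python audit that lists the CSS and JS files under an uploads directory that accounts other than the owner could overwrite, which is the condition the reply describes for shared hosting. It reads POSIX mode bits only, so ACLs and hosts where every site runs as one shared web-server user are outside what it can see; the function names and the sample tree are constructed here.

```python
import os
import stat
import tempfile

ASSET_EXTENSIONS = (".css", ".js")
LOOSE_WRITE = stat.S_IWGRP | stat.S_IWOTH  # write bits for group and other


def loose_write_reason(path):
    """Return why accounts other than the owner can change path, else None."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "symlink, the target decides who can write"
    if not st.st_mode & LOOSE_WRITE:
        return None
    # A sticky directory lets others add files but not replace existing ones.
    if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
        return None
    return "mode %04o is group/other writable" % stat.S_IMODE(st.st_mode)


def audit_generated_assets(uploads_root):
    """List (path, reason) for CSS/JS files another account could alter."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(uploads_root):
        dir_reason = loose_write_reason(dirpath)  # only the containing directory
        for name in filenames:
            if not name.lower().endswith(ASSET_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            reason = loose_write_reason(path)
            if reason is None and dir_reason:
                # Write access to the directory allows delete-and-recreate.
                reason = "directory " + dir_reason
            if reason:
                findings.append((path, reason))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample tree standing in for wp-content/uploads.
    root = tempfile.mkdtemp()
    for name, mode in (("style.css", 0o644), ("app.js", 0o666), ("logo.png", 0o666)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    for path, reason in audit_generated_assets(root):
        print(path, "->", reason)
```

Images are skipped on purpose, following the reply's point that an overwritten image matters less than an overwritten script or stylesheet.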

