[wp-trac] [WordPress Trac] #26273: Deactivated plugins and themes should not execute (was: If possible, change file permissions on deactivated plugins so they're not web-accessible.)

WordPress Trac noreply at wordpress.org
Fri Jul 25 23:54:29 UTC 2014


#26273: Deactivated plugins and themes should not execute
----------------------------+-----------------------
 Reporter:  kirrus          |       Owner:
     Type:  enhancement     |      Status:  reopened
 Priority:  normal          |   Milestone:
Component:  Administration  |     Version:
 Severity:  normal          |  Resolution:
 Keywords:                  |     Focuses:
----------------------------+-----------------------
Changes (by jsimone):

 * status:  closed => reopened
 * resolution:  maybelater =>


Comment:

 This is a big issue, and it applies to themes as well. If anything, the
 WordPress narrative is half the problem because documentation and the
 community think that if something isn't active, it's safe!

 I find it to be completely unacceptable that an application which touts
 such a secure platform would allow one dumb or malicious theme file to
 hijack a website even when it isn't active.

 The solution might be inconvenient but I think it really needs to be taken
 seriously. If it breaks multi-site, then fix multi-site. I know I'm coming
 in a bit late, but a milestone like 4.0 is really the perfect place to
 address a potentially breaking-change such as this.

 The solution could be as simple as renaming files. Heck, change the file
 extension or package them into an archive.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/26273#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
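
The "package them into an archive" idea from the comment above, as an added example that is not part of the ticket or of WordPress core. It covers plugins only, and it assumes the caller supplies the active plugin entries in the form the `active_plugins` option stores them (`akismet/akismet.php`, `hello.php`); the function name and the sample paths are hypothetical.

```python
import shutil
import tarfile
from pathlib import Path


def quarantine_inactive(plugins_dir, active_entries, archive_dir):
    """Archive every plugin not listed in active_entries, then remove it.

    active_entries are paths relative to plugins_dir, supplied by the caller
    (assumption); this function does not read the WordPress database.
    Returns the sorted names of the plugins that were archived.
    """
    plugins_dir, archive_dir = Path(plugins_dir), Path(archive_dir)
    # Archiving inside the plugin tree would leave the files under the web root.
    if archive_dir.resolve().is_relative_to(plugins_dir.resolve()):
        raise ValueError("archive_dir must be outside plugins_dir")
    archive_dir.mkdir(parents=True, exist_ok=True)

    # The first path component names the plugin: a directory or a lone file.
    active = {Path(e).parts[0] for e in active_entries if e}
    moved = []
    for item in sorted(plugins_dir.iterdir()):
        if item.name in active or item.name == "index.php":
            continue  # index.php is the stock directory-listing guard
        if item.is_symlink() or not (item.is_dir() or item.suffix == ".php"):
            continue  # leave symlinks and non-plugin files for manual review
        target = archive_dir / (item.name + ".tar.gz")
        with tarfile.open(target, "w:gz") as tar:
            tar.add(item, arcname=item.name)
        # Remove only after the archive has been written and closed.
        if item.is_dir():
            shutil.rmtree(item)
        else:
            item.unlink()
        moved.append(item.name)
    return moved


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree, not a real site.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "wp-content", "plugins")
        for rel in ("akismet/akismet.php", "old-gallery/upload.php",
                    "hello.php", "index.php"):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text("<?php // constructed\n")
        print(quarantine_inactive(root, ["akismet/akismet.php"],
                                  Path(tmp, "quarantine")))
```

Point `archive_dir` at a location the web server does not serve; reactivating a plugin then means extracting its archive back into the plugins directory first.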

