[wp-trac] [WordPress Trac] #50590: .htaccess deny from all auto-blocker if plugin got deactivated + WordPress internal firewall
WordPress Trac
noreply at wordpress.org
Tue Jul 7 11:53:52 UTC 2020
#50590: .htaccess deny from all auto-blocker if plugin got deactivated + WordPress
internal firewall
-----------------------------+-------------------------------
Reporter: KestutisIT | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 5.4.2
Severity: normal | Resolution:
Keywords: | Focuses: coding-standards
-----------------------------+-------------------------------
Comment (by jdembowski):
Replying to [ticket:50590 KestutisIT]:
> So, from discussion in forums, it appears,
> that website may also be hacked via deactivated plugin. So I suggest,
> that after a plugin has been deactivated, WordPress would automatically
> create .htaccess file in plugin's folder with "deny from all" content.
> That would prevent from non-updated deactivated plugin vulnerability, as
> often people believe, that they are safe if they got deactivated
> suspicious plugin, or they tested something and left that plugin on the
> server as deactivated for years.
> Also, there should be WordPress internal firewall, that should show BIG
> RED WARNING in all WP Admin that WordPress was not able to create
> .htaccess blocker for some plugin, and that user has to create that file
> with that content manually.
>
> This would boost WordPress security level to next class.

This does not sound like a good proposal as it's not effective for a
significant proportion of WordPress installations.

What about the many WordPress installations that use nginx or others that
completely ignore .htaccess files? That's just not a comprehensive
solution.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50590#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
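
Added example, not part of the original thread and not WordPress core code: a small audit that lists plugin folders left on disk but not active, and reports whether each one carries the proposed "deny from all" .htaccess and whether the web server would honour it. The function name, status strings, plugin names and server strings are assumptions constructed for illustration; the active list uses the "folder/file.php" form WordPress stores in its `active_plugins` option.

```python
import re
import tempfile
from pathlib import Path

# Apache 2.2 syntax from the ticket ("deny from all") and the Apache 2.4 form.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
                     re.IGNORECASE | re.MULTILINE)

def audit_inactive_plugins(plugins_dir, active_basenames, server_software):
    """Map each on-disk but inactive plugin folder to a status string."""
    # WordPress records active plugins as "folder/main-file.php".
    active_folders = {b.split("/")[0] for b in active_basenames if "/" in b}
    is_apache = "apache" in server_software.lower()
    report = {}
    for entry in sorted(Path(plugins_dir).iterdir()):
        if not entry.is_dir() or entry.name in active_folders:
            continue  # single-file plugins and active plugins are out of scope
        htaccess = entry / ".htaccess"
        has_deny = htaccess.is_file() and bool(
            DENY_RE.search(htaccess.read_text(errors="replace")))
        if not has_deny:
            report[entry.name] = "no-deny-file"
        elif is_apache:
            # Still only effective if AllowOverride permits it for this path.
            report[entry.name] = "deny-file-present"
        else:
            # Servers such as nginx never read .htaccess, so the file does nothing.
            report[entry.name] = "deny-file-ignored"
    return report

def demo(server_software):
    """Build a constructed plugins tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("akismet", "old-gallery", "old-forms"):  # constructed names
            (root / name).mkdir()
            (root / name / f"{name}.php").write_text("<?php // placeholder\n")
        (root / "old-forms" / ".htaccess").write_text("deny from all\n")
        (root / "hello.php").write_text("<?php // single-file plugin\n")
        return audit_inactive_plugins(root, ["akismet/akismet.php"], server_software)

if __name__ == "__main__":
    # Constructed server identification strings.
    for software in ("Apache/2.4.41 (Ubuntu)", "nginx/1.18.0"):
        print(software, demo(software))
```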