[wp-trac] [WordPress Trac] #61003: Direct access to .php files in /wp-includes is not protected out of the box
WordPress Trac
noreply at wordpress.org
Fri Apr 12 23:49:08 UTC 2024
#61003: Direct access to .php files in /wp-includes is not protected out of the box
--------------------------+------------------------
Reporter: teo8976 | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Security | Version:
Severity: normal | Resolution: duplicate
Keywords: | Focuses:
--------------------------+------------------------
Comment (by teo8976):
> errors like this are a server configuration issue.
A server configuration issue **in WordPress**. I don't care what prefix
you put before the word "issue", this is an issue that WordPress is
responsible for.
It's not the responsibility of the user to figure out how to configure the
server in the way that WordPress requires to function properly.
**The installer** should either create whatever configuration is
necessary, or instruct the user to do so if it can't. If any such
configuration is subject to possible user preferences (e.g. 404 vs 403,
but I don't think that's the case here, this should be a 404), either
choose a sensible default or ask the user to choose during the
installation process.
WordPress knows what URLs correspond to valid pages and therefore it is
responsible to make sure it doesn't respond with a 200 or show a blank
page (and execute PHP files that are not supposed to be directly called,
which is a potential security concern or at the very least could have all
kinds of side effects), whether it does so from within PHP code, with a
server configuration file that it makes sure to be in place, or in
whatever way you see fit.
Also, note that **I can configure my server to return a 404 response, but
I cannot configure it to display WordPress's fancy 404 page**.
I've **never seen** (in recent years) **a framework that doesn't do
this**. It's unbelievable that I even need to argue that this is an issue.
> Marking as a duplicate of #36177
That starts with
> WordPress has some code that automatically creates a .htaccess file for
> users
When I installed WordPress, no `.htaccess` file was created at all. It's
possible that initially I had some directory writing permission
misconfigured, but I got no warning whatsoever about that, and no message
was shown telling me that there was an option to create a `.htaccess`
file, or that I should create one, nothing.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61003#comment:4>
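The kind of server-side rule the comment is asking WordPress to ship, written out here as an added example; it is not code from this ticket or from WordPress core. It assumes Apache httpd with mod_rewrite enabled, `AllowOverride` permitting `.htaccess` directives, and WordPress installed at the site root (hence `RewriteBase /`).

```apache
# Added example: refuse direct web requests for include-only PHP files.
# Assumptions: Apache httpd, mod_rewrite loaded, .htaccess allowed,
# WordPress at the document root.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Nothing under wp-admin/includes/ is a valid request target.
    RewriteRule ^wp-admin/includes/ - [F,L]

    # Skip the next three rules for any path outside wp-includes/.
    RewriteRule !^wp-includes/ - [S=3]

    # Top-level wp-includes/*.php is library code, never a page.
    # [F] answers 403; use [R=404,L] instead if a 404 is preferred.
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

    # TinyMCE language files and theme-compat shims are include-only too.
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

Two caveats a practitioner should check before deploying this: on a multisite install that still serves uploads through `wp-includes/ms-files.php`, the top-level `wp-includes/*.php` rule must be dropped or that path exempted; and because the `[F]` flag short-circuits rewriting, the request never reaches `index.php`, so WordPress's own 404 template is not rendered (the `R=404` variant returns the status but likewise hands the error page to Apache's `ErrorDocument`, not to WordPress). After applying the rules, a request for `/wp-includes/version.php` should return 403 (or 404) rather than a blank 200 page.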