[wp-trac] [WordPress Trac] #36177: default htaccess should include security measures
WordPress Trac
noreply at wordpress.org
Fri Dec 20 22:20:26 UTC 2024

#36177: default htaccess should include security measures
-------------------------+------------------------------
 Reporter:  lelutin      |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Security     |     Version:
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:
-------------------------+------------------------------
Comment (by azaozz):
 Replying to [https://core.trac.wordpress.org/ticket/62724#comment:3 swissspidy]:
 > it looks like this ticket is more about unnecessary error logging rather
 > than a path disclosure. Still, blocking direct access to the files in
 > question using the web server configuration file should resolve the issue
 > for now, until any changes are implemented in core.

 Right, it seems #62724 is not about "security hardening". However having
 accessible `.php` files that would throw PHP fatal errors when accessed
 still means some poorly written code? Generally all WP files should either
 bootstrap WP or not contain any "loose" PHP code, right? However it seems
 there are a lot of files that do not comply with that requirement.

 A somewhat cumbersome way to fix this would be to check whether ABSPATH is
 set in all of these files. This seems generally expected for plugins, but
 not for core. Why not? Yea, I agree checking ABSPATH is not an elegant
 solution, but all of these files are non-compliant with the basic
 standards already?
-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/36177#comment:22>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
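
An added example, not part of the ticket or of WordPress core: a small audit that sorts the `.php` files under a directory by whether they check ABSPATH, bootstrap WordPress, or do neither, which is the distinction the comment above draws. The matching heuristics, the bootstrap file list and the sample tree are assumptions made for this sketch.

```python
import re
import tempfile
from pathlib import Path

# Heuristics (assumptions for this example, not WordPress core's own rules):
# a file is "guarded" if it tests defined('ABSPATH'); it "bootstraps" if it
# requires wp-load.php, wp-blog-header.php or wp-config.php.
GUARD = re.compile(r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)")
BOOTSTRAP = re.compile(
    r"\b(?:require|include)(?:_once)?\b[^;]*\bwp-(?:load|blog-header|config)\.php")
COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)  # naive, not string-aware

def classify(source: str) -> str:
    """Return 'guarded', 'bootstraps' or 'unguarded' for one PHP source text."""
    code = COMMENTS.sub("", source)  # ignore guards that only appear in comments
    if GUARD.search(code):
        return "guarded"
    if BOOTSTRAP.search(code):
        return "bootstraps"
    return "unguarded"

def audit(root: Path) -> dict[str, str]:
    """Classify every .php file under root, keyed by path relative to root."""
    return {
        p.relative_to(root).as_posix(): classify(p.read_text(errors="replace"))
        for p in sorted(root.rglob("*.php"))
    }

def demo() -> dict[str, str]:
    # Constructed sample tree; file names and contents are made up.
    samples = {
        "plugin/main.php": "<?php\nif ( ! defined( 'ABSPATH' ) ) {\n\texit;\n}\nadd_action( 'init', 'f' );\n",
        "entry.php": "<?php\nrequire_once __DIR__ . '/wp-load.php';\n",
        "inc/loose.php": "<?php\n// defined( 'ABSPATH' ) is never checked here\nadd_filter( 'x', 'y' );\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in samples.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_text(body)
        return audit(root)

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:10} {path}")
```

Files reported as `unguarded` are candidates for review, not confirmed problems: a file that only declares functions or classes produces no error when requested directly.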
    
    