[wp-trac] [WordPress Trac] #56141: Enhance installer security

WordPress Trac noreply at wordpress.org
Sat Aug 30 21:24:30 UTC 2025


#56141: Enhance installer security
--------------------------+-----------------------------
 Reporter:  smitka        |       Owner:  (none)
     Type:  enhancement   |      Status:  new
 Priority:  high          |   Milestone:  Future Release
Component:  Security      |     Version:
 Severity:  major         |  Resolution:
 Keywords:  dev-feedback  |     Focuses:
--------------------------+-----------------------------

Comment (by oglekler):

 Sadly, I stumbled upon this half a year ago. It was an issue with the
 deployment process, and as a result, a duplicate of WordPress was
 installed into a project subdirectory called 'wordpress'. The damage was
 significant. It hit me really hard when the newly launched project got
 hacked in a flash... I am preparing a request to the DB, validating and
 sanitizing all that is possible, and using a nonce if applicable… I am
 still horrified just to think about what happened. So I would love to see
 the solution. I believe this is very important.

 In the community, we also had some reports on the support forum when
 people were writing like, "I left the setup until the morning, and in the
 morning all my hosting was hacked. I never saw such a leaky system" (I
 cannot recall the exact words, but I saw this).

 I was thinking of locking the installation after some time limit - to
 check when the WordPress files were created and lock the setup if some time
 has elapsed. I was thinking about this because you can add a manual
 connection to the DB in wp-config.php and still not manage to finish the
 setup, leaving it open to bots.

 The key point is that the user cannot realize what 'unfinished setup'
 means (as well as DevOps who are much more into k8s and other 'cool'
 stuff). So, possibly a setup that is just thrown somewhere should not
 install itself at all, and wp-config.php can have a clear warning that the
 absence of its tables in the database is dangerous. I cannot find a better
 solution than to check the time of the files and, if 15 minutes or more
 have elapsed, for example, lock the setup if a connection with the DB is
 present but the tables are absent.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/56141#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
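A sketch of the "lock the setup after a time limit" idea from the comment above, added here as an illustration; it is not WordPress core code and not part of ticket #56141. It assumes it runs inside wp-admin/install.php after wp-load.php (so $wpdb, ABSPATH, MINUTE_IN_SECONDS and wp_die() exist); the constant name WP_SETUP_LOCK_MINUTES and the function names are hypothetical.

```php
<?php
// Added example, not core code: lock an unfinished installer once the
// files are older than a threshold and the DB has no WordPress tables.
if ( ! defined( 'WP_SETUP_LOCK_MINUTES' ) ) {
    define( 'WP_SETUP_LOCK_MINUTES', 15 ); // hypothetical; value from the comment
}

/**
 * Seconds since the newest marker file was written. wp-config.php counts
 * when present, so a manually added DB connection still starts the window;
 * wp-settings.php covers a bare unpacked tree without a config file.
 */
function setup_lock_age_seconds() {
    $markers = array( ABSPATH . 'wp-config.php', ABSPATH . 'wp-settings.php' );
    $newest  = 0;
    foreach ( $markers as $file ) {
        if ( is_readable( $file ) ) {
            $newest = max( $newest, (int) filemtime( $file ) );
        }
    }
    return ( 0 === $newest ) ? 0 : time() - $newest;
}

/**
 * True when the DB connection works but the options table is absent,
 * i.e. the "connection present, tables absent" state from the comment.
 */
function setup_is_unfinished( $wpdb ) {
    $found = $wpdb->get_var(
        $wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $wpdb->options ) )
    );
    return empty( $found );
}

/**
 * Refuse to continue the installer once the window has elapsed. Only the
 * combination of an old file tree and missing tables triggers the lock, so
 * a fresh upload or an already-installed site is never blocked.
 */
function maybe_lock_setup( $wpdb ) {
    $limit = WP_SETUP_LOCK_MINUTES * MINUTE_IN_SECONDS;
    if ( setup_is_unfinished( $wpdb ) && setup_lock_age_seconds() > $limit ) {
        wp_die(
            sprintf( 'Installation was left unfinished for more than %d minutes and has been locked.', WP_SETUP_LOCK_MINUTES ),
            'Setup locked',
            array( 'response' => 403 )
        );
    }
}

maybe_lock_setup( $wpdb );
```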
