WordPress.org


How secure are password protected directories? (4 posts)

  1. davidbessler
    Member
    Posted 7 years ago #

    In short: Will email addresses and private information visible in plain sight on wordpress be well protected by password-protecting (with .htaccess etc...) the entire wordpress directory?

    Detail:
    Problem 1: I needed a quick solution to allow my users (of all authorship levels) to email one another from wordpress based on the current email addresses listed in each person's profile. I also needed to allow them to email multiple people at once using checkboxes. So, one of my wordpress pages has a blatantly-obvious list of a whole bunch of people's email addresses.

    Problem 2: We have sensitive internal company information on wordpress. I password-protected the wordpress directory to prevent public access.

  2. Trent Adams
    Member
    Posted 7 years ago #

    In my experience, password protecting with .htaccess should be enough to keep your directory safe and sound. I am sure that even an experienced hacker could maybe find a workaround, but it won't be because of the .htaccess file....

  3. Kafkaesqui

    Posted 7 years ago #

    P1: http://codex.wordpress.org/Plugins/Spam_Tools#Email_Spam

    Though aimed at spam/email harvesting protection, it's still about email security. For the best protection here you probably want a solution that ties login name to email address internally in a form mail script. Possibly a plugin like WP-ContactForm could be modified to do this.

    P2: Agree with Trent; locking a site down through .htaccess is a rather secure measure, dependent on one's server arrangement (a company-owned server would tend to be more secure than a shared hosting environment). WP-based alternatives let you restrict access to WordPress to registered users:

    http://codex.wordpress.org/Plugins/Restriction
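
The approach suggested in the reply above (tie login name to email address inside the form mail script), as an added example in plain PHP; it is not code from this thread or from WP-ContactForm. The `DIRECTORY` array, the function names and the sample submission are constructed for illustration, and the line-break check on header values is an added hardening.

```php
<?php
// Constructed sample directory: login name => profile data. On a real site this
// lookup would read the user table; it is inline here so the file runs alone.
const DIRECTORY = [
    'alice' => ['name' => 'Alice Example', 'email' => 'alice@example.test'],
    'bob'   => ['name' => 'Bob Example',   'email' => 'bob@example.test'],
];

// Reject any value that could start a new header line.
function header_safe(string $value): string {
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('line break in header value');
    }
    return trim($value);
}

// Map submitted login names to addresses on the server; unknown names abort.
function resolve_recipients(array $logins, array $directory): array {
    $emails = [];
    foreach ($logins as $login) {
        if (!is_string($login) || !isset($directory[$login])) {
            throw new InvalidArgumentException('unknown recipient');
        }
        $emails[$login] = $directory[$login]['email']; // keyed, so duplicates collapse
    }
    if ($emails === []) {
        throw new InvalidArgumentException('no recipients selected');
    }
    return array_values($emails);
}

// Build the arguments for mail(); the sender comes from the session login,
// never from a form field.
function build_message(string $senderLogin, array $post, array $directory): array {
    if (!isset($directory[$senderLogin])) {
        throw new InvalidArgumentException('sender is not a known user');
    }
    $sender  = $directory[$senderLogin];
    $to      = implode(', ', resolve_recipients((array)($post['to'] ?? []), $directory));
    $subject = header_safe((string)($post['subject'] ?? ''));
    $headers = 'From: ' . header_safe($sender['name']) . ' <' . header_safe($sender['email']) . '>';
    return [$to, $subject, (string)($post['body'] ?? ''), $headers];
}

// Constructed form submission: the form only ever carries login names.
$post = ['to' => ['bob'], 'subject' => 'Lunch', 'body' => 'Noon?'];
[$to, $subject, $body, $headers] = build_message('alice', $post, DIRECTORY);
echo "$to\n$subject\n$headers\n"; // pass the same four values to mail() to send
```

Because the page markup and the POST data contain only login names, the address list never has to be printed on the page, and the script cannot be pointed at recipients outside the directory.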

  4. davidbessler
    Member
    Posted 7 years ago #

    Thanks for the info.

    One more question. I used to use formmail.cgi where the danger was people executing the script without a form from another server. But with php mail(), this must be different. Besides not having access to any cgi script, what mechanism prevents hackers from sending mail through your php server?

    Also, I have a pretty cool thing going which I put together myself: An email page with an email form with a multiple selection dropdown list for recipients which is drawn from all the users' profiles. It reads the current signed in user's email address and name into the form automatically. I've also reworked the email links all over the site to automatically go to this form and pre-populate the form with the recipient if you click on it.

    Two things I'd like to do:

    1) Generate a list of users' email addresses based on categories they've subscribed to (subscribe2).

    2) Add attachments (played with it, but ran into coding trouble).

    Kafkaesqui, I've seen you around a lot, you seem trustworthy. Would you mind taking a look at my site and code if I gave you the usernames and pws?

Topic Closed

This topic has been closed to new replies.
