WordPress.org

Security features for plugin API (2 posts)

  1. moonman239
    Member
    Posted 3 years ago #

    Feature #1: Plugin privileges. Why not give the blog administrator(s) the ability to give a plugin permission to do certain things? So like, when I go to install a plugin, WordPress will then tell me what privileges the plugin will need right out of the box. If the plugin needs any additional privileges later, WordPress will ask me to grant those privileges.

    Feature #2: Maybe plugins should have a file extension that does not end in .php*. That way, plugins aren't compiled directly by the PHP compiler. Instead, WordPress looks at the PHP code and runs it if neither the file nor any associated PHP files appear to be attempting to modify any files belonging to WordPress.

  2. #1 You mean permissions on your server? Like chmod etc? The answer there is security. If WordPress had that ability, someone could make an evil plugin and inject a virus or other hack attack on your server. You don't want that, do you?

    #2 May be a bit late for that, but if possible, not a bad idea. That said, you'd really want to watch for ANY file being modified by the commands, and that's harder to track. You'd have to have something like 'This plugin wants to modify these files : <foo, bar and baz>. It wants to create these files: <bar, zot and zap>. Please confirm...'
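
The inspection proposed in Feature #2 and the confirmation prompt sketched in the reply, as an added example (not part of the thread and not WordPress code): a PHP tokenizer pass that names literal paths passed to file-writing built-ins and reports the calls whose path cannot be resolved statically. The function list, `scan_plugin_source`, and the sample plugin source are assumptions constructed for illustration.

```php
<?php
// Added illustration, not WordPress code. The function list is an assumption:
// built-ins whose first argument is the path being written or removed.
const WRITE_FUNCS = ['file_put_contents', 'unlink', 'rename', 'touch', 'mkdir', 'rmdir', 'chmod'];

function scan_plugin_source(string $code, array $existingFiles): array
{
    $report = ['modify' => [], 'create' => [], 'unresolved' => []];
    // Drop whitespace and comments so calls can be matched token by token.
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter(
        token_get_all($code),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));
    foreach ($tokens as $i => $t) {
        $isCall = is_array($t) && $t[0] === T_STRING
            && in_array(strtolower($t[1]), WRITE_FUNCS, true)
            && ($tokens[$i + 1] ?? null) === '(';
        // Skip method calls and declarations that merely share a name.
        $prev = $tokens[$i - 1] ?? null;
        $isMember = is_array($prev)
            && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true);
        if (!$isCall || $isMember) {
            continue;
        }
        $arg = $tokens[$i + 2] ?? null;
        $after = $tokens[$i + 3] ?? null;
        // Only a lone string literal is a path that can be named with certainty.
        if (is_array($arg) && $arg[0] === T_CONSTANT_ENCAPSED_STRING
            && ($after === ',' || $after === ')')) {
            $path = substr($arg[1], 1, -1);
            $kind = in_array($path, $existingFiles, true) ? 'modify' : 'create';
            $report[$kind][] = $path;
        } else {
            $report['unresolved'][] = "{$t[1]}() on line {$t[2]}";
        }
    }
    return $report;
}

// Constructed sample plugin source and constructed list of files already on disk.
$plugin = <<<'SRC'
<?php
file_put_contents('wp-config.php', $extra, FILE_APPEND);
touch('cache/zot.tmp');
unlink($dir . '/old.log');
SRC;
$r = scan_plugin_source($plugin, ['wp-config.php', 'index.php']);
printf("This plugin wants to modify these files: <%s>.\n", implode(', ', $r['modify']));
printf("It wants to create these files: <%s>.\n", implode(', ', $r['create']));
printf("Paths that cannot be determined before running: <%s>.\n", implode(', ', $r['unresolved']));
```

The calls reported as unresolved are the "harder to track" case from the reply: a path built at run time cannot be listed in advance, so a static pass can only surface the call for review.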

Topic Closed

This topic has been closed to new replies.
