Security features for plugin API | WordPress.org

moonman239
(@moonman239)

13 years, 5 months ago

Feature #1: Plugin privileges. Why not give the blog administrator(s) the ability to give a plugin permission to do certain things? So like, when I go to install a plugin, WordPress will then tell me what privileges the plugin will need right out of the box. If the plugin needs any additional privileges later, WordPress will ask me to grant those privileges.

Feature #2: Maybe plugins should have a file extension that does not end in .php*. That way, plugins aren’t compiled directly by the PHP compiler. Instead, WordPress looks at the PHP code and runs it if neither the file nor any associated PHP files appear to be attempting to modify any files belonging to Wordpess.

Viewing 1 replies (of 1 total)

Moderator Ipstenu (Mika Epstein)
(@ipstenu)

🏳️‍🌈 Advisor and Activist

13 years, 5 months ago

#1 You mean permissions on your server? Like chmod etc? The answer there is security. If WordPress had that ability, someone could make an evil plugin and inject a virus or other hack attack on your server. You don’t want that, do you?

#2 May be a bit late for that, but if possible, not a bad idea. That said, you’d really want to watch for ANY file being modified by the commands, and that’s harder to track. You’d have to have something like ‘This plugin wants to modify these files : <foo, bar and baz>. It wants to create these files: <bar, zot and zap>. Please confirm…’

Viewing 1 replies (of 1 total)

The topic ‘Security features for plugin API’ is closed to new replies.

In: Requests and Feedback
1 reply
2 participants
Last reply from: Ipstenu (Mika Epstein)
Last activity: 13 years, 5 months ago
Status: not resolved

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics