• I have started using wp-cli to make administering my WP install easier, and I like it very much. However, I am concerned about the security.

    The wp-cli guide at wp-cli.org states that you should create a new directory within your web document root, download and put the wp-cli.phar file there and start it from there.

    But what is preventing just about anybody from entering the address of the wp-cli file in his web browser and calling it directly, maybe passing parameters to it? For example, there is the wp-cli command “wp db clean”, which wipes the entire database…

    Do I have to take precautions against unauthorized access like this, or does wp-cli already do this? I didn't find anything in the documentation and would really like to know…

    • This topic was modified 6 years, 5 months ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not an Everything else WordPress topic
Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    But what is preventing just about anybody from entering the address of the wp-cli file in his webbrowser and calling it directly, maybe passing parameters to it?

    Having that in web root and loading it in your browser does not execute it or make it executable. It’s a CLI tool and unless someone has access to the CLI on your web host, it won’t do anything.

    If you can install it outside of your webroot then do that. Make sure it’s in your CLI path so you can run it.

    If you have no choice but to put it in your webroot then that won’t cause any issues either.

    Thread Starter Pepz345

    (@pepz345)

    Thank you for your kind help and clarification! I think I can put the wp-cli phar file outside of the webroot, so it should be ok anyway.

    By the way, I just tested it and noticed that a browser will attempt to download the phar file. So apparently the webserver serves the file instead of executing it, which should not be a problem.
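The two replies above boil down to three things a site owner can verify from the shell on the host: whether wp-cli.phar actually sits under the document root (the moderator's advice is to move it out), whether the file is writable by other local accounts (anyone who can edit the phar controls what runs the next time `wp` is invoked), and, as the thread starter did, whether a fetched copy of the phar's URL came back as the raw file rather than as PHP output. The script below is an added example written for this thread, not code from the thread or from the wp-cli project; the directory layout and the sample HTML response it uses are constructed for illustration, and the Apache rule is one way to deny the file if it cannot leave the webroot.

```shell
#!/bin/sh
# Added example (not from the thread or the wp-cli project).
# Checks for a wp-cli.phar on a web host, plus an Apache deny rule for the case
# where the phar has to stay inside the document root.

# phar_inside_webroot WEBROOT PHAR_PATH
# Returns 0 if PHAR_PATH lies under WEBROOT, 1 if not, 2 if either path is missing.
# Both paths are canonicalised with `pwd -P` so symlinks and ../ segments
# cannot make a file inside the webroot look like it is outside.
phar_inside_webroot() {
    webroot=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    phar_dir=$(cd "$(dirname "$2")" 2>/dev/null && pwd -P) || return 2
    [ -f "$2" ] || return 2
    case "$phar_dir/" in
        "$webroot"/*) return 0 ;;
        *)            return 1 ;;
    esac
}

# world_writable FILE
# Returns 0 if the "other" write bit is set (column 9 of `ls -ld` output).
# A phar any local account can modify is a problem wherever it lives.
world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# response_is_raw_phar FILE
# FILE holds the body returned for the phar's URL (for example saved with `curl -o`).
# wp-cli.phar starts with a "#!/usr/bin/env php" stub followed by "<?php", so a raw
# copy begins with one of those; an HTML first line means the server ran it as PHP.
response_is_raw_phar() {
    first=$(head -n 1 "$1")
    case "$first" in
        '#!/usr/bin/env php'*|'<?php'*) return 0 ;;
        *)                              return 1 ;;
    esac
}

# apache_deny_phar_rule
# Prints an Apache 2.4 rule that refuses every request for a .phar file.
# Printed rather than written so it can be placed in the right .htaccess or vhost.
apache_deny_phar_rule() {
    cat <<'EOF'
<FilesMatch "\.phar$">
    Require all denied
</FilesMatch>
EOF
}

# demo: constructed layout under a temporary directory, one phar inside the
# webroot and one outside, then the three checks run against them.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/www/wp-cli" "$tmp/bin"
    printf '#!/usr/bin/env php\n<?php\n' > "$tmp/www/wp-cli/wp-cli.phar"
    cp "$tmp/www/wp-cli/wp-cli.phar" "$tmp/bin/wp-cli.phar"
    chmod 644 "$tmp/bin/wp-cli.phar"
    for p in "$tmp/www/wp-cli/wp-cli.phar" "$tmp/bin/wp-cli.phar"; do
        if phar_inside_webroot "$tmp/www" "$p"; then
            echo "INSIDE webroot:  $p"
        else
            echo "outside webroot: $p"
        fi
        if world_writable "$p"; then echo "  WARNING: world-writable"; fi
    done
    # A saved copy of the phar itself stands in for a raw download.
    if response_is_raw_phar "$tmp/bin/wp-cli.phar"; then
        echo "fetched body is the raw phar (served as a file, not executed)"
    fi
    rm -rf "$tmp"
}

demo
```

Run the three functions against the real paths on the host (`phar_inside_webroot /var/www/html /var/www/html/wp-cli/wp-cli.phar`, or wherever the phar was placed) and, after `curl -o body.txt https://example.invalid/wp-cli/wp-cli.phar` against the site, `response_is_raw_phar body.txt`. A return of 1 from the last check, or a body that starts with HTML, means the server is handing the file to PHP and the phar should be moved or denied; the `Require all denied` rule is the fallback when moving it is not an option.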


The topic ‘How safe is it to install wp-cli within www folder’ is closed to new replies.