face,
Did the errors all come from that same plugin? Plugin authors should be using security checks in their code to avoid access from outside the WP environment. For example, the check_admin_referer
function checks if the referrer is accessing the page from the admin site, and has a valid nonce
value (more on WordPress nonces).
I’d suggest posting this topic to the WP-Hackers mailing list as well to see if anyone there has hardened their setup to avoid such random access. Here’s a possibly related thread on that list (from the plugin author’s viewpoint).
Note: there may already be a WordPress plugin that does this type of security check. See http://codex.wordpress.org/Hardening_WordPress.
Here’s another WordPress security tactic that also uses htaccess to limit access: Securing WordPress: A passive method for preventing unauthorized requests to wp-admin and wp-login.php.
Thread Starter: face (@face)
I agree that plugin authors *should* check to make sure that they are only called within the WP environment. That should be part of the guide to creating plugins (and themes?).
One simple example is this one
PHP Fatal error: Call to undefined function add_action() in /path-to-wordpress/wp-content/plugins/hello.php on line 60
Seems that the simple demo plugin would be a good place to “show by example”.
The biggest “problem” is having to create the .htaccess file with the full path to the source PHP program to be executed.
For the time being I have placed my special .htaccess file in ./wp-content/ and added the line
Options -Indexes
just in case the WordPress blog is located in a directory that would allow Apache to show a list of files in the absence of an index file like index.php or index.html. This particular case is handled by having “index.php” files in the ./wp-content/, ./wp-content/plugins/ and ./wp-content/themes/ directories, but that doesn’t solve the problem of the actual themes or plugins.
Another example is
http://myblog/wp-content/themes/default/
which generates this error
PHP Fatal error: Call to undefined function get_header() in /path-to-wordpress/wp-content/themes/default/index.php on line 7
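The following plugin file is an added illustration, not code from this thread, from hello.php or from any real plugin. It shows the two checks the thread talks about: the ABSPATH guard that stops a direct request to a plugin (or theme) file before it reaches add_action() or get_header(), which is what produces the fatal errors quoted above, and a nonce-protected admin action verified with check_admin_referer(). The plugin name, option name and all function names are hypothetical; the WordPress functions used (add_action, add_options_page, wp_nonce_url, admin_url, check_admin_referer, current_user_can, wp_die, update_option, wp_safe_redirect, esc_url) are real WordPress API calls.

```php
<?php
/*
Plugin Name: Guarded Example (hypothetical, illustration only)
*/

// Guard against direct access. WordPress defines ABSPATH in wp-load.php before
// it includes any plugin or theme file, so a request straight to
// .../wp-content/plugins/guarded-example.php arrives here with ABSPATH
// undefined. Exiting now avoids the "Call to undefined function add_action()"
// fatal error (and the server path it leaks). The same two lines work at the
// top of a theme template such as themes/default/index.php.
if ( ! defined( 'ABSPATH' ) ) {
    header( 'HTTP/1.1 403 Forbidden' );
    exit;
}

// Register an admin-only settings page and a state-changing action on it.
add_action( 'admin_menu', 'guarded_example_menu' );
add_action( 'admin_post_guarded_example_reset', 'guarded_example_reset' );

function guarded_example_menu() {
    // Only users with manage_options see the page at all.
    add_options_page( 'Guarded Example', 'Guarded Example', 'manage_options',
        'guarded-example', 'guarded_example_page' );
}

function guarded_example_page() {
    // Every link or form that changes state carries a nonce bound to a named
    // action. wp_nonce_url() appends it as the _wpnonce query argument.
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=guarded_example_reset' ),
        'guarded_example_reset'   // nonce action name, checked again below
    );
    echo '<div class="wrap"><h2>Guarded Example</h2>';
    echo '<p><a href="' . esc_url( $url ) . '">Reset counter</a></p></div>';
}

// Runs through wp-admin/admin-post.php, which loads WordPress first, so ABSPATH
// and the API are available here.
function guarded_example_reset() {
    // Capability check: a logged-in subscriber must not reach this action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // check_admin_referer() verifies the nonce in $_REQUEST['_wpnonce'] against
    // the named action (the referrer-only fallback applies just when no action
    // name is given). On failure it stops the request with wp_die(), so a
    // forged or out-of-context request never reaches the update below.
    check_admin_referer( 'guarded_example_reset' );

    update_option( 'guarded_example_counter', 0 );   // hypothetical option

    wp_safe_redirect( admin_url( 'options-general.php?page=guarded-example&reset=1' ) );
    exit;
}
```

With the guard in place, fetching the plugin file by its URL returns an empty 403 instead of a PHP fatal error, and the reset action only runs when the request comes from the admin page that minted the nonce.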