Due to the insistence of a colleague, I installed WordPress on our intranet for him to use for presentation of his results. I am considering also using WordPress since it has a lot of features that I haven't (yet) built into my own home-brew PHP code for database access.
However, looking at the way WordPress is structured, it is very different from the way I would have coded things, and I have some concerns regarding security. Maybe someone can comment on this?
Firstly, I write all my code such that only short files containing basically require directives only are located in the HTTP document tree, so no accident on my part should result in my PHP code being dumped to a browser, and the chances of my PHP scripts being overwritten by a hacker without my noticing it remain small. My PHP code is located away from the doc tree with appropriate safe permissions set so it would be hard to overwrite or directly see them. To do this, I generally have only one URL that accesses an entire database-site, and use a hidden variable to determine which part of the code the user is going to on the next request. But WordPress does not appear to be developed with this in mind. I am wondering how difficult it would be to move most of the code off the document tree. Has anyone tried this?
Another thing is that WordPress does not appear to be using SESSION variables, and carries all the session identification in a cookie, including the md5 encrypted password. In my case, we authenticate against a Windows server, and the function I use for that needs the password un-encrypted (but it sends it over to the server in its own encrypted form for verification) - I am using smb_validate. So in order to use WordPress, I need to remove the password check after log-in, because I cannot verify using the md5 encrypted password stored in the cookie, and it would be a big no-no to pass around an unencrypted password there. I'm concerned about the security of my modification - of course I left the cookie itself intact, but haven't yet looked into how much else is checked. I am also concerned about how secure this way of doing things is anyway - my colleague tells me that if he reopens a closed browser without logging out, he is still logged in (bad for shared computers!). In my code, my cookie is tied to that and only that browser window - close the window and you are effectively logged out.
Any comments on this would be welcome!
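
The layout described in the post (one short stub in the document tree, the real code outside it, a hidden variable selecting the next page), sketched as an added example that is not part of the original post or of WordPress. The path `/srv/app/pages`, the field name `page` and the file names are assumptions; the hidden value is only ever matched against an allow-list and is never used as a path itself.

```php
<?php
// index.php: the only PHP file inside the document tree (added example).
// Assumption: application code lives in /srv/app/pages, outside the docroot,
// and is read-only for the web server user.
declare(strict_types=1);

const APP_PAGES = '/srv/app/pages';   // hypothetical location outside the docroot

// Allow-list: value of the hidden "page" field => file under APP_PAGES.
// File names are hypothetical.
const PAGES = [
    'home'   => 'home.php',
    'search' => 'search.php',
    'edit'   => 'edit_record.php',
];

/**
 * Map the hidden "page" value to a file path, or null if it must be refused.
 */
function resolve_page(string $base, array $pages, $requested): ?string
{
    // Reject unknown keys and non-string input such as page[]=x.
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        return null;
    }
    $baseReal = realpath($base);
    $path     = realpath($base . '/' . $pages[$requested]);
    // realpath() returns false for missing files and resolves symlinks, so a
    // link planted in the pages directory that points elsewhere fails the
    // prefix check below.
    if ($baseReal === false || $path === false) {
        return null;
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$target = resolve_page(APP_PAGES, PAGES, $_POST['page'] ?? 'home');
if ($target === null) {
    http_response_code(404);
    exit('Not found');
}
require $target;
```

If the web server ever serves this stub as plain text, the only things disclosed are the allow-list and one path; the included files cannot be requested by URL at all.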