Edit Flow
[resolved] Should not require /wp-admin/includes/user.php (4 posts)

  1. robbyslaughter
    Posted 5 years ago #

    It appears that edit-flow requires the file /wp-admin/includes/user.php. This is inadvisable because a common security practice is to delete the /wp-admin/ folder entirely on production WordPress installations.

    I believe that this thread provides some insight on how to address the problem.

  2. Mohammad Jangda
    Plugin Author

    Posted 5 years ago #

    Thanks for your comment @robbyslaughter.

    Moving or deleting the wp-admin folder is not a recommended practice and can have many unwanted side effects. (See this post from Core Developer Andrew Nacin)

    If you secure your blog well enough, you shouldn't have to worry about the wp-admin at all.

    That being said, I actually commented on that ticket, and while it is a step forward, it does not cover all the use cases that Edit Flow needs when it comes to searching for users. There's talk of further changes coming in 3.1 and we'll keep an eye out for that.

  3. Andrew Nacin
    Lead Developer
    Posted 5 years ago #

    Mo is right... The only thing I would be concerned with here is if WP_User_Search develops a dependency that is outside wp-admin/includes/user.php, thus causing a fatal error. We don't make guarantees that these files can be included as one-offs from non-admin scope and that things will work. But I've certainly done it before, and it's just something you have to keep in mind during the beta periods. (Alternatively, you can include wp-admin/includes/admin.php, but that will load a lot of extra stuff and could degrade performance.)

    Indeed, WP_User_Search has been gutted in 3.0, check out WP_User_Query (which is in wp-includes). It's also been moved, so Edit Flow would break. http://wpdevel.wordpress.com/2010/10/07/wp_user_search-has-been-replaced-by-wp_u/

  4. robbyslaughter
    Posted 5 years ago #

    Perhaps there is a better thread to suggest this, but it seems like a reasonable method for securing a blog ought to be removing the components of WordPress that allow administrative access to the blog. Unlike server configuration changes, which require considerable expertise, the ability to simply delete the /wp-admin/ folder seems like an elegant design.

    In any case, it seems like Andrew's point stands. In simpler terms, we're probably both using WordPress in a non-recommended fashion. :-)

Topic Closed

This topic has been closed to new replies.
