[Plugin: Edit Flow] Should not require /wp-admin/includes/user.php

  • Resolved robbyslaughter


    It appears that edit-flow requires the file /wp-admin/includes/user.php. This is inadvisable because a common security practice is to delete the /wp-admin/ folder entirely on production WordPress installations.

    I believe that this thread provides some insight on how to address the problem.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Mohammad Jangda


    Thanks for your comment @robbyslaughter.

    Moving or deleting the wp-admin folder is not a recommended practice and can have many unwanted side effects. (See this post from Core Developer Andrew Nacin)

    If you secure your blog well enough, you shouldn’t have to worry about the wp-admin at all.

    That being said, I actually commented on that ticket, and while it is a step forward, it does not cover all the use cases that Edit Flow needs when it comes to searching for users. There’s talk of further changes coming in 3.1 and we’ll keep an eye out for that.

  • Lead Developer Andrew Nacin

    Mo is right… The only thing I would be concerned with here is if WP_User_Search develops a dependency that is outside wp-admin/includes/user.php, thus causing a fatal error. We don’t make guarantees that these files can be included as one-offs from non-admin scope and that things will work. But I’ve certainly done it before, and it’s just something you have to keep in mind during the beta periods. (Alternatively, you can include wp-admin/includes/admin.php, but that will load a lot of extra stuff and could degrade performance.)

    Indeed, WP_User_Search has been gutted in 3.0, check out WP_User_Query (which is in wp-includes). It’s also been moved, so Edit Flow would break.

    Perhaps there is a better thread to suggest this, but it seems like a reasonable method for securing a blog ought to be removing the components of WordPress that allow administrative access to the blog. Unlike server configuration changes—which require considerable expertise—the ability to simply delete the /wp-admin/ folder seems like an elegant design.

    In any case, it seems like Andrew’s point stands. In simpler terms, we’re probably both using WordPress in a non-recommended fashion. 🙂
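
Added example, not part of the thread and not Edit Flow's own code: one way a plugin could search users without a hard dependency on wp-admin, preferring WP_User_Query from wp-includes and only including the admin file after checking it is present, so a missing file yields an error value instead of a fatal error. The function name `ef_example_search_user_ids` and the error codes are hypothetical.

```php
<?php
/**
 * Return the IDs of users matching $term (hypothetical helper).
 * Prefers WP_User_Query (wp-includes); falls back to the legacy
 * WP_User_Search only if the admin file can actually be loaded.
 */
function ef_example_search_user_ids( $term, $limit = 20 ) {
    // Drop wildcard characters supplied by the caller; we add our own.
    $term = trim( str_replace( '*', '', (string) $term ) );
    if ( '' === $term ) {
        return array();
    }

    // Front-end-safe path: no file under wp-admin is touched.
    if ( class_exists( 'WP_User_Query' ) ) {
        $query = new WP_User_Query( array(
            'search'         => '*' . $term . '*',
            'search_columns' => array( 'user_login', 'user_email', 'user_nicename' ),
            'number'         => (int) $limit,
            'fields'         => 'ID',
        ) );
        return array_map( 'intval', $query->get_results() );
    }

    // Legacy path: a bare require_once is fatal when wp-admin has been
    // removed or the class has moved, so check before including.
    if ( ! class_exists( 'WP_User_Search' ) ) {
        $admin_file = ABSPATH . 'wp-admin/includes/user.php';
        if ( ! is_readable( $admin_file ) ) {
            return new WP_Error( 'ef_example_no_admin', 'wp-admin/includes/user.php is not available.' );
        }
        require_once $admin_file;
    }
    if ( ! class_exists( 'WP_User_Search' ) ) {
        return new WP_Error( 'ef_example_no_search', 'No user search class is available in this WordPress version.' );
    }

    $search = new WP_User_Search( $term );
    return array_map( 'intval', (array) $search->get_results() );
}
```

Callers should test the return value with `is_wp_error()` before using it as a list of IDs.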
