[resolved] Possible security flaw: plugin directory publicly available (8 posts)

  1. maerk
    Posted 10 years ago #

    I just discovered that the plugin directory is accessible by anyone if they just browse to the right PHP file. For instance, if you have akismet, you can get to it via: example.com/wp-content/plugins/akismet/akismet.php.

    Granted the script won't run, but what about scripts that do not rely on plugin hooks?

    Is there something in WordPress that can be changed, or is it up to plugin authors to ensure that direct access of the plugin files is safe?

  2. Samuel B
    Posted 10 years ago #

    Hmmm.. and your files are CHMOD 644?

    Here's what happens on my domain:
    Fatal error: Call to undefined function: add_action() in /home/mydomain/public_html/blog/wp-content/plugins/akismet/akismet.php on line 11
    and similar files.
    I get a 404 on others.

  3. maerk
    Posted 10 years ago #

    Yeah, most plugins will fail to run because they make use of plugin hooks.

    But some plugins don't use plugin hooks, they insert another page to the admin area, so it's conceivable that they could function properly on their own. If the plugin made calls to the database, that could represent a serious risk to someone's site's security -- it's not hard to insert your own database query if you know what you're doing (including deleting tables, or even the whole database).

  4. forceagainstsomething
    Posted 10 years ago #

    If you're using Apache, just pop a .htaccess file into the /plugins directory with this inside:

    <Files ~ "\.php$">
    Order allow,deny
    Deny from all
    </Files>

    Problem solved.

    - Sean

  5. maerk
    Posted 10 years ago #

    Yeah, that would work, but what if a plugin required you to have access to a php file within the plugins directory?

    I guess, ultimately, it's up to the plugin author to make sure everything's safe.

  6. forceagainstsomething
    Posted 10 years ago #

    Oh, and plugin developers could add extra security by putting this at the top of their scripts:

    if (!defined('DB_NAME')) die('NO ACCESS');

    The script will die with the message NO ACCESS if it's being accessed outside of WP.

    - Sean

  7. maerk
    Posted 10 years ago #

    Ooh, good idea!

  8. forceagainstsomething
    Posted 10 years ago #

    Something similar is used with Joomla. The index.php starts with something like:

    define('__MOS__', true);

    And then every other script in the whole package starts with

    if (!defined('__MOS__')) die();

    It's a great idea... simple and secure.

    - Sean
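The guard from post 6 and the Joomla-style pattern from post 8, carried through in a complete minimal plugin, as an added example that is not code from this thread or from WordPress itself. It assumes the WordPress constant ABSPATH and the standard plugin API (add_action, add_options_page, current_user_can, $wpdb); the guarded_example_* names are made up for the illustration.

```php
<?php
/*
Plugin Name: Guarded Example (constructed illustration, not a real plugin)
*/

// Abort if this file is requested directly rather than loaded by WordPress.
// ABSPATH is defined by WordPress before any plugin file is included; the
// thread's DB_NAME check works the same way. Exiting here also avoids the
// "Fatal error ... in /home/.../akismet.php" message seen in post 2, which
// leaks the server's filesystem path to whoever requested the file.
if ( ! defined( 'ABSPATH' ) ) {
    header( 'HTTP/1.1 403 Forbidden' );
    exit( 'NO ACCESS' );
}

// Register the admin page through a hook instead of shipping a separate PHP
// file that has to be requested directly (the concern raised in post 5).
add_action( 'admin_menu', 'guarded_example_menu' );

function guarded_example_menu() {
    add_options_page(
        'Guarded Example',       // page title
        'Guarded Example',       // menu title
        'manage_options',        // capability WordPress checks before showing the page
        'guarded-example',       // menu slug
        'guarded_example_page'   // callback rendering the page
    );
}

function guarded_example_page() {
    // Re-check the capability inside the callback as well; never rely on the
    // menu registration alone to gate privileged actions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }

    // Any database access goes through $wpdb with a prepared statement, so a
    // caller cannot turn the page into the arbitrary-query problem from post 3.
    global $wpdb;
    $count = $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_status = %s",
        'publish'
    ) );

    echo '<div class="wrap"><p>Published posts: ' . (int) $count . '</p></div>';
}
```

Requesting the file directly now yields a bare 403 with no path disclosure, while the same file loaded by WordPress registers its page normally.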

Topic Closed
