Support » Requests and Feedback » Possible security flaw: plugin directory publicly available

  • Resolved maerk

    (@maerk)


    I just discovered that the plugin directory is accesible by anyone if they just browse to the right PHP file. For instance, if you have akismet, you can get to via: example.com/wp-content/plugins/akismet/akismet.php.

    Granted the script won’t run, but what about scripts that do not rely on plugin hooks?

    Is there something in WordPress that can be changed, or is it up to plugin authors to ensure that direct access of the plugin files is safe.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Hmmm.. and your files are CHMOD 644?

    Here’s what happens on my domain:
    Fatal error: Call to undefined function: add_action() in /home/mydomain/public_html/blog/wp-content/plugins/akismet/akismet.php on line 11
    and similar files.
    I get a 404 on others.

    Yeah, most plugins will fail to run becuase they make use of plugin hooks.

    But some plugins don’t use plugin hooks, they insert another page to the admin area, so it’s conceivable that they could function properly on their own. If the plugin made calls to the database, that could represent a serious risk to someone’s site’s security — it’s not hard to insert your own database query if you know what you’re doing (including deleting tables, or even the whole database).

    If you’re using Apache, just pop a .htaccess file into the /plugins directory with this inside:

    <Files ~ “\.php$”>
    Order allow,deny
    Deny from all
    </Files>

    Problem solved.

    – Sean

    Yeah, that would work, but what if a plugin required you to have access to a php file within the plugins directory?

    I guess, ultimately, it’s up to the plugin author to make sure everything’s safe.

    Oh, and plugin developers could add extra security by putting this at the top of their scripts:

    if (!defined(‘DB_NAME’)) die(‘NO ACCESS’);

    The script with die with the message NO ACCESS if it’s being accessed outside of WP.

    – Sean

    Ooh, good idea!

    Something similar is used with Joomla. The index.php starts with something like:

    define(‘__MOS__’, true);

    And then every other script in the whole package starts with

    if (!defined(‘__MOS__’)) die();

    It’s a great idea… simple and secure.

    – Sean

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Possible security flaw: plugin directory publicly available’ is closed to new replies.