Possible to "hack" or "destroy" WP network? (7 posts)

  1. kongen
    Member
    Posted 4 years ago #

    If I have WP 3.0 with network enabled (multi-user) and allow users to add their own themes - is it possible for a user to "destroy" the whole WP installation by adding some suspect code to the theme that he installs (since the suspect code can now run on the WP server)?

  2. David Sader
    Member
    Posted 4 years ago #

    Yes. Sure, they can unlink any file, or delete any data. Heck, with the right couple lines of code in their theme's functions.php, every subscriber of their blog could be promoted to SuperAdmin of the entire network.

    Safe(er) alternative: http://wordpress.org/extend/plugins/safecss/
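
    The two things David names (deleting files, promoting subscribers network-wide) are plain function calls once a theme's PHP is running, so the practical check is to look for those calls before a theme goes live. The script below is an added example, not code from this thread or from WordPress: a read-only scan over a themes directory that tokenizes every .php file and reports calls from a list of filesystem, code-execution and network-privilege functions. The list of functions and the constructed sample theme it scans when given no argument are my own choices.

```php
<?php
// Added example, not from the thread or from WordPress core.
// Usage: php scan-themes.php /path/to/wp-content/themes
// With no argument it writes and scans a constructed sample theme, so it runs stand-alone.
// The function list and the sample theme are assumptions of this example.

$DANGEROUS_CALLS = array(
    // filesystem and code execution
    'unlink', 'rmdir', 'rename', 'file_put_contents', 'fwrite', 'exec', 'system',
    'shell_exec', 'passthru', 'proc_open', 'base64_decode', 'create_function',
    // network-wide state and privilege changes (WordPress core function names)
    'grant_super_admin', 'update_site_option', 'update_network_option',
    'wp_update_user', 'add_user_to_blog', 'wp_delete_user', 'wpmu_delete_blog',
);

/** Return one array('file','line','call') per suspicious call in a single PHP file. */
function scan_php_file($path, array $dangerous) {
    $hits   = array();
    $tokens = token_get_all(file_get_contents($path));
    $count  = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) continue;
        // eval is a language construct with its own token, not a T_STRING
        if ($tok[0] === T_EVAL) {
            $hits[] = array('file' => $path, 'line' => $tok[2], 'call' => 'eval');
            continue;
        }
        if ($tok[0] !== T_STRING || !in_array(strtolower($tok[1]), $dangerous, true)) continue;
        // Count it only as a call: the next non-whitespace token must be '(' ...
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) $j++;
        if ($j >= $count || $tokens[$j] !== '(') continue;
        // ... and it must not be a method/static call or a declaration of a same-named function.
        $k = $i - 1;
        while ($k >= 0 && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) $k--;
        if ($k >= 0 && is_array($tokens[$k]) &&
            in_array($tokens[$k][0], array(T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION), true)) continue;
        $hits[] = array('file' => $path, 'line' => $tok[2], 'call' => strtolower($tok[1]));
    }
    return $hits;
}

/** Recursively scan every .php file under $dir. */
function scan_theme_dir($dir, array $dangerous) {
    $hits = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) === 'php') {
            $hits = array_merge($hits, scan_php_file($file->getPathname(), $dangerous));
        }
    }
    return $hits;
}

/** Constructed sample theme whose functions.php does the two things the thread describes. */
function write_sample_theme() {
    $dir = sys_get_temp_dir() . '/scan-themes-sample/evil-theme';
    if (!is_dir($dir)) mkdir($dir, 0700, true);
    $functions = <<<'PHP'
<?php
// constructed sample for the scanner, not a real theme
add_action('init', function () {
    foreach (get_users(array('role' => 'subscriber')) as $u) {
        grant_super_admin($u->ID);          // every subscriber becomes a Super Admin
    }
});
function evil_theme_cleanup() {
    unlink(ABSPATH . 'wp-config.php');      // delete any file the web server can write
}
PHP;
    file_put_contents($dir . '/functions.php', $functions);
    file_put_contents($dir . '/style.css', "/*\nTheme Name: Evil Theme (constructed sample)\n*/\n");
    return dirname($dir);
}

$target = isset($argv[1]) ? $argv[1] : write_sample_theme();
$hits = scan_theme_dir($target, $DANGEROUS_CALLS);
foreach ($hits as $h) {
    printf("%s:%d  %s()\n", $h['file'], $h['line'], $h['call']);
}
printf("%d suspicious call(s) under %s\n", count($hits), $target);
exit(count($hits) ? 1 : 0);
```

    A hit is a reason to read the file, not proof of malice (plenty of legitimate themes write files), and an empty report is not a clean bill of health: the scan only sees direct calls, so `$f = 'unl' . 'ink'; $f($path);` or code unpacked at runtime slips past it. That is why the thread's answer stays "don't let untrusted users put PHP on the server at all" rather than "scan it first".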

  3. tdjcbe
    Member
    Posted 4 years ago #

    This is why also running the unfiltered html plugin is a bad idea on an open system.

  4. kongen
    Member
    Posted 4 years ago #

    Am I secure if I am "superadministrator" on the WP network and all other users become "administrator" when they create their usernames and blogs?

    Does the role "administrator" get privileges to upload/edit anything that can put suspect code somewhere into my WP installation? Or should I let them just become an "editor" of their own blogs and upload themes by myself?

  5. David Sader
    Member
    Posted 4 years ago #

    Normally, only SuperAdmins can upload or edit themes and plugins - unless you have done something or installed a plugin to alter that behaviour.

    "Out of the box", WP3 multisite requires no additional security to make it safe. The capabilities which cause worry (editing themes/deleting users etc) are automatically removed from Administrators and reserved for SuperAdmins when activating the Network.

    Still, be wary what themes you do install, beware those that allow unfiltered html/php to be saved in theme options.
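
    The "unless you have done something or installed a plugin to alter that behaviour" caveat is the one worth guarding. The mu-plugin below is an added example, not WordPress core and not anything the posters wrote: it hooks the `map_meta_cap` filter at the lowest possible priority and re-asserts what multisite does by default, so that a site Administrator who is not a Super Admin is denied the theme/plugin/unfiltered-HTML capabilities even if some other plugin tries to grant them. It assumes a current WordPress multisite where `WP_User::has_cap()` treats a mapped `do_not_allow` as a hard refusal; the capability list and the `nch_` names are mine.

```php
<?php
/*
Plugin Name: Network Capability Hardening (added example)
Description: Keeps the capabilities multisite reserves for Super Admins reserved,
             even if another plugin tries to hand them to site Administrators.
*/
// Added example for this thread, not WordPress core. Copy into wp-content/mu-plugins/
// (mu-plugins load before normal plugins, so this filter is registered first).
// Assumptions: a current WordPress multisite; the 'map_meta_cap' filter is available;
// has_cap() returns false whenever the mapped capability list contains 'do_not_allow'.
// Define NCH_LOG_DENIALS as true in wp-config.php to write each denial to the PHP error log.

/** Capabilities multisite reserves for Super Admins. Core capability names; the selection is mine. */
function nch_super_admin_only_caps() {
    return array(
        'edit_themes', 'install_themes', 'upload_themes', 'update_themes', 'delete_themes',
        'edit_plugins', 'install_plugins', 'upload_plugins', 'update_plugins', 'delete_plugins',
        'edit_files', 'unfiltered_html', 'unfiltered_upload',
        'manage_network', 'manage_sites', 'manage_network_users',
        'manage_network_themes', 'manage_network_plugins', 'manage_network_options',
    );
}

/**
 * Runs last on map_meta_cap. Whatever earlier filters decided, a user who is not a
 * Super Admin asking for a reserved capability gets 'do_not_allow', which has_cap()
 * refuses outright before the user_has_cap filter can re-grant anything.
 *
 * @param string[] $caps     capabilities core already mapped the request to
 * @param string   $cap      the capability being checked
 * @param int      $user_id  user being checked (0 for a logged-out visitor)
 * @param array    $args     extra arguments passed to current_user_can()/user_can()
 * @return string[]
 */
function nch_deny_reserved_caps($caps, $cap, $user_id, $args) {
    if (!is_multisite() || !in_array($cap, nch_super_admin_only_caps(), true)) {
        return $caps;
    }
    if (is_super_admin($user_id)) {
        return $caps;
    }
    if ($user_id && defined('NCH_LOG_DENIALS') && NCH_LOG_DENIALS) {
        // Detection angle: a site Administrator should rarely ask for these at all;
        // a burst of denials for one user is worth a look at what they installed.
        error_log(sprintf('nch: denied %s to user %d (not a Super Admin)', $cap, $user_id));
    }
    return array('do_not_allow');
}
add_filter('map_meta_cap', 'nch_deny_reserved_caps', PHP_INT_MAX, 4);
```

    Two caveats a practitioner would want. First, this only governs code that asks permission through the capability API; PHP already running inside a theme does not ask, and core helpers such as `grant_super_admin()` and `update_site_option()` carry no capability check of their own, which is exactly why the thread's advice is to keep theme uploads with the Super Admin. Second, the Super Admin list itself can be pinned outside the database: a `$super_admins` array set in wp-config.php makes `get_super_admins()` return that array and `grant_super_admin()` return false without changing anything, so a stray call cannot silently add a name to the network's site_admins option.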

  6. roshan.george2010
    Member
    Posted 4 years ago #

    Normally, only SuperAdmins can upload or edit themes and plugins - unless you have done something or installed a plugin to alter that behaviour.

    "Out of the box", WP3 multisite requires no additional security to make it safe. The capabilities which cause worry (editing themes/deleting users etc) are automatically removed from Administrators and reserved for SuperAdmins when activating the Network.

    Still, be wary what themes you do install, beware those that allow unfiltered html/php to be saved in theme options.

    So I have a question. When installing WordPress MS, we create an admin account. Is this the superadmin?

  7. The admin of the original single WP blog becomes the SuperAdmin by default.

    Yes, you can add more Super Admins after, but the administrator of a site is *not* a super admin.

Topic Closed

This topic has been closed to new replies.