I am most unhappy with the manner in which the rss feeds are cached in wp-includes/rss.php.
The cache is stored in the wp_options table. I consider it poor practice to use a semi-permanent table as a cache. One consequence of this poor practice is the necessity of storing a timestamp for the cached record separately from the record itself (with a “_ts” suffix to the field value).
Another consequence is that the cache cannot be properly flushed, since – as far as I can tell – the filename of the cached item must be known in order to call check_cache().
Since the cache is not properly flushed, an unnecessary vulnerability has been built into WordPress. The “rss_XXX” entry in the ‘option_name’ field of the ‘wp_options’ table has been used to hide hacking.
If rss caching is considered desirable, it should be done in a dedicated table that is flushed regularly.
Additionally, it is poor practice to allow non-dedicated functions to access the database directly. There should be a suite of functions that wrap database access which call the database info on the fly from wp-config, to help enforce their exclusive access. This compartmentalization will aid debugging and improve security.
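An added example, not part of the original post and not WordPress code: a small audit that pairs each "rss_XXX" row in wp_options with its "_ts" companion and reports entries that are orphaned, stale, or not shaped like a feed-cache row. It assumes the cache key is "rss_" followed by a 32-character hex MD5, a one-week staleness threshold, and an in-memory SQLite table with constructed rows standing in for the real database.

```python
import re
import sqlite3

# Assumption: cache rows are named "rss_" + 32 hex chars (MD5 of the feed URL),
# with the fetch time stored in a companion row carrying the "_ts" suffix.
CACHE_NAME = re.compile(r"^rss_[0-9a-f]{32}(_ts)?$")
# Legitimate core setting that shares the prefix; extend for your install.
KNOWN_SETTINGS = {"rss_use_excerpt"}
QUERY = ("SELECT option_name, option_value FROM wp_options "
         "WHERE option_name LIKE 'rss!_%' ESCAPE '!'")


def audit_rss_options(conn, now, max_age=7 * 86400):
    """Return sorted (option_name, finding) pairs for suspicious rss_ rows."""
    rows = dict(conn.execute(QUERY).fetchall())
    findings = []
    for name, value in rows.items():
        if name in KNOWN_SETTINGS:
            continue
        if not CACHE_NAME.match(name):
            findings.append((name, "name does not fit the cache pattern"))
        elif name.endswith("_ts"):
            if name[:-3] not in rows:
                findings.append((name, "timestamp without cached feed"))
            elif not str(value).isdigit():
                findings.append((name, "timestamp is not numeric"))
            elif now - int(value) > max_age:
                findings.append((name[:-3], "stale entry never flushed"))
        elif name + "_ts" not in rows:
            findings.append((name, "cached feed without timestamp"))
    return sorted(findings)


def demo_db():
    """Constructed sample rows standing in for a real wp_options table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    a, b, c = "a" * 32, "b" * 32, "c" * 32
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("rss_" + a, "<serialized feed>"), ("rss_" + a + "_ts", "1000000"),
        ("rss_" + b, "<serialized feed>"), ("rss_" + b + "_ts", "100"),
        ("rss_" + c, "<no companion row>"),
        ("rss_notes", "<unexpected name>"),
        ("rss_use_excerpt", "0"), ("blogname", "Example"),
    ])
    return conn

if __name__ == "__main__":
    print(*audit_rss_options(demo_db(), now=1000600), sep="\n")
```

The query uses `!` as the LIKE escape character so the same statement can be run unchanged against a MySQL wp_options table.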