One of the recommended security procedures for protecting WordPress is to password protect the /wp-admin/ directory.
However, if you do that, you break the SWFUpload capability because SWFUpload does not pass along the BASIC_AUTH variable (if set) in the requests or communication.
There is currently a workaround using <Files> with Allow from that exposes async-upload.php, but a cleaner solution would be to have SWFUpload detect when BASIC_AUTH (PHP_AUTH_USER, PHP_AUTH_PW) is set and pass that along through the Flash requests/connections.
Then the /wp-admin/ could be completely protected via htaccess without exposing any files.
- The topic ‘swfupload & wp security’ is closed to new replies.