
Prevent direct access to PHP files which are not in the wp-admin directory #79

Closed
markkap opened this Issue Sep 24, 2018 · 1 comment


markkap commented Sep 24, 2018

This is a combination of security and performance.

From a security POV, whitelisting known "good" file types prevents attacks trying to exploit security issues found in core PHP files, or an accidental programming-language file that was added to a plugin by mistake and might be executable on the server.

This will also enable restricting the check for file existence to only those types instead of checking it for all URLs, as is done in the WordPress htaccess.

wp-admin should, in addition, allow PHP file execution.

The uploads directory might need a more complex setup as we want to enable downloads of unsafe files without executing them.

@markkap markkap added this to the 1.0.0 milestone Sep 24, 2018

@markkap markkap changed the title Allow access only to know file types outside of the uploads and wp-admin directories Allow access only to known file types outside of the uploads and wp-admin directories Oct 10, 2018


markkap commented Jan 2, 2019

"Downsizing" this to just prevent direct external access to PHP files. Knowing what is OK to access and what is not seems right now to be a task which is hard to achieve, at least in a long-term maintainable way.
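One way to express the reduced scope (block direct requests for PHP files outside wp-admin) as a site-root `.htaccess` rule set, added here as an example and not the project's own commit; the exemption of `index.php` and `wp-login.php` is an assumption about which front-facing PHP entry points a WordPress install must keep reachable, and the uploads directory case the issue mentions is not covered.

```apache
# Added example (not the project's commit): refuse direct external requests for
# PHP files anywhere outside wp-admin, using mod_rewrite in the site-root .htaccess.
RewriteEngine On

# Anything under wp-admin/ keeps PHP execution, as the issue requires.
# In per-directory context the pattern is matched without the leading slash.
RewriteRule ^wp-admin/ - [L]

# Assumed front-facing entry points that must stay reachable; adjust to the install.
# The front-controller rewrite to /index.php also lands here and is let through.
RewriteRule ^(index|wp-login)\.php$ - [L]

# Everything else ending in .php (including .php/extra PATH_INFO) gets a 403.
# NC makes the match case-insensitive in case the PHP handler is configured that way.
RewriteRule \.php(/|$) - [F,NC]
```

Place this before the WordPress front-controller rules so a request such as `/wp-content/plugins/x/y.php` is refused before any rewrite runs.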

@markkap markkap changed the title Allow access only to known file types outside of the uploads and wp-admin directories Prevent direct access to PHP files which are not in the wp-admin directory Jan 3, 2019

markkap added a commit that referenced this issue Jan 3, 2019

@markkap markkap closed this Jan 3, 2019
