tags:

views:

94

answers:

1
+1  Q: 

Securing Plugin Data in WordPress From Access by Other Plugins?

There probably is some solution to this, whether it involves code running on just the wordpress installation or a combination of a wordpress installation and a master server I am not sure yet, but please remember not to have tunnel vision and consider any and all possible solutions:

The scenario is this: A WordPress plugin (plugin-A) that manages some sort of valuable data (something that the admin would not want stolen), lets say, lead data with user's name and email addresses, the plugin uses its own db tables.

Other than the obvious (which is the admin installing plugin-B, not knowing its malicious intent), what is to prevent another WordPress plugin (plugin-B) from accessing plugin-A data or hacking plugin-A files to circumvent security.

+2  A: 

Trouble is, you'll be trying to protect the system from something that is running within it - the very nature of a WordPress plugin is that it has;

  • Database name, username and password, along with...
  • An active database connnection, with which it could easily query to find all tables and their structures, no matter how obscure
  • It is running inside the WordPress script, and has access to all globals, functions and classes

If the data you're working with is that sensitive, or you simply don't want to run the risk, don't allow plugins (at least not without checking the source code first).

TheDeadMedic  2010-06-10 10:29:32
ya, kinda what i figured ... all the scenarios i ran in my head ended up with the rogue plugin-B simply overwriting plugin-A source code...
farinspace  2010-06-10 17:06:18
is it possible to lock via server configuration ? so no access from a folder a plugin into another folder of pluggin (via htdoc or something). every server request has its referrer is it ?
justjoe  2010-06-10 23:09:32
Yeah, if you're running *nix you could lock down file permissions, but his database is still wide open.
TheDeadMedic  2010-06-10 23:12:47
even using file perms on *nix might not work, doesn't it all depend on what user the PHP process is running as?
farinspace  2010-06-11 19:48:17

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases