• Hi, I’m setting up a WordPress site where I will have a ton of different editors that I don’t know very well, who will be able to edit their specific page.

    I don’t mind so much if one of the pages ends up being unprofessional or downright embarrassing.

    But I am curious about if what they do with one page, can affect the rest of site.

    For instance, if I let you get unrestricted access to edit the page mywebsite.com/NewYork – can you from there insert code that can jeopardise the security of the site as a whole?

    • This topic was modified 6 years, 1 month ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not a Developing with WordPress topic
Viewing 3 replies - 1 through 3 (of 3 total)
  • Any time you give someone access to the WordPress admin, you are opening yourself up for that kind of issue. There have been exploits before where people were able to increase their permissions to a site and do bad things. You might want to change how you have it set up and look at more secure options of doing what you want. Even creating custom roles using a role management plugin.

    Thread Starter erik987

    (@erik987)

    Yes, this is exactly what I’m doing.

    I’m using this:
    https://sv.ww.wp.xz.cn/plugins/user-role-editor/

    To make sure the role can only change pages that they themselves are the author of. And I can change who is the author of a page.

    Now, they can still do whatever they want, basically, to that page, code-wise.

    So, is that safe? Is the page a bit like a sandboxed environment?

    Moderator bcworkz

    (@bcworkz)

    Post content like that entered in the WP post editor cannot contain executable code under default conditions. Content is validated and sanitized to prevent any added code from executing. It’s feasible for themes and plugins to bypass the usual security features. There are plugins that explicitly allow one to enter executable PHP code in post content. This obviously severely diminishes site security.

    You can be extra sure users cannot do anything dangerous by being sure their role does not include the “unfiltered_html” capability. Unless your site is in a completely default state, I could not say with certainty your site will be safe.
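An added example, not code from the thread or from the User Role Editor plugin: a must-use plugin that denies `unfiltered_html` to every non-administrator at capability-check time (so a role-editor change cannot quietly re-grant it) and exposes a helper to preview what core's post filter makes of a page author's markup. It assumes a single-site install; the file name and the `example_` function name are my own.

```php
<?php
/**
 * Plugin Name: Deny unfiltered_html to non-administrators (added example)
 * Save as wp-content/mu-plugins/deny-unfiltered-html.php so it always loads.
 */

// 1. Strip the capability whenever WordPress checks it. This wins even if a
//    role-management plugin later adds unfiltered_html back to a stored role.
add_filter( 'user_has_cap', function ( array $allcaps, array $caps, array $args, WP_User $user ) {
    if ( ! in_array( 'administrator', (array) $user->roles, true ) ) {
        unset( $allcaps['unfiltered_html'] );
    }
    return $allcaps;
}, 10, 4 );

// 2. Also remove it from the stored role definitions so the role editor UI
//    shows the real state. remove_cap() writes to the database, hence the
//    has_cap() guard to avoid a write on every request.
add_action( 'init', function () {
    foreach ( wp_roles()->role_objects as $name => $role ) {
        if ( 'administrator' !== $name && $role->has_cap( 'unfiltered_html' ) ) {
            $role->remove_cap( 'unfiltered_html' );
        }
    }
} );

// 3. Preview helper: wp_kses_post() uses the same allowed-tag list core applies
//    to post_content on save for users without unfiltered_html. <script>,
//    <iframe> and on* event attributes are dropped; ordinary markup survives.
function example_filtered_preview( string $html ): string {
    return wp_kses_post( $html );
}

// Constructed sample, as a page author might paste it into the editor:
// example_filtered_preview( '<p onclick="x()">Hi</p><script>alert(1)</script>' )
// returns '<p>Hi</p>alert(1)'  (tags removed, inline text of the script kept).
```

The same result can be reached globally with `define( 'DISALLOW_UNFILTERED_HTML', true );` in wp-config.php, which denies the capability to administrators as well.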


The topic ‘Malicious code? Can I prepare?’ is closed to new replies.