I alerted the Forum crew that the wp-db-backup plugin bundled with the
forthcoming WordPress 2.0 requires that /wp-content/ be writable. The
reason it requires write access is to create a non-obvious backup
directory in which to store the temporary file(s) (it appends the last
five characters of the md5 hash of the password in wp-config.php).

I opened a ticket about this:
http://trac.wordpress.org/ticket/1934
which Matt closed. I'm less than thrilled, but ultimately don't care
enough to push further.

A few forum folks were taken aback by the requirement for /wp-content/
to be writable:
http://comox.textdrive.com/pipermail/wp-forums/2005-December/001027.html
http://comox.textdrive.com/pipermail/wp-forums/2005-December/001029.html

This goes against the recommended file permissions defined in the
"Hardening WordPress" Codex guide (disclaimer: I wrote the recommended
file permissions for that page):
http://codex.wordpress.org/Hardening_WordPress#File_permissions

I understand why this change was made, and I don't necessarily disagree
with it. But it does substantially complicate support without providing
significantly improved security. The current mechanism is still
susceptible to brute-force attacks to determine the specific characters
that make up the suffix for the backup directory.

I think one way to ease support, while simultaneously protecting the
backup directory, would be to stick an empty index.php inside the
/backup/ directory, and drop the use of the suffix.

I asked in #wordpress whether this is something I should bring to the
hackers list, to elicit more participation in the discussion, so here I am.

Do you all find it acceptable to require all of /wp-content/ to be
writable by the webserver (with the caveat that those that don't like it
don't need to use this plugin)?

Are there alternatives you might suggest?

Thanks,
Scott
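
The suffix scheme described in the message above, as an added example (not part of the original e-mail and not the plugin's own code): it derives the five-character suffix, reports how many values a guesser has to cover, and flags clients in an access log that request many distinct suffixes. The `/wp-content/backup-<suffix>/` path layout, the log format, the threshold and the sample lines are assumptions.

```python
import hashlib
import re
from collections import defaultdict

SUFFIX_LEN = 5  # per the message: last five characters of the md5 hash


def backup_suffix(db_password):
    """Last five hex characters of md5(password), as the message describes."""
    return hashlib.md5(db_password.encode()).hexdigest()[-SUFFIX_LEN:]


def search_space():
    """Number of possible suffixes: 16 hex symbols in each of five positions."""
    return 16 ** SUFFIX_LEN


# Assumed path layout /wp-content/backup-<suffix>/ and combined-log-style lines.
PROBE = re.compile(
    r'^(\S+) .*?"(?:GET|HEAD) /wp-content/backup-([0-9a-f]{5})/\S*'
    r' HTTP/[\d.]+" (\d{3})')


def enumerating_clients(log_lines, threshold=3):
    """Map client -> count of distinct suffixes it requested that returned 404."""
    seen = defaultdict(set)
    for line in log_lines:
        m = PROBE.match(line)
        if m and m.group(3) == "404":
            seen[m.group(1)].add(m.group(2))
    return {ip: len(s) for ip, s in seen.items() if len(s) >= threshold}


# Constructed sample log lines (documentation address ranges, invented requests).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Dec/2005:10:00:01 +0000] "GET /wp-content/backup-00000/ HTTP/1.1" 404 209',
    '192.0.2.10 - - [20/Dec/2005:10:00:01 +0000] "GET /wp-content/backup-00001/ HTTP/1.1" 404 209',
    '192.0.2.10 - - [20/Dec/2005:10:00:02 +0000] "GET /wp-content/backup-00002/ HTTP/1.1" 404 209',
    '198.51.100.7 - - [20/Dec/2005:10:05:00 +0000] "GET /wp-content/backup-2cf99/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Dec/2005:10:06:00 +0000] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print("suffix for a sample password:", backup_suffix("password"))
    print("possible suffixes:", search_space())
    print("clients probing suffixes:", enumerating_clients(SAMPLE_LOG))
```

Twenty bits of suffix is the whole search space, and it is fixed for as long as the database password stays the same.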