Is it possible to install a plugin in WordPress even if I don't have admin access? This question was raised in an interview. I responded "No", because a CMS can't leave room for a security breach.
I am curious to know whether it is really possible.
If you had FTP access you could use the activate_plugin() function. There's very little information out there about this function, but it looks fairly simple.
Consider using a function like plugin_basename() to get the path you need.
http://codex.wordpress.org/Function_Reference/plugin_basename
activate_plugin( '/path/to/plugin/file' );
You might be able to if you have access to the DB, and/or if you have write access to the filesystem (through FTP, for example). But not through the web interface.
Many WordPress users are not able to auto-update/upgrade their WordPress and plugins to a newer version without providing their FTP connection information. This is a difficult issue, since WordPress can't write to the /wp-content folder directly.
I am on a root server and the server admin lets me use an SFTP client (like FileZilla and WinSCP [no SSH itself]) to do all kinds of uploads to the server.
Question: until now I have had difficulties getting an auto-update option for themes and plugins, since here we need to have the FTP credentials (and method). I am looking for a method to keep my WordPress install up-to-date and to install plugins in a hassle-free manner,
since it is not so easy if the server uses SFTP. I need a tool or a method to do this.
Are there methods, ways and workarounds for doing so, e.g. using phpseclib to remedy this deficiency?
Well: how to get round this issue? I have tried to read through the documents. Is it correct that
a. one method is to define the FTP details in the wp-config.php file so WordPress will remember them.
b. write access to the /wp-content folder: another method is to give WordPress write access to the /wp-content folder by accessing the FTP root and changing the folder permissions (CHMOD) to 775 rather than the default 755 and 644.
But wait: there is an interesting workaround for this: we can do it by defining the constant FS_METHOD in the wp-config.php file. This bypasses WordPress's recurring prompts, and in doing so we allow WordPress's auto-updates of the files to work.
a. Open /wp-config.php, located at wordpress/wp-config.php.
b. Insert FS_METHOD: write the following line of code into the wp-config.php file, below every other line of code.
define('FS_METHOD','direct');
Question: until now I have had difficulties getting an auto-update option for themes and plugins, since here we need the FTP credentials (and method). I am looking for a method to keep my WordPress install up-to-date and to install plugins in a hassle-free manner. Note: I am on a root server and the server admin lets me use an SFTP client (like FileZilla and WinSCP [no SSH itself]!!) to do all kinds of uploads to the server.
Is the method described above OK as an alternative way to auto-update my WordPress themes and plugins?
Update: see this important thread:
What security concerns should I have when setting FS_METHOD to "direct" in wp-config?
https://wordpress.stackexchange.com/questions/189554/what-security-concerns-should-i-have-when-setting-fs-method-to-direct-in-wp-co
What I would like to know is what real concerns I should have about setting FS_METHOD to direct. Are there any other alternatives to installing the plugin? This is what the official documentation has to say:
FS_METHOD forces the filesystem method. It should only be "direct", "ssh2", "ftpext", or "ftpsockets". Generally, you should only change this if you are experiencing update problems. If you change it and it doesn't help, change it back/remove it. Under most circumstances, setting it to 'ftpsockets' will work if the automatically chosen method does not.
(Primary Preference) "direct" forces it to use Direct File I/O requests from within PHP; this is fraught with opening up security issues on poorly configured hosts. This is chosen automatically when appropriate.
Head over to the answers to this: https://wordpress.stackexchange.com/questions/189554/what-security-concerns-should-i-have-when-setting-fs-method-to-direct-in-wp-co
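The documentation quoted above says "direct" is risky on poorly configured hosts without showing what a better-configured wp-config.php looks like. The following wp-config.php fragments are an added example (not from the question, the linked thread, or WordPress itself) that put the setting the question proposes next to two safer configurations: keeping "direct" only where the PHP process is a dedicated per-site user, or letting WordPress write over SSH with a key pair. Exactly one FS_METHOD block should be active at a time; the host name, account name and paths are placeholders, and the standard WordPress constants (FS_METHOD, DISALLOW_FILE_EDIT, FS_CHMOD_DIR, FS_CHMOD_FILE, FTP_BASE, FTP_CONTENT_DIR, FTP_PLUGIN_DIR, FTP_PUBKEY, FTP_PRIKEY, FTP_USER, FTP_HOST) are the only real identifiers used.

```php
<?php
// Added example, not from the question or from WordPress: wp-config.php
// fragments contrasting FS_METHOD 'direct' with two safer configurations.
// Only one FS_METHOD block may be active; hosts, accounts and paths are
// placeholders.

// --- What the question proposes ---------------------------------------------
// define('FS_METHOD', 'direct');
//
// 'direct' makes PHP itself write the files, which only works when the PHP
// process can write to the whole WordPress tree. On such a host every PHP file
// the web server executes (a vulnerable plugin included) can also rewrite
// core, plugins and themes, so one code-execution bug becomes a persistent
// modification of the site.

// --- Option 1: 'direct', but only on a host with a dedicated PHP user -------
// Acceptable when this site has its own PHP-FPM pool / system user that owns
// the files and nothing else runs as that user. Auto-updates keep working.
// The in-admin source editor is disabled so a stolen admin session cannot be
// turned into arbitrary PHP through wp-admin, and the modes WordPress applies
// to files it creates stay non-writable for group and others.
define('FS_METHOD', 'direct');
define('DISALLOW_FILE_EDIT', true);   // removes Appearance/Plugins > Editor
define('FS_CHMOD_DIR', 0755);         // directories WordPress creates
define('FS_CHMOD_FILE', 0644);        // files WordPress creates

// --- Option 2: let WordPress write over SSH with a key pair ----------------
// Needs the PHP ssh2 extension on the web server. The key belongs to a deploy
// account that owns the WordPress files, so nothing in the tree has to be
// made writable for the web server user. Assumption: the SFTP-only account
// from the question accepts SFTP subsystem connections; whether it permits
// every operation WordPress attempts has to be tested on that host.
// define('FS_METHOD', 'ssh2');
// define('FTP_BASE',        '/var/www/example.org/htdocs/');             // placeholder
// define('FTP_CONTENT_DIR', '/var/www/example.org/htdocs/wp-content/');  // placeholder
// define('FTP_PLUGIN_DIR',  '/var/www/example.org/htdocs/wp-content/plugins/');
// define('FTP_PUBKEY',      '/home/wpdeploy/.ssh/wp_update.pub');        // placeholder
// define('FTP_PRIKEY',      '/home/wpdeploy/.ssh/wp_update');            // placeholder
// define('FTP_USER',        'wpdeploy');                                 // placeholder
// define('FTP_HOST',        'sftp.example.org:22');                      // placeholder
```

With option 2 the private key has to be readable by the PHP process, so it should be a dedicated key used for nothing else and restricted on the server side to that one account; with option 1 the decision hinges on file ownership, which is what "poorly configured hosts" in the documentation refers to. Either way, a file-integrity check of the WordPress tree (a checksum comparison against a clean copy) is the detection control that tells you whether the write path has been abused.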
I have a PHP/MySQL application which is run by a portable server (i.e. XAMPP). The client buys additional functions (like Chart, Report) after using the general app.
However, for example, some links need to link from the general app to the additional function after it is installed. Those links will be disabled when the additional function hasn't been installed.
My question is how to solve the above scenario? I really appreciate any help, and thanks in advance.
A simple solution would be to define a constant, for example PLUGIN_CHART, in the plugin and in the main app just check if the constant exists and is true.
If the plugins are actual functions, another way is to use function_exists() to check if it's available.
There are several ways of going about it, here is a simple way:
Have a directory called plugins. Within that directory, create a folder for each plugin you have. For each of your clients, put in only the plugins they will be using.
Now, instead of linking to each possible plugin, check whether the plugin is loaded (or at least whether the directory exists); if it does, create a link!
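Both answers above (a constant or function_exists() check, and a per-plugin directory) fit together in one small loader. The following is an added example, not code from either answer: it discovers add-ons by directory, includes each one's bootstrap, and renders a link only for add-ons whose check passes. The plugins/<name>/bootstrap.php layout, the PLUGIN_CHART constant and the report_render() function are this example's own assumptions.

```php
<?php
// Added example, not from the answers above: a loader for a self-hosted
// PHP/MySQL app (XAMPP-style) that combines the per-plugin directory with a
// constant or function check and only renders links for installed add-ons.
// Layout, constant and function names are constructed for this example.

declare(strict_types=1);

const APP_PLUGIN_DIR = __DIR__ . '/plugins';

/**
 * The add-ons the core app knows how to link to. Names are fixed here and
 * never taken from the request, so a stray upload or a crafted parameter
 * cannot add a menu entry or include an arbitrary file.
 */
function known_plugins(): array
{
    return [
        'chart' => [
            'label' => 'Charts',
            'url'   => 'plugins/chart/index.php',
            // Convention 1: the plugin's bootstrap defines a constant set to true.
            'check' => fn(): bool => defined('PLUGIN_CHART') && constant('PLUGIN_CHART') === true,
        ],
        'report' => [
            'label' => 'Reports',
            'url'   => 'plugins/report/index.php',
            // Convention 2: the plugin exposes a function the core can test for.
            'check' => fn(): bool => function_exists('report_render'),
        ],
    ];
}

/** Include plugins/<name>/bootstrap.php for every known plugin that is present. */
function load_plugins(): array
{
    $base = realpath(APP_PLUGIN_DIR);
    if ($base === false) {
        return [];   // no plugins directory at all: nothing is installed
    }
    $loaded = [];
    foreach (known_plugins() as $name => $meta) {
        $bootstrap = realpath($base . '/' . $name . '/bootstrap.php');
        // realpath() resolves symlinks, so a link pointing outside plugins/ is refused too.
        if ($bootstrap === false
            || strncmp($bootstrap, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            continue;
        }
        require_once $bootstrap;
        if ($meta['check']()) {
            $loaded[] = $name;
        }
    }
    return $loaded;
}

/** Navigation entries to render; plugins whose check fails get no link. */
function plugin_links(): array
{
    $links = [];
    foreach (known_plugins() as $meta) {
        if ($meta['check']()) {
            $links[$meta['label']] = $meta['url'];
        }
    }
    return $links;
}

// Constructed sample bootstraps for a client that bought both add-ons:
//   plugins/chart/bootstrap.php   ->  define('PLUGIN_CHART', true);
//   plugins/report/bootstrap.php  ->  function report_render(): string { return '<table>...</table>'; }
// A client without the report add-on simply has no plugins/report/ directory.
load_plugins();
foreach (plugin_links() as $label => $url) {
    printf('<a href="%s">%s</a>' . PHP_EOL,
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($label, ENT_QUOTES, 'UTF-8'));
}
```

The whitelist in known_plugins() is the security-relevant part: the directory check alone would let anything dropped into plugins/ become a link, whereas here an unknown directory is ignored and the include path is never built from user input.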
I'm helping a client with their website (it's manually written using a Dreamweaver template and a ton of quadruple-nested table elements for design. Ouch), and I want to offer them a break from using Dreamweaver to write things.
I was thinking of using Wordpress or a similar CMS to do the job, as Wordpress is clean, fast, and really easy to design for. I've done it a few times, and it's almost as easy as just coding pure HTML.
My main concern is that the site has been hacked a few times before, even though it was pure HTML with no server-side code whatsoever. I can set up a Linux server for them manually, because the hosting company they use is one that I've never heard of.
The site owners are completely technologically impaired, so I don't want to scare them off by showing them a dynamic CMS with tons of features, as they think pure HTML is so much safer that they have to go out of their way to work with it.
I know this is a ton of writing, but what would be the most appropriate CMS (hard-coding or dynamically generating content) for such a setup? I don't want the person to keep manually writing non-standards-compliant quadruple-nested table layouts anymore, but I don't want to be responsible for having their site hacked...
Thanks!
A solution that allows for local editing, and the uploading of only static HTML files, would be the safest way to go. If it's a high-risk site, I would consider staying on that track.
If a site containing only static HTML was hacked, then it was most likely through some problem at the web server or even operating system level; I am not aware of any exploits concerning static HTML resources. Problems usually come up when dynamic languages are involved.
Whatever you do, don't use Wordpress. It is bound to be subject of exploits and attacks simply due to its popularity.
If the site is pure HTML, then the insecurity is in the server, or the connection made between the server and the client.
I'd look into how to make the server more secure before making changes to the site, although doing both is a good idea. CMSs like WordPress use MySQL databases to store posts, etc., so that means client -> server connections. A way to make transfers of data more secure is to use https:// instead of vanilla http://. You can redirect using a .htaccess file if need be.
To summarise, I'd look at the server side of things for any vulnerabilities.
James
Wordpress has become a pretty wonderful CMS. If the site is high-risk, you might want to shy away from it, but I haven't had a site that I thought was too high-risk for WP myself. The site should keep up with regular updates and regular backups and there are some security tips that you can follow to help keep it more secure and less of a target.
First, hide WP on the front end.
Add this to your functions.php:
remove_action('wp_head', 'wp_generator');
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');
That will remove default header info that can be searched for by scripts.
Install wp in a directory that will help obscure its location and obscure the admin URL.
Change the name of the wp-content folder to something else and move it outside of the main WP directory. For instance, you could name it "includes" and put it into the root folder, and then links to template files will not have wp-content in them.
On top of that, use a secure host, lock down your files (especially on shared hosting), and you can look at something like VaultPress, but it seems that if you use a solid backup plugin and a good host, that is unnecessary. You can also look at some of the security audit plugins, but don't keep them running after you get feedback.
This code in your wp-config.php file will help to install in a directory and move wp-content outside of it into an "includes" folder:
define('WP_HOME', 'http://domain.com');
define('WP_SITEURL', WP_HOME .'/admin');
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/includes');
define('WP_CONTENT_URL', WP_HOME .'/includes');
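The three remove_action() calls in this answer take the generator tag and two discovery links out of the page head, but the WordPress version is still advertised in feeds and in the ?ver= query string on core scripts and styles. The following functions.php fragment is an added example (not code from the answer or from WordPress) that extends the same idea to those places. The hook, filter and function names it calls (remove_action, add_filter, wp_parse_url, get_bloginfo, remove_query_arg, the_generator, script_loader_src, style_loader_src, wp_shortlink_wp_head, rest_output_link_wp_head) are standard WordPress ones; the helper name is this example's own.

```php
<?php
// Added example, not from the original answer: a functions.php fragment that
// removes the remaining places where the WordPress version is advertised.
// All hooks and functions called are standard WordPress ones; the helper
// example_strip_core_version() is this example's own name.

// Header links that reveal the platform, its version and its endpoints.
remove_action('wp_head', 'wp_generator');              // <meta name="generator" content="WordPress x.y">
remove_action('wp_head', 'rsd_link');                  // Really Simple Discovery link (points at xmlrpc.php)
remove_action('wp_head', 'wlwmanifest_link');          // Windows Live Writer manifest
remove_action('wp_head', 'wp_shortlink_wp_head');      // <link rel="shortlink" href="?p=123"> leaks post IDs
remove_action('wp_head', 'rest_output_link_wp_head');  // <link rel="https://api.w.org/"> advertises the REST API

// The generator string is also written into RSS and Atom feeds; blank it there too.
add_filter('the_generator', '__return_empty_string');

/**
 * Core scripts and styles get ?ver=<WordPress version> appended unless the
 * handle registered its own version. Strip exactly that value and leave
 * plugin/theme cache-busting versions untouched.
 */
function example_strip_core_version($src)
{
    if (!is_string($src)) {
        return $src;
    }
    $query = wp_parse_url($src, PHP_URL_QUERY);
    if (!is_string($query)) {
        return $src;            // no query string, nothing to strip
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === get_bloginfo('version')) {
        return remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'example_strip_core_version');
add_filter('style_loader_src', 'example_strip_core_version');
```

This only removes fingerprints; it does not close any vulnerability, so it complements rather than replaces the regular updates and backups the answer starts with. Check the result by fetching the front page and a feed and confirming that neither "generator" nor a ver= value equal to the installed version appears in the response.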
WordPress is good for blogs.
Typo3 is a good CMS but hard to learn at the start.
Joomla and Drupal can be used as CMSs.
I've been wondering about making a blog hosting site like blogspot as a bit of a hobby. I figure Wordpress would be ideal to use but I'm not 100% on a lot of things related to this. Can I simply create mysql databases and wordpress installs with php functions and keep it secure from possible hacks? Or would the server as a whole need its own software to handle this securely?
WordPress MU is a better choice for such a site.
Most hosting packages come with a one-click install of WordPress. I used to have a Netfirms plan that I got for $10! Just click and install as many WordPress sites as you need.
Security with Wordpress is very strong. They have been around and the software is mature. You wouldn't be exposing yourself to much danger by templating the site.
You can try Wordpress using the WAMP server.
We created an open source script for this purpose; you can find it here: http://buckhill.github.io/linux-package-installer-for-wordpress
We wrote an article on how to use it here: https://www.buckhill.co.uk/blog/how-to-automatically-install-wordpress-plus-plugins/6
If you want to contribute to the project, please go ahead :)
My company is building a platform on top of a heavily extended Drupal core. I have multiple customers who will be using separate instances of this system and will want to customize both the theme and the functionality.
I'm trying to design a system to allow them to add themes and modules, some of which might interact with some of my modules, without giving them access to the actual code. (This isn't open source.)
The way that Facebook and Ning do this is to have the developer host their own custom code, and have a callback to it. This won't really work for me, as these sites need the ability to be fully customized, so callbacks for specific integration points don't really work.
One option is to set up a sandbox environment where the custom developers only have access to a couple specific directories to build their themes and custom modules. We could then integrate with git to commit these when they're ready and deploy them with the rest of our code into production. The problem with this setup is that developers have to develop remotely and have to use our source control system.
A more typical setup is to allow the developers to download something to build their custom code against. They can develop locally and use whatever source control practices they already have. As we don't want specific point integrations, I don't think this can be a library that runs against a separate server. The alternative is to download our full core Drupal system and develop locally against that, uploading the custom code when it's ready, but then they would have access to all our code and IP.
Thus the predicament, as I don't think there is any way to effectively obfuscate PHP.
Anyone have any brilliant ideas here?
It sounds like your system is a derivative work of Drupal and thus covered by the GPL. If you distribute the code to your clients they have all of the rights provided by the GPL, including modifying and redistributing it.
Be aware that distributing obfuscated GPLed code is not allowed. To quote the GPLv2 "The source code for a work means the preferred form of the work for making modifications to it."
Obfuscated code does not comply with this clause of the GPL.
That said, if you really want to provide your clients a way to customize your system you could provide your clients access to the existing Drupal module and theme system but only on your sandbox.
Of course since the modules and themes are PHP and you "don't want specific point integrations" it seems they would have the sort of freedom that would allow them to write a module that reads all of the source code for the rest of your system and then tar it up and send it to themselves.
I think you've painted yourself into a corner by depending on GPL. Keeping your IP private while allowing your clients to extend/customize the system in general ways doesn't really work.
I hope you're aware that Drupal is GPL licensed, be sure to read their licensing FAQ before you start obfuscating.
Why not just create an FTP user for them which can only access /sites/theirsite? What am I missing?