• If I have WP 3.0 with network enabled (multi-user) and allows users to add their own themes – is it possible for a user to “destroy” the whole WP installation by adding some suspect code to the theme that he installs (since the suspect code now can run on the WP server)?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Yes. Sure, they can unlink any file, or delete any data. Heck, with the right couple lines of code in their theme’s functions.php, every subscriber of their blog could be promoted to SuperAdmin of the entire network.

    Safe(er) alternative: https://www.ads-software.com/extend/plugins/safecss/

    This is why also running the unfiltered html plugin is a bad idea on an open system.

    Thread Starter kongen

    (@kongen)

    Am I secure if I am “superadministrator” on the WP network and all other users become “administrator” when the create their usernames and a blogs?

    Does the role “administrator” get priveliges to upload/edit anything that can put suspect code somewhere into my WP installation? Or should I let them just become an “editor” of their own blogs and upload themes by myself?

    Normally, only SuperAdmins can upload or edit themes and plugins – unless you have done something or installed a plugin to alter that behaviour.

    “Out of the box”, WP3 multisite requires no additional security to make it safe. The capabilities which cause worry(editing themes/deleting users etc) are automatically removed from Administrators and reserved for SuperAdmins when activating the Network.

    Still, be wary what themes you do install, beware those that allow unfiltered html/php to be saved in theme options.

    Normally, only SuperAdmins can upload or edit themes and plugins – unless you have done something or installed a plugin to alter that behaviour.

    “Out of the box”, WP3 multisite requires no additional security to make it safe. The capabilities which cause worry(editing themes/deleting users etc) are automatically removed from Administrators and reserved for SuperAdmins when activating the Network.

    Still, be wary what themes you do install, beware those that allow unfiltered html/php to be saved in theme options.

    So I have a question. When installing WordPress MS, we create an admin account. Is this the superadmin?

    The admin of the original single WP blog becomes the SuperAdmin by default.

    Yes, you can add more Super Admins after, but the administrator of a site is *not* a super admin.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Possible to "hack" or "destroy" WP network?’ is closed to new replies.