by lowercased 2773 days ago
the other aspect is that many compromises in WP come from writeable file systems.

/wp-content/foobar.php wouldn't have a hash because it's not a plugin file, but a file that was written to the filesystem by some other exploited plugin. You'd need to be on the lookout for any files that shouldn't be there, but when you're dealing with media folders where anyone can write anything, you're left guessing as to what 'might' be wrong (although executable PHP in an /images folder is probably suspect from the start).


>the other aspect is that many compromises in WP come from writeable file systems.

Yes, which is why I am stunned WP is set up by default this way, it's baffling to me. But I guess it makes it easier to manage?

>You'd need to be on the lookout for any files that shouldn't be there...

Yes, and this is what I did with my system, it's really not hard. Maybe like 10 extra lines of code to list all the current files, compare to a known list of hashes, if it's not listed, then it's a bad file.

All files in any user uploadable areas automatically are not executable. Every web server has a way to do this I am sure. (I don't know all of them)

This seems like such a simple problem to solve with a few basic changes to WP. What am I missing?

What you're missing is that this is precisely why WP is popular - click buttons and have new files installed automatically, just move any file anywhere and have it execute.

I guess I am looking at it from a systems building perspective. If you can control the rules for what files are allowed to run (i.e. limit them to something like "plugin.php" or a directory like /something/something/plugin) then add access rules to the server (again, by default shouldn't be hard) to limit running files to those rules.

Then you have a lot smaller surface area of potential problems. I am not suggesting it has to be required by WP, but at least "available". This wouldn't cause any sort of popularity concerns or ease of use either.

Any plugin that wants to be more secure just follows some rules outlined by WP parent-corp and adds the .htaccess (or whatever) rules and presto, more secure.

I don't run WP any more than for testing stuff, can you really put a file anywhere by default and it's executable?

In most cases, yes. Most shared hosting providers will execute all PHP files as a default, although it's quite doable to block access using rewrite rules or custom access controls.

Problem is that the majority of WordPress users lack the know-how to do it on their own, as well as the will to pay for someone else to do it for them.

Web hosts aren't interested because supporting it would be a nightmare due to the millions of possible plugin/theme combinations.
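
The check discussed in this thread (hash the known-good files, flag anything unlisted, and treat PHP under the uploads directory as suspect), as an added Python example that is not part of any comment above. The function names, extension list and sample tree are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a PHP handler may execute (assumption; match your server config).
PHP_EXTS = {".php", ".phtml", ".phar"}

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root):
    """Hash every file under a known-good install."""
    return {p.relative_to(root).as_posix(): sha256(p)
            for p in root.rglob("*") if p.is_file()}

def audit(root, manifest, upload_dirs):
    """Compare the live tree to the manifest; uploads are checked by type."""
    report = {"unknown": [], "modified": [], "php_in_uploads": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith(upload_dirs):
            # No known hash here: flag anything PHP may run (incl. shell.php.jpg).
            if PHP_EXTS & {s.lower() for s in p.suffixes}:
                report["php_in_uploads"].append(rel)
        elif rel not in manifest:
            report["unknown"].append(rel)
        elif manifest[rel] != sha256(p):
            report["modified"].append(rel)
    return report

def demo():
    """Constructed sample tree: one plugin, then post-install changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "wp-content/plugins/gallery"
        uploads = root / "wp-content/uploads/2024"
        plugin.mkdir(parents=True)
        uploads.mkdir(parents=True)
        (plugin / "gallery.php").write_text("<?php // plugin code\n")
        manifest = build_manifest(root)
        (root / "wp-content/foobar.php").write_text("<?php // dropped\n")
        (plugin / "gallery.php").write_text("<?php // tampered\n")
        (uploads / "cat.jpg").write_bytes(b"\xff\xd8\xff")
        (uploads / "avatar.php").write_text("<?php // not an image\n")
        return audit(root, manifest, ("wp-content/uploads/",))

if __name__ == "__main__":
    print(demo())
```

The manifest has to be built from a trusted copy of the install and stored where the web server user cannot write to it, otherwise whoever drops the file can also update the list.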