by ceol
5161 days ago
WordPress requires a single database user that has CRUD access to the entire thing, so I'm not sure how you could benefit by separating admins and commenters. Could you give an example? I agree with your comment, though. WordPress has poor coding practices built into the core (arguably like the language it's written in).
Here's the way NOT to do it: Bingo Card Creator has a single users table with a role attribute. Setting role to "admin" makes your account into me. This is dangerous because it increases the damage someone can do with other attacks -- if, for example, I was bitten by the (common to Rails applications) vulnerability of letting users' profile pages reassign roles on update due to a mass assignment vulnerability, that would cough up everything my web app can do. WordPress has the same pattern, which means any of the (historically quite common) ways to convince WP that the logged-in user is_admin() mean you can go to town on the software. This is made more problematic because, as noted, WordPress gives admins arbitrary code execution.
There are smarter ways to do this for y'all's own software, by the way. Probably the gold standard is:
+ keep the admin functionality in an entirely separate application at admin.example.com rather than example.com/admin/
+ enforce a strict access policy to the admin application at the network level. Probably the most straightforward is firewalling the admin app from the outside world -- the only way to get to it would be e.g. VPNing into the local network.
That would probably not be a viable option for WordPress, but you're free to not have the security of your business informed by WordPress' hard requirement that anybody be able to install the software within 5 minutes and have it work magically.
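The "role column plus mass assignment" failure described above, as an added example that is not the commenter's code: a plain-Ruby stand-in for an ActiveRecord model (the `User` class, its attribute names and the `PROFILE_FIELDS` permit-list are assumptions) showing how an unchecked update lets a submitted `role` key land on the model, and how a strong-parameters-style permit-list on the profile form keeps it out.

```ruby
# Added example, not from the thread. Minimal stand-in for a users table
# with a `role` column; attribute names are assumptions for illustration.
class User
  ATTRIBUTES = %i[name email role].freeze
  # Fields the profile-edit form is meant to change; `role` is deliberately
  # absent, mirroring a strong-parameters `permit(:name, :email)` call.
  PROFILE_FIELDS = %i[name email].freeze

  attr_reader :name, :email, :role

  def initialize(name:, email:, role: "member")
    @name, @email, @role = name, email, role
  end

  # Vulnerable pattern: every submitted key that matches a column is written,
  # so a hand-crafted `role` field flips the account to admin.
  def update_unchecked(attrs)
    attrs.each do |k, v|
      instance_variable_set("@#{k}", v) if ATTRIBUTES.include?(k.to_sym)
    end
    self
  end

  # Hardened pattern: copy only permitted fields; anything else is dropped
  # before it reaches the attribute writer.
  def update_profile(attrs)
    permitted = attrs.select { |k, _| PROFILE_FIELDS.include?(k.to_sym) }
    update_unchecked(permitted)
  end
end

# Constructed request body: a normal profile edit with an extra `role` key
# that no legitimate form would submit.
TAMPERED_PARAMS = {
  "name" => "alice", "email" => "alice@example.com", "role" => "admin"
}.freeze

def role_after_unchecked_update
  User.new(name: "alice", email: "a@example.com")
      .update_unchecked(TAMPERED_PARAMS).role
end

def role_after_profile_update
  User.new(name: "alice", email: "a@example.com")
      .update_profile(TAMPERED_PARAMS).role
end
```

The permit-list limits the blast radius of the bug the comment describes; keeping `role` out of anything reachable from a user-facing form is the cheap fix, and moving admin functions to a separately firewalled application is the stronger one.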