Security warning for non-Apache webserver users
Great plugin, 1 thing. It exposes .sqlite database object cache files on non-Apache servers without a clear warning of this in the setup docs. .ht or .sqlite file extensions MUST be blocked by the server to ensure this is safe. E.g. for NGINX:

    # Refuse requests for database dumps, .ht* files and SQLite files
    location ~ \.(sql|sql\.gz|htaccess|ht|sqlite|sqlite-shm|sqlite-wal)$ {
        deny all;
        return 444;  # close the connection without sending a response
    }

On further look, it does advise about storing the file in some other location than the webroot. But since the default is to store the files in wp-content, I recommend we add some example cfg like this to the docs. Would you please consider it?
I think it would save a lot of folks out there.
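
An added example, not part of the original post or the plugin's code: a small offline check of which request paths a location regex like the one above would refuse, comparing the form with a literal `\.` against a bare `.` in front of the extension list. The request paths and file names are constructed samples, and `re.search` stands in for nginx's case-sensitive `~` match on the request path.

```python
import re

# Extension list taken from the NGINX rule in the post.
EXTS = r"(sql|sql\.gz|htaccess|ht|sqlite|sqlite-shm|sqlite-wal)"

# nginx "location ~ <regex>" is a case-sensitive, unanchored regex search over
# the request path (query string excluded); re.search mirrors that here.
ESCAPED = re.compile(r"\." + EXTS + r"$")   # literal dot before the extension
UNESCAPED = re.compile(r"." + EXTS + r"$")  # bare dot: matches any character

# Constructed request paths; the file names are illustrative assumptions.
SAMPLE_PATHS = [
    "/wp-content/.ht.object-cache.sqlite",
    "/wp-content/.ht.object-cache.sqlite-wal",
    "/wp-content/.ht.object-cache.sqlite-shm",
    "/backup/dump.sql.gz",
    "/.htaccess",
    "/docs/intro-to-mysql",           # ordinary page whose slug ends in "sql"
    "/wp-content/uploads/photo.jpg",
    "/wp-content/cache.SQLITE",       # upper-case extension
]

SENSITIVE_SUFFIXES = (".sqlite", ".sqlite-wal", ".sqlite-shm")


def blocked(pattern, path):
    """True if a location with this regex would handle (and refuse) the path."""
    return pattern.search(path) is not None


def audit(paths=SAMPLE_PATHS):
    """Map each path to (blocked with escaped dot, blocked with bare dot)."""
    return {p: (blocked(ESCAPED, p), blocked(UNESCAPED, p)) for p in paths}


def overblocked(paths=SAMPLE_PATHS):
    """Paths refused only because the bare dot matches any character."""
    return [p for p, (esc, bare) in audit(paths).items() if bare and not esc]


def missed(paths=SAMPLE_PATHS):
    """SQLite-looking paths (any letter case) the escaped rule lets through."""
    return [p for p in paths
            if p.lower().endswith(SENSITIVE_SUFFIXES) and not blocked(ESCAPED, p)]


if __name__ == "__main__":
    for path, (esc, bare) in audit().items():
        print(f"{path:45} escaped={esc!s:5} bare-dot={bare}")
    print("over-blocked by bare dot:", overblocked())
    print("not covered (case-sensitive match):", missed())
```

The upper-case path is reported as not covered because `~` matches case-sensitively; nginx's `~*` modifier makes the same regex case-insensitive.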