I'm looking to restrict access to a specific file within a default wordpress install. This is referring to CVE-2018-6389 so I'm attempting to disable anyone from exploiting this. The file in question is
wordpress/wp-admin/load-scripts.php
I know of a paid plugin that can make this work but looking for another option. Perhaps changes to the .htaccess or the Apache virtual host file.
asked May 10, 2023 at 17:19 by Scivic

2 Answers
The file in question (load-scripts.php) is part of WordPress's admin interface. It's generally used to improve the performance of the admin panel by combining multiple JavaScript files into a single request. That being said, access to this file should be restricted to logged-in users only, as it could potentially be misused in a DoS attack as described in CVE-2018-6389.
However, it's important to note that WordPress has addressed this issue in their newer versions. If your WordPress installation is updated, you should be fine.
But if you still want to restrict access to this file for everyone except logged-in users, you can do it using the .htaccess file.
Here is an example of a rule you could add to your .htaccess file:
# Apache 2.2 access-control syntax. On Apache 2.4 these directives only
# work if mod_access_compat is loaded; otherwise Apache returns a 500
# (the 2.4 equivalent is "Require local").
<Files load-scripts.php>
# Evaluate Deny rules first, then Allow rules; Allow wins on a match.
Order Deny,Allow
Deny from all
# Only requests from the server itself (127.0.0.1 / ::1) get through.
Allow from localhost
</Files>
This rule will block access to load-scripts.php from all IP addresses except localhost.
Please note that this solution is not perfect, as it does not technically limit access to logged-in users, but rather to requests originating from the same server. This means that it would not prevent an attack from another script running on the same server.
A more secure, but complex, solution would involve modifying your WordPress installation to add an authentication check inside the load-scripts.php file. This would require PHP coding knowledge and would be more involved, but it would provide a more robust solution to this issue.
Also, make sure to always keep your WordPress updated to the latest version to benefit from the latest security patches and improvements.
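The same restriction written for Apache 2.4, as an added example that is not part of the answer above and not WordPress's own configuration. It assumes mod_authz_core and mod_rewrite are loaded, that the rules go into the .htaccess at the WordPress root (the directory that contains wp-admin) and that AllowOverride permits FileInfo and AuthConfig there. It shows the answer's IP-only restriction in 2.4 syntax next to a cookie-gated variant; pick one, do not stack both:

```apache
# Added example; not from the original answer. Assumes Apache 2.4 with
# mod_authz_core and mod_rewrite, placed in the WordPress root .htaccess.

# Variant A: same effect as the Order/Deny/Allow block in the answer,
# but in Apache 2.4 syntax that does not need mod_access_compat.
# Only requests that arrive from the server itself are allowed.
<Files "load-scripts.php">
    Require local
</Files>

# Variant B: reject requests for load-scripts.php that carry no WordPress
# login cookie. The cookie name WordPress sets is wordpress_logged_in_<hash>;
# only the presence of that name is tested, never its value, so this is a
# filter against unauthenticated scanners, not an authentication check:
# any client can send "Cookie: wordpress_logged_in_x=1" and get through.
RewriteEngine On
# No leading "^" on the path so the rule also matches installs in a
# subdirectory, e.g. /wordpress/wp-admin/load-scripts.php.
RewriteCond %{REQUEST_URI} /wp-admin/load-scripts\.php$ [NC]
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
RewriteRule ^ - [F,L]
```

Either variant also blocks the admin panel's own use of the file, because wp-admin fetches its combined scripts through load-scripts.php, so remote administrators will see a broken dashboard after Variant A. Adding define('CONCATENATE_SCRIPTS', false); to wp-config.php makes the admin pages load each script individually and keeps wp-admin usable behind the block. Variant B keeps the dashboard working for logged-in users but, as noted in the comments, is trivially bypassed by anyone who sets a cookie with that name prefix; it raises the bar, it does not restore authentication.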
This has been resolved in 4.9.3.
A logged-in user is not a safe user by default. If you have any non-admin users, you probably can't trust them. And a logged-in user can be tricked into executing a script.
So the real answer is to fix the security issue; trying to restrict access is more security theater than an actual fix.
Title: php - Restricting access to a file for everyone except logged in users
Tags: php
Source: http://www.betaflare.com/web/1736282684a1926723.html