WordPress.org
Get WordPress

Codex

Interested in functions, hooks, classes, or methods? Check out the new WordPress Code Reference!

User:MDAWaffe/Security Week

Introduction

WordPress has always taken security very seriously. When identifiable security risks have been found, the developers and community at large have always stepped up to the plate to address the issue.

Recently, a non-critical (though significant) security risk was brought to our attention. A potential solution has been proposed, but it's novel enough that we'd like to get as many people as possible to review it and make sure it's up to WordPress' high security standards.

But why stop with just one cog in the machine? This week, we'd like to step back and make sure everything is still up to snuff, so we're calling all you security minded folk out to help us ensure that the WordPress code is at its best.

Method

We're asking people to assign themselves one (or multiple!) files to audit.

You'll need to go through the file (yup, line by line) to find any potential security holes. Of course, most of WordPress' files reference other files (either directly or through function calls), so you'll need to see how your file talks to others and how other files talk to yours. Sounds awesome, doesn't it? We like to think of it as "Spring Break, WordPress!"

So sign up below by putting your name in parentheses next to the file you'll be working on. If you think everything's hunky-dory, check it off by writing down an "OK".

If you spot a hole or come across something you'd like to discuss, create a new ticket on http://trac.wordpress.org and site the ticket here in your parentheses. Make sure the ticket name and description are well thought out and please tag your ticket with "security-week".

Ideally, each file below will have several people looking it over.

Get testing!

Example

  • wp-config-sample.php (JohnDoe OK) (JaneDoe #1)

Files

A list of all non image files.

wordpress:

  • index.php
  • license.txt
  • readme.html
  • wp-atom.php
  • wp-blog-header.php
  • wp-comments-post.php
  • wp-commentsrss2.php
  • wp-config-sample.php
  • wp-feed.php
  • wp-links-opml.php
  • wp-login.php
  • wp-mail.php
  • wp-pass.php
  • wp-rdf.php
  • wp-register.php
  • wp-rss.php
  • wp-rss2.php
  • wp-settings.php
  • wp-trackback.php
  • xmlrpc.php

wordpress/wp-admin:

  • admin-db.php
  • admin-footer.php
  • admin-functions.php
  • admin-header.php
  • admin.php
  • bookmarklet.php
  • cat-js.php
  • categories.php
  • edit-comments.php
  • edit-form-advanced.php
  • edit-form-ajax-cat.php
  • edit-form-comment.php
  • edit-form.php
  • edit-link-form.php
  • edit-page-form.php
  • edit-pages.php
  • edit.php
  • execute-pings.php
  • import.php
  • index.php
  • inline-uploading.php
  • install-helper.php
  • install.php
  • link-add.php
  • link-categories.php
  • link-import.php
  • link-manager.php
  • link-parse-opml.php
  • list-manipulation.js
  • list-manipulation.php
  • menu-header.php
  • menu.php
  • moderation.php
  • options-discussion.php
  • options-general.php
  • options-head.php
  • options-misc.php
  • options-permalink.php
  • options-reading.php
  • options-writing.php
  • options.php
  • page-new.php
  • plugin-editor.php
  • plugins.php
  • post.php
  • profile-update.php
  • profile.php
  • setup-config.php
  • sidebar.php
  • templates.php
  • theme-editor.php
  • themes.php
  • update-links.php
  • upgrade-functions.php
  • upgrade-schema.php
  • upgrade.php
  • user-edit.php
  • users.php
  • wp-admin.css
  • xfn.js

wordpress/wp-admin/images: wordpress/wp-admin/import:

  • b2.php
  • blogger.php
  • dotclear.php
  • greymatter.php
  • livejournal.php
  • mt.php
  • rss.php
  • textpattern.php

wordpress/wp-content:

  • index.php

wordpress/wp-content/plugins:

  • hello.php
  • wp-db-backup.php

wordpress/wp-content/plugins/akismet:

  • akismet.php

wordpress/wp-content/themes: wordpress/wp-content/themes/classic:

  • comments-popup.php
  • comments.php
  • footer.php
  • header.php
  • index.php
  • sidebar.php
  • style.css

wordpress/wp-content/themes/default:

  • 404.php
  • archive.php
  • archives.php
  • attachment.php
  • comments-popup.php
  • comments.php
  • footer.php
  • functions.php
  • header.php
  • index.php
  • links.php
  • page.php
  • search.php
  • searchform.php
  • sidebar.php
  • single.php
  • style.css

wordpress/wp-content/themes/default/images:

  • header-img.php

wordpress/wp-includes:

  • cache.php
  • capabilities.php
  • class-IXR.php
  • class-pop3.php
  • class-snoopy.php
  • classes.php
  • comment-functions.php
  • default-filters.php
  • feed-functions.php
  • functions-compat.php
  • functions-formatting.php
  • functions-post.php
  • functions.php
  • gettext.php
  • kses.php
  • links.php
  • locale.php
  • pluggable-functions.php
  • registration-functions.php
  • rss-functions.php
  • streams.php
  • template-functions-author.php
  • template-functions-category.php
  • template-functions-general.php
  • template-functions-links.php
  • template-functions-post.php
  • template-loader.php
  • vars.php
  • version.php
  • wp-db.php
  • wp-l10n.php

wordpress/wp-includes/images: wordpress/wp-includes/images/smilies: wordpress/wp-includes/js:

  • colorpicker.js
  • dbx-key.js
  • dbx.js
  • fat.js
  • quicktags.js
  • tw-sack.js

wordpress/wp-includes/js/tinymce:

  • blank.htm
  • license.html
  • license.txt
  • tiny_mce.js
  • tiny_mce_gzip.php
  • tiny_mce_popup.js
  • wp-mce-help.php

wordpress/wp-includes/js/tinymce/langs:

  • en.js

wordpress/wp-includes/js/tinymce/plugins: wordpress/wp-includes/js/tinymce/plugins/autosave:

  • editor_plugin.js
  • editor_plugin_src.js
  • readme.txt

wordpress/wp-includes/js/tinymce/plugins/autosave/langs:

  • cs.js
  • en.js
  • sv.js

wordpress/wp-includes/js/tinymce/plugins/directionality:

  • editor_plugin.js

wordpress/wp-includes/js/tinymce/plugins/directionality/images: wordpress/wp-includes/js/tinymce/plugins/directionality/langs:

  • en.js

wordpress/wp-includes/js/tinymce/plugins/inlinepopups:

  • editor_plugin.js
  • editor_plugin_src.js
  • readme.txt

wordpress/wp-includes/js/tinymce/plugins/inlinepopups/css:

  • inlinepopup.css

wordpress/wp-includes/js/tinymce/plugins/inlinepopups/images: wordpress/wp-includes/js/tinymce/plugins/inlinepopups/jscripts:

  • mcwindows.js

wordpress/wp-includes/js/tinymce/plugins/wordpress:

  • editor_plugin.js
  • wordpress.css

wordpress/wp-includes/js/tinymce/plugins/wordpress/images: wordpress/wp-includes/js/tinymce/plugins/wordpress/langs:

  • en.js

wordpress/wp-includes/js/tinymce/plugins/wphelp:

  • editor_plugin.js

wordpress/wp-includes/js/tinymce/plugins/wphelp/images: wordpress/wp-includes/js/tinymce/plugins/wphelp/langs:

  • en.js

wordpress/wp-includes/js/tinymce/themes: wordpress/wp-includes/js/tinymce/themes/advanced:

  • about.htm
  • anchor.htm
  • charmap.htm
  • color_picker.htm
  • editor_template.js
  • editor_template_src.js
  • image.htm
  • link.htm
  • source_editor.htm

wordpress/wp-includes/js/tinymce/themes/advanced/css:

  • editor_content.css
  • editor_popup.css
  • editor_ui.css

wordpress/wp-includes/js/tinymce/themes/advanced/images: wordpress/wp-includes/js/tinymce/themes/advanced/images/xp: wordpress/wp-includes/js/tinymce/themes/advanced/jscripts:

  • about.js
  • anchor.js
  • charmap.js
  • color_picker.js
  • image.js
  • link.js
  • source_editor.js

wordpress/wp-includes/js/tinymce/themes/advanced/langs:

  • en.js

wordpress/wp-includes/js/tinymce/utils:

  • form_utils.js
  • mctabs.js
  • validate.js
Retrieved from "https://codex.wordpress.org/index.php?title=User:MDAWaffe/Security_Week&oldid=49145"

Codex Resources