24 Apr

Security Tip for Developers: .htaccess Based Protection Won’t Work on All WordPress Websites

One of the ways we see plugin developers try to stop improper access to files generated by their WordPress plugin is to restrict direct access to the files over the Internet through the use of access restrictions placed in a .htaccess file (as the was the case with a vulnerability we disclosed last week). The problem with this is that this only works if the website is hosted on a web server that utilizes .htaccess files. While they are used by the most popular web server Apache, they are not used by the Nginx, which along with Apache is recommended for use with WordPress, or Microsoft’s IIS, which WordPress supports with its own release of WordPress.

[Read more]