Can WP plugins access files outside the installation folder?

If I have multiple WP installations in let’s say /var/www. Can a plugin be developed to access files outside its own directory?

I want to host multiple installations for different customers in the same chroot. But those customers will have admin access to their instance. Can they theoretically develop a WP plugin to access the files (or even WP config, including DB credentials) of another WP installation?

For example, can the WP located at /var/www/wordpress-customer-1 access files located at /var/www/wordpress-customer-2?

Thanks!

Answers:


Method 1

Can they theoretically develop a WP plugin to access the files (or even WP config, including DB credentials) of another WP installation?

Yes.

If your folders are owned by the same user, run as the same user in Apache/Nginx or have read/write access to each other, then it’s possible.

Your installations are sandboxed at the server/host level, not the WP level. If your users have the ability to upload plugins or edit PHP, then they can easily upload a version of the emergency.php targeted at the other installs and reset the admin password. Likewise they could insert a PHP shell, or read the wp-config.php of the other install.

It’s also much worse: if one of those sites gets hacked, all of them could be infected. You also have a more difficult time with backups.

If you are concerned for security, you should fix this immediately. How you would fix that is server specific and not in the scope of this site. Consider asking on ServerFault.
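One way to check the answer's first condition (same owner, or read access between installs) on a host, as an added example that is not code from the original post or from WordPress: walk a web root, treat each child directory containing a wp-config.php as one install (an assumed layout), and report configs readable by other accounts or installs that share one owning uid.

```python
"""Audit filesystem isolation between sibling WordPress installs.

Assumed layout: <web_root>/<site>/wp-config.php, one directory per customer.
Fix for findings: one system user per site (chown -R), wp-config.php at 0640
or 0600, and a separate PHP-FPM pool running as that user for each site.
"""
import stat
from pathlib import Path


def find_wp_configs(web_root):
    """Map each install directory under web_root to its wp-config.php."""
    root = Path(web_root)
    if not root.is_dir():
        return {}
    return {d: d / "wp-config.php"
            for d in sorted(root.iterdir())
            if d.is_dir() and (d / "wp-config.php").is_file()}


def audit_isolation(web_root):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    owners = {}  # uid -> [install names]
    for install, cfg in find_wp_configs(web_root).items():
        st = cfg.stat()
        mode = stat.S_IMODE(st.st_mode)
        owners.setdefault(st.st_uid, []).append(install.name)
        # wp-config.php holds the DB credentials: an 'other' read bit lets every
        # local account, including every other site's PHP worker, read it.
        if mode & stat.S_IROTH:
            findings.append(f"{cfg}: world-readable (mode {mode:o})")
        # Group read is only safe when the group is private to this site.
        elif mode & stat.S_IRGRP:
            findings.append(f"{cfg}: group-readable by gid {st.st_gid} (mode {mode:o})")
        # A world-writable install dir lets a neighbour drop a PHP shell into it.
        if stat.S_IMODE(install.stat().st_mode) & stat.S_IWOTH:
            findings.append(f"{install}: world-writable directory")
    # Same uid across installs: a plugin in one runs with rights over all of them.
    for uid, names in owners.items():
        if len(names) > 1:
            findings.append(f"installs {', '.join(names)} share owner uid {uid}")
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    for line in audit_isolation(root) or ["no findings"]:
        print(line)
```

Run it as the web server's user to see exactly what a plugin's PHP process could reach; a clean result still leaves the PHP-FPM pool user to verify by hand.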


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.
