Opened 3 years ago
Closed 3 years ago
#43478 closed defect (bug) (duplicate)
Add ability to disable the password protected posts feature
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | 4.9.4 |
| Component: | Security | Keywords: | |
| Focuses: | Cc: |
Description
This functionality is not secure in the slightest. The password is stored as plain text. The fact that the password is meant to be shared among multiple people means that it's hard to change, it's liable to stop being a secret, it'll probably be very easy to guess if people are expected to remember it or write it down. The password entry also doesn't support any of the hooks from wp-login.php so a plugin which blocks brute force login attempts will allow post passwords to be brute forced.
It doesn't really belong in core - if somebody proposed it today they'd be told to write a plugin instead.
But if it can't be removed entirely, it should at least be possible to disable the functionality either with a constant or with remove_theme_support(...). This would allow hosts/maintainers of sites to protect their clients by forcing them to use more secure alternatives.
Change History (5)
#2
@
3 years ago
- Summary changed from Remove password protected post functionality, or make it possible to be disabled to Add ability to disable the password protected posts feature
#3
@
3 years ago
+1
I never use this feature, and I don't want clients to try using it. Common/shared, post based "passwords" are not a thing to use. Would be fine to be able to disable it cleanly by a hook.
#4
@
3 years ago
Perhaps also worth mentioning #9559 here, which was only fixed for non-logged in users.
This feature may provide sufficient protection for many users' needs, but it is anything but secure. Maybe it could be moved into a plugin, like Press This was, or at least disabled by default on new installs.
I somewhat agree with one of the suggestions here. Due to how authentication works within Core, I agree that a flag to disable this on a per site basis seems like a sensible way to go. I will note though that the password in plain text part of this doesn't seem like too much of an issue to me personally because if you're writing a post, it is somewhat public anyway.
Long story, short; yeah let's get this behind a flag so it can be turned off if you wish but not through a theme support function as themes shouldn't be removing functionality at all.
wp-configor via a plugin is the best way for backwards compatibility.