chesio / bc-security

Helps keep WordPress websites secure.
The Unlicense

Check whether upload of plugins and themes via a zip file is disabled #139

Closed. chesio closed this 1 year ago

chesio commented 1 year ago

This is something that I need to think over and research a bit more.

A properly managed and secured WordPress website does not need to upload plugins or themes as a zip file from the WordPress dashboard. This functionality is however very useful for any attacker who manages to take over an admin account, especially when editing of plugin and theme files is disabled via DISALLOW_FILE_EDIT.

Therefore it only makes sense to disable upload of plugins and themes via a zip file. Unfortunately, it cannot be done from within BC Security plugin as simply deactivating the plugin would be enough to reactivate the upload functionality.

So it has to be set up in a different way: most likely via a must-use plugin, as preliminary research suggests there is no constant to turn this functionality off (akin to DISALLOW_FILE_EDIT).

chesio commented 1 year ago

Resolution: from a security standpoint, it does not make sense to implement such a check on its own. Even without the option of uploading custom plugins via a zip file, there are ways to include custom PHP code on the website when access to the Plugins Directory is kept unrestricted.

A strictly secured website would have the DISALLOW_FILE_MODS constant set. This is however not the case for a typical WordPress website without "external" dependency management in place.
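For reference, the must-use plugin approach mentioned in the first comment, and the stronger DISALLOW_FILE_MODS setting mentioned in the resolution, look like this in practice. This is an added example written for this page, not code from the BC Security plugin or from chesio; it assumes the file is dropped into `wp-content/mu-plugins/` (a directory WordPress loads unconditionally, so a dashboard admin cannot deactivate it the way they could a regular plugin) and relies only on WordPress core's `map_meta_cap` filter and the `upload_plugins` / `upload_themes` capabilities that gate the zip-upload form and its handler.

```php
<?php
/**
 * Plugin Name: Disable plugin/theme zip uploads (example mu-plugin)
 * Description: Denies the upload_plugins and upload_themes capabilities to every
 *              user, so the "Upload Plugin"/"Upload Theme" buttons and the
 *              upload handler in wp-admin/update.php both refuse to work.
 *
 * Placement (assumption for this example): wp-content/mu-plugins/disable-zip-uploads.php
 * Must-use plugins cannot be deactivated from the dashboard, which is the point:
 * a compromised admin account cannot simply switch this control off.
 */

// Deny the zip-upload capabilities for everyone, including administrators.
// WordPress checks current_user_can( 'upload_plugins' ) before rendering the
// upload form and again before processing the uploaded archive; mapping the
// capability to 'do_not_allow' makes both checks fail.
add_filter(
    'map_meta_cap',
    static function ( array $caps, string $cap, int $user_id, array $args ): array {
        if ( in_array( $cap, [ 'upload_plugins', 'upload_themes' ], true ) ) {
            return [ 'do_not_allow' ];
        }
        return $caps; // leave every other capability mapping untouched
    },
    10,
    4
);

// Defence-in-depth for installs that do have external dependency management:
// the resolution above notes that only DISALLOW_FILE_MODS closes the remaining
// avenues (installing from the Plugins Directory, updating, editing). That is a
// wp-config.php constant, not something a plugin can enforce:
//
//     define( 'DISALLOW_FILE_MODS', true );
//
// With it set, WordPress core itself maps install/update/upload/edit capabilities
// to 'do_not_allow', and the filter above becomes redundant.
```

Note the trade-off the resolution spells out: this mu-plugin only removes the zip-upload path. An admin account that can still reach "Add New" from the Plugins Directory can still get arbitrary PHP onto the site, so the mu-plugin is a narrowing of attack surface rather than a substitute for DISALLOW_FILE_MODS.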