Closed nylen closed 4 years ago
You do understand that this is not a WP plugin, yes? It has no access to WP functions; it doesn't even run WP.
> It has no access to WP functions
Of course it does, if it detects WP and chooses to use its data for authentication:
    if ( file_exists( 'wp-load.php' ) ) {
        require_once 'wp-load.php';
        // now we have access to WP functions
        // require authentication of an admin user stored in WP database
    }
Note: I've edited the original issue to clarify this. I originally mentioned allowing access through wp-admin, but this makes more sense.
This is a feature we considered; we will probably work on it after v4 is released.
From https://interconnectit.com/products/search-and-replace-for-wordpress-databases/:
This is raising red flags for me. "be really careful" is not a solution for making this script accessible via the public web, especially for "naive users who don't really understand the risks".
I know this script is intended for use with more than just WordPress, but since this is probably the most common use case, one idea would be to make the default configuration of this script try to detect the WordPress settings, and if they are found, only allow access via the login of an administrative user on the WP site.
Failing that, what solutions are you working out to protect users further?
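One way the gate proposed in this thread could look, as an added example that is not code from the project or from any participant. It assumes the script sits in the WordPress root next to `wp-load.php`; the file name and the `example_deny()` helper are hypothetical, and refusing access when WordPress is not found is a design choice of this sketch rather than something the thread specifies.

```php
<?php
// Added example, not project code. Hypothetical file: auth-gate.php,
// required as the first statement of the script's entry point.
// Assumption: the script lives in the WordPress root, next to wp-load.php.

function example_deny( string $reason ): void {
    // Works with or without WordPress loaded; discloses only the reason.
    http_response_code( 403 );
    header( 'Content-Type: text/plain; charset=utf-8' );
    header( 'Cache-Control: no-store' );
    exit( $reason . "\n" );
}

// Absolute path, so the check does not depend on the current working directory.
$wp_load = __DIR__ . '/wp-load.php';

if ( ! is_file( $wp_load ) ) {
    // Design choice of this example: fail closed when there is no WordPress
    // to authenticate against, instead of falling back to open access.
    example_deny( 'WordPress not found; access disabled.' );
}

require_once $wp_load; // boots WordPress: database, users, auth cookies

if ( ! is_user_logged_in() ) {
    auth_redirect(); // redirects to the WordPress login page and exits
}

// A database-wide search and replace touches every site on a network, so
// require a super admin on multisite and an administrator capability otherwise.
$allowed = is_multisite() ? is_super_admin() : current_user_can( 'manage_options' );

if ( ! $allowed ) {
    example_deny( 'Administrator account required.' );
}

// Execution reaches this point only for an authenticated administrator.
```

The gate depends on WordPress still being able to boot and log users in. `auth_redirect()` builds the login URL from the site's stored URL settings, so if those are the values being corrected the redirect may point at the old host.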