Security and Must Use Plugins

I agree with Wyck’s comment. If I can upload files, game over. If I couldn’t upload to mu-plugins chances are that I could upload, and overwrite, the theme’s functions.php or Core files instead. Any of those options work as well or better than a mu-plugin file would.

The “also modify the database” part is irrelevant because if I can upload files modifying the database is trivial. Just run wp_insert_user or use $wpdb to run SQL to directly alter the database.

In other words, if I can upload files to the server I have already got more substantial control over the server than PHP is able to deal with, more control than PHP is able to put up a barrier against. The ability to upload to the server is a very substantial hack.

I don’t know that activating plugins is so much security as it is convenience. The user can switch plugins on and off, and the developer can use activation and deactivation hooks to run special purpose code.

Related Posts:

  1. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  2. Are WordPress Plugins essential?
  3. I found this in a plugin. What does it do? is it dangerous?
  4. What are the common security flaws I need to look for? [closed]
  5. Disabled plugins are they security holes – rumor or reality?
  6. What could a hacker do with my wp-config.php
  7. How Can I Securely Implement a Password-less Login Feature?
  8. Security and .htaccess
  9. Are there procedures to prevent malicious plugin updates?
  10. Secure WordPress paid plugin
  11. How to make media upload private? [duplicate]
  12. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  13. What does a security risk in a plugin look like?
  14. WordPress Capabilities: edit_user vs edit_users
  15. Should we use plugins that aren’t available from the official WordPress site?
  16. How to check plugins for malicious code?
  17. How to properly secure my WordPress installation?
  18. Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?
  19. Where should my plugin POST to?
  20. Security error WP 4.0 + WP phpBB Bridge [closed]
  21. Should I install plugins to my WordPress installation from web sites having in URL “nulled” or, “null”?
  22. Disabled plugins are security holes – rumor or reality?
  23. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  24. Prevent Brute Force Attack
  25. Why users disable the WordPress update?
  26. Will WordPress username displayed somewhere in the site?
  27. Upgrading WordPress 4.0 asks for FTP password
  28. Is revealing just the AUTH_KEY a security issue?
  29. When is it useful to use wp_verify_nonce
  30. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  31. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  32. How to expire all wordpress user passwords instantly?
  33. Weird problems after recovery from security breach
  34. How can we deal with unmaintained plugins with vulnerabilities?
  35. Security checking in meta_box save is reluctant?
  36. Escape when echoed
  37. Should you escape hardcoded URLs?
  38. Preventing BFA in WordPress without using a plugin
  39. How can I make uploaded images in the editor load with HTTPS?
  40. How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
  41. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  42. WordPress filter that hook after each action/filter hook
  43. How to delete Passwrd Protected posts cookies when a user logged out from the site
  44. Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
  45. Upgraded to latest version – 3.0.3 and Now I get a “sufficient permissions to access this page” error
  46. Headers Content-Security-Policy CSP Major Issue
  47. How to block plugin activations with no known user or coming from unknown IP address range?
  48. Check for security updates
  49. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  50. Why can’t I access my Intranet LDAPS with NADI?
  51. Malicious File Upload [closed]
  52. Stop Plugin Enumeration [closed]
  53. Malware installation during plugin update?
  54. Hack-Proof OR Security in WordPress — is it real?
  55. I should enable automatic updates?
  56. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  57. Is Timthumb still broken? What security measures should be taken?
  58. Prevent direct access to WordPress plugin assets?
  59. Is it safe to use admin-ajax.php in the frontend?
  60. How to protect WordPress from security scanner [closed]
  61. Specific way to allow WordPress users to view their current password? And edit it?
  62. Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?
  63. How to prevent plugins from sniffing/stealing other plugins’ options?
  64. Website show Google Ads when we have no Google Ads linked to our website
  65. Vulnerability Concern From the Plugin or From Not Updating the Plugin?
  66. How to deal with Slow HTTP POST (slowloris) vulnerability
  67. Running multiple security plugins
  68. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  69. Regarding plugin security
  70. How do I determine if the user who registered is not spam?
  71. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  72. WP Insert Post If user refreshes override new post
  73. 404 errors when updating options in admin dashboard
  74. Website Captcha Error: The reCAPTCHA wasn’t entered correctly
  75. WordPress search shows protected content
  76. Can I disable xml-rpc by setting it to false?
  77. How can I disable new plugin and theme install, but allow updates?
  78. Help to Create a Simple Plugin to make a post
  79. Validating ajax search
  80. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  81. WordPress disable direct access of files in WordPress installation path
  82. Asking help regarding potential malware
  83. “Fire Secure” menu item
  84. https rewrite not working for All in one security Brute force > rename login url
  85. Redux framework somehow added to my site, can’t locate in plugins
  86. Being hacked. Is there a list of WordPress security holes I can check against?
  87. wp_verify_nonce fails always
  88. Validating values using Settings API?
  89. using .htaccess only for wordpress security no plugins
  90. Unwanted Links and Spam WordPress Pages and Posts
  91. Problem with permissions in wp-content/plugins
  92. File permissions for wp-minify plugin
  93. What is the recommended way to be notified of security updates to my plugins? [closed]
  94. My WP site and password was hacked, what to do? [closed]
  95. How to resolve these findings from security audit
  96. How I can hide my wp folders from Inspect Element (Developer Tools)
  97. How to Find WordPress site has backdoor login Codes
  98. How to delete Password Protected posts cookies when a user logged out from the site
  99. How to rename files during upload to a random string?
  100. Stop the user if login from the cookies