A client of mine runs a BuddyPress-based site (BP 1.2.6 on WP 3.0.2). We’d like to give users the ability to publish blogs of their own, but we don’t want them to be able to execute PHP code (we make extensive use of the Exec-PHP plugin on the site), activate/deactivate plugins, or basically anything but use the site and publish blogs. How can we lock things down such that only users with “admin” level privileges and higher can execute PHP code, activate/deactivate plugins, manage users, and the like?
Kit, I’d say that if you make extensive use of Exec-PHP what you really need is a developer that can make stuff happen without it. In reality, that plugin is a crutch that is easily replaced with proper widgets, plugins and template code. So, the best advice I can give you about securing that plugin is to remove it.
I ran across this plugin the other day.
http://justintadlock.com/archives/2009/09/17/members-wordpress-plugin
It allows you to set the privileges for pretty much every aspect of WordPress.
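
The same lock-down can be done in code with WordPress's role API instead of a role-editor plugin. This is an added example, not code from the thread: the `example_` function names are hypothetical, and the two Exec-PHP capability names are an assumption to verify against the plugin version installed.

```php
<?php
/*
Plugin Name: Example role lock-down (added example)
*/

// Capabilities that allow running code, managing plugins/themes, or managing users.
// All are WordPress core capabilities except the last two.
function example_restricted_caps() {
    return array(
        'activate_plugins', 'edit_plugins', 'install_plugins', 'update_plugins', 'delete_plugins',
        'switch_themes', 'edit_themes', 'install_themes', 'update_themes', 'update_core',
        'list_users', 'create_users', 'edit_users', 'promote_users', 'remove_users', 'delete_users',
        'manage_options', 'edit_files', 'import', 'unfiltered_html',
        'exec_php', 'edit_others_php', // ASSUMED Exec-PHP capability names; confirm before relying on them
    );
}

// Remove every restricted capability from every role except Administrator.
// Returns array( role => array( removed caps ) ) so the change can be logged and reviewed.
function example_lock_down_roles() {
    global $wp_roles;
    if ( ! isset( $wp_roles ) ) {
        $wp_roles = new WP_Roles();
    }

    $removed = array();
    foreach ( array_keys( $wp_roles->roles ) as $role_name ) {
        if ( 'administrator' === $role_name ) {
            continue; // admins keep full control
        }
        $role = get_role( $role_name );
        if ( ! $role ) {
            continue;
        }
        foreach ( example_restricted_caps() as $cap ) {
            if ( $role->has_cap( $cap ) ) {
                $role->remove_cap( $cap ); // persisted to the roles option in the database
                $removed[ $role_name ][] = $cap;
            }
        }
    }
    return $removed;
}

// remove_cap() writes to the database, so run once on activation rather than on every request.
register_activation_hook( __FILE__, 'example_lock_down_roles' );
```

Roles are stored per site, so on a network where each user gets a blog this only changes the site it is activated on, and a user who is Administrator of their own blog is not affected by it.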