Making WordPress.org

Opened 2 months ago

Closed 8 weeks ago

Last modified 7 weeks ago

#7960 closed defect (bug) (fixed)

Rosetta Sites and WordPress.org Sub-sites: Access Behavior of /wp-admin/about.php

Reported by: kimjiwoon
Owned by:
Milestone:
Priority: low
Component: Support Forums
Keywords:
Cc:

Description

Rosetta Sites and WordPress.org Sub-sites: Access Behavior of /wp-admin/about.php

Author: Jiwoon Kim (Meta Translation Editor, Korean Locale)
Date Reported: April 21, 2025
Priority: Low (Not a security issue)
Scope: Various Rosetta sites and related WordPress.org sub-sites

I am a Meta Translation Editor (PTE) for the Korean WordPress team. With PTE permissions, I can access the backend at https://ko.wordpress.org/wp-admin/. However, I discovered several cases where /wp-admin/about.php is accessible even without proper permissions. While this does not seem to be a security issue, I am reporting it here for documentation and potential review.

---

### Korean Rosetta Site (/team/, /support/)

Since https://ko.wordpress.org/wp-admin/index.php is accessible, it's understandable that
https://ko.wordpress.org/wp-admin/about.php is also accessible.

  • Accessing https://ko.wordpress.org/team/wp-admin/about.php redirects to the user profile at https://profiles.wordpress.org/kimjiwoon/.
  • Attempting to access https://ko.wordpress.org/support/wp-admin/ shows the error:

    "You tried to access the 'Korean Support' dashboard, but you do not currently have access to this site. If you believe you should be able to access the 'Korean Support' dashboard, please contact the network administrator."

However, https://ko.wordpress.org/support/wp-admin/about.php is accessible without permissions.

---

### Japanese Rosetta Site

  • Accessing https://ja.wordpress.org/wp-admin/about.php redirects to https://profiles.wordpress.org/kimjiwoon/.
  • https://ja.wordpress.org/support/wp-admin/about.php is accessible without permissions.

---

### WordPress.org Forums

  • Accessing https://wordpress.org/support/wp-admin/ returns the following error:

    "You tried to access the 'WordPress.org Forums' dashboard, but you do not currently have access to this site. If you believe you should be able to access the 'WordPress.org Forums' dashboard, please contact the network administrator."

However, https://wordpress.org/support/wp-admin/about.php is accessible.

---

### bbPress.org

  • https://bbpress.org/wp-admin/ shows:

    "Sorry, you are not allowed to access this page."

However, https://bbpress.org/wp-admin/about.php is accessible (displayed in English even if the site language is Korean).

---

### BuddyPress.org

  • Accessing https://buddypress.org/wp-admin/about.php redirects to the site front page https://buddypress.org/.

---

### GPT Analysis

about.php is a core admin file in WordPress, typically gated behind login and capability checks like wp-admin/index.php. On multisite installations, if sub-sites are not fully configured or capability checks are not enforced for specific files, access to /about.php may be inadvertently allowed.

The about.php file primarily contains read-only release notes and update information (e.g. “What’s New”), and is intended to be informational rather than administrative — hence, it's likely that explicit access restrictions were not enforced on purpose.

Some sub-sites, even within a multisite environment, do not redirect properly or display profile pages instead of denying access.

---

### 🧩 What does this suggest?

There appears to be a consistent pattern where the about.php file is accessible *only* on sites based on bbPress, which is not expected behavior.

In a typical WordPress Multisite setup, accessing wp-admin/about.php on a subsite should be restricted by user capabilities. However, bbPress may be bypassing or missing this permission check.

The fact that about.php is also accessible on bbPress.org itself suggests a possible omission or inconsistency in how bbPress handles admin templates or hooks.

---

### 🛠 Likely Cause Candidates

The about.php file is a static PHP file located directly under the /wp-admin/ directory in WordPress Core. It doesn't include its own capability check internally.

Normally, access restrictions are handled globally via admin.php or admin_init hooks in WordPress. But in bbPress, these checks might be missing for specific files like about.php, or filters may be malfunctioning before the file is loaded.

Alternatively, it’s possible that about.php was intentionally left open as a "read-only public info page." Even so, the fact that only bbPress-related sites allow access while others block it raises concerns about inconsistency in permission enforcement.

---

### Security Considerations

This is not a security vulnerability. The about.php file does not allow administrative actions or access to sensitive data — it only displays release information.

However, unauthenticated access to /wp-admin/ paths, even for read-only pages, could cause UX confusion or indicate a lack of consistent policy enforcement across the network. If unintended, this behavior might be worth reviewing and improving.

---

### Additional Observation: Version Display Inconsistency

At the bottom of /wp-admin/ pages, the WordPress version string sometimes changes between reloads:

Example:

  • Initially: Version 6.9-alpha-60170
  • After refresh: Version 6.9-alpha-60172

This could be due to version metadata being served from different build caches or CDN nodes, especially within a Trunk development environment. When servers or caches are not fully synchronized, minor inconsistencies in version strings can occur.

---

### WordPress.com / Dashboard Access Examples

  • https://wordpress.com/wp-admin/my-sites.php: Access denied.
  • https://wordpress.com/wp-admin/about.php: 403 Forbidden.
  • https://wordpress.com/wp-admin/index.php: Redirects to https://wordpress.com/sites.

---

### dashboard.wordpress.com

  • https://dashboard.wordpress.com/wp-admin/: Accessible.
  • https://dashboard.wordpress.com/wp-admin/index.php?page=my-blogs: Accessible.
  • https://dashboard.wordpress.com/wp-admin/about.php: 403 Forbidden with message:

"Lost? Our server sentries tell us you probably shouldn’t be here. Maybe you’re lost?
If you’re sure this is the place you’re trying to go, please contact us and we’ll be happy to help."

---

### Jetpack-Related Subdomains

  • https://jetpackme.wordpress.com/wp-admin/: Inaccessible.
  • https://koreanjetpack.wordpress.com/wp-admin/: Inaccessible.

*User kimjiwoon96 Cannot Access the Dashboard Requested*
"You are logged in as 'kimjiwoon96' and do not have the necessary privileges to access the dashboard for 'Jetpack — Essential Security & Performance for WordPress'. If you are not 'kimjiwoon96', please log out, and log back in with your username. If you are 'kimjiwoon96' and you need access, please ask an administrator of the site to invite you."

Change History (4)

#1 follow-up: @dd32
8 weeks ago

Hi @kimjiwoon,

This is a little hard to follow, due to the length of the ticket.

I guess this ticket really can be summarised as:

> /wp-admin/about.php is accessible to all logged in users.

However, there's a few things worth mentioning:

  • On WordPress.org we have an explicit redirect for user experience that redirects the user away from wp-admin, but that doesn't apply in all cases because:
  • bbPress has a setting where all users are automatically granted a user role, which is probably why the user has access to wp-admin/, but capability checks would prevent access to all pages within (cc @johnjamesjacoby I think bbPress has a variant of this redirect too?)
  • Multisite has a wp-admin/user/ dashboard which should be accessible to most logged in users, and I believe the about page is there too. (It's disabled on w.org)

I've made some changes to that redirect, which should resolve this ticket, I think. If you could test that it now works as you'd expect.

#2 in reply to: ↑ 1 @kimjiwoon
8 weeks ago

Replying to dd32:

Thanks @dd32 — I tested again and can confirm that the redirect now works as expected.

That said, if the page is going to remain accessible anyway, I think it would be reasonable to include a UI element for it on https://ko.wordpress.org/wp-admin/index.php.

  • I've confirmed that the site is running version 6.9-alpha-60178.

From a UX perspective, I’d just like to share one additional thought:

Since accessing URLs like this isn’t a typical user behavior, it’s usually learners like myself — trying to understand the meta structure of WordPress.org — who explore these pages.

This kind of redirection might feel unintuitive to users who are trying to understand the internal multisite structure of WordPress.org — especially contributors or learners analyzing the platform behavior.

For example, WordPress.com provides more explicit responses like:

  1. “You don’t have permission to access this page.”
  2. HTTP 403 Error
  3. A helpful message like: _"You are logged in as 'username' and do not have the necessary privileges to access this dashboard."_

These kinds of messages help clarify that the site is running a multisite setup, and that user roles are intentionally limited.

Just wanted to offer this small UX feedback from the perspective of someone researching how WordPress.org is architected. 🙂

Thanks again for your quick update and support!

#3 @dd32
8 weeks ago

  • Resolution set to fixed
  • Status changed from new to closed

> This kind of redirection might feel unintuitive to users who are trying to understand the internal multisite structure of WordPress.org — especially contributors or learners analyzing the platform behavior.

This is a reasonable point to raise, but WordPress.org has many customizations due to the number of logged in users we have, and the general lack of need for wp-admin access for most users (and all visitors).

This is more of a user experience "improvement" even though it's less clear as to why you're being redirected. The experience for the majority of users landing on a WordPress.org page that says "you can't access this" and not knowing what they're accessing has more problems.

You're one of the few users with wp-admin access, and as such you're going to see more wp-admin urls than most, but most users should never see a link to wp-admin anywhere on WordPress.org.

#4 @johnjamesjacoby
7 weeks ago

> bbPress has a setting where all users are automatically granted a user role, which is probably why the user has access to wp-admin/, but capability checks would prevent access to all pages within

I just reconfirmed this is working as intended in bbPress 2.6 (and trunk). Admin-area content is limited to users with a Moderator or Keymaster role.

> I think bbPress has a variant of this redirect too?

bbPress does not redirect anyone out of wp-admin by default. (Would be a super-easy feature to add.)

Users without caps who try to access bbPress pages will see the "Sorry, you are not allowed to access this page." wp_die() page.
