WordPress has a database repair and optimization mode that can be activated by setting WP_ALLOW_REPAIR to true in the configuration.
If activated, the repair page can be accessed by any user, authenticated or not. This makes sense because if the database is corrupted, the
authentication mechanism might not work.
Malicious users could trigger this potentially costly operation repeatedly, slowing down the website and making it unavailable.
Ask Yourself Whether
- The database is not currently corrupted.
There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
It’s recommended to enable automatic database repair mode only in case of database corruption. This feature should be deactivated again when the
database issue is resolved.
Sensitive Code Example
define( 'WP_ALLOW_REPAIR', true ); // Sensitive
Compliant Solution
// The default value is false, so the value does not have to be explicitly set.
define( 'WP_ALLOW_REPAIR', false );
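An added audit helper, not part of the original rule text and not WordPress code: it scans the contents of a wp-config.php file for an active WP_ALLOW_REPAIR define (ignoring commented-out ones) and reports whether repair mode is enabled. The sample configuration below is constructed for this example.

```python
import re

# Matches define('WP_ALLOW_REPAIR', <value>); with either quote style and flexible spacing.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])WP_ALLOW_REPAIR\1\s*,\s*(?P<value>[^)]+?)\s*\)\s*;""",
    re.IGNORECASE,
)
# Literal values PHP treats as true when the constant is checked as a boolean.
TRUTHY = {"true", "1", "'1'", '"1"', "'true'", '"true"'}

# Constructed sample wp-config.php fragment (not taken from any real site).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
// define( 'WP_ALLOW_REPAIR', true );   leftover from an earlier repair, commented out
/* define('WP_ALLOW_REPAIR', true); */
define( 'WP_ALLOW_REPAIR', true ); // Sensitive
define( 'WP_DEBUG', false );
"""

def strip_comments(source):
    """Blank out /* */ and line comments while preserving line numbers.
    Simplification: a '//' or '#' inside a string literal is also treated as a comment."""
    source = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), source, flags=re.S)
    return "\n".join(re.split(r"//|#", line, maxsplit=1)[0] for line in source.splitlines())

def audit_wp_config(source):
    """Return (line_number, value, enabled) for every active WP_ALLOW_REPAIR define."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), start=1):
        m = DEFINE_RE.search(line)
        if m:
            value = m.group("value").strip()
            findings.append((lineno, value, value.lower() in TRUTHY))
    return findings

def repair_mode_enabled(source):
    """PHP keeps the first successful define() of a constant, so the first active one decides."""
    findings = audit_wp_config(source)
    return findings[0][2] if findings else False

if __name__ == "__main__":
    for lineno, value, enabled in audit_wp_config(SAMPLE_WP_CONFIG):
        state = "ENABLED (sensitive)" if enabled else "disabled"
        print(f"line {lineno}: WP_ALLOW_REPAIR = {value} -> {state}")
    print("repair mode enabled:", repair_mode_enabled(SAMPLE_WP_CONFIG))
```

Run it against a real wp-config.php by reading the file into `audit_wp_config`; an absent define is reported as disabled because false is the WordPress default.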
See