WordPress has a database repair and optimization mode that can be activated by setting WP_ALLOW_REPAIR to true in the configuration.

If activated, the repair page can be accessed by any user, authenticated or not. This makes sense because if the database is corrupted, the authentication mechanism might not work.

Malicious users could trigger this potentially costly operation repeatadly slowing down the website, and making it unavailable.

Ask Yourself Whether

• The database is not currently corrupted.

There is a risk if you answered yes to this question.

Recommended Secure Coding Practices

It’s recommended to enable automatic database repair mode only in case of database corruption. This feature should be deactivated again when the database issue is resolved.

Noncompliant Code Example

define( 'WP_ALLOW_REPAIR', true ); // Sensitive

Compliant Solution

// The default value is false, so the value does not have to be expilicitly set.
define( 'WP_ALLOW_REPAIR', false );

See

• OWASP Top 10 2021 Category A5 - Security Misconfiguration
• OWASP Top 10 2021 Category A7 - Identification and Authentication Failures
• wordpress.org - Automatic Database Optimizing
• OWASP Top 10 2017 Category A6 - Security Misconfiguration