Disallow the creation of a /blog/ site

[ocean90]

Add a check on ms-sites and sign up to disallow the creation of a /blog/ site, because it'S reserved for the main site.

[nacin]

We need to prevent these from being valid, aside from also blocking them in ms-settings:
$reserved_blognames = array( 'page', 'comments', 'blog', 'wp-admin', 'wp-includes', 'wp-content', 'files', 'feed' );

[wpmuguru]

(In [14516]) don't allow blog sub site in folder install, see #13304

[jwriteclub]

Adds an extra check to 'create_empty_blog'

[jwriteclub]

Here's a first whack at it.

It seems to work, but it may not be as robust as necessary

[jwriteclub]

Actually, this should probably use '$sitemetaillegal_names?[]' instead of $reserved_names

[nacin]

We were talking about this in IRC, it should be reserved_blognames for names we must absolutely block, such as blog, files, wp-includes, wp-content, etc. Illegal names can be changed in the admin and they should be for signups only.

Reserved names should be blocked when creating a site in the admin, via signup, and also when trying to query said site in ms-settings (as it is there now).

That said, the array should be filterable.

[jwriteclub]

Well, I left the patch as $reserved_names, but, do we have an existing filter for it? Or do we need to add a new filter to cause it to be called?

[ocean90]

We need a global, filterable array: $reserved_blognames. On each place (sign up, ms sites), where we can create a site, we need this array and check, if the name is allowed.

[wpmuguru]

Replying to nacin:

We were talking about this in IRC, it should be reserved_blognames for names we must absolutely block, such as blog, files, wp-includes, wp-content, etc. Illegal names can be changed in the admin and they should be for signups only.

Reserved names should be blocked when creating a site in the admin, via signup, and also when trying to query said site in ms-settings (as it is there now).

That said, the array should be filterable.

Users are not allowed to sign up with a '-' in the blogname. So, the only ones that need to be blocked are blog & files.

Since we are expecting a basic level of competency in super admins, I am opposed to putting a hard coded block in that prevents super admins from creating wp- conflicting sites.

[wpmuguru]

(In [14681]) block creation of 'files' sub site, see #13304

[ocean90]

/blog/ is now blocked. Not on ms-sites page, but "we are expecting a basic level of competency in super admins". So this is fixed.
blocker: -1

[nacin]

Re-opening after discussion in #13527. I'm expecting a basic level of competency of super admins too, but frankly a "blog" subsite will be the first thing most people create. We need to disallow bad ones everywhere, not just on registration, and control them via a filter.

[mitchoyoshitaka]

As reporter of #13527, let me also redouble nacin here: reading over this thread, I understand the argument that "we are expecting a basic level of competency in super admins" but I see this as only really making sense for the wp- names which everyone knows exists... as an experienced WP user who actually ran into this issue, it's not self-evident why /blog doesn't work.

[jorbin]

I added a patch that checks againgst the array of:

'page', 'comments', 'blog', 'files', 'feed'

both for signups and for admin created blogs. There is a filter that allows it to be overridden. I imagine there might be some ux feedback on my error message so I'm tagging as such. Right now it reads:

blog, comments, page, files and feed are not vaild names and are reserved for use by WordPress

[wpmuguru]

Ensure that those are only blocked in the appropriate version folder or subdomain install. ​http://blog.domain.com is fine. All of these are fine as subdomains:

'page', 'comments', 'blog', 'files', 'feed'

[jorbin]

wpmuguru - both parts check for ! is_subdomain_install() before checking the subdirectory_reserved_names list.

I've updated the wording based on IRC ​https://irclogs.wordpress.org/chanlog.php?channel=wordpress-dev&day=2010-05-26#m137155

[nacin]

(In [14928]) Prevent super admins from shooting themselves in the foot. props jorbin. Checks blog names against an array (filterable) of reserved keywords for subdirectory installs. fixes #13304.