Archive for the ‘Security’ Category

Is unfiltered_html capability deprecated?

Saturday, February 19th, 2011

Is WordPress unfiltered_html capability deprecated

unfiltered_html

Eberle13 (a “User Role Editor” plugin user) asked me why the ‘unfiltered_html’ user role capability does not work under WordPress multi-site. I found the reason and posted the answer to eberle13’s question at wordpress.org.
Curious, I played with my test WordPress 3.1 Release Candidate 4 multi-site installation. The problem with the ‘unfiltered_html’ capability still exists there. I decided to make a special post about it, as it could interest someone else. I tried to insert the modern HTML5 tag ‘<video>’ into a post without success: WordPress removed it every time I saved the post, even though I did this under an account with ‘Editor’ role privileges. The ‘Editor’ role has the ‘unfiltered_html’ capability turned on by default. What is the reason? Why does this capability fail to work?
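A quick way to see why a role's ‘unfiltered_html’ grant is not the whole story is to compare what the role says with what WordPress actually resolves the capability to. The snippet below is an added diagnostic, not code from the User Role Editor plugin or from WordPress: it reports the raw role grant, the effective answer from the capability check, and the two rules in WordPress core’s map_meta_cap() that override the role (the DISALLOW_UNFILTERED_HTML constant, and multi-site, where only super admins keep the capability). The function name ure_example_… and dropping it into wp-content/mu-plugins/ on a test site are assumptions.

```php
<?php
/**
 * Diagnose why 'unfiltered_html' is (or is not) effective for a user.
 * Added example, not plugin or core code. Put it in wp-content/mu-plugins/
 * on a test installation; it prints a report in the admin footer for administrators.
 */

function ure_example_unfiltered_html_report( $user_id = 0 ) {
    if ( ! $user_id ) {
        $user_id = get_current_user_id();
    }
    $user = new WP_User( $user_id );
    if ( ! $user->ID ) {
        return array( 'error' => 'no such user' );
    }

    $report = array(
        'user'                   => $user->user_login,
        'roles'                  => $user->roles,
        // Raw grant: does any of the user's roles list the capability at all?
        'role_grants_capability' => false,
        // Effective answer: WP_User::has_cap() runs map_meta_cap() first,
        // so this is what current_user_can( 'unfiltered_html' ) would return.
        'effective'              => $user->has_cap( 'unfiltered_html' ),
        'blocked_by'             => array(),
    );

    foreach ( $user->roles as $role_name ) {
        $role = get_role( $role_name );
        if ( $role && $role->has_cap( 'unfiltered_html' ) ) {
            $report['role_grants_capability'] = true;
        }
    }

    // Core maps 'unfiltered_html' to 'do_not_allow' in these two cases,
    // regardless of what the role says.
    if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
        $report['blocked_by'][] = 'DISALLOW_UNFILTERED_HTML constant is set';
    }
    if ( is_multisite() && ! is_super_admin( $user_id ) ) {
        $report['blocked_by'][] = 'multi-site: only super admins keep unfiltered_html';
    }

    // Cross-check against core: the primitive capabilities the meta cap resolves to.
    $report['mapped_to'] = map_meta_cap( 'unfiltered_html', $user_id );
    return $report;
}

// Show the report to administrators only; it is plain diagnostic output.
function ure_example_print_report() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<pre>' . esc_html( print_r( ure_example_unfiltered_html_report(), true ) ) . '</pre>';
}
add_action( 'admin_footer', 'ure_example_print_report' );
```

On a multi-site blog an Editor will show role_grants_capability = true but effective = false, with mapped_to containing do_not_allow; that gap between the role table and the runtime check is what makes the capability look broken.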
Read the rest of this entry

Custom User Roles and WordPress Core Code Compatibility Issues

Tuesday, September 14th, 2010

Custom User Roles


WordPress has a good built-in user levels/capabilities/roles system. The standard roles are administrator, editor, author, contributor and subscriber. This set of roles is enough in most cases for most needs. But from time to time you need something special, something of your own. In such cases you can use the User Role Editor WordPress plugin and build your own custom user role. But you should do it carefully and test the newly created user role thoroughly, as:

  • 1st, you could open breaches in the WordPress security system;
  • 2nd, you could lose some useful WordPress functionality.

One example of lost WordPress functionality for custom user role is described here:

Read the rest of this entry

Silence is Golden Guard WordPress plugin v. 1.5 update

Sunday, May 9th, 2010

Silence is golden guard plugin is updated

SIG GUARD Updated

The next update, v.1.5, is available for the Silence is Golden Guard WordPress plugin. With the help of plugin users, an incompatibility with the WP Super Cache plugin was discovered and fixed. The problem was that a blog with WP Super Cache active became unavailable after activating the SIG plugin. Analysis showed that an index.php file with a redirection directive in the wp-super-cache/plugins directory results in an endless redirection loop which blocks access to both the blog front-end and the admin back-end. From version 1.5, the SIG plugin checks whether WP Super Cache is active and, if so, creates an empty index.php file without the redirection directive for the wp-super-cache/plugins directory. The incompatibility issue is resolved this way.
Read the rest of this entry

Silence is Golden Guard Plugin v. 1.3 is available

Monday, April 12th, 2010

Silence is golden guard plugin is updated

SIG GUARD Updated

The next update, v.1.3, is available for the Silence is Golden Guard WordPress plugin. It can now redirect every directory listing request to the site root, rebuild all SIG-created dummy index.php files according to the selected format (redirection to the root, or just an empty page), and remove unused (garbage-like) files from plugin folders, such as readme.txt, screenshot-*.gif, screenshot-*.png and screenshot-*.jpg. Those files are put into the plugin package so that wordpress.org can show information on the plugin page; 1st, they are not used on your blog, and 2nd, they easily expose the plugin version to a potential attacker, who can simply open them in his browser. If you use a plugin version with a known vulnerability, this is dangerous and makes the attacker’s life easier. We don’t want that, right?
If you have ideas to propose as additions to this plugin’s functionality, you are welcome! What other files in a WordPress installation or its plugins reveal too much to potential attackers? I will add an option to remove them in the next SIG Guard plugin version.

User Role Editor WordPress plugin

Saturday, March 20th, 2010

User Role Editor WordPress plugin

User Role Editor

The User Role Editor WordPress plugin allows you to change the capabilities of standard WordPress user roles with a few mouse clicks. Just turn on the check boxes of the capabilities you wish to add to the selected role and click the “Update” button to save your changes. That’s it. Add and tune your own custom roles, which you can then assign to users. You can create a new role as a copy of an existing one, delete self-made roles and change the default user role.
Multi-site support is provided.
Why could it be necessary? Let’s suppose you wish your multi-authored blog contributors to upload their own graphics for use in their posts. The WordPress “contributor” role has no such capability by default. In that situation you would have had to change the user role capabilities manually with an SQL client, as I described in the “How to change wordpress user role capabilities” post, if you have enough knowledge in that field. But what to do if you don’t?
Read the rest of this entry
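The two earlier points, that a custom role can open a breach or lose functionality and that the common need is a contributor who may upload graphics, can be covered in one small routine. The code below is an added example, not the User Role Editor plugin’s code: it clones an existing role through the WordPress add_role() / get_role() API and then audits the result against a reference role, listing any capability that amounts to code execution or full site control. The example_ function names and the list of capabilities treated as sensitive (chosen from WordPress core capabilities) are assumptions.

```php
<?php
/**
 * Create a custom role as a copy of an existing one and audit it before use.
 * Added example, not the User Role Editor plugin's code. Run once (for instance on
 * plugin activation), not on every request; roles are stored in the database.
 */

/** Core capabilities that give code execution or full control of the site.
 *  A custom role granting any of them should be a deliberate decision. (Assumed list.) */
function example_sensitive_caps() {
    return array(
        'unfiltered_html', 'unfiltered_upload', 'edit_files', 'edit_plugins',
        'edit_themes', 'install_plugins', 'install_themes', 'update_core',
        'manage_options', 'edit_users', 'promote_users', 'delete_users',
        'create_users', 'import',
    );
}

/**
 * Clone $source_role into $new_role (shown as $display), then add and remove the
 * given capabilities. Returns the new WP_Role, or null if the source does not exist.
 */
function example_clone_role( $source_role, $new_role, $display, $add = array(), $remove = array() ) {
    $source = get_role( $source_role );
    if ( ! $source ) {
        return null;
    }
    // Start from an exact copy of the source role's capability map.
    $caps = $source->capabilities;
    foreach ( $add as $cap ) {
        $caps[ $cap ] = true;
    }
    foreach ( $remove as $cap ) {
        unset( $caps[ $cap ] );
    }
    // add_role() returns null when the role already exists, so drop a stale copy first.
    remove_role( $new_role );
    return add_role( $new_role, $display, $caps );
}

/**
 * Audit a role against a reference role. Returns which sensitive capabilities it
 * grants (possible breach) and how it differs from the reference in both directions
 * (possible lost functionality), so the result can be reviewed before users get the role.
 */
function example_audit_role( $role_name, $reference_role = 'contributor' ) {
    $role = get_role( $role_name );
    $ref  = get_role( $reference_role );
    if ( ! $role || ! $ref ) {
        return null;
    }
    $granted = array_keys( array_filter( $role->capabilities ) );
    $refcaps = array_keys( array_filter( $ref->capabilities ) );
    return array(
        'sensitive'     => array_values( array_intersect( $granted, example_sensitive_caps() ) ),
        'more_than_ref' => array_values( array_diff( $granted, $refcaps ) ),
        'less_than_ref' => array_values( array_diff( $refcaps, $granted ) ),
    );
}

// Usage: a contributor who may also upload media for their own posts.
// example_clone_role( 'contributor', 'media_contributor', 'Media Contributor', array( 'upload_files' ) );
// print_r( example_audit_role( 'media_contributor', 'contributor' ) );
// Expected: 'sensitive' empty, 'more_than_ref' == array( 'upload_files' ), 'less_than_ref' empty.
```

The audit is the part worth keeping around: if someone later ticks ‘edit_files’ or ‘unfiltered_html’ for the cloned role, ‘sensitive’ stops being empty, and a capability that was dropped by mistake shows up under ‘less_than_ref’ rather than as a puzzling missing menu item.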

Silence is Golden Guard WordPress plugin

Sunday, March 14th, 2010

Silence is Golden Guard


The Silence is Golden Guard WordPress plugin prevents your blog directories from being listed when a visitor types just a directory name as the URL,
e.g. http://yourdomain/wp-content/plugins/
Have you seen the small, 30-byte index.php files in the folders of a WordPress installation? If you don’t know why those files are included in the WordPress package, please read the post “Silence is Golden”.
This plugin can scan your WordPress installation’s subdirectories for the presence of such dummy index.php files and create one wherever index.php doesn’t exist. As a second line of defence against directory listing, the plugin can add the special “-Indexes” option to the Apache web server .htaccess file placed in the WordPress root directory.
Read the rest of this entry
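The three hardening steps described across these posts (create a dummy index.php in every directory, add “Options -Indexes” to the root .htaccess, and find the readme.txt / screenshot-* files that give away plugin versions) share one directory walk, so here they are as a single command-line script. It is an added example, not the Silence is Golden Guard plugin’s code, and it needs no WordPress bootstrap: run it from the WordPress root. The script name, the --fix flag and the report-only default are assumptions; it always writes the empty-style dummy file, which avoids the redirect loop the v.1.5 post describes, because WP Super Cache includes every .php file in its own plugins directory and a redirecting index.php there would be executed on each request.

```php
<?php
/**
 * Directory-listing hardening check for a WordPress tree (PHP 5.3+).
 * Added example, not the Silence is Golden Guard plugin's code.
 * Usage, from the WordPress root:  php sig_example.php [--fix]
 * Without --fix it only reports what it would change.
 */

// WordPress ships this one-line file so a directory request returns a blank page
// instead of a listing; the script creates the same thing where it is missing.
define( 'EXAMPLE_DUMMY_INDEX', "<?php\n// Silence is golden.\n" );

// Files that only serve wordpress.org's plugin page and, left readable,
// tell anyone who asks which plugin version is installed.
function example_is_exposing_file( $name ) {
    return $name === 'readme.txt'
        || (bool) preg_match( '/^screenshot-\d+\.(gif|png|jpg)$/i', $name );
}

/**
 * Walk $root and return what needs attention:
 *  'missing_index'  => directories with no index.php
 *  'exposing_files' => readme.txt / screenshot-* files under wp-content/plugins
 *  'htaccess_ok'    => whether the root .htaccess already disables indexes
 * With $fix = true, create the dummy index.php files and add "Options -Indexes".
 * Exposing files are only reported; deleting them is the administrator's call.
 */
function example_scan( $root, $fix = false ) {
    $root   = rtrim( $root, '/' );
    $result = array( 'missing_index' => array(), 'exposing_files' => array(), 'htaccess_ok' => false );

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $it as $path => $info ) {
        if ( $info->isDir() ) {
            if ( ! file_exists( $path . '/index.php' ) ) {
                $result['missing_index'][] = $path;
                if ( $fix ) {
                    // An empty dummy file is safe in every directory, including
                    // wp-super-cache/plugins, where a redirecting one would loop.
                    file_put_contents( $path . '/index.php', EXAMPLE_DUMMY_INDEX );
                }
            }
        } elseif ( strpos( $path, $root . '/wp-content/plugins/' ) === 0
                   && example_is_exposing_file( $info->getFilename() ) ) {
            $result['exposing_files'][] = $path;
        }
    }

    // Second line of defence: tell Apache never to generate listings at all.
    $htaccess = $root . '/.htaccess';
    $current  = file_exists( $htaccess ) ? file_get_contents( $htaccess ) : '';
    $result['htaccess_ok'] = (bool) preg_match( '/^\s*Options\s+.*-Indexes/mi', $current );
    if ( $fix && ! $result['htaccess_ok'] ) {
        // Prepend so the directive sits outside any WordPress-managed block.
        file_put_contents( $htaccess, "Options -Indexes\n" . $current );
        $result['htaccess_ok'] = true;
    }
    return $result;
}

if ( PHP_SAPI === 'cli' ) {
    $fix = in_array( '--fix', $argv, true );
    print_r( example_scan( getcwd(), $fix ) );
}
```

Run it without --fix first and read the ‘missing_index’ list; the uploads directory is usually the longest part of it, and every entry there is a folder a visitor could have browsed if Apache were allowed to generate listings.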

MyEasyBackup plugin breaks WordPress security

Sunday, February 28th, 2010

WP broken by plugin


The MyEasyBackup WordPress plugin can make your life easier by simplifying the backup of WordPress files and MySQL data. But be aware when installing its version 0.0.2, as this version also simplifies life for intruders. It is a new, just-published plugin. The WordPress.org stats page shows 280 downloads already at the moment I write this post. This plugin can become popular. But plugin author Ugo Grandolini needs to make a security fix to his code ASAP, as the plugin gives any curious intruder access to critical blog data. Do you wish to check it yourself?
Read the rest of this entry