
[resolved] [Plugin: WordPress File Monitor] Creates Potential Security Vulnerability (4 posts)

  1. resourcesforlife
    Member
    Posted 4 years ago #

    The plug-in results in the following alert when a site using the plugin is scanned using Sucuri.net

    WordPress internal path: [exact path description removed]... /wp-content/themes/[theme used]

    I've removed the precise path and theme information for my own site, but you get the idea. The plug-in potentially makes a site more vulnerable to attacks by displaying the literal WordPress path and server information.

    More about the seriousness of this issue can be found on the Sucuri.net website here:
    http://sucuri.net/?page=docs&title=wordpress-hardening

    Please resolve this issue or provide a suggestion to prevent it.

    http://wordpress.org/extend/plugins/wordpress-file-monitor/

  2. mattwalters
    Member
    Posted 4 years ago #

    This plugin creates no links to your theme folder. Sorry, but I believe you might be confusing it with your theme or another plugin.

    Also of note, almost every theme is going to create a link into your themes folder, otherwise it can't serve the stylesheet or images included with the theme. Unless you're running a black text on white background only website :)

    The plugin does add a CSS sheet (which is actually a php file) in its directory but that is necessary to complete the security scan.

    Side note: in the future if you believe you have found a security vulnerability for a piece of software you should contact the developer privately and give them adequate time to respond and work on a fix before posting it publicly. The plugin contains links to my website and there is an easily findable link to my contact form. So you should have been able to easily contact me. :)

  3. Inspired2Write
    Member
    Posted 4 years ago #

    /wp-content/themes/[theme used]

    As Matt mentioned, it looks like it came from your theme. There are lots of themes that may seem legit, but if you scan themes before activating you may find encrypted code, which may contain malicious code causing a security concern, or at the very least contain links to bad sites.

    As for the plugin - thanks Matt! I know it's working because it sent an email after I did an upgrade of another plugin. :)

  4. mattwalters
    Member
    Posted 4 years ago #

    I did find an instance where the plugin was causing a PHP error if you tried to hit its scanning URL without some variables loaded in the URL. This has been fixed in the version that should be available for download any moment now.
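    The fix described above is the kind of input check a scanning URL needs. The following is an added illustration, not the plugin's own code: a hypothetical request handler that rejects calls with missing or wrong query variables (the names `action` and `key`, the value `scan` and the secret are assumed) before any work runs, so the caller gets a generic response rather than a PHP error whose message could reveal the server's file path.

```php
<?php
// Hypothetical handler for a plugin's scanning URL (not the WordPress
// File Monitor plugin's own code). Query variables are validated first, so
// a request without them gets a clean 400/403 instead of a PHP warning
// whose text (with display_errors on) would expose the internal path.

const REQUIRED_VARS   = ['action', 'key'];        // assumed parameter names
const EXPECTED_ACTION = 'scan';                   // assumed value
const SCAN_KEY        = 'example-secret-replace-me'; // placeholder secret

function validate_scan_request(array $query): array {
    foreach (REQUIRED_VARS as $name) {
        if (!isset($query[$name]) || !is_string($query[$name]) || $query[$name] === '') {
            return ['ok' => false, 'status' => 400, 'reason' => "missing query variable: $name"];
        }
    }
    if ($query['action'] !== EXPECTED_ACTION) {
        return ['ok' => false, 'status' => 400, 'reason' => 'unknown action'];
    }
    // Constant-time comparison so the key cannot be guessed byte by byte.
    if (!hash_equals(SCAN_KEY, $query['key'])) {
        return ['ok' => false, 'status' => 403, 'reason' => 'invalid key'];
    }
    return ['ok' => true, 'status' => 200, 'reason' => ''];
}

// Entry point: the client only ever sees a generic message; the reason
// goes to the server log, never into the HTTP response.
function handle_scan_request(array $query): string {
    $check = validate_scan_request($query);
    http_response_code($check['status']);
    if (!$check['ok']) {
        error_log('file-monitor scan rejected: ' . $check['reason']);
        return 'Request rejected.';
    }
    return 'Scan started.';
}

echo handle_scan_request($_GET), "\n";
```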

Topic Closed
