Total Security
Red 'X' when Secure Hidden Login is not used (8 posts)

  1. GermanKiwi
    Member
    Posted 8 months ago #

    Hi Fabrix,

    I noticed that if I have *not* enabled the "Secure Hidden Login" feature, it gives me a red X on the Vulnerability Scan page, and it also counts towards the little number in the black circle next to the name "Total Security" in the menu.

    However, in my case there is a specific reason that I am not using the Secure Hidden Login feature. It's because I already am using another plugin to provide similar security to the login page, so I don't need to use this one aspect of your plugin. Therefore Secure Hidden Login is disabled.

    But this is not a security risk of course! It's intentional that I am not using this feature. And "Secure Hidden Login" is only a feature, not a security risk. It's optional. Therefore it should not show up as a red X in the Vulnerability Scan, or as the number inside the black circle, because this is misleading - it makes me think something serious is wrong, but really it isn't.

    I think it would be better if it showed as a blue checkmark, which indicates something to pay attention to, but not an actual vulnerability.

    Would you be kind enough to change that, please?

    Thanks!

    http://wordpress.org/plugins/total-security/

  2. GermanKiwi
    Member
    Posted 8 months ago #

    Another related issue for me is that "Dangerous PHP Functions" also gives me a red X, because there are some PHP functions that are not disabled on my web server.

    However, in my case this is intentional - I am using the very popular WP-DBManager plugin which creates backups of my WordPress database, and this plugin requires the use of the system, exec, and passthru functions. Therefore I cannot disable those, but it means that Total Security gives me a red X and it counts towards the number in the black circle in the sidebar menu. :(

    My suggestion to fix this concern is to allow the administrator (me) to "dismiss" the vulnerabilities once I have read them and acknowledged them. If I can dismiss it, then the red X could go away (maybe change to another color to indicate it's been acknowledged and dismissed??). I think this would be a really helpful feature of your plugin, because I'm sure there are a number of situations where the administrator actually needs to allow a certain behaviour, which your plugin considers a vulnerability - and the admin doesn't want to see a red X or the black circle always displayed for something which he actually wants/needs to have!

    I have seen other security plugins also provide the option to "acknowledge and dismiss" a vulnerability, and I think it's an important feature for a security plugin. After all, if the administrator has seen and acknowledged the vulnerability, then your plugin has done its job, and it's then at the risk of the administrator - it's his choice!

    What do you think?

  3. Fabrix Doromo
    Member
    Plugin Author

    Posted 7 months ago #

    ok

  4. GermanKiwi
    Member
    Posted 7 months ago #

    Thanks! :)

  5. Fabrix Doromo
    Member
    Plugin Author

    Posted 5 months ago #

    Thanks...

    * 2.9.4 "Secure Hidden Login" and "Dangerous PHP Functions" change of risk status (Red -> Yellow)

  6. GermanKiwi
    Member
    Posted 5 months ago #

    Nice! Thanks for that! I've just updated and now I don't get the red X for those two items anymore! :)

    I'm actually now thinking about the red X for the up-to-date plugins, themes, and WP core, and wondering if it's really necessary to have a red X for those three items. I wonder if these items would also be more appropriate to just use an orange X instead?

    Because an orange X means "medium security risk", while a red X means "The identified security issues have to be resolved immediately" which sounds very serious and urgent. I think that out-of-date plugins and themes and WP-Core best fit the definition of an orange X there - because there is often a valid reason not to update plugins, themes or core immediately, especially on a big site - you need time to test a new plugin/theme/core update, or check for compatibilities with other plugins, etc. Especially with a major plugin update or major core update e.g. from 3.6 to 3.7 - there are many things to test and check before rolling out a big new version!

    In my case, my current theme is not up to date because I am still testing the latest version (on another test server) against some of my own customisations. There is no big security risk here though.

    Therefore I think the orange X is the best option for the plugins and themes, for the same reason as before - I don't really want to have a black circle in my WordPress menu next to "Total Security" just because a plugin or theme is not (yet) updated. Especially because I already will have another black circle in the menu next to "Plugins" and also next to "Dashboard->Updates" which also tells me that there is a newer plugin or theme or core update waiting for me - as well as the yellow info-bar along the top of WordPress to tell me there is a new theme or new core update. WordPress already does a great job of informing me about these things with that black circle, so it's redundant when Total Security adds another black circle for it too. Wouldn't you agree? :)

    What do you think?

  7. GermanKiwi
    Member
    Posted 4 months ago #

    Hi Fabrix! Any chance you might implement my suggestion above regarding the plugins, themes, and core checks?! I'd love to hear back from you about it!

    (I'm using 2.9.7 now - it works great).

  8. Fabrix Doromo
    Member
    Plugin Author

    Posted 4 months ago #

    i) Update all the things!
