
NinjaFirewall (WP edition)
[resolved] Security risk: NinjaFirewall still exposes errors publicly! (7 posts)

  1. GermanKiwi
    Member
    Posted 10 months ago #

    Hi nintechnet,

    I've just upgraded to v1.1.1 and I've found that NinjaFirewall is still showing its error messages (eg. installation errors) publicly on the internet-facing webpages, for the whole world to see. This is a really big security risk because it tells everyone that the firewall is disabled, which gives the impression that the website might be insecure (which is very bad for our customers), and also invites would-be hackers to try to hack the website if they think it might be insecure.

    In addition, it looks very unprofessional to have such an error message on the public webpages.

    I would really like to see this plugin NOT show any error messages on the public webpages, but only show the errors in the WordPress Admin area, where I will actually see them there.

    NinjaFirewall is of course a security plugin (and a very good one!) so it seems counter-productive for it to be creating a new security risk by exposing these error messages to the public.

    Thanks!

    http://wordpress.org/plugins/ninjafirewall/

  2. nintechnet
    Member
    Plugin Author

    Posted 10 months ago #

    Can you tell me which message?
    "NinjaFirewall cannot find WordPress configuration file" was patched in 1.1.1 so that it works whatever your WP_CONTENT_DIR.
    I tested it, by renaming "wp-content" to "wp" and to "wp-content12345".

    If you still get that same message, there is another issue with your config but that seems very strange to me.

  3. GermanKiwi
    Member
    Posted 10 months ago #

    Hi nintechnet,

    I'm not referring to any one specific error, but to all of the errors. The actual error itself is not the issue that I'm making in this thread. :)

    I'm just referring to the fact that whenever there is an error, NinjaFirewall displays the error not only in the Admin area (which is good) but also on the public webpages where the customers can see it too, which is really, really bad - it's very unprofessional, and it is also a security risk because it exposes this information to the public including any potential hackers who can read it. No error message from any plugin should be displayed publicly on the front-end webpages.

    Therefore I'm just asking if you can please stop the errors from displaying on the front-end pages, and only keep the errors in the Admin area. The Admin area is where I will see them, because I am the administrator.

    Does that make sense? :)

  4. GermanKiwi
    Member
    Posted 10 months ago #

    ...The risk here, is that even if I fix the cause of a current NinjaFirewall error today (eg. configuration files or whatever), there might be a new error that appears in the future, due to some other, unknown reason. Maybe something else changes in the future, or there's some problem with the database, or who knows.

    So I don't want there to be any risk of any NinjaFirewall errors being displayed publicly on the front-end webpages where the public can see them. These errors should only be displayed to me in the Admin area. This is also the behaviour that every other security plugin has - they only display their error messages in the Admin area alone.

  5. nintechnet
    Member
    Plugin Author

    Posted 10 months ago #

    Unlike other plugins, errors are triggered before WordPress is called.
    We'll see if we can find a way to forward them to the backend instead in the next v1.1.2.

  6. GermanKiwi
    Member
    Posted 10 months ago #

    Thanks, I appreciate that! I do understand that the errors themselves would be triggered before WP is called - that makes sense to me. But I assume that the plugin still needs to "insert" the error itself into the WP page (including the HTML markup of the error, and its location on the page - this obviously involves interacting with WordPress, because the WordPress pages are created dynamically from the database) - so it therefore should, I think, be possible to limit the error to only the Admin pages and not the front end public pages.

    Thanks for looking into it!

  7. GermanKiwi
    Member
    Posted 10 months ago #

    I've just installed 1.1.2 and I can confirm that the error message only appears in the Admin area now, and not on the public website - thanks so much for changing this!! :)
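The pattern discussed in posts 5 and 6, as an added example that is not NinjaFirewall's own code: a script that loads before WordPress records its startup error instead of printing it, and the plugin later surfaces it only to administrators through the `admin_notices` hook. The `nfw_*` names, the global variable and the missing-config check are assumptions made for the illustration.

```php
<?php
// Added example (not NinjaFirewall's code): keep early-stage firewall errors
// off the public front end and show them in the admin area only.
//
// Assumption: the firewall runs before WordPress is loaded (for instance via
// PHP's auto_prepend_file), so no WordPress function is available in stage 1.

// --- Stage 1: runs before WordPress is loaded -------------------------------

$GLOBALS['nfw_startup_error'] = '';

function nfw_report_startup_error( $message ) {
    // Record the error for later. Never echo it into the response here: at this
    // point we cannot tell whether the request is a public page or wp-admin.
    $GLOBALS['nfw_startup_error'] = $message;
    // Full detail goes to the server log, where only the operator can read it.
    error_log( 'NinjaFirewall startup error: ' . $message );
}

// Constructed failure condition for the example: the WordPress config file
// cannot be found next to this script.
if ( ! is_file( dirname( __FILE__ ) . '/wp-config.php' ) ) {
    nfw_report_startup_error( 'cannot find WordPress configuration file' );
}

// --- Stage 2: runs once WordPress has loaded (normally in the plugin file) --

function nfw_show_startup_error_in_admin() {
    $message = $GLOBALS['nfw_startup_error'];
    if ( $message === '' ) {
        return;
    }
    // admin_notices fires only on wp-admin screens, and the capability check
    // limits the notice to administrators, so visitors never see it.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<div class="notice notice-error"><p>'
        . esc_html( 'NinjaFirewall is disabled: ' . $message )
        . '</p></div>';
}

// Guard so this file is harmless if it is still executed before WordPress.
if ( function_exists( 'add_action' ) ) {
    add_action( 'admin_notices', 'nfw_show_startup_error_in_admin' );
}
```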
