• I have a blog with guest authors, and after a recent update to Ninja Firewall WP, they have been unable to upload image files, even though they have file upload permission set in the user role.

    The admin users are able to upload images, so there must be some check for the user role in the Ninja Firewall that specifically allows that.

    I see that there is a Firewall policy that I can uncheck to enable file upload, but I hesitate to uncheck that because uploading files is a common intruder tactic for installing malware, and I really do want to block file uploads from anyone who does not have at least author access and is not logged in.

    I also do not want to give my authors an editor or admin role.

    Is it possible to allow (only) logged-in authors and above to upload (only) image (jpg/png) files? Perhaps disallowing other extensions such as .php or .zip?

    Here is an example of an upload that I would like to allow:

    10/Feb/15 03:33:13 #7977111 critical - xxx.xxx.xxx.xxx POST /wp-admin/async-upload.php - File upload attempt - [breakfast-21707_640.jpg, 31,028 bytes]

    Where xxx.xxx.xxx.xxx is a legitimate logged-in author.

    Here are some examples from my firewall log of malicious upload attempts that were correctly blocked:

    01/Feb/15 01:31:56  #3170698  critical     -  85.214.105.218   POST /wp-admin/admin-ajax.php - File upload attempt - [revslider.zip, 3,378 bytes]
    02/Feb/15 19:01:20  #5031456  critical     -  78.85.54.100     POST /wp-admin/admin-post.php - File upload attempt - [Debug.zip, 51,513 bytes]

    Where 85.214.105.218 and 78.85.54.100 are IPs used by script-kiddies.

    P.S. It would be **really great** if an attempt to upload a file by a non-logged-in user would result in automatically adding that IP address to the deny list in my .htaccess file.

    https://wordpress.org/plugins/ninjafirewall/

Viewing 1 replies (of 1 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    In the WP Edition, you have 2 options, in the “Firewall Policies” page:
    -uploads: allow or disallow for all.
    -whitelist the admin: he/she will never be blocked by the policies and upload rules.

    Role-based access control and advanced filtering for uploads are available in the WP+ Edition only.

    You would need to allow uploads, but as long as your site is not vulnerable, you should be fine.
    The blocked malicious attempts you posted in your message are trying to exploit the Revolution Slider vulnerability that affected a lot of WP sites lately. Ensure that, if you have the Revolution Slider plugin or script, it is up to date.
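The policy the question asks for (only logged-in authors and above may upload, and authors may upload only JPG/PNG) can also be enforced inside WordPress itself, independently of the firewall. The following mu-plugin is an added example written for this page; it is not part of the thread, not NinjaFirewall's code, and not a substitute for the WP+ role-based rules the plugin author mentions. It assumes the `edit_others_posts` capability as the line between restricted (author) and unrestricted (editor/admin) accounts, and the function and constant names prefixed `example_` are hypothetical.

```php
<?php
/**
 * Plugin Name: Restrict author uploads to JPG/PNG (added example, not NinjaFirewall code)
 * Description: Place in wp-content/mu-plugins/ so it loads on every request.
 *
 * Assumption: editors and administrators (who hold edit_others_posts) keep
 * full upload rights; authors and any other role that only has upload_files
 * are limited to JPG/PNG images. Names prefixed example_ are hypothetical.
 */

const EXAMPLE_UNRESTRICTED_CAP = 'edit_others_posts';

// The only MIME types a restricted account may upload (WordPress mime-list format).
const EXAMPLE_AUTHOR_MIMES = array(
    'jpg|jpeg|jpe' => 'image/jpeg',
    'png'          => 'image/png',
);

/**
 * Runs just before WordPress writes an upload to disk (Media Library,
 * async-upload.php, admin-ajax.php and the REST media endpoint all pass
 * through it). Setting $file['error'] to a string aborts the upload and
 * shows that string to the user.
 */
function example_restrict_author_uploads( $file ) {
    // Logged-out requests and users without upload_files never reach this
    // filter: WordPress has already refused them by nonce/capability check.
    if ( current_user_can( EXAMPLE_UNRESTRICTED_CAP ) ) {
        return $file;
    }

    // 1. Extension check against the restricted list (rejects .php, .zip, ...).
    $by_name = wp_check_filetype( $file['name'], EXAMPLE_AUTHOR_MIMES );
    if ( empty( $by_name['ext'] ) || empty( $by_name['type'] ) ) {
        $file['error'] = 'This account may only upload JPG or PNG images.';
        return $file;
    }

    // 2. Content check: wp_get_image_mime() inspects the bytes (exif/getimagesize)
    //    and returns false for anything that is not a recognised image, so a
    //    PHP script renamed to .jpg fails here even though step 1 passed.
    //    The detected type must also agree with the extension, so a PNG
    //    named .jpg is refused rather than stored under the wrong name.
    $real_mime = wp_get_image_mime( $file['tmp_name'] );
    if ( false === $real_mime || $real_mime !== $by_name['type'] ) {
        $file['error'] = 'The file contents do not match a JPG or PNG image.';
    }
    return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'example_restrict_author_uploads' );

/**
 * Also shrink the MIME list WordPress advertises to restricted users, so the
 * media uploader and the REST endpoint refuse .zip/.php for authors before
 * the server-side check above runs.
 */
function example_author_upload_mimes( $mimes ) {
    if ( is_user_logged_in() && ! current_user_can( EXAMPLE_UNRESTRICTED_CAP ) ) {
        return EXAMPLE_AUTHOR_MIMES;
    }
    return $mimes;
}
add_filter( 'upload_mimes', 'example_author_upload_mimes' );
```

Two caveats. First, this only governs uploads that go through WordPress's own upload path; a vulnerable plugin that writes files itself (the Revolution Slider case in the blocked log lines above) bypasses it, which is why the firewall's upload rule and keeping plugins patched still matter. Second, a valid JPEG with PHP appended (a polyglot) passes the content check; what keeps such a file from running is that it is stored with an image extension the web server does not execute, so never relax that with handler or rewrite rules in the uploads directory.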

  • The topic ‘Author role can't upload photos’ is closed to new replies.