Support » Plugin: WP Hardening - Fix Your WordPress Security » Good idea but needs improving

  • tinpeas (@tinpeas)

    This plugin adds loads of dodgy-looking code to your WordPress install; I just saw it and thought I had been hacked. It does turn out that this is WordPress code and there is nothing malicious about it, but nonetheless it is not a great look for your HTML. Is there not another way?

    If you have installed this plugin then I suggest you look at your source code and make your own opinions. To me this could potentially harm your site's SEO, but I may be wrong.

    The other issue I found is that it adds a blank index.php file to wp-includes, which Wordfence then flags as a high severity problem. The file remains if you deactivate the plugin, but it can be removed by changing a setting in the plugin; obviously, though, this also removes the protection. Anyway, I understand there is a solution coming for this.

    My last issue with it is that on some sites I noticed I was unable to do a Wordfence manual scan with the plugin activated. This makes me wonder if it also causes problems with the automatic Wordfence scan.

    This plugin is a great idea and does offer your site protection but at the cost of what I have written above.

    It would be a great feature if you could install the plugin, apply the changes and then remove it. The reason I say this is that one of the features disables the WordPress file editor for admins, which means a hacker cannot inject code into your plugins/themes, which is great! But if the hacker has gained access to your install then they can simply toggle this setting off and access the files. If the plugin put `define('DISALLOW_FILE_EDIT', true);` in the wp-config.php file then the changes would stay, just a thought.

    • This topic was modified 4 months ago by tinpeas.
  • Hey @tinpeas,

    Thank you for your suggestions, we are working on fixing the additional WordPress code error, improving the file editor security fixer & the index.php suggestion. The fixes for these would be available in the next update.

    For the index.php suggestion: We’re re-implementing this feature such that directory listing is fixed by adding Options -Indexes to the .htaccess file, rather than creating multiple index.php files.

    For the automatic Wordfence scans, you can try the following fix: run the Wordfence scans after disabling the ‘Disable WP API JSON’ security fixer within the WP Hardening settings.

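The two persistent hardenings raised in this thread (the reviewer's `DISALLOW_FILE_EDIT` suggestion and the author's planned `Options -Indexes` change) can be verified directly in the files rather than through a plugin toggle. The script below is an added example, not code from WP Hardening or from either poster; it assumes a standard WordPress layout with wp-config.php and .htaccess in the site root and builds a constructed sample install in a temp directory to run against.

```shell
#!/bin/sh
# Added example, not code from WP Hardening or the forum posters: audit a
# WordPress root for the two file-level hardenings discussed above. Checking
# the files themselves shows what persists when the plugin is removed, unlike
# a plugin setting that anyone with admin access can simply toggle off.

# 0 if wp-config.php defines DISALLOW_FILE_EDIT as true on an uncommented line.
file_edit_disabled() {
  grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
    "$1/wp-config.php" 2>/dev/null
}

# 0 if .htaccess carries an uncommented Options line that turns Indexes off
# (the plugin author's planned replacement for the per-directory index.php files).
directory_listing_disabled() {
  grep -Eiq "^[[:space:]]*Options[[:space:]]+([^#]*[[:space:]])?-Indexes" "$1/.htaccess" 2>/dev/null
}

# Prints one line per check; returns the number of hardenings still missing.
audit_wp_root() {
  missing=0
  if file_edit_disabled "$1"; then
    echo "OK       wp-config.php: DISALLOW_FILE_EDIT is true"
  else
    echo "MISSING  wp-config.php: add define('DISALLOW_FILE_EDIT', true);"
    missing=$((missing + 1))
  fi
  if directory_listing_disabled "$1"; then
    echo "OK       .htaccess: Options -Indexes present"
  else
    echo "MISSING  .htaccess: add Options -Indexes"
    missing=$((missing + 1))
  fi
  return "$missing"
}

# Constructed sample install (a temp dir, not a real site) to run the audit against.
demo_root=$(mktemp -d)
cat > "$demo_root/wp-config.php" <<'EOF'
<?php
// define('DISALLOW_FILE_EDIT', true);   commented out, must not count
define( 'DISALLOW_FILE_EDIT', true );
EOF
printf '# Options -Indexes commented out here, so it must not count\n' > "$demo_root/.htaccess"
printf 'Options -Indexes\n' >> "$demo_root/.htaccess"
audit_wp_root "$demo_root"
```

Run it as `sh audit.sh` for the built-in sample, or call `audit_wp_root /path/to/wordpress` against a real install; a non-zero exit status is the count of hardenings still missing.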