@SnorkelZ: That plugin author, with 23 plugins, does not appear to be sketchy: https://profiles.wordpress.org/sudar/
If you have a question about the bulk-move plugin, ask here: https://wordpress.org/support/plugin/bulk-move
That iframe appears to be simply an ad for his plugin.
@songdogtech: Thanks for the reply. Yes, that author seems to be a genuine contributor and not at all sketchy. I tend to look for that before I consider loading someone’s plugin. I should have anonymized the url. I want to be clear that I am not accusing him or anyone, just performing an evaluation. I do of course realize that there is always the possibility of a project having a new junior contributor who is, perhaps, not too mature. And passwords can leak for repositories and the like. At least this seemed experimental rather than malicious.
The content loaded into that Iframe currently is just an ad. The fact that the file being loaded has the same name as a WP template file caught my eye, but I realize now that that is probably just because that file is a sidebar on his own WP site.
I’m not aware of any way that Iframe could be made to execute php code on my site but wanted to let some more knowledgeable eyes verify that.
I now see that it would be wise for me to run my development web server in a chroot or something similar, under a limited account even though I am behind a NAT router.
As a learning exercise I will continue to look at the code in the plugins that were loaded at the time and see if I find anything obfuscated.
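A small triage script of the kind this evaluation describes, added here as an example (not code from the thread, the plugin or its author): it walks a plugin's PHP source line by line and reports iframes pointing at off-site hosts and the usual obfuscation markers (eval, decoder calls, remote fetches). The sample plugin source, the host names and the pattern list are constructed assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed sample plugin source; not taken from any real plugin.
SAMPLE_PLUGIN_PHP = """<?php
/* Plugin Name: Example Plugin (constructed sample) */
function example_admin_notice() {
    echo '<iframe src="https://example.net/sidebar.php" width="300" height="250"></iframe>';
}
function example_local_frame() {
    echo '<iframe src="/wp-admin/admin.php?page=example"></iframe>';
}
$payload = base64_decode('cGhwaW5mbygpOw==');
eval($payload);
"""

# Constructs a reviewer would want to look at by hand while triaging a third-party plugin.
SUSPICIOUS_PATTERNS = {
    "external_iframe": re.compile(r'<iframe[^>]*src=["\']https?://([^/"\']+)', re.IGNORECASE),
    "dynamic_eval": re.compile(r'\beval\s*\(', re.IGNORECASE),
    "decoder_call": re.compile(r'\b(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(', re.IGNORECASE),
    "remote_fetch": re.compile(r'\b(curl_exec|file_get_contents)\s*\(\s*["\']https?://', re.IGNORECASE),
}


def triage_php_source(source: str, trusted_hosts: Set[str]) -> List[Dict]:
    """Return one finding per suspicious line. Iframes whose host is in
    trusted_hosts (e.g. the site's own domain) are ignored; relative
    iframe sources never match because the pattern requires a scheme."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if label == "external_iframe" and m.group(1).lower() in trusted_hosts:
                continue  # explicitly trusted frame source
            findings.append({"line": lineno, "kind": label, "snippet": line.strip()[:80]})
    return findings


if __name__ == "__main__":
    for f in triage_php_source(SAMPLE_PLUGIN_PHP, trusted_hosts={"example.com"}):
        print(f"line {f['line']:>3}  {f['kind']:<16} {f['snippet']}")
```

A hit is a reason to read that line in context, not proof of anything; the ad iframe in this thread would show up as external_iframe exactly like the sample above does.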
Yes, that author seems to be a genuine contributor and not at all sketchy. I tend to look for that before I consider loading someone’s plugin.
That’s a good habit; I do it myself.
I’m not aware of any way that Iframe could be made to execute php code on my site but wanted to let some more knowledgeable eyes verify that.
iFrames load html and javascript; neither one has access to the underlying file system, nor can either execute code outside of the browser.
I do of course realize that there is always the possibility of a project having a new junior contributor who is, perhaps, not too mature. And passwords can leak for repositories and the like. At least this seemed experimental rather than malicious.
If you’re concerned with security to this degree, don’t run a CMS. There will always be security issues with a complex web app like WordPress and anything similar out there. Run a site with plain html or basic php. I’ve had clients who wanted to stick to plain html or simple php for those reasons.
But half of your security is your own knowledge of how to secure your server, unrelated to any http, ftp or other services enabled.