WordPress.org

Ready to get started?Download WordPress

Forums

BBQ: Block Bad Queries
[resolved] Is this necessary with WP ver 3.9.x ??? (12 posts)

  1. mountainguy2
    Member
    Posted 9 months ago #

    The eternal dilemma, as they "improve" WordPress with the seemingly infinite new versions and different shades of grey in the admin, do they fix any of this stuff so we don't need dozens of plugins to secure our websites? Specifically, are recent versions of WP (e.g., 3.9.x) vulnerable to bad queries?

    For those of us who are not computer programmers, the issue of WordPress security has taken a confusing turn. When I browse the web, I find hundreds of recommendations on how to harden WordPress, but little in the way of info about what is current and what is just legacy stuff that would be a time waster to kludge my way through as a non-expert.

    The answer "doesn't hurt, it's a lightweight plugin" doesn't help. Every plugin has a cost. Every tweak to .htaccess takes time out of a person's allotted minutes on the planet -- time we might use to actually write a blog post instead of keeping our blog software running...

    Help appreciated. Thanks, MTN

    https://wordpress.org/plugins/block-bad-queries/

  2. esmi
    Forum Moderator
    Posted 9 months ago #

    do they fix any of this stuff so we don't need dozens of plugins to secure our websites?

    All confirmed security issues in WordPress core are fixed asap.

    Specifically, are recent versions of WP (e.g., 3.9.x) vulnerable to bad queries?

    There are no known issues with the current version of WordPress. whether there are issues with your theme or any of your plugins, I couldn't say.

    When I browse the web, I find hundreds of recommendations on how to harden WordPress, but little in the way of info about what is current and what is just legacy stuff that would be a time waster to kludge my way through as a non-expert.

    Stick to Hardening_WordPress.

  3. Julio Potier
    Member
    Plugin Contributor

    Posted 9 months ago #

    Hello guys

    In fact, this plugin does not patch anything for WordPress, but as esmi said, it depends on plugins.

    Let's imagine you install a plugin you need, a famous one, like a Jetpack or another huge downloaded plugin.
    A day or another, a vulnerability is discovered by someone, a hacker, a black hat.
    He won't tell anyone about this and will try to hack websites.
    Let's imagine he needs to call a specific URL on you site like :
    - "?param=../../wp-config.php" to download your config file.
    - Or he needs to perform a SQL injection like "?param=1 or UNION SELECT..."
    - Or why not a RCE with a "?param=eval(0xfoobar)..."

    Whatever, this plugin protects you from strange and considered harmful queries on your website. This kind of script can be use on any website and any CMS.
    This version is just a WordPress plugin one.

    Thank you for reading :)

    Julio - Web Security Consultant - WordPress Expert - BBQ Co-author.

  4. mountainguy2
    Member
    Posted 9 months ago #

    Julio and esmi, thanks so much for clarifying. So, this is essentially a website security thing... Apologies for disparaging WordPress alone. And sounds like every person with a website should be doing this. Rather surprising, really, after how many years? But whatever, I'll do it regardless of WordPress version etc.
    Thanks, MTN

  5. mountainguy2
    Member
    Posted 9 months ago #

    "All confirmed security issues in WordPress core are fixed asap."

    So then, why does the WordPress website even have the Hardening WordPress page? This seems to be a contradiction. When a person installs WordPress, it should automatically implement all known hardening routines and methods. There should be no need to go in and do anything manually. For example, if I install software, perhaps Google Chrome, do I have to go to a "Hardening Google Chrome" website and spend hours doing mods on Google Chrome, some of which require access to core files?

    http://codex.wordpress.org/Hardening_WordPress

    'best, MTN

  6. Julio Potier
    Member
    Plugin Contributor

    Posted 9 months ago #

    Please, read the page.
    You have to read it to understand why this page exists and why all this can not be included in WordPress.

  7. mountainguy2
    Member
    Posted 9 months ago #

    Hi Julio, yes, there are things on that page that require user intervention. Thanks for pointing that out. On the other hand, WordPress could and should install:

    1. With file editing disabled from the start.

    2. Without the Readme file in root that displays version number to the world.

    3. With a login URL designated by user, instead of the standard wp-login.php.

    4. With PHP file execution disabled in appropriate folders such as Uploads, using .htaccess.

    5. With the version number set to be obscured, overall.

    6. With an initial "Admin" account with user name chosen by installer, never "Admin" or anything else standardized.

    7. Button option to turn OFF automatic updates.

    8. Password reset disabled, with option to enable.

    9. Login attempt limiter, built into core, preset to strict settings.

    10. Strong passwords default enforced, option to turn of enforcement.

    I could make a list of probably 20 things that could be done during the install to increase security. They are not done in my opinion because of a fundamental flaw in web developer culture, e.g., hobby developers who are more concerned with the colors and menu structure on the admin theme than they are with serious matters. And now with 20% of the web created by WordPress, we wait for the first hack of the automatic updates.

  8. Julio Potier
    Member
    Plugin Contributor

    Posted 9 months ago #

    I love your list (almost), tell me more it's really good ideas.

  9. mountainguy2
    Member
    Posted 9 months ago #

    Yeah, probably some stuff on there that's wrong. But then, I'm just a writer who spends more time trying to make WordPress work well than I do writing (groan).

    Number 11 would be built-in 2-part authentication for logins, with on/off button in admin. I'm sick of plugins that half the time don't work. Build it into the core, so we know it works and we can move on to bigger and more important things -- like actually writing a blog post now and then.

    Seriously, once I've been studying WordPress security the situation looks like a vaudeville amature hour. Sure, the developers are volunteers, but even volunteers should seek excellence. For example, we don't expect our volunteer firefighters to be incompetent.

    Thanks, MTN

  10. Julio Potier
    Member
    Plugin Contributor

    Posted 9 months ago #

    "I'm just a writer who spends more time trying to make WordPress work well than I do writing"
    yeah, this is the way of life of every WP dev i think x)

    Do not hesitate to open a ticket and submit a core patch!

    See you

  11. mountainguy2
    Member
    Posted 9 months ago #

    Well, I'm looking forward to new colors in the admin, anyway.

    Thanks for the conversation and infos.

    MTN

  12. Jeff Starr
    Member
    Plugin Author

    Posted 5 months ago #

    Gonna go ahead and close this thread. Feel free to follow-up with any new infos.

Reply

You must log in to post.

About this Plugin

About this Topic

Tags

No tags yet.