@stevenmaas Thanks for reporting this, I’ll share this with our development team to further investigate.
Hi @stevenmaas,
The file contains all the plugin information for my website
wpo-plugins-tables-list.json doesn’t contain any specific information about your website or any other. What it contains is a general and anonymous list of plugins and their associated database tables.
This list is used to compare with your database in order to determine which tables are used by which plugins.
If found by an attacker, the only real information they would get from that file is that WP-Optimize is installed.
Your file has created a blueprint for recent hacking attempts on several of my websites. Server log files determined that these hackers were using plugin information found in the wpo-plugins-tables-list.json to exploit plugins on our websites.
Could you explain what makes you think the above?
Best regards,
Marc
Marc:
Server logs show attackers accessing the wpo-plugins-tables-list.json file. You should notify your users when you create files that expose this sensitive information.
How do you disable this file from being created?
Why is this file created by your plugin?
You can disable this by using the following filter:
add_filter( 'wpo_update_plugin_json', '__return_false' );
The data is used in the database optimisations in order to determine if tables are used or belong to uninstalled / deactivated plugins.
I’ll reiterate that the data in this file does not contain sensitive information, and none of the information is directly linked to the website the plugin is installed on.
It’s a list of plugins present on WP.org’s repository and their associated database tables. The only information given by this file is that WP-Optimize is installed on your website.
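The earlier post says the evidence came from server logs showing requests for wpo-plugins-tables-list.json. Below is an added example of how to pull those requests out of a combined-format access log and see which clients fetched the file; it is not WP-Optimize code and not from anyone in this thread. The log lines are constructed, the directories in them are assumptions (the thread does not say where the file lives, so the match is on the filename alone), and only responses with status 200 are counted, since a 404 means the file was not served.

```shell
#!/bin/sh
# Added example: find who fetched wpo-plugins-tables-list.json from a
# combined-format access log. Not part of WP-Optimize or this thread.

# Constructed sample log (not real traffic). Paths are assumptions; the
# filename is the only thing the check relies on.
SAMPLE_LOG='203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /wp-content/plugins/wp-optimize/readme.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:00:03 +0000] "GET /wp-content/uploads/wpo-plugins-tables-list.json HTTP/1.1" 200 41213 "-" "python-requests/2.31"
203.0.113.5 - - [10/May/2024:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:00:09 +0000] "GET /wp-content/uploads/wpo-plugins-tables-list.json HTTP/1.1" 200 41213 "-" "python-requests/2.31"
192.0.2.9 - - [10/May/2024:12:01:00 +0000] "GET /wpo-plugins-tables-list.json HTTP/1.1" 404 210 "-" "curl/8.0"'

LOGFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"

# Print only the log lines where the file was actually served (HTTP 200).
# Field 9 of a combined-format line is the status code.
wpo_json_hits() {
    grep -F 'wpo-plugins-tables-list.json' "$1" | awk '$9 == 200'
}

# Count successful fetches per client IP, most active first, as "count ip".
wpo_json_requesters() {
    wpo_json_hits "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Usage on a real server: wpo_json_requesters /var/log/apache2/access.log
wpo_json_requesters "$LOGFILE"
```

Run it against the real access log instead of the sample to see whether the file has been fetched, and by whom, before and after adding the `wpo_update_plugin_json` filter. The filter stops the plugin writing the file; whether a copy already on disk remains reachable is something to confirm with a request of your own, because the thread does not say the filter removes existing files.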
Can this be achieved without creating the json file for everyone on the internet to see?
I would highly recommend trying to keep a zero WordPress fingerprint on your plugin. I receive thousands of attempts to hack our websites on a monthly basis. This is all due to the standardization of the WordPress structure. Over 70% of traffic on all websites is to try and hack WordPress.