[Plugin: Admin Log] unsecure (3 posts)

  1. 2046
    Posted 7 years ago #

    Do not use this plugin unless the log is saved in a more secure place than a simple admin_log.txt file, which is visible to anyone on the internet.

    If you do not believe me, try Google: inurl:admin_log.txt


  2. gwycon
    Posted 7 years ago #

    I don't think this is a major issue. The only information logged is the admin pages a registered user has accessed. There is no sensitive WordPress information recorded as far as I am aware? The query strings sent along with some admin pages cannot be used maliciously?

    But if you have any other comments as to how admin pages accessed can be used to hack a site then please let me know.

    Also, if a user wishes they can password protect the folder the text file is stored in.

  3. 2046
    Posted 6 years ago #

    Depends. If you know the name of the user, for example if they left the default admin user active, then you know half of the key.

    I know many people don't mind, and don't really have to, but if you run a heavily loaded site with sensitive data, then simply checking whether this file exists gives you a lot of information.

    I know I'm exaggerating, but if you know a bit about the group you want to attack from a forum or any other discussion where people leave their logs, passwords or any other output, plus if you know the name under which they can log in....

    Frankly, I do not believe many users bother to change their visible name so that it's not the same as the one they use for access (visible, for instance, in discussions), but that's their problem... and consequently yours as the site owner too.

    The only thing I wanted to say is that this file is the easiest way to fetch a lot of interesting information in one place... not only for good guys/girls.
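
For a site owner who wants to know whether their own copy of the log has been served to outside clients, the following added example (not part of the thread and not the plugin's code) scans a web server access log in the common/combined format for requests to `admin_log.txt`. The sample log lines, IP addresses and URL paths are constructed for illustration; only the file name comes from the thread.

```python
import re
from collections import defaultdict

# Common/combined access log prefix: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TARGET = "admin_log.txt"  # file name taken from the thread

# Constructed sample input: documentation IP ranges and hypothetical paths.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2012:10:01:44 +0000] "GET /wp-content/plugins/example/admin_log.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2012:10:02:10 +0000] "GET /wp-content/plugins/example/admin_log.txt?x=1 HTTP/1.1" 403 199 "-" "curl/7.21"
198.51.100.7 - - [12/Mar/2012:10:03:02 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2012:10:05:30 +0000] "HEAD /blog/ADMIN_LOG.TXT HTTP/1.1" 200 0 "-" "ExampleBot/1.0"
not a log line
"""

def audit(log_text, target=TARGET):
    """Group requests for `target` by client IP.

    'exposed' holds requests the server answered with 2xx or 304 (the file
    exists and was, or had already been, delivered); 'blocked' holds the rest.
    """
    result = {"exposed": defaultdict(list), "blocked": defaultdict(list)}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        path = m["path"].split("?", 1)[0]  # ignore any query string
        # Compare the last path segment case-insensitively, since some
        # hosts serve files from case-insensitive filesystems.
        if path.rsplit("/", 1)[-1].lower() != target:
            continue
        status = int(m["status"])
        served = status // 100 == 2 or status == 304
        result["exposed" if served else "blocked"][m["ip"]].append(path)
    return {k: dict(v) for k, v in result.items()}

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for ip, paths in report["exposed"].items():
        print(f"SERVED to {ip}: {paths}")
    for ip, paths in report["blocked"].items():
        print(f"denied to {ip}: {paths}")
```

Any entry under `exposed` means the file was readable over HTTP at that time; requests that land under `blocked` after the folder has been password protected show the restriction is working.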

This topic has been closed to new replies.