[Plugin: WordPress File Monitor] Creates Potential Security Vulnerability

  • Resolved resourcesforlife


    The plug-in results in the following alert when a site using the plugin is scanned using

    WordPress internal path: [exact path description removed]… /wp-content/themes/[theme used]

    I’ve removed the precise path and theme information for my own site, but you get the idea. The plug-in potentially makes a site more vulnerable to attacks by displaying the literal WordPress path and server information.

    More about the seriousness of this issue can be found on the website here:

    Please resolve this issue or provide a suggestion to prevent it.

Viewing 3 replies - 1 through 3 (of 3 total)
  • This plugin creates no links to your theme folder. Sorry, but I believe you might be confusing it with your theme or another plugin.

    Also of note, almost every theme is going to create a link into your themes folder, otherwise it can’t serve the stylesheet or images included with the theme. Unless you’re running a black text on white background only website 🙂

    The plugin does add a CSS sheet (which is actually a php file) in its directory but that is necessary to complete the security scan.

    Side note: in the future, if you believe you have found a security vulnerability for a piece of software you should contact the developer privately and give them adequate time to respond and work on a fix before posting it publicly. The plugin contains links to my website and there is an easily findable link to my contact form. So you should have been able to easily contact me. 🙂

    /wp-content/themes/[theme used]

    As Matt mentioned, it looks like it came from your theme. There are lots of themes that may seem legit, but if you scan themes before activating you may find encrypted code, which may contain malicious code causing a security concern, or at the very least containing links to bad sites.

    As for the plugin – thanks Matt! I know it’s working because it sent an email after I did an upgrade of another plugin. 🙂

    I did find an instance where the plugin was causing a PHP error if you tried to hit its scanning URL without some variables loaded in the URL. This has been fixed in the version that should be available for download any moment now.

  • The topic ‘[Plugin: WordPress File Monitor] Creates Potential Security Vulnerability’ is closed to new replies.