I’ve just upgraded to v1.1.1 and I’ve found that NinjaFirewall is still showing its error messages (e.g. installation errors) publicly on the internet-facing webpages, for the whole world to see. This is a really big security risk because it tells everyone that the firewall is disabled, which gives the impression that the website might be insecure (which is very bad for our customers), and also invites would-be hackers to try to hack the website if they think it might be insecure.
In addition, it looks very unprofessional to have such an error message on the public webpages.
I would really like to see this plugin NOT show any error messages on the public webpages, but only show the errors in the WordPress Admin area, where I will actually see them.
NinjaFirewall is of course a security plugin (and a very good one!) so it seems counter-productive for it to be creating a new security risk by exposing these error messages to the public.