WordPress.org

Forums

iThemes Security (formerly Better WP Security)
[resolved] Support for Infinite WP (15 posts)

  1. chris_c
    Member
    Posted 1 year ago #

    Hi,
    Latest update shows support for InfiniteWP removed. Could you provide any more information here, is there a conflict or concern over security access?

    https://wordpress.org/plugins/better-wp-security/

  2. thefountain
    Member
    Posted 1 year ago #

    Please tell us why the support is removed.

    Best.
    P.

  3. Kevin Gardthausen
    Member
    Posted 1 year ago #

    I too would like to know...

  4. Plippers
    Member
    Posted 1 year ago #

    My guess would be because iThemes now has it's own competitor to Infinite, Manage WP et al?

  5. chris_c
    Member
    Posted 1 year ago #

    And if that's the case it's fine. I'd just like to know whether there is a negative aspect to the removal.

  6. Chris Wiegman
    Member
    Posted 1 year ago #

    We'll have a blog post at iThemes.com later on the issue but for now I have been working with the InfiniteWP folks for a couple of weeks due to a vulnerability found in the way they deliver their data. It uses serialized data pass via a base64 encoded entity to determine if the call is from InfiniteWP. This can be spoofed as the deserialization will in fact run the code without any good safeguards to prevent an XSS vulnerability.

    This will be re-introduced the moment they can get me some updated code. I have been working with their team for a couple of weeks on it and progress was simply not fast enough for this release. It will be put back in as soon as possible (hopefully by the release of 4.0 next week).

  7. chris_c
    Member
    Posted 1 year ago #

    Thanks for the update.

  8. Marcelo Pedra
    Member
    Posted 1 year ago #

    @Chris:
    OK, I got it. But we want to know what will happen with InfiniteWP if we update your plugin. Will InfiniteWP fail to deploy updates? will it be blocked by Better WP Security?
    Please clarify this.
    Thank you!

  9. infinitewp
    Member
    Posted 1 year ago #

    I am David founder at InfiniteWP. There has been few security issues in the integration with BetterWP and InfiniteWP and we will be fixing it in the next release which would be March 1st week.

    InfiniteWP as such is secure and powers around 200,000 sites and being downloaded 400,000 times. We take security seriously.

    If you update your BetterWP plugin it may not bring updates for themes, plugins etc if you had the setting to hide the updates on BetterWP. If you have change the WP-admin path in BetterWP plugin it may also not work and you have to goto "Advanced" and select siteURL to connect in InfiniteWP

    We would recommend not to update if your are an InfiniteWP user till the next release.

  10. Marcelo Pedra
    Member
    Posted 1 year ago #

    infiniteWP's David: thanks for the clarification. We are a lot of people waiting for the fix.

  11. thanks for clarification :-D

  12. karelnet
    Member
    Posted 1 year ago #

    Thank you for working on that. I'll wait for the update(s) !

  13. Chris Wiegman
    Member
    Posted 1 year ago #

    David over at InfiniteWP got me an acceptable solution and InfiniteWP compatibility has been restored in 3.6.5.

    http://ithemes.com/2014/02/25/better-wp-security-3-x-vulnerability/

  14. Marcelo Pedra
    Member
    Posted 1 year ago #

    Excelent news, guys! I can confirm it works under WP 3.8.1 standalone.
    Thank you!!

  15. drazon
    Member
    Posted 1 year ago #

    First of all thank you for this great plugin! I'm asking without knowing much... Latest update triggers a positive in wordfence scan because of the

    base64_decode( $HTTP_RAW_POST_DATA );

    What $HTTP_RAW_POST_DATA contains, is it the data from IWP? Is there any way that somebody can take advantage of better-wp-security\inc\secure.php ? I don't have IWP installed.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.