• Resolved ozzWANTED

    (@ozzwanted)


    I even own a pro version, but I still see my source code (HTML output code) spammed.
    This also exposes a security risk, as hackers will search the whole internet for vulnerable versions or plugins.

    These are the notes on how to manually remove the spam and the security risk from your plugin:

    1. Edit this file:
    \wp-content\plugins\all-in-one-seo-pack-pro\aioseop_class.php

    2. FIND the "<!-- All in One SEO Pack Pro" code, and replace the section with the following:

    // GOOD DEVELOPER EDIT: COMMENT THE SPAM & VULNERABILITY EXPOSURE OUT
    /*echo "\n<!-- All in One SEO Pack Pro $this->version by Michael Torbert of Semper Fi Web Design";
    if ( $this->ob_start_detected )
    	echo "ob_start_detected ";
    echo "[$this->title_start,$this->title_end] ";
    echo "-->\n";
    echo "<!-- " . __( "Debug String", 'all_in_one_seo_pack' ) . ": " . $aioseop_update_checker->get_verification_code() . " -->\n";
    */

    3. Find the "<!-- /all in one seo pack pro" code part, and replace the section with the below:

    // GOOD DEVELOPER EDIT: COMMENT THE SPAM & VULNERABILITY EXPOSURE OUT
    //echo "<!-- /all in one seo pack pro -->\n";

    4. Now your WordPress website is spam-aware and more secure.

    5. If you don't do this (steps 1 to 4), you will see this spam and security risk in your website's HTML OUTPUT CODE:

    <!-- All in One SEO Pack Pro 2.3.6.1 by Michael Torbert of Semper Fi Web Design[{DOWNLOADS-COUNT}] -->
    <!-- Debug String: {PREMIUM-PURCHASE-CODE} -->
    <meta name="description" itemprop="description" content="{SOME RANDOM WORDS}" />
    <link rel="canonical" href="http://{DOMAIN_URL}/" />
    <!-- /all in one seo pack pro -->

    6. If you do steps 1 to 4, then you will have clean HTML code in the same place, and the HTML will only output these lines:

    <meta name="description" itemprop="description" content="{SOME RANDOM WORDS}" />
    <link rel="canonical" href="http://{DOMAIN_URL}/" />

    Have a good use :).

    https://wordpress.org/plugins/all-in-one-seo-pack/

Viewing 1 replies (of 1 total)
  • Hi ozzWANTED,

    I would not recommend editing the plugin in general; any changes you make will be reverted when you upgrade and will need to be applied again. If you must change the output of the plugin, then I suggest using output buffering for this instead of making edits to the plugin.

    Also note that security through obscurity is not a defense against attackers; many attackers will try attacking your site without even checking the version numbers advertised – and why would they, they can’t trust that those numbers are correct. I would suggest focusing on preventing the attacks themselves; as far as version numbers are concerned, this can be more readily accomplished by upgrading to the latest version of the plugin.
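
    The stripping the original poster wants, done through output buffering as this reply suggests, as an added example (not code from the thread participants, the plugin, or its author). It is meant to be dropped into wp-content/mu-plugins/ so it survives plugin upgrades; the file's plugin header, the helper name example_aioseop_strip_comments, and the assumption that the comment markers look exactly like the HTML quoted in the first post are all mine.

```php
<?php
/**
 * Plugin Name: Example: strip All in One SEO Pack HTML comments
 * Description: Added example, not the plugin's own code. Removes the version and
 *              debug-string HTML comments from the rendered page with PHP output
 *              buffering, so the plugin files themselves stay unmodified.
 *
 * Place in wp-content/mu-plugins/ (must-use plugins load automatically and are not
 * touched by plugin upgrades). File and function names here are hypothetical.
 */

/**
 * Remove the AIOSEOP marker comments from a buffered HTML document.
 * The patterns target the three comment lines quoted in the thread:
 *   <!-- All in One SEO Pack Pro 2.3.6.1 by ... -->
 *   <!-- Debug String: ... -->
 *   <!-- /all in one seo pack pro -->
 * The real tags (meta description, canonical link) are left untouched.
 */
function example_aioseop_strip_comments( $html ) {
    $patterns = array(
        // Opening comment; non-greedy so the match stops at the first "-->".
        '/<!--\s*All in One SEO Pack.*?-->[ \t]*\R?/is',
        // Debug-string comment carrying the verification/purchase code.
        '/<!--\s*Debug String:.*?-->[ \t]*\R?/is',
        // Closing comment, Pro and free variants.
        '/<!--\s*\/all in one seo pack(?: pro)?\s*-->[ \t]*\R?/i',
    );
    return preg_replace( $patterns, '', $html );
}

// Inside WordPress: start buffering just before the template renders. Admin
// screens, feeds and AJAX responses are skipped; the comments only appear in
// front-end HTML. WordPress flushes the buffer on shutdown, running the callback.
if ( function_exists( 'add_action' ) ) {
    add_action( 'template_redirect', function () {
        if ( is_admin() || is_feed() || ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
            return;
        }
        ob_start( 'example_aioseop_strip_comments' );
    }, 0 );
}

// Stand-alone check from the command line (php this-file.php): runs the filter
// over a constructed copy of the HTML quoted in the thread and prints the result.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    $sample = "<!-- All in One SEO Pack Pro 2.3.6.1 by Michael Torbert of Semper Fi Web Design[{DOWNLOADS-COUNT}] -->\n"
            . "<!-- Debug String: {PREMIUM-PURCHASE-CODE} -->\n"
            . "<meta name=\"description\" itemprop=\"description\" content=\"{SOME RANDOM WORDS}\" />\n"
            . "<link rel=\"canonical\" href=\"http://{DOMAIN_URL}/\" />\n"
            . "<!-- /all in one seo pack pro -->\n";
    $out = example_aioseop_strip_comments( $sample );
    echo $out;
    // Both real tags must survive and no marker comment may remain.
    $ok = strpos( $out, '<meta name="description"' ) !== false
       && strpos( $out, '<link rel="canonical"' ) !== false
       && stripos( $out, 'all in one seo pack' ) === false
       && strpos( $out, 'Debug String' ) === false;
    exit( $ok ? 0 : 1 );
}
```

    As the reply notes, this only hides the version and purchase code from page source; it does not change what the plugin does, so keeping the plugin updated is still the actual fix.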


The topic ‘This plugin creates security risks and spams code’ is closed to new replies.