Title: Daniel15's Replies | WordPress.org

---

# Daniel15


## Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)

 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] Brute force attacks to XMLRPC](https://wordpress.org/support/topic/brute-force-attacks-to-xmlrpc/)
 *  Thread Starter [Daniel15](https://wordpress.org/support/users/daniel15/)
 * (@daniel15)
 * [5 years, 7 months ago](https://wordpress.org/support/topic/brute-force-attacks-to-xmlrpc/#post-13520287)
 * Hey [@wfpeter](https://wordpress.org/support/users/wfpeter/), thanks for your
   reply. I did already have the “Disable XML-RPC Authentication” feature enabled,
   however these brute force attacks were still causing a very heavy load on my 
   server even with that feature disabled. It seems like WordFence doesn’t fully
   block the requests. I’m not using Apache but I’ll do the equivalent in my Nginx
   configuration.
 * Thanks,
    Daniel
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[YITH WooCommerce Wishlist] new user created](https://wordpress.org/support/topic/new-user-created/)
 *  [Daniel15](https://wordpress.org/support/users/daniel15/)
 * (@daniel15)
 * [7 years, 2 months ago](https://wordpress.org/support/topic/new-user-created/#post-11300594)
 * The WordFence blog has a good writeup on this: [https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cart-plugin-leads-to-wordpress-site-takeovers/](https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cart-plugin-leads-to-wordpress-site-takeovers/).
   It was a security issue in the Abandoned Cart plugin.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[EWWW Image Optimizer] Make bundled binaries optional](https://wordpress.org/support/topic/make-bundled-binaries-optional/)
 *  Thread Starter [Daniel15](https://wordpress.org/support/users/daniel15/)
 * (@daniel15)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/make-bundled-binaries-optional/#post-6220773)
 * The thing is that I installed all the dependencies myself, and don’t even want
   the bundled third-party binaries on my system. They’re just extra risk. Number
   of users is not a good measure of trust (see [Hoverzoom](http://www.reddit.com/r/technology/comments/19nzge/hoverzoom_extension_confirmed_as_spyware_sends/),
   [Hola](http://www.theverge.com/2015/5/29/8685251/hola-vpn-botnet-selling-users-bandwidth)).
   The bundled binaries are not verifiable; there’s no way to tell if someone has
   uploaded a plugin update containing malicious versions of the binaries.
 * What if you made it an optional step after installation? “The required binaries
   were not detected on your system, click here to automatically install them”. 
   Users that don’t know how to compile them could use the automated version.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] wp_wfHoover is 43GB !!!!](https://wordpress.org/support/topic/wp_wfhoover-is-43gb/)
 *  [Daniel15](https://wordpress.org/support/users/daniel15/)
 * (@daniel15)
 * [11 years, 7 months ago](https://wordpress.org/support/topic/wp_wfhoover-is-43gb/#post-5261274)
 * This happened to me because I did not grant the site’s MySQL user DROP/TRUNCATE
   permission for security reasons. I saw this in the server’s PHP error log:
 * `[25-Sep-2014 10:55:37] WARNING: [pool www] child 21991 said into stderr: "NOTICE:
   PHP message: WordPress database error DROP command denied to user 'username'@'localhost'
   for table 'wp_wfHoover' for query truncate table wp_wfHoover made by wp_new_comment,
   wp_allow_comment, apply_filters('pre_comment_approved'), call_user_func_array,
   wordfence::preCommentApprovedFilter, wfScanEngine->isBadComment, wordfenceURLHoover->cleanup,
   wfDB->truncate, wfDB->queryWrite"`
 * So the `TRUNCATE` command was never actually successful. Is this error caught
   by Wordfence and displayed in the UI, or is it silently ignored? I don’t really
   want to grant the TRUNCATE permission to a database user used by a web site.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[Jetpack - WP Security, Backup, Speed, & Growth] Photon breaking image URLs](https://wordpress.org/support/topic/photon-breaking-image-urls/)
 *  Thread Starter [Daniel15](https://wordpress.org/support/users/daniel15/)
 * (@daniel15)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/photon-breaking-image-urls/#post-4414213)
 * I’ll have to ask my sister as it’s her site, but as far as I’m aware she’s doing
   all the resizing in WordPress itself, and is not using an external tool at all.
