Forum Replies Created

Viewing 15 replies - 46 through 60 (of 73 total)
    Thread Starter lovingboth

    (@lovingboth)

    Personally, I’d like the ‘hover over = preview’ feature removed entirely and replaced by a ‘right click to preview’ or similar.

    But a plugin would be the start of the process to get this into core.

    I’ve just looked at https://wordpress.org/about/stats/

    When fewer than half of the live installs are running any version of 4.7, no-one should be able to say ‘get users to install a plugin to solve this security problem’ with a straight face.

    Yes, ensuring strong passwords would help, but basically this is excuses and those were not good enough a decade ago.

    You can have a centralised system – one of the first scripts to stop bots trying to bruteforce SSH logins had the option to share IP addresses that it had banned on your server and get the ones that other people had banned. I can’t remember just how it did it, but it wasn’t particularly problematic at the time (now, half the work is stopping it being gamed by the baddies).

    But you don’t need to have a centralised system. Yes, that will allow some networks to use multiple IP addresses more easily, but looking at the logs for about sixty sites, I do not see one million attempts each from one IP address to get to wp-login, I see far fewer IP addresses, most of which are making multiple attempts in a couple of seconds before something on the server bans them.

    However the ability to do that is limited to those who can run something like fail2ban on the server their WP runs on.

    Besides, if an admin isn’t bothered about security they are probably not bothered about keeping Linux, PHP, or WordPress up to date.

    I suspect most users don’t get a say in the first two (and, finally, WP now makes an attempt to keep itself up to date).

    As in the days when WP insisted you have an admin user called ‘Admin’, why should they expect what WP does to be wrong?

    People, including me, have been asking for this for years.

    The last time I think the arguments against were ‘install a plugin’ – but we know that millions of people don’t even enable the anti-spam plugin that’s bundled with WP and end up spammed – and ‘we don’t want to lock out people who can’t remember / get their browser or password manager to remember their password’.

    But it is a disgrace that in 2017 an out of the box installation will allow an attacker as many login attempts as they want, as fast as they want, without doing anything about it or even notifying the owner that it’s happening.

    (Oh, unless you use a mobile app to update your site(s), install a plugin to disable xmlrpc. If you must use JetPack, one of those plugins whitelists IP addresses used by it.)

    It works on one site, but not four others here.

    The one it works on has a much smaller menu and no submenu items.

    Thread Starter lovingboth

    (@lovingboth)

    Yes. It needs to be ‘just under’ the admin ribbon.

    Thank you for the plugin! When changes between Apache 2.2 and 2.4 meant my previous way of doing a simple banner stopped working, this was just what I was looking for.

    Thread Starter lovingboth

    (@lovingboth)

    Ah, great! I did do several searches but didn’t find it.

    Only a year after the problem was originally mentioned too 🙂

    Now, about the lack of bruteforce prevention on wp-login.php … 🙂

    Thread Starter lovingboth

    (@lovingboth)

    Automattic is not WordPress (and vice versa) but..

    a) It is highly privileged within WordPress – its very good anti-spam plugin is in every WP installation; when you go to install a new plugin, three of the six you’re shown are Automattic’s (and two of the others are projects started by guess who); and their icon system is on by default.

    b) When the people running the largest installation of WordPress think something is a good idea… it might be.

    Again, what legitimate use is there for the system.multicall method?

    Thread Starter lovingboth

    (@lovingboth)

    Thanks. You were, of course, the person who said it wasn’t a big deal a year ago.

    1. Yes, absolutely. I said that.

    1b. Well, there’s nothing to stop people using the browser interface away from home.

    1c. That’s great… for those using such services. One rule is easy: limit the rate at which something can access it.

    2. I don’t use Jetpack. Along with many others, I think it’s bloated, trying to do too much in one plugin, leading to slowing down sites. It has also had its own security problems.

    I do allow one client to use it (this is how I know about the plugin that whitelists the Automattic IP addresses… and that it doesn’t work without patching if you’re using Apache 2.4’s access syntax!)

    But if Automattic think it’s a good idea to limit this in Jetpack, why on WordPress isn’t it a good idea to do this in core?? (And why is it a good idea to make it optional in Jetpack?)

    What legitimate use is there for the system.multicall method? Do the apps use it? If not, stop supporting it or have it off by default! If JetPack needs it, it can enable it…

    3. No, it’s not. The password that got me was a long meaningless phrase (involving one non-dictionary word and punctuation too) that – when I look just now – appears nowhere in a Google search and was not used by me anywhere else. Clearly, some weeks of trying hundreds of passwords at a time was enough to get it.

    And again, as with the way WordPress allows infinite failed login attempts as fast as the server will manage them without a murmur, this sort of ‘Yes, that’s a problem, it’s fixed in a plugin’ is only ok if people install the plugin. Which they don’t. As Google easily proves, at least a million people haven’t even enabled the Akismet plugin that has come with WordPress for ages.

    0. As far as the json-based API goes, a) how long will xmlrpc remain there ‘because legacy’ and b) do you want to accept a bet that says there’s a security issue with the new API within six months?
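    The two mitigations argued for in the replies above (refusing further login attempts from an address after a burst of failures, and removing the system.multicall XML-RPC method so that one request cannot carry hundreds of password guesses) can both be done from a small must-use plugin. The following is an added example, not code from the poster or from WordPress core or Jetpack; the wp-content/mu-plugins/ path, the ex_ prefix, the five-failures-in-ten-minutes thresholds and the owner e-mail are all assumptions made for the example, and it keys on REMOTE_ADDR only, so it needs adjusting behind a reverse proxy.

```php
<?php
/**
 * Plugin Name: Login rate limit and system.multicall removal (added example)
 *
 * Added example, not part of the forum thread or of WordPress itself.
 * Assumed location: wp-content/mu-plugins/ex-login-limit.php
 */

// Constructed thresholds for the example; tune them per site.
const EX_LOGIN_MAX_FAILURES = 5;
const EX_LOGIN_WINDOW       = 10 * MINUTE_IN_SECONDS;

/**
 * Client address used as the rate-limit key. Only REMOTE_ADDR is used;
 * X-Forwarded-For is deliberately ignored because it is client-controlled
 * unless a trusted proxy overwrites it, which this example does not assume.
 */
function ex_login_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ex_login_transient_key( $ip ) {
    // Hashed so the option name stays short and contains only safe characters.
    return 'ex_login_fail_' . md5( $ip );
}

/**
 * Refuse the attempt once the address has exceeded the threshold.
 * Priority 30 places this after core's username/password and e-mail/password
 * checks (priority 20); at an earlier priority those checks would still run
 * and a correct guess could replace the WP_Error with a WP_User.
 * The same 'authenticate' filter runs for wp-login.php and for XML-RPC logins.
 */
function ex_login_block_if_limited( $user, $username, $password ) {
    $count = (int) get_transient( ex_login_transient_key( ex_login_client_ip() ) );
    if ( $count >= EX_LOGIN_MAX_FAILURES ) {
        return new WP_Error(
            'ex_too_many_attempts',
            __( 'Too many failed login attempts from this address. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'ex_login_block_if_limited', 30, 3 );

/**
 * Count a failure. 'wp_login_failed' fires for every bad username/password,
 * including attempts that arrive through xmlrpc.php, so both paths share
 * one counter per address. The counter expires with the window.
 */
function ex_login_record_failure( $username ) {
    $key   = ex_login_transient_key( ex_login_client_ip() );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EX_LOGIN_WINDOW );

    if ( $count === EX_LOGIN_MAX_FAILURES ) {
        // Tell the owner once per window that attempts are being refused
        // (the notification the thread points out core does not send).
        wp_mail(
            get_option( 'admin_email' ),
            sprintf( '[%s] login attempts blocked', get_bloginfo( 'name' ) ),
            sprintf(
                "%d failed logins from %s within %d minutes; further attempts are refused until the window expires.",
                $count,
                ex_login_client_ip(),
                EX_LOGIN_WINDOW / MINUTE_IN_SECONDS
            )
        );
    }
}
add_action( 'wp_login_failed', 'ex_login_record_failure' );

/** Clear the counter on a successful login so a legitimate user is not locked out afterwards. */
function ex_login_clear_on_success( $user_login, $user ) {
    delete_transient( ex_login_transient_key( ex_login_client_ip() ) );
}
add_action( 'wp_login', 'ex_login_clear_on_success', 10, 2 );

/**
 * Remove system.multicall from the methods xmlrpc.php will serve.
 * Clients that call XML-RPC methods one at a time are unaffected; only the
 * batching wrapper that lets a single request carry many login attempts goes.
 */
function ex_xmlrpc_drop_multicall( $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'ex_xmlrpc_drop_multicall' );
```

    Because the counter lives in a transient, it is per-site and disappears when the window expires or the object cache is flushed; a server-side tool such as fail2ban watching the web server log still gives stronger protection where the site owner can run one, since it stops the requests before PHP is involved.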

    This is by design.

    As with the Android app, it uses xml-rpc to communicate with your site, but it does so directly rather than via an Automattic server. So its attempt to access xml-rpc.php gets blocked.

    Use a browser on your iOS device to work with your site(s)?

    Thread Starter lovingboth

    (@lovingboth)

    Fab, thanks.

    Thread Starter lovingboth

    (@lovingboth)

    Ah, thanks.

    So it is a muddle. The official answer is the second one – which is at least consistent – but when something as horrendous as the latest exploit turns up, old versions may or may not be patched.

    I’ve edited the ‘supported versions’ page to say this.

    It’d help a lot if WP didn’t allow comments by default, but I know this is something the core team have been unwilling to change, despite the multiple problems it causes.

    When I go down the ‘deactivate and delete the plugin, then upload the new version’ route – saying “no”, it’s not an upgrade – it works, but I get the following message:

    “The Easy Theme and Plugin Upgrades plugin was unable to handle requests for this upgrade. Unfortunately, this setup may be incompatible with the plugin.”

    Same error, this time with a plugin. Say ‘yes’, it is an upgrade, but it fails with the ‘Destination folder already exists’.

    Plugin 1.0.4, WP 4.0, webserver can write to the filesystem, so no need for ftp credentials.

    Active:

    Easy Theme and Plugin Upgrades – Version 1.0.4
    Event Espresso – Version 4.4.0.p (it was this I was trying to upgrade)
    Maintenance – Version 2.2
    Weaver II Theme Extras – Version 2.2.10
    wpuntexturize – Version 1.5.1

    Thread Starter lovingboth

    (@lovingboth)

    Thanks, I’ll need to email you anyway as it’s a test site that’s behind a ‘maintenance mode’ plugin so you’ll need an account on it to see it – do you need to be a higher level of user than subscriber?

    Versions: the latest ones, downloaded from here yesterday. So that’s WP 4.0, WC 2.2.2 and OT 1.4.0.

    While I remember, do you need to use / publish the calendar, rather than having a page that says ‘select one of these, and possibly one or more of these, for each person’? The use case is one event (guess when!) that has a range of prices for the basic ticket plus assorted optional add-ons.

    Having to click around a calendar to find the event feels like it should be unnecessary.
