Marcus Downing
Forum Replies Created
Forum: Plugins
In reply to: [WP Activity Log] Accurate timestamps
That’s good to know, thanks. Has it changed the database format?
I noticed that the database format changed a few times since we started using this plugin. Are there plans to change it further? It would be good to stabilise, so that external tools can read the database reliably.
Forum: Plugins
In reply to: [Link Badges] bugs (PHP notices, udefined variables/indexes)
I’ve taken care of many of these warnings, if not all of them.
Forum: Plugins
In reply to: [Third Column] Still Broken!…
I apologise for the delay. I’ve published a major new version of this that should work on new versions of WordPress.
Because WordPress doesn’t naturally support this functionality, this plugin has to fiddle with some very messy internals to do its job. Sadly that means it’s vulnerable to changes within the WordPress code.
Let me know if the new version works for you.
Forum: Plugins
In reply to: [Site PIN] Worked great with older WP but not 3.8.1.
I’ve updated this to work with WordPress 3.8+
+1
+1 to enforcing strong passwords for custom roles. It would be easiest if strong passwords were enforced for everyone, regardless of role.
I disagree on letting administrators define what constitutes a strong password. There’s scientific research on what makes a better password, and very few laymen understand the issues or know how to pick good passwords. It’s better for the plugin to make that decision.
I just spotted this in the code, in inc/secure.php line 1090:

    foreach ( $userInfo->roles as $capability ) {
        if ( $availableRoles[$capability] < $availableRoles[$minRole] ) {
            $enforce = false;

If somebody has two roles, one of which is above the threshold and the other below, they’ll be excluded from requiring a strong password. This seems the wrong way round to me; a user with two roles should be held to the higher standard.
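The two-role case described in the post above, as an added example that is not the plugin's code. The role ranks, the starting value of `$enforce`, the users and the function names are all assumptions made for illustration; the first function mirrors the quoted loop and the second enforces whenever any one role reaches the threshold.

```php
<?php
// Constructed role ranks (assumption): higher number = more privileged.
$availableRoles = array(
    'subscriber' => 0, 'contributor' => 1, 'author' => 2,
    'editor' => 3, 'administrator' => 4,
);

// The check as quoted in the post: any role below the threshold turns
// enforcement off, even when another role is above it.
function enforce_as_quoted(array $roles, $minRole, array $availableRoles) {
    $enforce = true; // assumed starting value, not shown in the post
    foreach ($roles as $capability) {
        if ($availableRoles[$capability] < $availableRoles[$minRole]) {
            $enforce = false;
        }
    }
    return $enforce;
}

// Stricter check: one role at or above the threshold is enough to enforce.
// A role missing from the rank table (a custom role) also enforces, so an
// unranked role can never lower the standard.
function enforce_highest_role(array $roles, $minRole, array $availableRoles) {
    foreach ($roles as $role) {
        if (!isset($availableRoles[$role])) {
            return true;
        }
        if ($availableRoles[$role] >= $availableRoles[$minRole]) {
            return true;
        }
    }
    return false;
}

// Constructed users: one role each, then two roles straddling the threshold.
$users = array(
    'alice' => array('administrator'),
    'bob'   => array('subscriber'),
    'carol' => array('editor', 'subscriber'),
);
foreach ($users as $name => $roles) {
    printf("%-6s quoted=%-3s strict=%s\n", $name,
        enforce_as_quoted($roles, 'editor', $availableRoles) ? 'yes' : 'no',
        enforce_highest_role($roles, 'editor', $availableRoles) ? 'yes' : 'no');
}
// 'custom_role' is a hypothetical role name absent from the rank table.
var_dump(enforce_highest_role(array('custom_role'), 'editor', $availableRoles));
```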
Forum: Plugins
In reply to: [Disable XML-RPC] Doesn't work any more
Apologies, I didn’t look into the issue in detail. I simply switched the plugin on and saw that XML-RPC was still reachable. I only got as far as the “XML-RPC server accepts POST requests only” message, while I think the xmlrpc_enabled filter is checked further down the line.

There are indeed plenty of ways to block XML-RPC, and there’s no reason why your plugin should have to limit itself to just one of them. Here’s some code (go ahead and use it for free) for blocking that file with WordPress’ .htaccess, using activation hooks to make sure it’s applied with the plugin.

    // Insert a "forbidden" rule for xmlrpc.php ahead of the first
    // RewriteRule in the block WordPress writes to .htaccess.
    add_filter('mod_rewrite_rules', 'noxmlrpc_mod_rewrite_rules');
    function noxmlrpc_mod_rewrite_rules($rules) {
        $insert = "RewriteRule xmlrpc\.php$ - [F,L]";
        $rules = preg_replace('!RewriteRule!', "$insert\n\nRewriteRule", $rules, 1);
        return $rules;
    }

    // Rewrite .htaccess on activation so the rule takes effect immediately.
    register_activation_hook(__FILE__, 'noxmlrpc_htaccess_activate');
    function noxmlrpc_htaccess_activate() {
        flush_rewrite_rules(true);
    }

    // On deactivation, drop the filter first so the flush writes .htaccess
    // without the rule.
    register_deactivation_hook(__FILE__, 'noxmlrpc_htaccess_deactivate');
    function noxmlrpc_htaccess_deactivate() {
        remove_filter('mod_rewrite_rules', 'noxmlrpc_mod_rewrite_rules');
        flush_rewrite_rules(true);
    }

Forum: Plugins
In reply to: [Upload Scanner] Installing php-clamav on Ubuntu
Thanks. That streamlines the installation of php-clamav, but not the need to install a non-Aptitude version of ClamAV to be compatible with it.
Forum: Plugins
In reply to: [Upload Scanner] Installing php-clamav on Ubuntu
Instructions that approximately work:
http://askubuntu.com/questions/166280/how-do-i-install-the-clamav-extension-for-php-5-on-11-04
It’s messy though, and involves installing your own version of ClamAV. I’m left wondering why there isn’t a neat way of doing this.
Forum: Plugins
In reply to: [Upload Scanner] Installing php-clamav on Ubuntu
Calling the command line version of clamscan instead works, and with the right options can remove or quarantine files.

    clamscan --remove "$UPLOAD_SCANNER_ORIG_TEMPNAME"

However, since the Upload Scanner treats it as just another command line, it doesn’t get any information from the results. So at best you give the person who uploaded the file an error message because the file was deleted, rather than alerting them that the file is infected.
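What a caller could recover from a clamscan run if it did read the result, as an added example that is not Upload Scanner's code. The function names, return structure and sample output lines are assumptions made for illustration; the exit codes are the ones clamscan documents.

```php
<?php
// clamscan's documented exit codes: 0 = no virus found,
// 1 = virus(es) found, 2 = an error occurred.
function classify_clamscan($exitCode, array $outputLines) {
    if ($exitCode === 0) {
        return array('status' => 'clean', 'message' => 'Upload accepted.');
    }
    if ($exitCode === 1) {
        $signatures = array();
        foreach ($outputLines as $line) {
            // Infected files are reported as "<path>: <signature> FOUND"
            if (preg_match('/: (\S+) FOUND$/', trim($line), $m)) {
                $signatures[] = $m[1];
            }
        }
        return array(
            'status'  => 'infected',
            'message' => 'Upload rejected: malware detected ('
                . implode(', ', $signatures) . ').',
        );
    }
    // Fail closed: a scanner error must not let the file through silently.
    return array('status' => 'error', 'message' => 'Upload rejected: scan failed.');
}

// Hypothetical caller: scan without --remove so the result can be reported
// before the file is deleted or quarantined. escapeshellarg() keeps the
// upload path from being interpreted by the shell.
function scan_upload($path) {
    exec('clamscan --no-summary ' . escapeshellarg($path) . ' 2>&1', $out, $code);
    return classify_clamscan($code, $out);
}

// Constructed sample output, so this runs without ClamAV installed.
$infected = array('/tmp/phpA1b2C3: Eicar-Test-Signature FOUND');
print_r(classify_clamscan(1, $infected));
print_r(classify_clamscan(0, array('/tmp/phpA1b2C3: OK')));
print_r(classify_clamscan(2, array('ERROR: Can\'t access file /tmp/phpA1b2C3')));
```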
Forum: Plugins
In reply to: [WP Activity Log] Not logging failed logins
Forum: Plugins
In reply to: [WP Activity Log] Not logging failed logins
(marking as resolved since the fault lies elsewhere)
Forum: Plugins
In reply to: [WP Activity Log] Accurate timestamps
We’re looking at the possibility of using your plugin to satisfy some UK government requirements for audit logging on a site. The logs of important events like logins will be collected straight from the database.

Having spoken to the company providing the log collection software, millisecond accuracy isn’t as necessary as I thought, since they can use the EventNumber field to guarantee no log messages are missed by their collector. So it isn’t a strict requirement for us after all.

Still, an event time stored in date/time format is potentially subject to issues with time zones, incorrectly set clocks etc. So for reliable timekeeping, a raw timestamp seems like a good idea. You can get PHP’s highest accuracy with the microtime function. On my machine here it’s only accurate down to about 0.1 milliseconds rather than the promised microseconds, but that’s as good as it gets. It’s well supported across platforms since PHP 4.
Forum: Plugins
In reply to: [WP Activity Log] Not logging failed logins
Further investigation shows that the “Better WP Security” plugin intercepts and replaces the wp_authenticate method. If BWPS has the “Login limits” option turned on (to protect against brute force attacks), then it doesn’t fire the wp_login_failed action, instead sending it only to its own log (bwps_secure->logevent).

So as far as I’m concerned this is a bug in Better WP Security, not in WP Security Audit Log at all.
Forum: Plugins
In reply to: [WP UI - Tabs, Accordions, Sliders] Cannot read property 'msie' of undefined
I’m getting this as well. The lazy workaround worked, but I’d prefer a real fix.