redsand
Forum Replies Created
@pasmith: Sorry to hear man. One suggestion: Use the WP-Rollback Plugin, and roll WordFence back to version 6.0.25. We did that and we’re on 4.5. If that doesn’t work, then export your settings (the bottom of the WordFence options page), save that API somewhere safe, and uninstall/reinstall the plugin from scratch. Then import the API key in with your settings. (Unless you have a DB backup from yesterday or so…that would be best.)
Even with WP 4.5 we’re not thrilled with the whole new WAF, and how it takes over the admin with no way to make the nags go away (even once you deactivate). I love WF but this whole WAF feature needs a bit of tweaking before it’s ready for primetime.
Hope that helps! :)
Oh man…that sucks. I’m really sorry to hear that. I don’t know why they would ever do that. They should have never hacked the core…even if there is functionality that can’t be done by an existing plugin, you can create a child theme and put it in the functions.php file. Then you’re 100% upgradable.
Being that the risk is so high with running 3.9, I would say that at some point though I think it’s worth finding a new developer to upgrade it for you and migrate the functionality by transferring the extra code to equivalent plugins and a functions.php file. Just friendly advice. Your call though. As a plugin developer I can tell you that not too many plugins will be supporting anything below 4.0 for much longer.
equal bad practice and recipe for disaster. It will get a lot messier in the long run.
Seriously! True story.
Forum: Plugins
In reply to: [RS Head Cleaner Lite] home page content issues varies by theme
Hey Toni,
I’m glad you had a positive experience in the past. We’ll be happy to help again. :)
One thing to keep in mind, is that with any JS/CSS minification & caching plugin, it’s important to test, test, test. Because of the type of plugin it is, this plugin may not work for every site out there, but that does not mean the plugin is broken.
That being said, we do want to make it as compatible as possible. :)
Also, keep in mind that backbone was updated in WordPress 4.5, so make sure that isn’t involved. https://make.wordpress.org/core/2016/02/17/backbone-and-underscore-updated-to-latest-versions/
Plugins or themes that rely on the bundled Backbone and/or Underscore libraries should carefully check functionality with the latest versions and run any available unit tests to ensure compatibility.
I will need some additional info, and need to email back and forth with you, so please head on over to the WordPress Plugin Support page, and submit a support request.
– Scott
Why not just upgrade WordPress to the latest version? 3.9 is an extremely out of date version (2 years old) and has 23 known vulnerabilities. There really is no point to using a security plugin if you don’t keep your WordPress install up to date. You still need to use good security practices.
Forum: Plugins
In reply to: [RS Head Cleaner Lite] error while deinstalling
Hey Presskopp,
Great to hear from you again. :)
Yeah, you’re not really supposed to use them at the same time, lol. That’s what caused the issue. We’re making some upgrades that will allow you to use both versions from one plugin.
We’ll make some fixes in the meantime to prevent the issue you’re reporting. Thanks for letting me know.
Thank you for the positive feedback both about security and the plugin. :)
Feel free to get in touch via our site’s contact form. It would be great to email back and forth with you on some of those topics.
– Scott
@jeff: Right on. Will do. :)
Forum: Fixing WordPress
In reply to: WP 4.3.1 still allows visibility of admin usernames
@jan Good discussion on Twitter. You all missed out on some good debate. :) Turns out we’re not so opposed, lol.
Forum: Fixing WordPress
In reply to: WP 4.3.1 still allows visibility of admin usernames
@jan Dembowski: Revealing usernames actually is a security risk, and those saying that it’s 50% of what a hacker needs to access your site (at least that particular entry point) are 100% correct.
I’ve had to address this issue a lot lately, so here I go again. I apologize in advance if any of this offends you. Just know that I don’t mean any of it personally.
Security is not binary. It is not on or off, black or white.
Security is about reducing risk and lowering the statistical probability of a successful attack. You can never eliminate risk fully, and there is no such thing as 100% impenetrable security, even with the best measures in place.
It should never, ever be said, “that’s not a security risk,” because anything, when leveraged properly, can be a security risk.
The only way security could ever be binary, on or off, black or white, was if there were truly only one entry/exit control point, and you could devise a perfectly secure system. That will never exist. ANYTHING can be broken into…ANYTHING can be hacked. There is always someone out there with the skills to beat your best defenses. It is extremely important for system administrators, web developers, and security experts to humbly admit that.
While I was deployed, we had to be keenly aware of that fact as our lives depended on it. If we ever forgot that, or started to adopt an attitude of hubris, it would have been game over. The unit that replaced us when we came home adopted that exact attitude of hubris and ignored what we taught them, and they lost a lot of guys in the first few weeks they were there. Physical security, communications security, and IT security require understanding the exact same principles and require the same kind of vigilance.
I’ve personally discovered and reported major security flaws in tons of “secure” systems. In the last two weeks alone, 2 of those were web hosting companies.
Because it is about reducing risk, security is more accurately measured in percentages. Because it’s not possible to ever hit 100%, no system should ever be labeled “secure”.
It’s not a security flaw and has never been one.
That is absolutely incorrect, and saying it doesn’t simply make it true. If you’re going to say things like that, then you need to back it up with some references, quote some security experts with a proven track record. (And they can’t be associated with WordPress…no cheating.) If you can find something to back that up, I will gladly eat my words and send you a case of your favorite beer. :) You won’t find it though.
Think of username and password as two individual keys that are needed to access a site, because that’s exactly what they are. You have to have both to enter.
- Can you enter if you only have the password? No
- Can you enter if you only have the username? No
It’s mathematical and has to do with the probability I mentioned above.
If an attacker were trying to brute-force your site, they would have to try a nearly infinite combination of usernames and passwords. Even though there are only two keys needed, there are additional variables of each key that can change that increase the difficulty.
For one, the attacker does not know the length of the username key or the length of the password key. With each additional character added to the length, the difficulty is increased exponentially because the number of combinations to test is increased exponentially. The difficulty is also affected by what character sets are used. For example, does it use only lowercase, lowercase and uppercase, numbers, symbols, alternate alphabets and character encodings?
Without the username, it has a low probability of success, and would require too much bandwidth and time, so it’s not practical. Most brute password attempts are not doing this though. They test a combination of commonly used default usernames, and then when WordPress gives them the feedback that they hit the right one (because it does reveal this), then they go to work on the password. If it isn’t any of those, they will move on.
Once the attacker has the correct username, the difficulty has been reduced exponentially, and the likelihood of success has increased exponentially. So in reality, getting the username is closer to having 75% of what is needed to be successful.
The other thing to keep in mind is that whether in real life or the digital world, the longer an attack takes, its likelihood of success drops exponentially over time. Attackers have to get it done quick before they get discovered, blocked, caught, etc…or before it becomes too expensive (bandwidth, etc) to be practical.
Any reputable security person would tell you that the items you cannot protect have nothing to do with security.
I’m not sure what “reputable” security people you’ve been talking to, but that isn’t even close to accurate. There are no items you cannot protect. If it’s in your possession, you can protect it.
Again, if you back up a statement like that with references, please do.
Zero, that’s like arguing that your company’s address is half of letting people in the front door.
Yes and no. Technically, it is absolutely correct that limiting knowledge of a location would reduce the possibility of an attack. (I’m a combat veteran, and know what I speak of here.) Where your analogy falls short is that having an address does not provide access where username/password combos do provide access. Unless you have an unusual setup at your building, the key and door is a single key entry system. That would be like a site that required a password, but no username. (One key)
It’s the doors with locks that keep them out.
This also is a false security idea. A lock is a single key, so it is weak security. Saying that your building is secure because it is locked, makes an assumption that: 1) The door is the only way in, and 2) that the attacker is too polite to kick your door in. There are a million ways into a building (windows, conduits, etc), and attackers are never polite (whether thieves or hackers).
You don’t think a company publishing their street address is a risk, do you?
Again yes and no. When you consider that security involves probability, then technically it IS a risk, because limiting knowledge of the address would reduce the likelihood of a successful attack. But there is an opportunity cost associated with that…it would do more harm than benefit to your business because no one would know where to find you to buy your excellent wares or services. Same thing with a website. Keeping your site address secret would only harm your business, so that’s not practical. So it’s not that publishing your street address is NOT a risk, but rather, acknowledging that it IS a risk (however potentially low), deciding whether risks outweigh benefits or vice versa and then figuring out ways to mitigate that risk.
If you want to hide the author slugs and URLs then you can. But not hiding them doesn’t make anyone’s installation less secure.
Again, this is simply not true. Security best practices require preventing data leakage and limiting information to those who need it.
I realize I’ll probably get banned and exiled to the equivalent of WordPress.org Siberia, but this all needs to be said. No offense is meant.
I just find that too many people associated with WordPress have adopted some really unhealthy and inaccurate security ideas, and are passing them around like they are absolute truth and cannot be challenged.
It would be one thing for you all to keep saying these things if WordPress had a great security track record, but every single version released in the last couple years (with the exception of the very most recent minor releases in each branch) has had major security vulnerabilities discovered within weeks. So you can’t keep saying these things…they are simply not true.
It’s time for the WordPress community to start taking security much more seriously, time for some increased education on security, and time for a dramatic hardening of the WordPress core.
Come to think of it, this thread would probably make an excellent starting point for a blog post.
Forum: Plugins
In reply to: [WP-SpamShield] TypeError: t[s].indexOf is not a function
Hi ninacess,
If you haven’t had a chance to yet, please take a few minutes to work through the Troubleshooting Guide and FAQs, as these solve 90% of issues users have.
If those don’t solve the issue for you, we’ll need a bit more info from you on the specifics, and we’ll need to email back and forth, so please head over to the WP-SpamShield Support Form, and take a moment to fill out a support request. That will allow us to take care of this as quickly as possible for you.
– Scott
Please note that the WP-SpamShield Support page is our main support venue, not the WordPress forums here, so that will always be the best way to get a quick response and resolve any tech support issues.
Forum: Plugins
In reply to: [WP-SpamShield] False positive
Hi sologne,
We received your support request, and emailed you back.
This plugin does not really have false positives because of the type of system it uses…it gives the user a chance to try again. If someone could not post a comment, no matter what they did, that would be a false positive, and is the very problem many other spam plugins have. (Of course if a true false positive does get reported, it’s usually due to a bug, and we always try to fix it very quickly. We work hard to have zero false positives.)
Please see FAQ 9 for more info: Q: I think a legitimate user or comment may have been blocked. What’s going on here and what do I do?
he was told that it was blocked, but the comment disappeared. Since it took him time to write it, he didn’t want to do it again. I took time to read some documentation about the plugin, and I was under the assumption that the plugin would give a chance to modify the comment, not to rewrite it from scratch knowing it was blocked.
The issue you’re talking about here is not related to the plugin or WordPress, but rather the web browser itself. When you fill in a form, text is only entered into the form fields in the browser, but it is not saved anywhere…it is not saved in a database or anything like that. You can get browser plugins to save your forms in your browser, but that functionality is completely separate from what happens in a website’s code.
@jeff: Exactly…I hear ya. I’ve looked at a lot of “true IP” scripts and each one I’ve seen has fallen short in some aspect. We’re working on a robust script for true IP address detection (that will fill in the gaps) to use with our WP-SpamShield plugin. Since it’s tough to find good scripts in that category, we’ll be happy to share once it’s finished, and will likely post on GitHub.
@12ax7: Or you could just set a proper User-Agent in wget. Problem solved. :)
@jeff: Determining if it’s internal isn’t too hard…usually just checking if the request is from the same IP C-block as the website IP will do the trick. (Given that you’ve got a good IP detection script that gets real IPs in cases of WAFs/proxies/etc.) Let me know if you think of a case where that wouldn’t work, or would cause an issue.
Forum: Plugins
In reply to: [WP-SpamShield] exclude a specific page
You’re welcome! Outstanding. :)
Thank you for the positive feedback!
Forum: Plugins
In reply to: [WP-SpamShield] exclude a specific page
Hi sjlevy,
There isn’t a way to exclude specific pages per se, but there are some WP-SpamShield hooks you can use that will help you accomplish essentially the same thing. It will allow you to bypass the Anti-spam for Miscellaneous Forms filter on-demand when you are running a specific function.
If you have added specific code to your functions.php, you can add the following to your theme’s functions.php:
add_filter( 'wpss_misc_form_spam_check_bypass', 'your_custom_function', 10 );

You will need to create a function after this with some logic. To bypass the filter, it needs to return a value of TRUE. Something like this should work:

function your_custom_function( $bypass ) {
    // $bypass is FALSE by default - you need to change it to TRUE to bypass
    /**
     * Some logic here
     * - check if you are on the specific page you want...
     * - check if the appropriate function is firing...
     * - ..or any other condition you want to test for...
     **/
    // If conditions are met...
    return TRUE;
    // If conditions are not met, and you want things to function as usual...
    // return FALSE;
}

That will help you create the custom exclusion you need.
You can rename ‘your_custom_function’ to whatever you like. Just be sure to do it both in the “add_filter()” line and in your actual function. Make sure it is unique so it doesn’t break any plugins. Using a unique prefix is usually a good idea to prevent collisions: ‘fh65v_’ or whatever at the beginning of your function name. (Ex: ‘fh65v_your_custom_function’).
I hope that helps!
– Scott
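A filled-in version of that skeleton, as an added example that is not code from the original post or from the WP-SpamShield project: it bypasses the Miscellaneous Forms filter only for one custom form on one page, and only when the submission carries a nonce this site issued. The prefix `fh65v_`, the page slug `newsletter-signup`, the permalink path and the nonce names are assumptions.

```php
<?php
// Added example (not from the original post or the WP-SpamShield project).
// Narrow bypass of the Miscellaneous Forms anti-spam check: only for an
// assumed custom form on the assumed page slug 'newsletter-signup', and only
// when the submission carries a nonce that this site generated, so a bot that
// POSTs straight to the page without loading the form is still filtered.

add_filter( 'wpss_misc_form_spam_check_bypass', 'fh65v_bypass_for_signup_form', 10 );

function fh65v_bypass_for_signup_form( $bypass ) {
    // Respect a bypass another hook already granted; never un-bypass here.
    if ( TRUE === $bypass ) {
        return $bypass;
    }

    // Condition 1: the request is for the page that hosts our form.
    // is_page() needs the main query; before the 'wp' action, fall back to
    // comparing the request path (assumed permalink '/newsletter-signup/').
    if ( did_action( 'wp' ) ) {
        $on_form_page = is_page( 'newsletter-signup' );
    } else {
        $uri          = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
        $path         = (string) wp_parse_url( $uri, PHP_URL_PATH );
        $on_form_page = ( '/newsletter-signup/' === trailingslashit( $path ) );
    }
    if ( ! $on_form_page ) {
        return $bypass;
    }

    // Condition 2: the POST carries a valid nonce from our own form.
    $nonce = isset( $_POST['fh65v_signup_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['fh65v_signup_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'fh65v_signup_form' ) ) {
        return $bypass;
    }

    // Both conditions met: skip the spam check for this one submission only.
    return TRUE;
}

// The form template must emit the matching field (assumed form markup):
// wp_nonce_field( 'fh65v_signup_form', 'fh65v_signup_nonce' );
```

The nonce only ties the submission to a form this site rendered; it does not replace the spam check, so keep the bypass scoped to the one page and form you have tested rather than returning TRUE unconditionally.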