yorman
Forum Replies Created
if we block php in upload, will this plugin work properly?
Yes, the plugin will work properly.
The PHP files stored in /wp-content/uploads/sucuri/ are used to store data, not to render content. The plugin can read the files even with the hardening in place. The hardening is only preventing people from accessing this file using a web browser, but the plugin can still access these files from the server itself.
Secondly, how to whitelist this sucuri folder in the whitelist section?
You don’t need to whitelist the directory.
@ycampo using the SUCURI_DATA_STORAGE constant will not fix the issue reported by this user. The plugin has /uploads/sucuri hardcoded here [1], so even if they use that constant to configure a custom location for the plugin files, the directory will still be created, which is what the user doesn’t want.
[1] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/d7acfc6/src/base.lib.php#L268-L294
Hello @worldless the errors from the first comment are produced by the PHP interpreter when the file is not fully read. There is no bug in the code that would cause this problem. I believe your web server, for some reason, was not able to read the entire file and when it passed it to the PHP interpreter the code was incomplete, that’s why it says “[…] unexpected end of file”.
The second error is not produced by this plugin. That error is talking about packet loss in a SQL query. The plugin doesn’t make use of the database at all. You may want to investigate how much data your website is requesting from the database and/or increase the value of your max_allowed_packet setting.
I think both errors are produced by a misconfiguration of some settings in your web server and database engine. I encourage you to pass this information to your hosting provider and see if they can do something to help.
Forum: Reviews
In reply to: [Sucuri Security - Auditing, Malware Scanner and Security Hardening] Not Free
@starmckel your comment is completely wrong.
The plugin is free, otherwise you wouldn’t be able to install it and use it.
There is one single feature that is premium, and this is already explained in the description before the installation process starts. I believe you read the description of every plugin you install, right? Are you installing random extensions without knowing what they do? Of course not, that would open security holes in your website.
In the description of the page you can see this: “Website Firewall (premium)”.
And in the FAQ you can find this: “What is the website firewall (premium)”.
This is not included as a free option of the plugin, but it is integrated so that if purchased you are able to activate it. If you prefer to leverage the Sucuri Firewall product by itself, you have the option to operate the Website Firewall WordPress Security plugin in standalone mode.
You can still use the other features without paying for the firewall.
Generating an API for the plugin, not for the firewall, is completely free.
@mariette-jackson a new version of the plugin was released yesterday.
An option to exercise the right of visibility was added [1].
No more options were added to exercise other rights (erasure, portability, rectification, objection or restriction). The development team has no word on legal matters, because of this I encourage you to send your enquiries directly to the GDPR team at gdpr@sucuri.net
[1] https://github.com/Sucuri/sucuri-wordpress-plugin/pull/56
The release was coordinated with the GDPR team.
You can submit your enquiries directly to them at gdpr@sucuri.net
Version 1.8.6 simply added a checkbox in the API key generation form to ask the user for consent to store some data in the Sucuri servers, it was also used to update the copyright information as you can see here [1]. This release didn’t implement any additional feature to comply with the GDPR laws like the right of erasure, portability, rectification, objection or restriction.
Sucuri lawyers, reachable via the email above, are the only ones that can answer the question “Why are these features not implemented?”. Answering these and other GDPR-related questions as a developer may create liability, that’s why I suggest you contact the GDPR team directly.
[1] https://github.com/Sucuri/sucuri-wordpress-plugin/pull/56
Yes, the fix was merged 3 hours ago [1].
It is now up to the project manager to decide when to release it. I believe they are preparing some other changes to make the plugin comply with the GDPR law [2] so I predict that there will be an update before May 25, 2018. This update will include this fix as well.
[1] https://github.com/Sucuri/sucuri-wordpress-plugin/pull/57
[2] https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
Thank you for reporting this warning.
In the settings page, under the panel with the list of files marked as fixed from the WordPress Integrity tool, there is a button to reset the list. The button is part of a form that is supposed to send a POST parameter named "sucuriscan_corefile_path" as an array; the plugin walks through the array and removes the files marked as fixed from the cache. However, when the request is missing the parameter, the plugin fails to process the request because the iterator is expecting an array but is receiving a "null".
I just sent a fix a couple of minutes ago [1].
[1] https://github.com/Sucuri/sucuri-wordpress-plugin/pull/57/commits/f6d3eea
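A defensive version of the handler described in that post, written here as an added example rather than taken from the plugin’s code: the reset_fixed_files function and the $cache array are hypothetical stand-ins; only the parameter name sucuriscan_corefile_path comes from the post above.

```php
<?php
// Added example, not the plugin's own code. $cache is a hypothetical
// array keyed by relative file path; the real plugin's storage differs.

/**
 * Remove the files listed in the POST parameter from the "marked as fixed"
 * cache and return the paths that were actually removed.
 *
 * @param array $post  Request parameters (e.g. $_POST).
 * @param array $cache Cache of fixed files, keyed by relative path.
 * @return string[]    Paths removed from the cache.
 */
function reset_fixed_files(array $post, array &$cache): array
{
    // The form sends "sucuriscan_corefile_path" as an array. When the
    // parameter is missing, handing null to foreach triggers a PHP warning
    // and the request is not processed, so normalise the value first.
    $paths = $post['sucuriscan_corefile_path'] ?? null;
    if (!is_array($paths)) {
        // Tolerate a single string, but never iterate over null or scalars.
        $paths = (is_string($paths) && $paths !== '') ? array($paths) : array();
    }

    $removed = array();
    foreach ($paths as $path) {
        if (!is_string($path)) {
            continue; // nested arrays or other junk are ignored
        }
        // Core file paths are relative to the WordPress root: reject NUL
        // bytes and any ".." traversal segment before touching the cache.
        $path = ltrim($path, '/');
        if ($path === '' || strpos($path, "\0") !== false
            || preg_match('#(^|/)\.\.(/|$)#', $path)) {
            continue;
        }
        if (isset($cache[$path])) {
            unset($cache[$path]);
            $removed[] = $path;
        }
    }
    return $removed;
}

// Constructed sample data: two cached entries and two requests, one of
// them without the parameter at all (the case reported in the thread).
$cache = array('wp-admin/index.php' => 1, 'wp-includes/version.php' => 1);
var_dump(reset_fixed_files(array(), $cache));
var_dump(reset_fixed_files(array(
    'sucuriscan_corefile_path' => array('wp-admin/index.php', '../etc/passwd'),
), $cache));
var_dump($cache);
```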
It’s quite possible that the web API service is rejecting the keys.
Please contact support once again and ask them to confirm that the key is allowed to authenticate with the remote service. Even if the key is valid, the server where the service is running may be rejecting it for unknown reasons to me. I would check this for you, but I do not have access to that server for security reasons.
@jarrodwhitley0518 yes, I review comments in “resolved” threads.
I apologize for not responding to your request sooner.
I replied to the other ticket [1], let’s see if my suggestion solves your problem.
[1] https://wordpress.org/support/topic/alert-spam-event-post-update/
The post-type is hinted in the message “Page was updated…”.
This message comes from this code [1] where the word before “was” is the post-type, in this case “Page”. However, the other two lines in the code show that the notification is controlled by the event post_publication, so please try unchecking that one and see if it reduces the number of alerts in your inbox.
[1] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/07ee911/src/hook.lib.php#L787-L794
The logs are stored in this file [1].
However, the plugin syncs these logs with a remote web API service. If the logs are not in this file, you will not be able to delete them because they are already stored in our servers. You can opt to delete your API key and generate a new one to start from scratch in case that you don’t want to see the old logs anymore.
[1] /wp-content/uploads/sucuri/sucuri-auditlogs.php
The code is open-source here [1].
Feel free to inspect it and if you find any piece of code that allows us to inject malware into your website, I will personally fly to whatever country you are in and give you all my salary for one year. In fact, if anyone is able to find a backdoor in our code I will give the same prize.
I removed the option to log passwords during a failed login here [1].
This feature, added some time ago after multiple requests from the WordPress community, has been reviewed again this year by our security team and we determined that the benefits of knowing the password used during a failed login attempt are not enough to justify having such a dangerous logging mechanism.
The scenario used to justify the existence of this feature was that, if a malicious user was trying to brute force the account of one of the administrators, one of them could take a look at the logs and determine if the malicious user was getting close or not to the real password, in which case they would decide to change it.
However, after the security review, we found that knowing the password used during a failed login attempt is not really useful and on the contrary opens a hole in the application: a legit admin user could mistakenly type the semi-correct password in the login form, the plugin will log the wrong credentials, and if the API key has been leaked, a malicious user could take this information to access the admin dashboard by making educated guesses over the mistyped password.
We have no plans to reimplement this option in the near future.
[1] https://github.com/Sucuri/sucuri-wordpress-plugin/commit/301c81b
@weepie — I just sent you an e-mail to that address.