Posts Tagged ‘Security’

Security Warning From WordPress Team

Wednesday, June 22nd, 2011

Hello, dear readers!
Let me spread the word from the WordPress team in case you don’t read the WordPress development blog. On June 21st, 2011, Matt Mullenweg published a post titled “Reset Password” on the WordPress development blog. You can read the full copy below or visit its original page.

“Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.


edit_dashboard WordPress capability

Sunday, June 19th, 2011

Since version 2.5 WordPress has had the “edit_dashboard” (Edit Dashboard) capability in its capabilities system. What is the purpose of this capability? Does it forbid a logged-in user from removing a widget from the dashboard if he decides that the widget is of no use to him and wishes to hide it using the “Screen Options” link at the top of the dashboard screen? Definitely not.
If a user has the “edit_dashboard” capability, he has access to the configuration parameters of the widgets included in his dashboard. If a widget has parameters that tune its behaviour, such a user is able to change them. Let’s see. Go to the WordPress dashboard and move your mouse pointer to the top right corner of a widget box. Let’s take for example the “WordPress Development Blog” widget, which is accessible to all logged-in users. Do you see a small down-pointing arrow? As you may already know, it serves to collapse/expand the widget box. Move your mouse to the left of that arrow. If you have the “edit_dashboard” capability you will see a “Configure” link appear there.


Lockdown WP Admin plugin review

Saturday, June 18th, 2011

“Lockdown WordPress Admin”, or “Lockdown WP Admin” for short, is a WordPress plugin concerned with enhancing WordPress security. You can find it in the WordPress plugin repository. The plugin author is Sean Fisher. The latest version available at the time of writing this review is 1.6.
Let’s go step by step through what this plugin offers the WordPress administrator to make WordPress more secure.
First, “Lockdown WP Admin” hides the wp-admin directory from visitors who are not logged in. Such a visitor gets a 404 Page Not Found HTTP error in his browser if he requests the http://yourblogdomain/wp-admin/ URL.


User Role Editor 3.1 Beta

Sunday, May 15th, 2011

User Role Editor WordPress plugin version 3.1 is ready for beta testing. You are welcome to try it! The new things added to the plugin’s functionality are:
– an “add new capability” box;
– a “delete unused capability” box (core WordPress capabilities excepted);
– assigning capabilities directly to a user, in addition to the role assigned to him;
– fixes for minor bugs and for compatibility with other plugins.
I plan to publish it in the wordpress.org plugins repository after a week or two of beta testing.


Stealth Login WordPress Plugin Review

Saturday, March 12th, 2011

Authors: skullbit, devbit
Plugin version: 1.3
WordPress versions: from 2.3 to 2.7.1 according to the authors’ information. I made my tests with WordPress 3.1, single site.
What does this plugin do?
It allows you to customize the URLs for the login, logout and register links. For example, it is possible to set the login URL to "http://www.yourblog.com/login-wp-1870" instead of the standard "/wp-login" one. As an especially notable feature I wish to point out the so-called “Stealth mode”, which can be enabled with the help of this plugin. It denies direct access to the ‘wp-login.php’ script.


Credit card fraud or hello from “Papal”

Tuesday, March 1st, 2011

Everyone has met spam emails. Everyone knows what to do with such noise: the recycle bin is the right place for such messages. But some messages we read from time to time. And some of those dangerous messages we may accidentally trust.
My friends, I wish to draw your attention to this one more time. Again. Do not trust emails that ask you to send your passwords, credit card numbers, etc. somewhere. Do not trust them, even if they look very similar to messages you could receive from well known services.

I received such a message this morning and want to show it to you, just so you know how such a message can be disguised.


Is unfiltered_html capability deprecated?

Saturday, February 19th, 2011

Eberle13 (a “User Role Editor” plugin user) asked me why the ‘unfiltered_html’ user role capability does not work under WordPress multi-site. I found the reason and posted an answer to eberle13’s question at wordpress.org.
I was curious and played with my test WordPress 3.1 Release Candidate 4 multi-site installation. The problem with using the ‘unfiltered_html’ capability still exists in it. I decided to write a special post about it, as it could be interesting to someone else. I tried to insert the modern HTML5 tag ‘<video>’ into a post without success: it was removed by WordPress every time I saved the post changes, despite my doing that under an account with ‘Editor’ role privileges. The ‘Editor’ role has the ‘unfiltered_html’ capability turned on by default. What is the reason? Why does this capability fail to work?
