WP Sanitize WordPress plugin review

WP Sanitize or Simple Optimization - who's the author

WP Sanitize or Simple Optimization

I’m interesting in WordPress security plugins. Recently, going through WordPress plugins repository I found one which looked promising. “WP Sanitize checks for potential security vulnerabilities and keeps your WordPress database optimized”, – this is quote from its description. I decided to test it.

Author: Mr. Vibe
Version: 1.0
Download link : wordpress.org/extend/plugins/wp-sanitize/

I thought, how’s that possible with size 2 Kb only to check security vulnerabilities? May be it uses some web service for that? What critical data plugin sends to external site then in order to make security test? So I went through the code and discovered that there is no any real or potential vulnerabilities checking in the current version of plugin. May be WP Sanitize plugin is still in developement? According to its site vibethemes.com author plans to add some new features for this plugin. If such, plugin description should include this information. Not all WordPress blog owners can look inside PHP code and check the real plugin functionality.

For this moment there are just a few security enhancement related options in this plugin:

1) Remove RSD (Really Simple Discovery) link from your WordPress blog pages header. What is it?
According to Wiki article:

Really Simple Discovery (RSD) is an XML format and a publishing convention for making services exposed by blog, or other web software, discoverable by client software.
It is a way to reduce the information required to set up editing/blogging software to three well known elements:
Username
Password
Homepage URL
Any other critical settings should either be defined in the RSD file related to the blog, or discoverable using the information provided.

Thus, such option allows to exclude the link like this:

<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://yourblog.com/xmlrpc.php?rsd" />

from your pages. What information you can hide removing this link?

<rsd version="1.0">
<service>
<engineName>WordPress</engineName>
<engineLink>http://wordpress.org/</engineLink>
<homePageLink>http://yourblog.com</homePageLink>
<apis>
<api name="WordPress" blogID="1" preferred="true" apiLink="http://yourblog.com/xmlrpc.php"/>
<api name="Movable Type" blogID="1" preferred="false" apiLink="http://yourblog.com/xmlrpc.php"/>
<api name="MetaWeblog" blogID="1" preferred="false" apiLink="http://yourblog.com/xmlrpc.php"/>
<api name="Blogger" blogID="1" preferred="false" apiLink="http://yourblog.com/xmlrpc.php"/>
<api name="Atom" blogID="" preferred="false" apiLink="http://yourblog.com/wp-app.php/service"/>
</apis>
</service>
</rsd>

Question: Why publication of this information is security related problem? It mentions WordPress as the engine and tells to hackers that you use WordPress that way? Open your WordPress managed blog home page HTML source code. Look at it. There are a lot of other ways to discover what engine do you use and you can not exclude that information from your pages code. What do you say about those related to plugins links to CSS, JavaScript, which all includes ‘/wp-content/plugin/bla-bla’? Add here themes related links, e.g. ‘/wp-content/themes/twentyten/style.css’, etc. There are many other ways to know what engine do we use. Look on the standard set of div IDs or CSS tags which WordPress uses. Look at apiLink value in the code fragment above. The most of them are “http://yourblog.com/xmlrpc.php”. So just call it directly with needed parameters.
That was one side.
The other side is that there are a lot of stupid low level software bots which surfs Internet and searches easy victims. So in case you are the only user of your blog that’s more secure to hide as much information as possible. In this case this option could be useful.

2) Remove Windows Live Writer link.
What this is about? It hides this link from you blog pages header:

<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://yourblog.com/wp-includes/wlwmanifest.xml" />

wlwmanifest.xml file contains this data:

<manifest>
<options>
<clientType>WordPress</clientType>
<supportsKeywords>Yes</supportsKeywords>
<supportsGetTags>Yes</supportsGetTags>
</options>
<weblog>
<serviceName>WordPress</serviceName>
<imageUrl>images/wlw/wp-icon.png</imageUrl>
<watermarkImageUrl>images/wlw/wp-watermark.png</watermarkImageUrl>
<homepageLinkText>View site</homepageLinkText>
<adminLinkText>Dashboard</adminLinkText>
<adminUrl> 
	{blog-postapi-url}/../wp-admin/ 
</adminUrl>
<postEditingUrl> 
	{blog-postapi-url}/../wp-admin/post.php?action=edit post={post-id} 
</postEditingUrl>
</weblog>
<buttons>
<button>
<id>0</id>
<text>Manage Comments</text>
<imageUrl>images/wlw/wp-comments.png</imageUrl>
<clickUrl> 
	{blog-postapi-url}/../wp-admin/edit-comments.php
</clickUrl>
</button>
</buttons>
</manifest>

That could be seemed more critical as included link to your ‘wp-admin’ your WordPress blog administrator back-end script location. But again, if you know that this blog uses WordPress, is that a big secret, that the most of WordPress blogs has their administrator back-end script at ‘wp-admin’ directory? Of course, No. Thus, is you have large number of contributors, why limit them from using external clients they prefer to work with your blog?
Again, there is other side. If you the only user, that could be useful to hide as many information about your blog as possible. You never know, what malicious bot will visit you tomorrow, and may be this small security related enhancement escape you that time.

3) Remove the version number.
Do you see this string in your pages header:

<meta name="generator" content="WordPress 3.2.1" />

You can hide it activating this option. Why is it more secure do not show you blog version? Getting WordPress version hacker or software bot could use vulnerabilities known for that version. From other side if most of us always use the latest WordPress version (as it should be), is that a big secret for intruder what WordPress version do we use in this case?
If you are security paranoiac (as me :)) you will hide your WordPress version.

4) Content Curly Quotes
This option turns off WordPress feature which makes some automatic replacements in your posts and comments texts. Simple quotes replacement to curly quotes is one of them. With latest WordPress versions I don’t know why you should wish to turn it off. WordPress don’t changes quotes now inside special tags, e.g.

$no_texturize_tags = apply_filters('no_texturize_tags', array('pre', 'code', 'kbd', 'style', 'script', 'tt'));

And finally, what relation this option has to security?

5) User Profile HTML
This option turns off WordPress built-in control (wp-kses filter) and allows to your blog users input raw HTML code into their profiles.
Warning! This is very insecure to give such capability to untrusted users. There are ways to theft other user WordPress credentials using special JavaScript injections into HTML code. WordPress developers even prohibit unfiltered_html capability for any user (except super admin) under multi-site environment. Read this post “Is unfiltered HTML capability deprecated” if you’re interested.

6) and final option is “Optimize Database”.
I was very curious what does it mean really: “Keeps WordPRess database Optimized”? May be it realizes some functionality similar to WP Optimize WordPress plugin?
When I checked plugin source code I got an answer. It is not WordPress database optimization. It is MySQL database optimization with MySQL “optimize table” command.
According to MySQL documentation:

OPTIMIZE TABLE should be used if you have deleted a large part of a table or if you have made many changes to a table with variable-length rows (tables that have VARCHAR, VARBINARY, BLOB, or TEXT columns). Deleted rows are maintained in a linked list and subsequent INSERT operations reuse old row positions. You can use OPTIMIZE TABLE to reclaim the unused space and to defragment the data file. After extensive changes to a table, this statement may also improve performance of statements that use the table, sometimes significantly.

Is mentioned above “extensive changes to a table” applicable to WordPress? Do you delete large part of WordPress data often? What extensive changes to a table could take place in case of WordPress blog? Any users activity just adds new records to your database. Large post update operation? May be. But if you make one post a week and have less than 1000 records in your wp_posts table, why do you need to execute ‘optimize table’ command for all tables of your WordPress MySQL database on the daily base?
Yes, plugin automatically adds this operation to WordPress scheduler interface with ‘daily’ execution period.
I think, that this has to be an option. Plugin user should decide if he needs scheduled database optimization and how often this operation should be executed.

Finally, digging Internet before make this post I found this article Your First WordPress Plugin: Simple Optimization. It was published at on May 31st 2010. WP Sanitize plugin is published at wordpress.org plugins repository on October 23rd 2011. Compare functionality. Open wp-sanitize.php file in any text editor and compare code snippets with those in article. Very similar?
Options management page is added, SEO related staff is excluded. That’s all. Nothing new and nothing changed.
Yes, we can re-use any code published under GPL license in our work. But I don’t see any mention of the former code author Jonathan Wolfe and primary source site link in the WP Sanitize plugin’s materials. Is that correct? What do you think?

Tags: ,