Posts Tagged ‘Security’

Custom User Roles and WordPress Core Code Compatibility Issues

Tuesday, September 14th, 2010

Custom User Roles

WordPress has a good built-in user level/capability/role system. The standard roles are Administrator, Editor, Author, Contributor and Subscriber. This set of roles is enough in most cases and for most needs. But from time to time you need something special, something of your own. In such cases you can use the User Role Editor WordPress plugin and build your own custom user role. But you should do it carefully and test the newly created role thoroughly, because:

  • 1st, you could open holes in the WordPress security model (a role that carries a capability it should not have);
  • 2nd, you could lose useful WordPress functionality (core code checks some capabilities without asking you, and a role that lacks them silently loses features).

One example of WordPress functionality lost under a custom user role is described in the full post.

Silence is Golden Guard WordPress plugin v. 1.5 update

Sunday, May 9th, 2010

Silence is golden guard plugin is updated

The next update, v.1.5, is available for the Silence is Golden Guard WordPress plugin. With the help of plugin users an incompatibility with the WP Super Cache plugin was discovered and fixed. The problem was that a blog with WP Super Cache active became unavailable after the SIG plugin was activated. Analysis showed that the index.php file with a redirection directive which SIG placed in the wp-super-cache/plugins directory caused an endless redirection loop that blocked both front-end and admin back-end access: WP Super Cache loads every PHP file in that directory as one of its own helper plugins, so the redirect ran on every request, including the request for the site root it redirected to. From version 1.5 the SIG plugin checks whether WP Super Cache is active and, if so, creates an empty index.php file without the redirection directive in the wp-super-cache/plugins directory. The incompatibility is resolved this way.

How to block a WordPress admin menu item

Friday, April 23rd, 2010

Remove Admin Menu Item

Suppose you don’t want some of your blog’s registered users to see certain menu items in the WordPress admin back-end, and this is not a matter of role capabilities: there is no capability you could revoke to get the effect. For example, you need to block just the user profile editor and nothing more. This can be useful if you want a group of volunteers to share a single user account to do some task on your blog. In that case it is important that nobody in the group can change the account’s password or other profile details. So you have to block both the WordPress admin menu items and the URLs through which the profile editor is reached.
I will show you how in this post. We just add a small piece of code to your theme’s functions.php file. Let’s go.
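The following is an added example written for this page; it is not the code from the original post. It hides the profile editor from one group of users and, more importantly, refuses direct requests to it. Its assumptions: the shared account is in a role named 'volunteer' (a name chosen for this example), WordPress 3.4 or later, and the code lives in the active theme's functions.php.

```php
<?php
// Added example, not the code from the original post: hide the profile editor
// from one group of users and refuse direct requests to it. Assumptions: the
// shared account is in a role named 'volunteer' (a name chosen for this example),
// WordPress 3.4 or later, and this code lives in the active theme's functions.php.

function example_is_volunteer() {
    $user = wp_get_current_user();
    return $user->exists() && in_array( 'volunteer', (array) $user->roles, true );
}

// 1. Remove the menu entries that lead to the profile editor.
//    Users without list_users get a top-level "Profile" item; users with it get
//    "Your Profile" under Users. Removing both covers either case.
add_action( 'admin_menu', function () {
    if ( ! example_is_volunteer() ) {
        return;
    }
    remove_menu_page( 'profile.php' );
    remove_submenu_page( 'users.php', 'profile.php' );
}, 999 );

// 2. The menu is only cosmetic; the URL is the real control. profile.php serves
//    both the form (GET) and the save (POST), so refusing the page refuses both.
add_action( 'admin_init', function () {
    global $pagenow;
    if ( example_is_volunteer() && in_array( $pagenow, array( 'profile.php', 'user-edit.php' ), true ) ) {
        wp_die( 'Profile editing is disabled for this shared account.', 'Forbidden', array( 'response' => 403 ) );
    }
} );

// 3. Also drop the "Edit My Profile" links from the toolbar.
add_action( 'admin_bar_menu', function ( $wp_admin_bar ) {
    if ( example_is_volunteer() ) {
        $wp_admin_bar->remove_node( 'user-info' );
        $wp_admin_bar->remove_node( 'edit-profile' );
    }
}, 999 );
```

Two caveats a practitioner should keep in mind. Removing menu items only changes what is drawn; the admin_init check is what actually stops a volunteer who types the profile.php URL by hand, so never ship the first part without the second. And the account's password can still be changed through the "Lost your password?" flow, which mails a reset link to the account's e-mail address, so that address must belong to the site owner, not to any of the volunteers.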

Silence is Golden Guard Plugin v. 1.3 is available

Monday, April 12th, 2010

The next update, v.1.3, is available for the Silence is Golden Guard WordPress plugin. It can now redirect every directory listing request to the site root, rebuild all the dummy index.php files SIG created according to the selected format (redirection to the root, or just an empty page), and remove unused files from plugin folders, such as readme.txt, screenshot-*.gif, screenshot-*.png and screenshot-*.jpg. Those files are put into the plugin package so that wordpress.org can show information on the plugin page; 1st, they are not used on your blog, and 2nd, they can easily expose the plugin version to a potential attacker, who simply opens them in a browser. If you use a plugin version with a known vulnerability this is dangerous, as it makes the attacker’s life easier. We don’t want that, right?
If you have ideas for additions to this plugin’s functionality, you are welcome! What else in an installed WordPress or its plugins gives too much away to potential attackers? I will add an option to remove it in the next SIG Guard plugin version.
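The following is an added example, not the Silence is Golden Guard plugin's own code. It is a stand-alone PHP command-line script that reproduces the three behaviours described in the two SIG posts above: dummy index.php files in either the redirect or the empty format, rebuilding only the files it wrote itself (so a plugin whose real main file is index.php is never overwritten), removal of readme.txt and screenshot-* files, and the v.1.5 special case of always using the empty format in the wp-super-cache/plugins directory. The marker comment it uses to recognise its own files, the argument layout and the function names are this example's own assumptions.

```php
<?php
// Added example, not code from the Silence is Golden Guard plugin: a stand-alone
// command-line script that does what the v.1.3 and v.1.5 posts above describe,
// on a wp-content/plugins directory. The marker comment, the argument layout and
// the function names are this example's own choices.
//
//   php sig_example.php /path/to/wp-content/plugins redirect|empty [--purge]
//
// Take a backup first: --purge deletes files.

const DUMMY_MARKER = '/* dummy index.php written by sig_example */';

// The two formats the plugin offers for its dummy index.php files.
function dummy_index_body( string $format ): string {
    if ( $format === 'redirect' ) {
        return "<?php " . DUMMY_MARKER . "\nheader( 'Location: /', true, 302 );\nexit;\n";
    }
    // 'empty': renders nothing, like WordPress' own "Silence is golden." stubs.
    return "<?php " . DUMMY_MARKER . "\n// Silence is golden.\n";
}

// WP Super Cache includes every *.php file in its plugins/ directory as a helper
// plugin, so a redirecting index.php there runs on every request and loops
// forever (the v.1.5 bug). That directory must always get the empty format.
function must_be_empty( string $dir ): bool {
    return basename( $dir ) === 'plugins' && basename( dirname( $dir ) ) === 'wp-super-cache';
}

// Files that only serve the wordpress.org plugin page and advertise the version.
function junk_files( string $dir ): array {
    $found = glob( $dir . '/readme.txt' ) ?: array();
    foreach ( array( 'gif', 'png', 'jpg' ) as $ext ) {
        $found = array_merge( $found, glob( $dir . '/screenshot-*.' . $ext ) ?: array() );
    }
    return $found;
}

// Visit $root and every directory below it. Returns counts of what was done.
function guard_directory( string $root, string $format, bool $purge = false ): array {
    $stats = array( 'created' => 0, 'rebuilt' => 0, 'kept' => 0, 'purged' => 0 );
    $dirs  = array( $root );
    $it    = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $it as $entry ) {
        if ( $entry->isDir() ) {
            $dirs[] = $entry->getPathname();
        }
    }
    foreach ( $dirs as $dir ) {
        $index = $dir . '/index.php';
        $body  = dummy_index_body( must_be_empty( $dir ) ? 'empty' : $format );
        if ( ! file_exists( $index ) ) {
            file_put_contents( $index, $body );
            $stats['created']++;
        } elseif ( strpos( (string) file_get_contents( $index ), DUMMY_MARKER ) !== false ) {
            // One of ours: rewrite it if the selected format changed.
            if ( file_get_contents( $index ) !== $body ) {
                file_put_contents( $index, $body );
                $stats['rebuilt']++;
            } else {
                $stats['kept']++;
            }
        } else {
            $stats['kept']++;   // a plugin's own index.php: never overwrite it
        }
        if ( $purge ) {
            foreach ( junk_files( $dir ) as $file ) {
                if ( unlink( $file ) ) {
                    $stats['purged']++;
                }
            }
        }
    }
    return $stats;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $root   = rtrim( $argv[1], '/' );
    $format = ( isset( $argv[2] ) && $argv[2] === 'redirect' ) ? 'redirect' : 'empty';
    $purge  = in_array( '--purge', $argv, true );
    if ( ! is_dir( $root ) ) {
        fwrite( STDERR, "not a directory: $root\n" );
        exit( 1 );
    }
    print_r( guard_directory( $root, $format, $purge ) );
}
```

Two design notes. The empty format is the safer default: any code that includes every PHP file in a directory, as WP Super Cache does, will execute a redirect placed there, which is exactly the failure the v.1.5 post fixed. And a dummy index.php is defence in depth, not the primary control; directory listings should be switched off in the web server itself (Options -Indexes in Apache, autoindex off in nginx), with the dummy files catching the case where that configuration is lost.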

User Role Editor WordPress plugin – Change roles easily

Saturday, March 20th, 2010

User Role Editor - plugin for WordPress

The User Role Editor WordPress plugin lets you change the capabilities of the standard WordPress user roles with a few mouse clicks. Just tick the check boxes of the capabilities you want to add to the selected role and click the “Update” button to save your changes. That’s it. You can also add and tune your own custom roles, which you can then assign to users; create a new role as a copy of an existing one; delete self-made roles; and change the default user role.
Multi-site support is provided.

Why could this be necessary? Suppose you want the contributors of your multi-author blog to upload their own graphics for use in their posts. The WordPress “contributor” role has no such capability by default. Until now you would have had to change the role’s capabilities manually with an SQL client, as I described in the “How to change wordpress user role capabilities” post, provided you have enough knowledge in that field. But what if you don’t?
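The following is an added example, not code from the original posts or from the User Role Editor plugin. It does in code what the plugin does from its screen, and it also covers the warning in the custom-roles post above: build a custom role as a copy of Contributor plus upload_files, then audit it before handing it to real users. It assumes it runs inside WordPress from a small plugin file, and the role name 'graphics_contributor' is an assumed example.

```php
<?php
// Added example, not code from the original posts or the User Role Editor plugin.
// Assumes it runs inside WordPress from a small plugin file; the role name
// 'graphics_contributor' is an assumed example.

// Build the role as a copy of Contributor plus the one capability the post
// asks for. add_role() is persisted in the options table and returns the new
// WP_Role, or null if a role with that name already exists (it never updates one).
function example_register_graphics_contributor() {
    $base = get_role( 'contributor' );
    if ( ! $base ) {
        return null;
    }
    $caps = $base->capabilities;
    $caps['upload_files'] = true;
    return add_role( 'graphics_contributor', 'Graphics Contributor', $caps );
}

// Core code checks some capabilities without asking you. A role that lacks them
// loses functionality silently; a role that carries the wrong ones opens holes.
// Returns what the role is missing and what it should not have.
function example_audit_role( $role_name ) {
    $role = get_role( $role_name );
    if ( ! $role ) {
        return array( 'error' => "role $role_name does not exist" );
    }
    // 'read' is required to open the dashboard at all.
    $must_have = array( 'read' );
    // Capabilities that let a user change other accounts, settings or code.
    // On a single site, edit_users alone allows editing administrators' accounts.
    $must_not  = array(
        'edit_users', 'promote_users', 'delete_users', 'create_users',
        'manage_options', 'install_plugins', 'edit_plugins', 'edit_themes',
        'edit_files', 'unfiltered_html', 'unfiltered_upload',
    );
    $missing = array_values( array_filter( $must_have, function ( $cap ) use ( $role ) {
        return ! $role->has_cap( $cap );
    } ) );
    $risky = array_values( array_filter( $must_not, function ( $cap ) use ( $role ) {
        return $role->has_cap( $cap );
    } ) );
    return array( 'missing' => $missing, 'risky' => $risky );
}

register_activation_hook( __FILE__, 'example_register_graphics_contributor' );
```

After activating the plugin, `wp eval 'print_r( example_audit_role( "graphics_contributor" ) );'` under WP-CLI should print empty `missing` and `risky` lists; anything in `risky` means the copy picked up more than a contributor should have, and anything in `missing` means the role will not work in the dashboard. Note that upload_files still goes through the normal upload filtering (allowed MIME types), which is the reason unfiltered_upload is on the must-not list.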

MyEasyBackup plugin security update

Monday, March 1st, 2010

WordPress plugin security fix

I’m glad to inform you that the MyEasyBackup WordPress plugin security issue I reported yesterday for version 0.0.2 is fixed in version 0.0.3. It is perfect. Wonderful! Thanks to Ugo Grandolini aka “camaleo” for such a fast reaction and a reliable security update.

The MyEasyBackup WordPress plugin is useful for those who want to get blog backup copies on a regular basis and are not familiar with tar, gzip, mysqldump, the Linux shell, etc., or just don’t have SSH access to their blog. A user-friendly interface lets you make a full blog backup really easily. So “MyEasyBackup” lives up to its name.

MyEasyBackup plugin breaks WordPress security

Sunday, February 28th, 2010

WP broken by plugin

The MyEasyBackup WordPress plugin can make your life easier by simplifying the backup of WordPress files and MySQL data. But beware when installing its version 0.0.2, as this version makes life easier for intruders too. It is a new, just published plugin; the WordPress.org stats page shows 280 downloads already at the moment I write this post. This plugin could become popular. But the plugin author, Ugo Grandolini, needs to fix his code ASAP, as the plugin gives any curious intruder access to critical blog data. Do you want to check it yourself?
