• Resolved mywebdesign

    (@mhwebdesign)


    Hi there,

    Not a support question but rather a query.

    WP Source code tends to give out way too much information. It’s easy for someone to look up source code and then click a link (even if there is a rewrite in place). If that direct link is to a JS/CSS/PHP file required to run the site, then the client/end user will have access to the contents of that file.

    This often gives hackers a heads up as to plugins and scripts installed.

    How worried about such a vulnerability should I be?

    I mean once someone is able to determine themes and plugins/scripts we are using, it’s just a matter of them finding a way to exploit them.

    Even hiding wp-admin/wp-login, it just masks a problem rather than resolving it, as once the new name is worked out they can hit that.

    I realise that nothing is 100% foolproof… but how does AIO face such issues (like code snooping)?

    Thanks 🙂

Viewing 11 replies - 1 through 11 (of 11 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    You’re missing the whole point about collaboration with open source code.

    WP Source code tends to give out way too much information.

    It really doesn’t and never has. Open source does not mean insecure by default. Code is secure or insecure regardless of whether or not you can actually read the code.

    Additionally having that code available means that more people can and do provide updates to improve it.

    Limiting factors (like time and resources) often mean we need to prioritize.
    While many of us would prefer restricting access to our code, to prevent bad actors from trying to find loopholes, Open Source regularly allows millions of people to build sites at a speed they would never have been able to, relying only on their own knowledge and what they can afford to buy.
    Furthermore, relying solely or primarily on security through obscurity is not a very effective strategy, while there are other ways to mitigate (although not eliminate) the security risks that come with not having a “black box”, so to speak.

    Thread Starter mywebdesign

    (@mhwebdesign)

    I understand the benefits of open source software and collaboration, and about the concept of more eyes = more solutions, but that doesn’t absolve potential risks created with highly visible code.

    Hence my query of this software package (and another).

    I’m keen to know what steps AIO (and others) can take to mitigate this very real risk.

    I don’t mind having visible code, but when hitting a .JS or .PHP or .CSS file leaks versioning information, or specifics, it can create a larger attack vector for a nefarious character.

    Hence limiting that attack vector size is important (at least to me).

    I’d rather spend a short amount of time picking the best plugin for the job, and locking a site down, than several hours restoring a backup and recovering from a malware/injection attack because my code let something out it shouldn’t have.

    Hope that explains it better.

    Neither Jan nor myself are associated with this plugin or its authors.

    We also cannot give recommendations for alternative plugins in any particular plugin’s support forum or in their reviews – because that isn’t cool.

    As such, there isn’t much that we can offer in the ways of productive discussion on this thread that has not already been said.

    All the best 🙂

    Thread Starter mywebdesign

    (@mhwebdesign)

    All good 🙂 That’s why I triggered the discussion on two different plugin forums 🙂

    Plugin Contributor mbrsolution

    (@mbrsolution)

    @mhwebdesign, someone asked a similar question a while back regarding the source code. Unfortunately there is no feature available in our plugin to hide the browser source code. Also, as far as I know there are no future plans to implement such a feature in our plugin.

    If you require any more help or information, please let me know.

    Kind regards

    Thread Starter mywebdesign

    (@mhwebdesign)

    Hi MBRSolution,

    Thanks for your reply.

    I guess if millions of websites out there have their code exposed, as long as the plugin is helping to shut the door of anyone that might have a look, that’s the main thing.

    Can the plugin be used to monitor access to specific directories?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi,

    Can the plugin be used to monitor access to specific directories?

    The File Change Detection scanner can be used to monitor any changes to files and folders in your site. Is this what you are looking for?

    Thank you

    Thread Starter mywebdesign

    (@mhwebdesign)

    That should assist part of the way.

    It was more to log if someone was directly trying to load a .css/.js file, or something (in other words, directly loading files to look for vulnerabilities).

    Or if they attempt to directly access /wp-admin, /wp-content, or /wp-includes.

    Whilst one can block off / obfuscate access to those directories, it would be nice to be alerted if anyone is attempting to access those directories (or files within them).
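
The alerting the poster describes (direct hits on /wp-admin, /wp-content or /wp-includes, and on .css/.js/.php files, without the site itself having linked to them) is something the web server's own access log already records, so it can be spotted without any plugin feature. The following is an added example, not code from the thread or from the All In One WP Security plugin: a small Python log scanner that flags requests to those directories that arrive with no on-site Referer header (a normal page load sends one; a direct probe usually does not) and groups them by client IP. The hostname `example.com`, the plugin slug `example-plugin`, the IP addresses and the log lines are all constructed for the example; the log layout is the standard Apache/nginx combined format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format as written by Apache/nginx by default (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SITE_HOST = "example.com"                                  # assumed: the monitored site's host
WATCHED = ("/wp-admin/", "/wp-includes/", "/wp-content/")  # directories named in the thread
CODE_EXT = (".php", ".js", ".css", ".txt")                 # file types worth flagging when loaded directly

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2018:13:55:36 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2018:13:55:37 +0000] "GET /wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1" 200 97184 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2018:13:56:01 +0000] "GET /wp-content/themes/example-theme/style.css?ver=4.9.8 HTTP/1.1" 200 77000 "https://example.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2018:13:56:02 +0000] "GET /about/ HTTP/1.1" 200 5000 "https://example.com/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2018:13:55:38 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2018:14:01:10 +0000] "GET /wp-includes/version.php HTTP/1.1" 200 0 "-" "curl/7.58.0"',
]


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["target"]).path  # drop the ?ver=... query string
    return rec


def referer_is_onsite(referer):
    """True when the Referer header points back at our own host, i.e. a normal page load."""
    if not referer or referer == "-":
        return False
    return urlsplit(referer).hostname == SITE_HOST


def is_direct_probe(rec):
    """A request for a WordPress directory root or a code/asset file under it, with no on-site referer."""
    path = rec["path"]
    if not path.startswith(WATCHED):
        return False
    if not (path in WATCHED or path.lower().endswith(CODE_EXT)):
        return False
    return not referer_is_onsite(rec["referer"])


def find_probes(lines, min_hits=1):
    """Group direct probes by client IP; return {ip: [paths...]} for IPs with at least min_hits."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_direct_probe(rec):
            hits[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= min_hits}


if __name__ == "__main__":
    for ip, paths in find_probes(SAMPLE_LOG, min_hits=2).items():
        print(f"ALERT {ip}: {len(paths)} direct requests into WordPress directories")
        for p in paths:
            print("   ", p)
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines. The referer check is a signal, not proof: browsers honouring a strict Referrer-Policy, or privacy extensions, also send no referer for legitimate asset loads, which is why `find_probes` takes a `min_hits` threshold rather than alerting on a single request. Blocking those directories (as the poster notes) and alerting on attempts to reach them are complementary; this only does the second.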

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi,

    It was more to log if someone was directly trying to load a .css/.js file, or something (in other words, directly loading files to look for vulnerabilities).

    Or if they attempt to directly access /wp-admin, /wp-content, or /wp-includes.

    The only way someone can upload a file in your site is by having access to your site. The Brute Force features in our plugin will prevent this from happening. The other way they can access your site is by hacking the server, which I am sure your server administrator already has security measures set in place for.

    Whilst one can block off / obfuscate access to those directories, it would be nice to be alerted if anyone is attempting to access those directories (or files within them).

    Currently we don’t have any feature in our plugin that can warn you if someone is accessing your site forcefully. However, the security features already available in our plugin will prevent anyone from accessing your site without permission.

    Kind regards

    • This reply was modified 6 years, 2 months ago by mbrsolution.

    Thread Starter mywebdesign

    (@mhwebdesign)

    Thanks mbrsolution.

    Will have a look into it. Might have to look at auditing plugins and see if perhaps they offer that side of functionality.


The topic ‘Code snooping and exploitation on WP’ is closed to new replies.