Hi, thank you for sharing this information.
I did a test using the above site and, to tell you the truth, the information leakage that shows for one of my sites is really minute while using this plugin. Basically, the following list is the only leakage information shown.
– robots.txt available = One can choose not to use this file. It is up to the owner of the site.
– Interesting entry from robots.txt: /wp-admin/ = This file is protected and there is no access.
– Interesting entry from robots.txt: /admin-ajax.php = This file only shows a 0.
– Interesting header: SERVER: Apache
– Interesting header: X-HYPER-CACHE: hit – plain = This is visible because of the cache plugin I am using.
It shows all my plugins, installation paths etc.
Did you check your file permissions under Filesystem Security?
Kind regards
Yes, all file permissions are in green (as recommended).
For example, it sees:
JS_COMPOSER
Installation Directory
REVSLIDER
Installation Directory
and it says:
Your WordPress website is potentially vulnerable to attack!
etc.
Maybe I have forgotten to enable some of the security options? Can you share what options you have enabled so your plugins don't get listed on wpscan? (https://wpscans.com)
Regards
Hi,
For example, it sees:
JS_COMPOSER
Installation Directory
REVSLIDER
Installation Directory
Are they the only directories it detects as visible? If they are, have you spoken to the developers of these plugins, or are they part of a theme?
Regards
Hi,
That is Visual Composer and Revolution Slider; you never heard of them? They come as part of the theme in this particular case.
I have them on the majority of sites, and when a site is protected with Wordfence, their directories remain hidden. Actually, none of the plugins are shown when a site is protected with Wordfence.
I am trying to make this happen with AIO if possible.
Regards
Thank you for reporting back. Just one more question: what is the actual file path? I am curious to know.
Thank you
Yes, it shows this as path:
wp-content/plugins/js_composer/
Regarding enumerating users, when will the conflict with CT7 be resolved?
I am blocking user enumeration manually via hta and functions.php, but it would be nice if AIO had that option itself.
Best regards,
Ian
Hi,
Regarding enumerating users, when will the conflict with CT7 be resolved?
Very soon. The developers are working on it.
Kind regards