Title: [Plugin: Ultimate Security Checker] Code check
Last modified: August 19, 2016

---

# [Plugin: Ultimate Security Checker] Code check

 *  Resolved [rolandos](https://wordpress.org/support/users/rolandos/)
 * (@rolandos)
 * [15 years, 2 months ago](https://wordpress.org/support/topic/plugin-ultimate-security-checker-code-check/)
 * Even if the Block Bad Queries plugin is activated, code check shows “Your blog
   can be hacked with malicious URL requests.”
 * Why?
 * I am using Godaddy hosting and sec.checker ver. 2.5.1
 * [http://wordpress.org/extend/plugins/ultimate-security-checker/](http://wordpress.org/extend/plugins/ultimate-security-checker/)

Viewing 8 replies - 1 through 8 (of 8 total)

 *  Plugin Author [bsndev](https://wordpress.org/support/users/bsndev/)
 * (@bsndev)
 * [15 years, 2 months ago](https://wordpress.org/support/topic/plugin-ultimate-security-checker-code-check/#post-2015767)
 * Hi, thanks for the question. I will take a deeper look at this.
 *  [weareonesoul](https://wordpress.org/support/users/weareonesoul/)
 * (@weareonesoul)
 * [15 years, 2 months ago](https://wordpress.org/support/topic/plugin-ultimate-security-checker-code-check/#post-2015880)
 * I have this issue as well. I also have the core of my config file outside of
   my WordPress folder, but it says I don’t, since I can’t move the whole thing out.
   One directory up is another website. There should be a checkbox or something,
   “yes it is secure”, that can be checked if you KNOW it is secure.
 * But yea the issue described by first poster is an issue I have. However I’m on
   webhostingpad.
 *  [tommcgee](https://wordpress.org/support/users/tommcgee/)
 * (@tommcgee)
 * [15 years, 2 months ago](https://wordpress.org/support/topic/plugin-ultimate-security-checker-code-check/#post-2015938)
 * I’m also having that issue, on all my sites. Some are self-hosted on RedHat Linux,
   others on third-party hosting installations.
 *  [tommcgee](https://wordpress.org/support/users/tommcgee/)
 * (@tommcgee)
 * [15 years, 2 months ago](https://wordpress.org/support/topic/plugin-ultimate-security-checker-code-check/#post-2015939)
 * A couple of questions: Isn’t a 255-character limit a little arbitrary? The allowable
   limit for URLs is much higher than that.
 * But maybe it fails because of this: blockbadqueries.php is looking for a REQUEST_URI
   of greater than 255 characters. But the REQUEST_URI is the portion _after_ the
   domain name. The Ultimate Security Checker test is only generating a query string
   250 characters long:
 * `'long' => $this->gen_random_string(250),`
 * So when tested against the 255 value, won’t the URL generated by the test always
   pass, because it’s going to be at most 252 characters long?
 * But that’s not it; I tried some URLs that are supposed to be trapped (after logging
   off my admin account):
 * `http://this.blogs.com/?12341234base640-982321`
 * `http://this.blogs.com/?12341234base640-982321eval(xyzz)`
 * `http://this.blogs.com/?eval(CONCAT(this+that))`
 * In each case, my server cheerfully returned a “200” server response. So is the
   problem with the blockbadqueries.php plugin itself?
 * Is the $user_ID defined? Do the guys with black hats have one? If not, then it
   doesn’t even run the test. Same with current_user_can — what if there is no
   “current user”?
 * When I commented out the tests for the existence of $user_ID and the ‘level_10’
   access, bingo: my test URLs successfully failed, as it were.
 *  [tommcgee](https://wordpress.org/support/users/tommcgee/)
 * (@tommcgee)
 * [15 years, 2 months ago](https://wordpress.org/support/topic/plugin-ultimate-security-checker-code-check/#post-2015960)
 * One more thing. WordPress on its own generates query strings longer than 255 
   characters. For example, if you empty your Akismet spam folder you’re going to
   have a URL somewhere around 700 characters. Same with any bulk approve/delete/
   spam actions you might take on comments.
 * When you click you get the “white screen of death.” Click the back button and
   refresh, all your comments are untouched.
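Added example (not code from the Block Bad Queries plugin, the Ultimate Security Checker, or any poster in this thread): a stripped-down PHP sketch of the two problems tommcgee raises above. `should_block_flawed()` only runs the check when the current user is privileged, the way the `$user_ID` / `current_user_can('level_10')` tests described above do, and also applies a blanket 255-character limit; `should_block_fixed()` decides from the request alone and drops the length rule. The pattern list, the function names and the constructed sample query strings are assumptions for illustration, not the plugin’s real rules.

```php
<?php
// Added example; not the Block Bad Queries plugin's own code.
// Shows why a request filter gated on the *current user* never sees the
// anonymous requests it is meant to stop, and why a flat URI length limit
// breaks legitimate WordPress admin actions.

declare(strict_types=1);

// Illustrative pattern list (assumed, not the plugin's actual list). The
// strings come from the kinds of test URLs posted in the thread.
const BAD_QUERY_PATTERNS = [
    '/eval\(/i',
    '/base64_/i',
    '/concat\(/i',
];

/**
 * Flawed variant, mirroring the logic described in the thread.
 * $is_privileged stands in for "$user_ID is set and current_user_can('level_10')".
 * Returns true when the request should be blocked.
 */
function should_block_flawed(string $request_uri, string $query_string, bool $is_privileged): bool
{
    if (!$is_privileged) {
        // Bug: anonymous visitors are never checked, so the filter only ever
        // fires on the site's own logged-in administrators.
        return false;
    }
    if (strlen($request_uri) > 255) {
        // Bug: WordPress itself builds longer URLs for bulk comment actions,
        // so this produces the "white screen of death" on legitimate clicks.
        return true;
    }
    foreach (BAD_QUERY_PATTERNS as $re) {
        if (preg_match($re, $query_string) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Corrected variant: the decision depends only on the request, never on who
 * is logged in, and the blanket length limit is gone. Pattern matching alone
 * is still a coarse control; it is shown here only to isolate the gating bug.
 */
function should_block_fixed(string $request_uri, string $query_string): bool
{
    foreach (BAD_QUERY_PATTERNS as $re) {
        if (preg_match($re, $query_string) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests (not captured traffic).
$anonymous_attack_qs = '12341234base640-982321eval(xyzz)';
$long_legit_qs = 'action=delete&' . implode('&', array_map(
    fn($i) => "delete_comments[]=$i",
    range(1000, 1029)
));

$cases = [
    ['anonymous visitor, eval() in query', '/?' . $anonymous_attack_qs, $anonymous_attack_qs, false],
    ['admin bulk comment action (~700 chars)', '/wp-admin/edit-comments.php?' . $long_legit_qs, $long_legit_qs, true],
];

foreach ($cases as [$label, $uri, $qs, $priv]) {
    printf(
        "%-40s flawed=%s fixed=%s\n",
        $label,
        should_block_flawed($uri, $qs, $priv) ? 'block' : 'allow',
        should_block_fixed($uri, $qs) ? 'block' : 'allow'
    );
}
```

Run with the `php` CLI. The flawed version lets the anonymous `eval(` request through and blocks the administrator’s bulk comment URL, which is exactly the pair of symptoms reported in the thread; the fixed version blocks the first and allows the second. The check that matters is that the block decision is a function of the request only: who is currently logged in is irrelevant to whether a query string is hostile.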
 *  Plugin Author [bsndev](https://wordpress.org/support/users/bsndev/)
 * (@bsndev)
 * [15 years, 1 month ago](https://wordpress.org/support/topic/plugin-ultimate-security-checker-code-check/#post-2015986)
 * Hi everybody, thanks for your reports.
 * **tommcgee, rolandos, weareonesoul** – I’ve updated the plugin code – removed
   the 255-character limit and the checks for user rights, since you might be logged in
   and click some link that will do a bad thing to your blog.
 * **weareonesoul** some people may misunderstand if I don’t put that message.
   Technically the config file still remains in an unsecured place. If you know that you
   can’t put it in the folder above – that’s ok, keep it in mind.
 *  [M-J-B](https://wordpress.org/support/users/m-j-b/)
 * (@m-j-b)
 * [15 years, 1 month ago](https://wordpress.org/support/topic/plugin-ultimate-security-checker-code-check/#post-2015987)
 * So now it always states “Your blog can be hacked with malicious URL requests.”
   whenever I’m logged in with full credentials? I updated the plugin a while ago
   and now receive the warning mentioned above which was not shown with the old 
   version of the plugin.
 *  Thread Starter [rolandos](https://wordpress.org/support/users/rolandos/)
 * (@rolandos)
 * [15 years, 1 month ago](https://wordpress.org/support/topic/plugin-ultimate-security-checker-code-check/#post-2015988)
 * Now it’s OK for me. 96 of 104 security points. Rating ACAAAA, but with site at
   root of domain + fresh WP 3.1.2 install. Site in subdomain still states “Your
   blog can be hacked with malicious URL requests”. Both sites have the latest US
   Checker v.2.5.5 and the same BBQ plugin.

The topic ‘[Plugin: Ultimate Security Checker] Code check’ is closed to new replies.
