Title: WordPress Exploits ?!
Last modified: August 20, 2016

---

# WordPress Exploits ?!

 *  [Bucki](https://wordpress.org/support/users/bucki/)
 * (@bucki)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/wordpress-exploits/)
 * Hi
 * I installed a plugin called S6 Scan and it came up with the following errors:
 * ERROR 1
 * Open the user-edit.php file for editing. Find the line that begins with `wp_enqueue_script('user-profile');` and append the next lines with the following:

   ```
   /* Refuse to render the page unless the current user may edit this user */
   if ( current_user_can( 'edit_user', $user_id ) == FALSE )
       wp_die( __( 'Forbidden' ) );
   ```

 * Save
   Done
 * ================
 * ERROR 2
 * Edit the wp-comments-post.php file. Find the line that begins with `/** Sets up the WordPress Environment. */` and prepend that line with the next code:

   ```
   /* Reject the comment outright when the browser sent no Referer header */
   if ( ! isset( $_SERVER['HTTP_REFERER'] ) )
       die();

   $referrer_url = $_SERVER['HTTP_REFERER'];
   /* Escape '.', '/' and any other regexp metacharacters in the host name */
   $server_name = preg_quote( $_SERVER['HTTP_HOST'], '/' );

   /* Optional scheme, optional "www.", the host, then "/", "?", "#" or end of string
      (the trailing group keeps a longer host name that merely starts with ours from matching) */
   $referr_pattern = "/^(https?:\/\/)?(www\.)?$server_name([\/?#]|$)/";

   if ( ! preg_match( $referr_pattern, $referrer_url ) )
       die();
   ```

 * Save
   Done
 * ==============================
 * Wondering if this is just “crap” and fake or is it for real!?
   Shall I be worried… apparently it is vulnerable to security threats.
 * Any suggestions?

Viewing 9 replies - 1 through 9 (of 9 total)

 *  [Amy Hendrix (sabreuse)](https://wordpress.org/support/users/sabreuse/)
 * (@sabreuse)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/wordpress-exploits/#post-3236105)
 * It’s crap — don’t ever use anything that asks you to edit core WP files; it leaves
   your installation far more vulnerable to security issues in the future because
   it messes with your ability to keep up with future updates.
 * Beyond that, the first snippet checks that users have the permissions they already
   need to have to even be on that page. And the second requires that comments actually
   have to be coming from your site — which can be done much more safely with something
   like [Cookies for Comments](http://wordpress.org/extend/plugins/cookies-for-comments/).
 * Where did you find this delightful plugin?
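As an added illustration of the point above (this is my own script, not code from the thread or from the 6Scan plugin), the referer gate from the second snippet rewritten as a function and run over a few constructed Referer values. It makes the cost visible: a visitor whose browser or proxy strips the Referer header is turned away exactly like a request from elsewhere, while the header itself is whatever the client chose to send. Function and variable names are my own.

```php
<?php
// Added example: the 6Scan referer gate as a function that returns a
// verdict instead of calling die(). Names here are mine, not the plugin's.
function referer_allowed( ?string $referer, string $host ): bool {
    if ( $referer === null || $referer === '' ) {
        return false;                        // the snippet dies when the header is absent
    }
    $quoted  = preg_quote( $host, '/' );     // escape '.', '/' and other metacharacters
    // optional scheme, optional "www.", the host, then a path/query/fragment or the end
    $pattern = "/^(https?:\/\/)?(www\.)?$quoted([\/?#]|$)/i";
    return preg_match( $pattern, $referer ) === 1;
}

// Constructed requests to run the gate over (not captured traffic).
$host  = 'example.com';
$cases = [
    'same site, plain http'      => 'http://example.com/2012/hello-world/',
    'same site, www + https'     => 'https://www.example.com/2012/hello-world/',
    'no Referer header at all'   => null,   // privacy extensions and some proxies strip it
    'posted from another site'   => 'http://other.test/some-page/',
];

foreach ( $cases as $label => $referer ) {
    $verdict = referer_allowed( $referer, $host ) ? 'allowed' : 'rejected';
    printf( "%-28s %s\n", $label, $verdict );
}
// The third case is the usability problem: a legitimate commenter with no
// Referer header is rejected, which is why a cookie or nonce set by the site
// itself (the approach Cookies for Comments takes) is the better fit.
```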
 *  Thread Starter [Bucki](https://wordpress.org/support/users/bucki/)
 * (@bucki)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/wordpress-exploits/#post-3236108)
 * Hi
 * The plugin can be found on WordPress Plugins called S6 Scan!
    I wanted to see
   if my site is open to any exploits because some sites state that even 3.4.2 is
   vulnerable 🙁 and I don't want my site to be hacked.
 * But yeh, there are soooo many plugins out there; unless u know every bit of coding,
   ppl like me won't know what the plugin does behind the scenes 🙁
 *  Thread Starter [Bucki](https://wordpress.org/support/users/bucki/)
 * (@bucki)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/wordpress-exploits/#post-3236109)
 * Besides, the coding above was provided by the S6 Scan.
    In other words, it asked
   me to follow the steps above!
 *  [Clayton James](https://wordpress.org/support/users/claytonjames/)
 * (@claytonjames)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/wordpress-exploits/#post-3236122)
 * [@bucki](https://wordpress.org/support/users/bucki/)
 * Could you be kind enough to leave a link to that exact plugin so I can download
   it? I can’t find it, and I would like to take a look at it. Thank you!
 *  Thread Starter [Bucki](https://wordpress.org/support/users/bucki/)
 * (@bucki)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/wordpress-exploits/#post-3236123)
 * Oh, my bad, it was called 6Scan
    [http://wordpress.org/extend/plugins/6scan-protection/](http://wordpress.org/extend/plugins/6scan-protection/)
 * These two plugins also speak of “securing your WordPress”
 * [http://wordpress.org/extend/plugins/wp-security-scan/](http://wordpress.org/extend/plugins/wp-security-scan/)
   
   [http://wordpress.org/extend/plugins/exploit-scanner/](http://wordpress.org/extend/plugins/exploit-scanner/)
 *  [Clayton James](https://wordpress.org/support/users/claytonjames/)
 * (@claytonjames)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/wordpress-exploits/#post-3236124)
 * Thanks!
 * [edit] Just some more info for you if you didn't already see it. The support
   conversations for the plugin are interesting reading.
 * [http://wordpress.org/support/plugin/6scan-protection](http://wordpress.org/support/plugin/6scan-protection)
 * I find this response particularly thought-provoking.
 * [http://wordpress.org/support/topic/plugin-6scan-security-what-exactly-is-a-one-time-fix?replies=2](http://wordpress.org/support/topic/plugin-6scan-security-what-exactly-is-a-one-time-fix?replies=2)
 *  Thread Starter [Bucki](https://wordpress.org/support/users/bucki/)
 * (@bucki)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/wordpress-exploits/#post-3236126)
 * Clayton
 * Yeh, I removed that plugin.
    Just hoping it didn't do anything bad 🙁 hmmmm
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [13 years, 6 months ago](https://wordpress.org/support/topic/wordpress-exploits/#post-3236128)
 * Eeeh, it’s one of those things which is really generally bad advice (they should
   be submitted ‘fixes’ to core), but as Amy said, they’re adding a second (unneeded)
   layer to the code. It falls under ‘Plugins I think are unnecessary and not doing
   it best, but to each their own.’
 *  Thread Starter [Bucki](https://wordpress.org/support/users/bucki/)
 * (@bucki)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/wordpress-exploits/#post-3236129)
 * Hmmmmm, I don't know really, but when I saw these sites:
    [http://core.trac.wordpress.org/ticket/21917](http://core.trac.wordpress.org/ticket/21917)
   [http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html](http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html)
 * It made me think that even 3.4.2 is not secure enough, hence why I looked for an
   alternative security check. hmmm

The topic ‘WordPress Exploits ?!’ is closed to new replies.

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 9 replies
 * 4 participants
 * Last reply from: [Bucki](https://wordpress.org/support/users/bucki/)
 * Last activity: [13 years, 6 months ago](https://wordpress.org/support/topic/wordpress-exploits/#post-3236129)
 * Status: not resolved