Title: WordPress/Plugin Vulnerability
Last modified: August 24, 2016

---

# WordPress/Plugin Vulnerability

 *  Resolved [brenolara](https://wordpress.org/support/users/brenolara/)
 * (@brenolara)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/wordpressplugin-vulnerability/)
 * There is a recent warning regarding a major vulnerability. Most plugin developers
   were quick with updates to address the issue.
 * However, just in case, there are some guys suggesting that it is wise to create
   a .htaccess file in the wp-admin folder to block external calls to the admin 
   initialization functions.
 * Is BPS already doing that for us or should we add custom code to the wp-admin
   .htaccess file?
 * You have an awesome plugin by the way!
 * Best regards
 * [https://wordpress.org/plugins/bulletproof-security/](https://wordpress.org/plugins/bulletproof-security/)

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/wordpressplugin-vulnerability/#post-6054911)
 * First off, in order to actually exploit this “vulnerability” it would require
   a very complex effort by a hacker to pull this off, and several conditions|requirements
   would have to exist in order for it to work. The chances of a hacker actually
   making the effort to exploit this and of the hack actually working are extremely
   low. Hackers focus on automated bot attacks with volume being the goal, i.e. hack
   1,000 sites in a day using an automated bot. It is not cost effective for a hacker
   to actually try and hack 1 site. They go for automated volume|bulk hacking because
   it is profitable. 1 z’s 2 z’s is typically not profitable unless hacking a particular
   site would be very profitable.
 * WordPress 4.1.2 was released in coordination with all plugins listed to address
   this issue. I am not sure if WP did the sanitization for the XSS bug|vulnerability
   so that even if a plugin did not do that in the plugin code then the bug|vulnerability
   would still be sanitized.
 * [https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html](https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html)
 * > Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due
   > to the misuse of the add_query_arg() and remove_query_arg() functions. These
   > are popular functions used by developers to modify and add query strings to
   > URLs within WordPress.
 * Conclusion: This bug|vulnerability has been patched in all plugins and WP 4.1.2
   and higher versions. The chances of a hacker making the effort to exploit this
   are pretty much zero. Personally and professionally I do not think any other
   methods of securing the wp-admin folder|directory or adding any additional security
   measures are necessary.
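The quoted advisory describes plugins printing the return value of `add_query_arg()` / `remove_query_arg()` straight into HTML. As an added illustration (not code from this thread, from BulletProof Security, or from any of the patched plugins), the snippet below shows that pattern next to the escaped form. It assumes WordPress core is loaded, since `add_query_arg()`, `remove_query_arg()`, `esc_url()`, `esc_url_raw()` and `wp_safe_redirect()` are core functions; the function names and the `paged`/`updated`/`message` query keys are hypothetical.

```php
<?php
// Added example, not code from the forum thread or the BulletProof Security plugin.
// Assumes WordPress core is loaded; function names and query keys are hypothetical.

// VULNERABLE pattern (the misuse the Sucuri advisory describes):
// with no URL argument, add_query_arg() builds on $_SERVER['REQUEST_URI'], which
// the requester controls, and returns the result unescaped. Concatenating it into
// an attribute means characters in the request URI reach the HTML unchanged.
function example_plugin_next_link_vulnerable( $page ) {
    return '<a href="' . add_query_arg( 'paged', (int) $page ) . '">Next</a>';
}

// FIXED pattern: escape at the point of output. esc_url() encodes characters that
// would terminate the attribute and rejects disallowed schemes, so the same call
// is safe to print. This is the fix the advisory recommends for every such use.
function example_plugin_next_link_fixed( $page ) {
    return '<a href="' . esc_url( add_query_arg( 'paged', (int) $page ) ) . '">Next</a>';
}

// Redirects are a separate sink: wp_safe_redirect() keeps the target on the current
// host, and esc_url_raw() (not esc_url(), which HTML-encodes) sanitises a URL that
// is used as data rather than printed into markup.
function example_plugin_redirect_back() {
    $target = remove_query_arg( array( 'updated', 'message' ) );
    wp_safe_redirect( esc_url_raw( $target ) );
    exit;
}
```

The defender-side check is a grep over plugin code for `add_query_arg(` or `remove_query_arg(` whose result is echoed or concatenated into HTML without an `esc_url()` wrapper; every such hit is the pattern the advisory covers.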
 *  Thread Starter [brenolara](https://wordpress.org/support/users/brenolara/)
 * (@brenolara)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/wordpressplugin-vulnerability/#post-6054944)
 * Thank you very much for taking your time to take a look at this issue.
 * Awesome support as usual!


The topic ‘WordPress/Plugin Vulnerability’ is closed to new replies.


 * 2 replies
 * 2 participants
 * Last reply from: [brenolara](https://wordpress.org/support/users/brenolara/)
 * Last activity: [11 years, 1 month ago](https://wordpress.org/support/topic/wordpressplugin-vulnerability/#post-6054944)
 * Status: resolved