Cornelius Bergen
Forum Replies Created
Forum: Plugins
In reply to: [Gauntlet Security] UMMM? This plugin has Malware built in it?!?!?!
Thanks for the kind words, Rob!
Forum: Plugins
In reply to: [Gauntlet Security] UMMM? This plugin has Malware built in it?!?!?!
Hi milton-01,
This is very helpful. It seems Sucuri’s scanner has spotted some code in that file that matches their definition of a specific type of malware. I know 100% that there’s no black-hat SEO malware in that file.
I’d suggest contacting Sucuri and asking them to confirm that that file does or does not have malware in it. If there is malware in it, it might be getting added automatically by another script on your server. If there isn’t, Sucuri might need to tweak their scanner a little bit to prevent false positives. Please let me know how it turns out.
Forum: Plugins
In reply to: [Gauntlet Security] UMMM? This plugin has Malware built in it?!?!?!
The plugin does not come with malware. If you doubt this, you can download a fresh copy of the plugin from the WordPress plugin directory and compare it with the copy installed on your server. Do not trust plugins distributed by anyone other than the developer themselves or from the WordPress plugin directory. Also, feel free to contact me directly: http://matchboxcreative.com
It’s very possible that your site has been hacked. This guide outlines the steps you should take if you think you’ve been hacked: https://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked
Forum: Plugins
In reply to: [Simple Cache] automagically purge cache on new post?
I would vote to keep it simple and not include any automatic cache invalidation. Every site might have different needs for invalidating the cache and I wouldn’t want the plugin making hidden assumptions.
I like that there’s a way to flush cache programmatically though. If any complexity were to be added regarding this, I’d prefer to have it all optional and allow the developer to control it in detail. Similar to comet cache pro’s API: https://cometcache.com/kb-article/clearing-the-cache-dynamically/
I’ve had this problem too. I can understand the need to write the dropins and the main cache directory into wp-content, but I’d prefer to edit the wp-config file myself. It would be great if a more detailed error message explained exactly what files/directories this plugin needs one-time or regular write access to.
Also, why are the options being stored in both a file and the database?
Forum: Plugins
In reply to: [Simple Cache] toggling advanced mode disables option dropdowns
OSX/Chrome 49.0.2623.110 (no browser extensions)
I uninstalled and reinstalled and it works fine now. Sorry for the false alarm!
Forum: Plugins
In reply to: [Gauntlet Security] Fix for uploads directory code execution doesn't work
I like the whitelist approach since anything other than a known static file should simply return ‘Forbidden’ which is, I think, a good response. With the SetHandler method, PHP files are actually downloaded.
The multiple extensions issue is very real though and should be addressed. I wonder if it would be worth trying to fix that issue closer to the web root rather than just the uploads folder. Here’s an old but relevant discussion:
https://core.trac.ww.wp.xz.cn/ticket/11122#comment:8
Maybe something like this should be recommended for the root .htaccess file (only if the server is deemed vulnerable)?…
# Serve every file as a plain static file by default...
<Files *>
    SetHandler default-handler
</Files>
# ...and hand only names ending in .php to the PHP handler
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
This is untested as well. But if it works, I would prefer to leave the uploads directory fix as-is.
Thanks for the suggestion! I’ll be testing this on a vulnerable server and will definitely consider this for the next release.
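The discussion above turns on how Apache's mod_mime reads a name like `shell.php.jpg`: every dot-separated segment after the base name counts as an extension, and an extension that only maps to a MIME type (`jpg`) does not unset a handler already chosen from an earlier extension (`php`). The following Python model, added here as an illustration and not taken from the Gauntlet Security plugin or the linked ticket, contrasts a FilesMatch-style whitelist keyed on the last extension with a stricter rule that requires every extension to be a known static type. The handler map and the list of static extensions are constructed assumptions; `SetHandler default-handler` from the post above works on a different layer (it replaces mod_mime's handler choice outright), so the two measures are complementary.

```python
"""Model of mod_mime multiple-extension handling and two upload whitelist
rules. Added example, not plugin code; extension sets are constructed."""
import re
from typing import List, Optional

# Constructed: extensions a typical Apache/PHP setup maps to a handler,
# as with `AddHandler application/x-httpd-php .php`.
HANDLER_EXTENSIONS = {"php", "phtml", "php5"}

# Constructed: static types an uploads directory is expected to serve.
STATIC_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt",
                     "css", "js", "mp4", "mp3", "zip"}


def extensions(filename: str) -> List[str]:
    """Every dot-separated segment after the base name is an extension,
    so 'shell.php.jpg' yields ['php', 'jpg']. Empty segments are skipped."""
    base = filename.rsplit("/", 1)[-1]
    return [p.lower() for p in base.split(".")[1:] if p]


def apache_handler(filename: str) -> Optional[str]:
    """Handler mod_mime would pick, or None for the default handler.
    A later extension that maps only to a MIME type leaves an earlier
    handler choice in place, which is the multiple-extensions issue."""
    handler = None
    for ext in extensions(filename):
        if ext in HANDLER_EXTENSIONS:
            handler = "application/x-httpd-php"
    return handler


# Whitelist keyed on the final extension only, like <FilesMatch "\.(jpg|png)$">.
LAST_EXTENSION_RULE = re.compile(
    r"\.(" + "|".join(sorted(STATIC_EXTENSIONS)) + r")$", re.IGNORECASE)


def allowed_by_last_extension(filename: str) -> bool:
    """True when the last extension is a static type; blind to 'x.php.jpg'."""
    return LAST_EXTENSION_RULE.search(filename) is not None


def allowed_by_all_extensions(filename: str) -> bool:
    """Stricter rule: every extension must be static, so a handler
    extension anywhere in the name is refused."""
    exts = extensions(filename)
    return bool(exts) and all(e in STATIC_EXTENSIONS for e in exts)


def assess(filename: str) -> dict:
    """Summarise what would happen to one uploaded file name."""
    return {
        "handler": apache_handler(filename),
        "last_ext_whitelist": allowed_by_last_extension(filename),
        "all_ext_whitelist": allowed_by_all_extensions(filename),
    }


if __name__ == "__main__":
    # Constructed sample names for a quick look at the three rules.
    for name in ("photo.jpg", "shell.php", "shell.php.jpg", "notes.txt.php"):
        print(name, assess(name))
```

The `last_ext_whitelist` column shows why a whitelist alone does not close the multiple-extensions gap: `shell.php.jpg` passes the regex yet would still be dispatched to the PHP handler under the modelled `AddHandler` mapping.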
Forum: Plugins
In reply to: [Gauntlet Security] Unknown admin-ajax and admin-post action
I don’t know how a scan could possibly find this, I doubt it’s possible. An active security firewall though could (like you’ve built).
I’m curious though, would the $wp_filter not always get filled whenever WP loads?
Forum: Plugins
In reply to: [Gauntlet Security] PHP security goodies
Hi Viktor,
I don’t have immediate plans but I have been meaning to review the plugin again and see what I can add.
Forum: Plugins
In reply to: [Gauntlet Security] Results questions
The plugin can only provide general advice and recommendations for the permissions settings. There are plenty of example permission modes on the codex page here: http://codex.ww.wp.xz.cn/Changing_File_Permissions. And your web host might have a guide on file permissions that applies specifically to your server.
The directory index check looks at the /wp-content/plugins/gauntlet-security/admin/includes/classes directory. If it gets an error message (403+ server status code), it assumes you’ve properly turned off indexing. If it gets anything else, it assumes that directory indexing is enabled. You can test this directory yourself by visiting it in your browser: http://yoursite.com/wp-content/plugins/gauntlet-security/admin/includes/classes. If you get anything other than the built-in Apache “Forbidden” message, another plugin might be inserting an index file into the directory or triggering redirects from an htaccess file. Some security plugins do this as an alternative to the Options -Indexes method but if the status code isn’t 403, then that’s not ideal.
Forum: Plugins
In reply to: [Gauntlet Security] Results questions
Hi atdblog,
Thanks for posting…
1. It’s very difficult to recommend a perfect permission setting. Start at the lowest recommended setting and if the plugin is not able to edit the file(s), then increase it. If one plugin can edit the file, all of them can so you should be able to find something that will work for any plugin. Just be aware that testing permissions could temporarily break your site if they’re set too low. Sorry, I can’t be too specific here.
2. The plugin has no cache. For the directory indexing, did you put that code in the web root htaccess file? Perhaps there is an Options +Indexes somewhere further down in that file or in another htaccess file in a parent directory of the plugin. You can test that you’ve actually disabled directory indexing by pointing your browser to a publicly accessible directory that does not have an index file in it – perhaps a directory in your theme folder. If you see a list of files, Apache is still serving indexes; if you get a “forbidden” error, you’ve got indexing turned off. If you have disabled directory indexing and Gauntlet Security is still giving you a warning for that test, please let me know what type of warning it is.
Which issues do you still see regarding the log file block?
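The two replies above describe the same check: request a plugin directory that has no index file, treat a 403 (or any error status) as "indexing is off", and treat anything else as a warning worth investigating, since a 200 may mean a real listing or an index file dropped in by another plugin, and a redirect points at an htaccess rule. This Python script is an added example of that classification and is not the plugin's own code; the sample responses are constructed, and the finer split of the non-403 cases (listing vs. index file vs. redirect) is an assumption layered on top of the 403 rule the author states. The `probe()` function is for checking a site you administer.

```python
"""Classify the response to a directory-index probe. Added example, not
Gauntlet Security code; sample responses below are constructed."""
import re
from typing import Dict, Tuple
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Assumed markers of Apache's autoindex output (mod_autoindex page title
# and the "Parent Directory" link).
LISTING_MARKERS = re.compile(r"<title>Index of /|Parent Directory", re.IGNORECASE)


def classify(status: int, body: str, location: str = "") -> str:
    """Apply the rule from the thread: an error status means indexing is
    disabled; anything else is a warning, refined by what came back."""
    if status == 403:
        return "ok: directory indexing is disabled (403 Forbidden)"
    if status >= 400:
        return f"ok: request refused with status {status}; no index served"
    if 300 <= status < 400:
        return (f"warning: redirected to {location or '?'}; an htaccess rule "
                "is answering instead of a 403")
    if LISTING_MARKERS.search(body):
        return "warning: directory listing served; indexing is enabled"
    return ("warning: status 200 without a listing; an index file is probably "
            "being served in place of a 403")


class _NoRedirect(HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx so the redirect is reported."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, timeout: float = 10.0) -> str:
    """Fetch a directory URL of your own site and classify the answer."""
    opener = build_opener(_NoRedirect())
    req = Request(url, headers={"User-Agent": "dir-index-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, body)
    except HTTPError as err:
        body = err.read(65536).decode("utf-8", "replace")
        return classify(err.code, body, err.headers.get("Location", ""))


# Constructed sample responses: (status, body, Location header).
SAMPLE_RESPONSES: Dict[str, Tuple[int, str, str]] = {
    "forbidden": (403, "<html><head><title>403 Forbidden</title></head>"
                       "<body><h1>Forbidden</h1></body></html>", ""),
    "listing": (200, "<html><head><title>Index of /wp-content/plugins/x</title>"
                     "</head><body><a href=\"../\">Parent Directory</a>"
                     "</body></html>", ""),
    "index_file": (200, "<html><body></body></html>", ""),
    "redirect": (301, "", "https://example.invalid/"),
}


def classify_samples() -> Dict[str, str]:
    """Run the classifier over the constructed samples."""
    return {name: classify(*resp) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:10s} -> {verdict}")
```

Redirects are deliberately not followed: following one would turn a 301 into whatever the landing page returns and hide exactly the htaccess behaviour the author says to look for.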
Forum: Plugins
In reply to: [Simple Share Buttons Adder] Notice: Undefined variable:
Would it be possible to instead use WordPress’s HTTP API for this? The HTTP API uses cURL if available and would make your plugin also work for those who choose to keep allow_url_fopen turned off.
Forum: Plugins
In reply to: [Gauntlet Security] i18n salt-less
In the most recent version, I’ve added a check that ensures that not all salts are equal. That should account for most situations where the salts haven’t been added and should avoid any false positives.
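The check described above is small enough to show end to end: read the eight salt constants out of wp-config.php and fail only when they are all identical, which is what happens when the sample file's placeholder text was never replaced. This Python version is an added example, not the plugin's code; the two sample configs are constructed, and the extra `placeholder` flag (matching the `put your unique phrase here` text that ships in wp-config-sample.php) goes beyond the all-equal rule the author states.

```python
"""Salt uniqueness check for wp-config.php. Added example, not Gauntlet
Security code; sample config texts are constructed."""
import re
from typing import Dict

SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Text shipped in wp-config-sample.php for every salt.
PLACEHOLDER = "put your unique phrase here"

# Matches define('NAME', 'value'); single-quoted values with \' escapes.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")


def read_salts(config_text: str) -> Dict[str, str]:
    """Return the salt constants found in the config (missing ones omitted)."""
    found = {}
    for name, value in DEFINE_RE.findall(config_text):
        if name in SALT_NAMES:
            found[name] = value
    return found


def all_salts_equal(salts: Dict[str, str]) -> bool:
    """The rule from the thread: flag only when every salt has the same value.
    An empty or single-entry set counts as 'equal' so unset salts still fail."""
    return len(set(salts.values())) <= 1


def salt_report(config_text: str) -> dict:
    """Combine the all-equal rule with a placeholder check and a count."""
    salts = read_salts(config_text)
    return {
        "found": len(salts),
        "missing": [n for n in SALT_NAMES if n not in salts],
        "all_equal": all_salts_equal(salts),
        "placeholder": any(v == PLACEHOLDER for v in salts.values()),
    }


# Constructed sample: salts never changed from the sample file.
SAMPLE_DEFAULT = "\n".join(
    f"define('{n}', '{PLACEHOLDER}');" for n in SALT_NAMES)

# Constructed sample: eight distinct values (short for readability only).
SAMPLE_UNIQUE = "\n".join(
    f"define('{n}',   'constructed-{i}-x!$#');" for i, n in enumerate(SALT_NAMES))

if __name__ == "__main__":
    print("default config:", salt_report(SAMPLE_DEFAULT))
    print("unique config: ", salt_report(SAMPLE_UNIQUE))
```

Only single-quoted `define()` lines are parsed, which is the form wp-config-sample.php uses; a site that defines salts with double quotes or pulls them from the environment would show up as `missing` and needs a different reader.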
Forum: Plugins
In reply to: [Gauntlet Security] Plugin downgrade
This has been considered in the most recent version of the plugin (1.2.2).
Thanks for the tip!