shadowood

If adding it to your posts/pages directly sounds daunting, just add the shortcode to the template/theme you are using:

To use a shortcode in a page/theme template, simply wrap the standard WordPress do_shortcode function (created for this very purpose) with a little PHP coding – as follows (to be inserted wherever in the page/theme template file you’d like to enable your shortcode’s specific functionality):

(php open closing brackets removed just in case 😉

php echo do_shortcode(“[insert-your-shortcode-here]”);

…remembering of course, to substitute [insert-your-shortcode-here] for the shortcode you actually want to use.

Birre,

The last update was over 6 months ago. Bear in mind that it also states that it may not work properly with the most recent version of WordPress.

Please help us out with a little more details if possible. What version of WordPress are you using? What/how was the site hacked?

Can you be more specific regarding “Input sanitation and denying direct access.”?

There are other ways to hack WordPress (and even core files have been hacked before), so how did you determine this plugin was the fault?

Did deleting the plugin correct the hack? or did you have to do a full re-installation? What if any security plugins do you have installed?

If this was the old commonality of the 3 sites, then it seems reasonable that there are still other potential issues that might need to be addressed. The better we can understand the better we can assist you.

Sandhya,

I have also encountered this problem on my own site. If I set the popup to load after seven seconds, it does so as expected.

http://shadowoodpress.com

I have the retargeting option set to:

Once shown, do NOT show this campaign again for : one week

However, if I refresh the page it shows back up. I am also using WP Super Cache, and have the Cache friendly option enabled.

If it reloads each time the homepage does, it will just be annoying to visitors.

Michael,

As I have not used your plugin directly I would potentially beg to differ with you. Explicitly stating that it does not deal with other tables can still present security concerns. Albeit most likely little.

Take a look at the SQL injection cheatsheet, in particular this section:

Union Injections

With union you do SQL queries cross-table. Basically you can poison query to return records from another table.

SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members
This will combine results from both news table and members table and return all of them.

There are a lot of methods for sql based attacks out there, with new ones coming out all the time. Nothing is 100% secure.

To m-Aurelius,

No one can address any and all potential security threats. Even if this plugins were perfectly secure, there would be no guarantee that the next one you install will be.

Security is a combination of factors such as a routine backup procedures, timely plugin updates and actively participating in your own WordPress blog security when you implement the security plugins you choose.

Camu,

Seems this problem causes the panels to remain open, as well as prevent the dashboard from fully loading. This causes the “screen settings” from not loading.

It also seemed to cause several other options from fully loading, such as the default wordpress links widget.

I figured it might be a memory issue, but my attempts to correctly display the dashboard by adjusting the memory upwards did not work.

hope this helps. I would be willing to test any fixes you come up with.

Pippen,

For clarity: does it search for “an htaccess file being present”?

or

“Specific HTACCESS code being present”?

Is it something that can also be added manually for those users who are using HTAccess security plugins such as BulletProof Security?

Would it also be overwritten potentially in teh event a user installs extra security, such as altering htaccess file permissions to 444, or the above mentioned Bulletproof?

OSExcel,

I believe this is the line you are looking for from the databases.

(43,'file_ext','htm,html,shtm,shtml,css,js,php,php3,php4,php5,inc,
phtml,jpg,jpeg,gif,png,bmp,c,sh,pl,perl,cgi,txt','vsscan'),

I will have to confirm that is the actual backup from the site prior to restoration, see below.

Here are the other issues we encountered: some of which I think you are or have addressed,

version 2.02 I think : running WordPress 3.6. – 3.6.1

– 400k lines of code to the databases of even a brand new, fresh install of WordPress. (fresh blank WP less then 500k size DB, OSEFW fresh install 2 megs). (being addressed you said)

– over 250k lines of SQL code related to just GEO IP aspect (must be a better method)

– we encountered errors with the ability to import the sql sections of the DB backups as they pertained to the OSE Firewall. This was due to additional restrictions between foreign key and master key access within the DB. This meant we could not do an active import of the SQL database as long as the OSE SQL sections were intact. (upon deleting ose tables and structure elements import worked fine)

– Additionally the SQL Import required DB Privileges that were inappropriate to traditional website DB Server access (Master DB USER RIGHTS instead of a Standard DB USER RIGHTS).

mysql> GRANT SUPER ON *.* TO user@'localhost' IDENTIFIED BY 'password';

We consider this to be a potentially risky issue. Don’t have the error message handy, Wanted “SUPER” access (I believe was the error) and could not import with my normal full privileged user in phpmyadmin. (cpanel hosted)

As I stated, I can go back through my files and send you copies of the DB sections from your plugin. Please just try a more standardized path that end user might take.

TO get the DB errors I simply took my standard zipped sql dump file and deleted all tables and tried to do a fresh import. It would not process directly within the phpadmin panel.

I do not know if this would impact other “re-installation methods”, as I like using mysql. 🙂 however this is the first plugin to which I would need to alter db permissions to make the import.

Osexcel,

Glad I could at least help get the creative juices flowing in the right direction. Those sound like some pretty good steps in the right direction.

I will look over this version some more, but until I can at least solve these issues on my test server I will not upgrade to this versoin on a production site.

I look forward to more details.

Do you mind if I ask another question? What prompted the considerable change in format from the old 1.6.4 to the new version? Was MVC and GeoIP the only reasons?