• Last night I was uploading some updated themes and plugins via FileZilla, whilst I was logged in as the site admin.

    Then I get an email …

    “Since WordPress 5.2 there is a built-in feature that detects when a plugin or theme causes a fatal error on your site, and notifies you with this automated email.”

    The email stated down the bottom – “Error Details
    =============
    An error of type E_ERROR was caused in line 116 of the file /home/********/public_html/wp-content/plugins/wp-optimize/wp-optimize.php. Error message: Class ‘WP_Optimize_Options’ not found

    Except where I have placed “***********” it actually had the website username. Sending login details via plain text emails is a HUGE security risk.

    Please advise how I can “disable” this new feature.

    Not impressed!!!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Hi Pete, I’m just getting my head around the concern. Can you go into further detail as to why you think this is a security concern? WordPress is only acting as the messenger in this case; the error message would have displayed regardless and is how PHP works out of the box.

    Thread Starter pete_398

    (@pete_398)

    In the past, I was able to manage the website ‘problems’ by looking for the PHP error log file. PHP logs the error and displays error messages like …

    An error of type E_ERROR was caused in line 116 of the file /home/********/public_html/wp-content/plugins/wp-optimize/wp-optimize.php. Error message: Class ‘WP_Optimize_Options’ not found

    (and where I have “*********” it was the username for the website). So, security is such on that site that only I can see that file and hence the username.

    BUT, now because of the (auto) email notification sourced from WordPress, that username has been sent across the internet in plain text. It’s in all the email headers also of course.

    It’s not just WordPress on that site but other applications, so now the ENTIRE website security has been compromised.

    Just to be clear on when I use the term USERNAME. It is not the WordPress username of course, but the ‘webmaster/admin’ username. It is something I had guarded well up until now.

    So, moving on. I see the code at line 192 of /wp-includes/class-wp-recovery-mode-email-service.php

        $sent = wp_mail(
            $email['to'],
            wp_specialchars_decode( sprintf( $email['subject'], $blogname ) ),
            $email['message'],
            $email['headers']
        );

    I could comment the code out there, but that means ‘re-work’ every time I do a WP upgrade. I only had a quick glance at that PHP file and it doesn’t seem that there is an admin-type setting to effect something like “don’t send any emails”. It would be nice if the dashboard had that; I had a quick look, and it doesn’t seem to.

    So, for now I’ll simply modify the WP admin email address, to stop WP from sending me any emails. (I assume if I tried changing it in the dashboard it will only allow a valid email address.)

    I understand the thinking behind giving people this ‘feature’, but there is no possibility that I will ever get locked out of the system. If WP broke for me, I’d just wipe the lot and re-load the database from the daily backup.

    (Just a PS to help – I’m the only WP user on this site. There are no comments allowed. It’s a totally stock, standard WP, using a WP theme and 3 very well known plugins.)

    Dion

    (@diondesigns)

    Many other applications filter raw filepaths in displayed messages and emails; perhaps WordPress could do something like this:

    $message = str_replace(ABSPATH, '[WP Root]/', $message);
    

    There is a recovery_mode_email filter hook that you could use to do this yourself.
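The filter Dion mentions can be used from a must-use plugin (a file in wp-content/mu-plugins/), which survives core upgrades and so avoids the re-work problem of editing wp-includes. The following is an added example, not WordPress core code and not code posted in this thread; the function names prefixed example_ are made up for this illustration, and the ABSPATH value and the email array used in the command-line demo are constructed sample data (the email array mirrors the 'to', 'subject', 'message', 'headers' keys that the recovery_mode_email filter receives). Unlike the one-line str_replace above it also redacts the site root when it appears without its trailing slash:

```php
<?php
/**
 * Plugin Name: Redact filesystem paths in recovery-mode emails
 * Description: Example mu-plugin (not WordPress core) that replaces the site's
 *              filesystem root with a placeholder before the fatal-error email
 *              is handed to wp_mail(). Drop into wp-content/mu-plugins/.
 */

/**
 * Replace the filesystem root $abspath with "[WP Root]" inside $text.
 *
 * ABSPATH is normally slash-terminated ("/home/user/public_html/"); the
 * slash-terminated form is replaced first so that "[WP Root]/wp-content/..."
 * comes out cleanly, then the bare form catches any occurrence without a
 * trailing slash.
 */
function example_redact_site_path( $text, $abspath ) {
    $root = rtrim( (string) $abspath, '/\\' );
    if ( '' === $root ) {
        return $text; // Nothing sensible to redact.
    }
    $text = str_replace( $root . '/', '[WP Root]/', $text );
    $text = str_replace( $root, '[WP Root]', $text );
    return $text;
}

/**
 * Callback for the 'recovery_mode_email' filter. WordPress passes the email
 * array and the recovery-mode URL and expects the (possibly modified) array back.
 */
function example_redact_recovery_mode_email( $email, $url ) {
    foreach ( array( 'subject', 'message' ) as $key ) {
        if ( isset( $email[ $key ] ) && is_string( $email[ $key ] ) ) {
            $email[ $key ] = example_redact_site_path( $email[ $key ], ABSPATH );
        }
    }
    return $email;
}

if ( function_exists( 'add_filter' ) ) {
    // Loaded by WordPress: register the filter (priority 10, two arguments).
    add_filter( 'recovery_mode_email', 'example_redact_recovery_mode_email', 10, 2 );
} else {
    // Run directly with `php this-file.php` outside WordPress: demonstrate on
    // a constructed email. The path below is made up for the demo.
    define( 'ABSPATH', '/home/exampleuser/public_html/' );
    $email = array(
        'to'      => 'admin@example.com',
        'subject' => '[%s] Your Site is Experiencing a Technical Issue',
        'message' => 'An error of type E_ERROR was caused in line 116 of the file '
                   . ABSPATH . 'wp-content/plugins/wp-optimize/wp-optimize.php. '
                   . "Error message: Class 'WP_Optimize_Options' not found",
        'headers' => '',
    );
    $redacted = example_redact_recovery_mode_email( $email, 'https://example.com/' );
    echo "Before: {$email['message']}\n";
    echo "After:  {$redacted['message']}\n";
}
```

Two caveats. First, this only hides the path in the email body; the recovery-mode link the same email carries is itself a credential for the site and should be treated as such. Second, the replacement is a plain string match on ABSPATH, so a path that PHP reports through a symlink or a differently normalised prefix would not be caught. If the goal is simply never to receive these emails at all, WordPress core also honours a constant in wp-config.php, `define( 'WP_DISABLE_FATAL_ERROR_HANDLER', true );`, which switches the fatal-error handler (and with it recovery mode) off entirely.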

  • The topic ‘New WordPress “feature” is a security risk’ is closed to new replies.