Plugin incompatible with WP Hide and Security Enhancer

  • Resolved mywebdesign

    (@mhwebdesign)


    4 years, 8 months ago

    Hi there,

    Just wanted to let you know that your plugin is incompatible with WP Hide and Security Enhancer, and infact any other security plugin (or manual code) that obfuscates /wp-contents directory.

    When OMGF attempts to load fonts from /wp-content/cache it cannot because the directory is obfuscated.

    Even changing the directory it cannot jump one level back I found (e.g /fonts), it cna only download fonts to directories under /wp-contents/.

    Given more and more people and using security by obscurity, it’s something that probably needs looking into.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author DaanvandenBergh

    (@daanvandenbergh)

    I’m aware of this. I’m looking into a way to implement this.

    Thread Starter mywebdesign

    (@mhwebdesign)

    HAHAHA I’d have to mark this down as worlds fastest reply on WordPress.

    Bummer! I’ve used the plugin before with incredibly good results (before it was renamed), and was hoping to squeeze a little more pace out of my site (that said in testing it went from 2.1 to 1.8 seconds), so my guests shouldn’t notice 0.4 of a second.

    For most of those plugins the obfuscation isn’t server side, but client side, so technically if your plugin can be installed, and run, it should be accessible. I sense though the issue is more with the client being able to access an actual directory instead of a 404’d one (i.e blocked by code).

    Could it possibly work if it’s under the subdirectory of the plugin (as in /wp-content/plugins/omgf/fonts)?

    Plugin Author DaanvandenBergh

    (@daanvandenbergh)

    In older versions it worked like that, but I switched it, because then security plugins such as WordFence would start complaining that ‘plugin files were altered.’

    Thread Starter mywebdesign

    (@mhwebdesign)

    I’m suprised in such instances an exclusion (in security vendors software) couldn’t be made (i.e adding your app and its directory to a whitelist).

    Shame because unfortunately security comes before speed.

    Plugin Author DaanvandenBergh

    (@daanvandenbergh)

    Yes, it probably could. But that would be still be a weakness in security wouldn’t it? Everyone would start adding my plugins to a whitelist, making my plugin a perfect place for a hacker to start scanning for weaknesses. Although I trust my code is safe, you can never be careful enough.

    No worries, I’m currently working on a big OMGF release and I’m pretty sure I can pick this up before release as well.

    Thread Starter mywebdesign

    (@mhwebdesign)

    Awesome Daan,

    Will keep an eye out for it.

    One less issue to worry about with Content Security Policies too if you can get it resolved ??

    Plugin Author DaanvandenBergh

    (@daanvandenbergh)

    Hi again,

    Just wanted to let you know that I added a ‘serve webfonts from…’ option to v3.1.0. This allows you to rewrite the URLs generated in the stylesheet.

    E.g. setting:

    Save webfonts to… /cache/omgf-webfonts, and
    Serve webfonts from… /code/cache/omgf-webfonts

    Will make the fonts be downloaded to wp-content/cache/omgf-webfonts, but the URLs in the stylesheet will be e.g. https://yourdomain.com/code/cache/omgf-webfonts/fontname.woff2.

    I’m running WP Hide with OMGF successfully on woosh.dev. ??

    Thread Starter mywebdesign

    (@mhwebdesign)

    Hi Daan,

    That’s fantastic and will be a massive help to so many, because in some cases you want to shift data outside of WordPress directories to keep things organised (e.g /fonts).

    Good to know you are using that plugin too and it works ??

    Will keep an eye out for the new release and try again (albeit with the page now tweaked and loading in under a second, it may not impact me too much ??

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Plugin incompatible with WP Hide and Security Enhancer’ is closed to new replies.