Update to 1.1
I’m no longer really maintaining this plugin but just did a minor update to version 1.1. This was always a free plugin/volunteer project but I will always make the effort to be responsive to security reports. (I’m not monitoring www.ads-software.com or this forum in general, but I will watch this thread for any bug reports related to the new version for a little while.)
If you are already using the plugin, there is nothing you need to know or do. Let WordPress do its autoupdate, the new version works exactly the same.
Here’s what changed: By default the plugin has always initialized the default log file location for new installs to a “log” directory inside the plugin itself, along with big warnings in the install instructions and on the admin panel to change this to something that is outside your www root. Otherwise your user info and logs are visible over the web. So, if you were following instructions and changed this setting, great, there is nothing to worry about. If for some reason you’ve never changed this, you really might want to do that now (just upgrading the plugin isn’t going to change your settings).
For new installs, version 1.1 now instead will try to initialize the log file location to the PHP error_log location, or if that value is not set, it will go with one directory up from wherever WordPress is installed (e.g. if WordPress is /www/somedir/WordPress-html it will try /www/somedir). This is better for security because the default is no longer a www-visible location. The downside is that the new default may not be webserver-writable or where you want your User Spam Remover log files to go, so if you’re a new user be sure to update this setting on the admin panel to wherever you want your logs to go and chown/chmod that dir so that it’s writable by the webserver/PHP/WordPress user.
Props and thanks Joshua for your attention and submitting a report. I really appreciate it.
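An added example (not part of the original post and not the plugin's code): a shell check for the condition the post describes, a log directory that resolves to a location under the web root, plus a writability test for the account running it. The directory layout and the `example-plugin` name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the plugin's code. Checks whether a log directory would be
# served by the web server, and whether the current user can write to it.

# Print the physical path of directory $1 (symlinks resolved); fail if absent.
resolve_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# Exit 0 if directory $2 is web root $1 or lies beneath it, 1 if it is
# outside, 2 if either path does not exist.
is_under_webroot() {
    root=$(resolve_dir "$1") || return 2
    dir=$(resolve_dir "$2") || return 2
    case "$dir/" in
        "${root%/}"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict for log directory $2 under web root $1.
# Run it as the webserver/PHP user so the -w test reflects that account.
audit_log_dir() {
    rc=0
    is_under_webroot "$1" "$2" || rc=$?
    case $rc in
        0) echo "WEB_VISIBLE"; return 1 ;;
        2) echo "MISSING"; return 1 ;;
    esac
    if [ -w "$2" ]; then echo "OK"; else echo "NOT_WRITABLE"; return 1; fi
}

# Constructed layout mirroring the post's /www/somedir/WordPress-html example.
demo() {
    base=$(mktemp -d) || return 1
    webroot="$base/somedir/WordPress-html"
    old="$webroot/wp-content/plugins/example-plugin/log"   # hypothetical plugin dir name
    mkdir -p "$old"
    ln -s "$old" "$base/logs-link"          # outside by name, inside once resolved
    for d in "$old" "$base/somedir" "$base/logs-link"; do
        printf '%s: %s\n' "${d#"$base"}" "$(audit_log_dir "$webroot" "$d")"
    done
    rm -rf "$base"
}
demo
```

The symlink case is there because a path that looks like it sits outside the web root can still resolve to a directory inside it.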