Resolved. Secret Agency

    (@secretagency)


    I keep getting alerts from WordFence that your plugin code has changed. Here is the latest:

    Filename: wp-content/plugins/eps-301-redirects/wp301/wp301.php
    File Type: Plugin
    Details: This file belongs to plugin “301 Redirects” version “2.53” and has been modified from the file that is distributed by www.ads-software.com for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don’t manage their code correctly

    In the past I compared the before and after changes and only one line was changed – a blank line at that. Now the differences are many but still appear benign.

    Is the plugin code changing dynamically without running the plugin updater or updating the version number? Or is this a false positive?

    Here are the differences:
    https://drive.google.com/file/d/1nay2XA49fR-GJ1U0AWVxcWx08ruNynfb/view?usp=sharing

Viewing 4 replies - 1 through 4 (of 4 total)
I'm following this thread. I've received the same alert from Wordfence.

    Plugin Author WebFactory

    (@webfactory)

    Hi,
    I didn’t feel like that change warranted an immediate version bump which would prompt everybody to update the plugin. When we push new versions for such small changes people complain that we do too many new versions and that they need to constantly update. I somewhat agree with that.

    So, 100% this is not malicious, nothing bad is going on, we’re fully aware of what we did.

    Is this a good practice? Well, I don’t know because people are emailing us again and are not pleased. We’ll push a new version in about 10 days so things will be back to normal.

    Thread Starter Secret Agency

    (@secretagency)

    Hey thanks for the quick reply!

    Yeah, I don’t think it is a good practice to have production code change without the version number changing.

    At best it sows confusion. And when security plugins complain about the code changes, people might assume they have been hacked. The changes looked benign to me but a lot of folks won’t know how to tell the difference.

    Just a thought – not sure if it’s a good one or not – but what if you had some sort of public beta option? You could let users opt in and maybe call it something less scary than beta, like “fast track”, with the promise that the updates will have been tested before release so they shouldn’t compromise security or break sites. The selling point would be that they provide the latest features, only faster. Then you can gather feedback before pushing to production.

    I am not sure how it would work in practice but you would probably need to use a parallel updating mechanism like via GitHub or something a la https://code.tutsplus.com/tutorials/distributing-your-plugins-in-github-with-automatic-updates–wp-34817

    On second thought, a free plugin is already kind of a public beta, isn’t it? I mean, if it is free, who are users to complain about frequent updates? Maybe just ignore those complaints?

    Anyway, thanks for clarifying and again for the quick reply.

    Plugin Author WebFactory

    (@webfactory)

    We’re explicitly forbidden to have any code on wp.org that serves updates from a 3rd party server. So if we had a beta branch, that code would have to be 100% detached from what we have on wp.org. I’m not against it but feel that would be used by like 5 people max.

The topic ‘Wordfence alerts changes to 301 Redirects code’ is closed to new replies.