madivad
Forum Replies Created
Forum: Fixing WordPress
In reply to: disabled plugins, security risks and alternatives
G’day guys, thanks for your replies.
Because obscurity and security are not synonymous
I agree with that whole-heartedly, but given I want these plugins for whatever reason (finding them again to reinstall can be painful) but want to keep potential risks minimal, the thought of moving them out of existing paths could be beneficial. (discussed further below)
Having any number of deactivated plugins on your site is not a security risk, regardless of if you have 1 or 150. It’s not the volume that matters, it’s the one plugin that may be exploitable.
I’m not sure if we’re on the same point here: my intent is that a quantity of plugins (activated or not) are a POTENTIAL security risk, ie, those plugins where vulnerabilities have been discovered by the hackers and NOT by the authors/users. My point specifically is that deactivated plugins are (in as far as I can tell) STILL exploitable. If I want to keep a plugin around, I’d prefer to keep those potential risks at a minimum.
Reducing the number of deactivated plugins doesn’t do anything for that risk because you need to keep your code updated regardless if it’s activated or not.
Agreed, and my hope is that everyone DOES keep their plugins up to date. As mentioned above, it’s more about the quantity of POTENTIAL risks which is all plugins, not just activated vs deactivated.
I think my sentiment here is that 20 active and 30 inactive (up to date) plugins are more of a risk than 20 active (and again up to date) plugins.
I suppose the only surefire way to reduce those risks is to remove (ie delete) the plugin and reinstall as necessary, but that could introduce other problems such as retaining unnecessary database entries/configurations if not used again, or losing them if they are required (depending on the deactivation process).
I haven’t yet automated my updates, although I am pretty much on top of them as needed these days. I like to handle them manually, especially for those that might not play nicely with others. Plus, for those days away from WordPress (they do exist lol) I get my email which tells/reminds me that plugins are required to be updated.
On a slightly side note: do people ever incorporate simple plugins into their own functions.php file whereby negating the need for the plugin? I wrote a plugin for myself some years ago that allowed me to haver a functions.php file outside of the theme. Well, technically it wasn’t a functions.php file, it was in fact a plugin, and I could chop and change it as necessary without changing themes being an issue. (Yes these are theme independent changes). I ended up adopting an actively updated plugin that checks my code. I liked the idea of removing these simple plugins, but realise that generally these would provide less of a risk than other plugins anyway. ie Just by nature of their changes such as one line hooks/filters etc.
Coffees and beers all round
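The reply above touches two practical points: keeping theme-independent tweaks in a plugin rather than in a theme's functions.php, and the fact that a deactivated plugin is still code on disk that has to be kept updated or deleted. The following must-use plugin is an added example written for this page; it is not madivad's plugin or iThemes Security code. It uses only core WordPress functions (get_plugins, is_plugin_active, is_plugin_active_for_network, admin_notices) and assumes it is placed in wp-content/mu-plugins/, where it loads on every request and cannot be deactivated from the dashboard.

```php
<?php
/**
 * Plugin Name: Site Functions (mu-plugin)
 * Description: Theme-independent site tweaks plus an inactive-plugin audit notice.
 *              Added example for this page, not the poster's own plugin.
 *
 * Drop this file into wp-content/mu-plugins/ (create the directory if needed).
 * Must-use plugins load on every request and cannot be deactivated from the
 * dashboard, so there is no "installed but deactivated" state to forget about.
 */

// --- Theme-independent one-liners that often end up in a theme's functions.php ---

// Stop advertising the exact WordPress version in the page <head>.
remove_action( 'wp_head', 'wp_generator' );

// Turn off XML-RPC unless something on the site actually needs it (core 'xmlrpc_enabled' filter).
add_filter( 'xmlrpc_enabled', '__return_false' );

// --- Inactive-plugin audit: deactivated code stays on disk and still has to be maintained ---

/**
 * Return plugins that are installed but neither active on this site nor
 * network-activated on multisite. Key: plugin file, value: header array.
 */
function sf_inactive_plugins() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $inactive = array();
    foreach ( get_plugins() as $file => $headers ) {
        $active = is_plugin_active( $file )
            || ( is_multisite() && is_plugin_active_for_network( $file ) );
        if ( ! $active ) {
            $inactive[ $file ] = $headers;
        }
    }
    return $inactive;
}

/**
 * Show administrators a notice listing inactive plugins, so each one becomes a
 * conscious "keep updated or delete" decision rather than forgotten code.
 */
function sf_inactive_plugins_notice() {
    if ( ! current_user_can( 'delete_plugins' ) ) {
        return;
    }
    $inactive = sf_inactive_plugins();
    if ( empty( $inactive ) ) {
        return;
    }
    $names = array();
    foreach ( $inactive as $file => $headers ) {
        $names[] = sprintf( '%s %s', $headers['Name'], $headers['Version'] );
    }
    printf(
        '<div class="notice notice-warning"><p>%s</p></div>',
        esc_html( sprintf(
            '%d inactive plugin(s) still on disk (update or delete): %s',
            count( $inactive ),
            implode( ', ', $names )
        ) )
    );
}
add_action( 'admin_notices', 'sf_inactive_plugins_notice' );
```

The notice only appears for users who can delete plugins, and it lists the plugin name and version so the version can be compared against the current release before deciding whether to update or remove it.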
Forum: Fixing WordPress
In reply to: turn "wordpress" into "WordPress"
Great starting point there, interestingly, it was never reverted! I didn’t realise it was in fact in place (I don’t often read posts where I discuss “wordpress” vs “WordPress” in my actual site; I read and re-read things in my editor and since the content is never changed, I never noticed it). (I originally wrote that: none of my sites correct incorrect instances of WordPress, but then I made a post and checked it from the front end and was surprised it was still there).
My memory serves that it was about what WordPress COULD do, but in hindsight now, it was probably the discussion about the fact they DID it.
There appears to be a lot of wasted keystrokes in those discussions lol
The funny thing is, I had a real life purpose for wanting to introduce a similar feature (it was only for my personal site and not correcting anyone else’s “mistakes”), but in reading half of these discussions (I gave up, it was too long) I realise it would break some things of mine. At least if I do apply the filter, I’ll be more wary of HOW it’s applied.
Thanks for the reply!
Forum: Plugins
In reply to: [SiteOrigin Widgets Bundle] word-break CSS??
Spoke a little too soon, I had to add h3 as well.
Forum: Plugins
In reply to: [SiteOrigin Widgets Bundle] word-break CSS??
I’ve just noticed the ugliness of this last night as well… Very ugly.
Fix applied… That’s better.
Forum: Fixing WordPress
In reply to: Link Posts to Pages
That’s a whole lot of explaining to do then.
I hate to sound like others that say: post a link to the site so we can have a look
But that’s really what’s needed if you’ve already done some work and want guidance on how to go further.
In essence however, If you have the front page set to blog posts (the default) and you’ve created posts, they will be automatically there.
If you’ve created a page already and posts are separate and set a (not so) ‘static’ front page to some other page, you’ll need to create a dummy ‘blog’ page and then link that in your settings. Then when you reload the page, you’ll have BLOG in the menu (once you’ve added it to the menu as well, of course) and you can navigate to your posts from there.
Forum: Plugins
In reply to: [Multi Plugin Installer] not sufficient permissions
I get this error from time to time, never got to the bottom of it. I have a multisite install and believe it’s possibly a cross domain problem, ie working in one domain and an action is required to happen somewhere else. Just thought I’d offer someone for you to look
Forum: Plugins
In reply to: [Remove Category URL] modified to work with Custom Post Type /slug/
Ok, I’ll have a look, thanks.
What battlestar said.
You can include a link to the dashboard on the maintenance screen to make it even more simple. But adding “wp-admin” to the end of the url gets you to the login page (and what I use)
Forum: Plugins
In reply to: [My Custom Functions] nothing appears below line 26
That’s cheating, but I love your thinking on this!! Great idea and super speedy (for my bug report on the issue), which gives you the “here’s your beer” donation (once I’m out of bed and don’t have one of the kids limiting me to single arm/hand/thumb typing).
Cheers.
Forum: Plugins
In reply to: [My Custom Functions] nothing appears below line 26
No worries, it was more for info than anything else. Is it known to anything specific? ie, am I a loner? or is it OS/browser/WP version specific?
Thank YOU for the feedback.
Ahhh, I’d followed https://ithemes.com/contributing-to-ithemes-security/ which takes you to a page that is sorely lacking content.
I actually determined the correct link and (from memory) it was as simple as adding another folder to the path which could/should be detected as being a part of multisite.
Anyway, will look more closely at Trello.
I’ve just realised that it’s not a banned username, but rather a banned site name.
However, I’m getting over 100 hits for various IPs all trying each of my site installs under my multisite. I did notice the same IP requesting on a couple of them. If an IP is banned from one site, they should be banned from all.
I thought I would add:
I would LOVE to see a feature whereby (mostly multisite related):
- away mode could be per site
- away mode could be triggered as the last admin for each site logs off
- away mode for all sites could be triggered when super admin logs off
- fixed IP addresses for users (notwithstanding the fact that some people use mobile devices or have a dynamic IP address assigned at home, in the case where a site would have power users who only log in from fixed locations or remotely through vpns to a fixed location, some IP option could be handy)
- a log entry after X failed attempts at logging in to denote whether that IP address actually got in or not. Personally, every time someone logs in from a new IP address, I want to know about it, possibly even have some form of geolocation worked in with that
- possibly an error from another plugin (or not) but the link to the log file from the malware test section in the settings area gives me a permission error, but going directly to the log works
- tonight for the first time (since installing this a week ago) I was getting hit from multiple IP addresses simultaneously and once they failed on one site they went to one of the others in the network. It would be good to enter a “panic room” mode where all user logins are denied for a fixed/editable period. Since my site is more a personal blog, it won’t affect anyone, I’m mainly the only user.
- further to “panic room” mode, possibly enhance the away mode to allow users INSIDE the backend to remain there (if at all possible). Or allow only certain users access yet leave the away mode activated
Maybe the away mode triggers something that just doesn’t allow anyone in; if that’s the case, then I understand it wouldn’t be possible to let anyone in. But if it’s possible to only let one IP in for a period, that could be of great security benefit.
Time to shut up now. Sorry guys.
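Two of the requests above can be prototyped with core WordPress hooks alone: the wish that an IP banned on one site of a multisite network be banned on all of them, and the “panic room” mode where logins are refused for a fixed period while one IP stays allowed. The must-use plugin below is an added example for this page, not iThemes Security code and not the plugin's away mode. It uses get_site_option/update_site_option (network-wide storage on multisite, falling back to the ordinary options table on a single site), the wp_login_failed action and the authenticate filter; the option names, thresholds and the nlg_ prefix are assumptions chosen for the example, and the wp_logout hook assumes WordPress 5.5 or later, where the action receives the user ID.

```php
<?php
/**
 * Plugin Name: Network Login Guard (example)
 * Description: Network-wide failed-login lockout plus a "panic room" switch.
 *              Added example for this page, not iThemes Security code.
 * Install in wp-content/mu-plugins/ so it loads for every site in the network.
 */

const NLG_MAX_FAILURES = 5;                          // failures per IP across the whole network (assumed)
const NLG_WINDOW       = 15 * MINUTE_IN_SECONDS;     // sliding window; MINUTE_IN_SECONDS is a core constant
const NLG_OPTION       = 'nlg_failed_logins';        // assumed option names, stored network-wide
const NLG_PANIC_UNTIL  = 'nlg_panic_until';
const NLG_PANIC_ALLOW  = 'nlg_panic_allow_ip';

/** REMOTE_ADDR is the only address the web server vouches for; X-Forwarded-For is client-controlled unless a trusted proxy sets it. */
function nlg_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Timestamps for $ip that still fall inside the sliding window. */
function nlg_recent_failures( $ip ) {
    $log    = get_site_option( NLG_OPTION, array() );
    $cutoff = time() - NLG_WINDOW;
    $hits   = isset( $log[ $ip ] ) ? (array) $log[ $ip ] : array();
    return array_values( array_filter( $hits, function ( $t ) use ( $cutoff ) {
        return $t > $cutoff;
    } ) );
}

/** Record a failed login. Because the option is network-wide, a burst across several sites adds up to one lockout. */
function nlg_record_failure( $username ) {
    $ip          = nlg_client_ip();
    $hits        = nlg_recent_failures( $ip );
    $hits[]      = time();
    $log         = get_site_option( NLG_OPTION, array() );
    $log[ $ip ]  = $hits;
    update_site_option( NLG_OPTION, $log );
    // One log line per failure: username, source IP, which site in the network, and the running count.
    error_log( sprintf( '[nlg] failed login for "%s" from %s on blog %d (%d in window)',
        $username, $ip, get_current_blog_id(), count( $hits ) ) );
}
add_action( 'wp_login_failed', 'nlg_record_failure' );

function nlg_is_locked( $ip ) {
    return count( nlg_recent_failures( $ip ) ) >= NLG_MAX_FAILURES;
}

/** Panic mode denies everyone except the single allowed IP until the stored expiry. */
function nlg_panic_blocks( $ip ) {
    $until = (int) get_site_option( NLG_PANIC_UNTIL, 0 );
    if ( $until <= time() ) {
        return false;
    }
    return $ip !== get_site_option( NLG_PANIC_ALLOW, '' );
}

/** Runs after core's credential checks (priority 100) so it can override even a correct password. */
function nlg_gate_login( $user, $username, $password ) {
    $ip = nlg_client_ip();
    if ( nlg_panic_blocks( $ip ) || nlg_is_locked( $ip ) ) {
        // Same generic message for both cases so the response does not reveal which rule fired.
        return new WP_Error( 'nlg_denied', __( 'Login is temporarily unavailable.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'nlg_gate_login', 100, 3 );

/** Super admin switch: refuse all new logins for $minutes, leaving only the caller's IP able to log in. */
function nlg_enter_panic_mode( $minutes = 60 ) {
    if ( ! is_super_admin() ) {
        return false;
    }
    update_site_option( NLG_PANIC_UNTIL, time() + $minutes * MINUTE_IN_SECONDS );
    update_site_option( NLG_PANIC_ALLOW, nlg_client_ip() );
    return true;
}

/** Optional: arm panic mode automatically when a super admin logs out (wp_logout passes the user ID since WP 5.5). */
function nlg_on_logout( $user_id ) {
    if ( is_super_admin( $user_id ) ) {
        update_site_option( NLG_PANIC_UNTIL, time() + 60 * MINUTE_IN_SECONDS );
        update_site_option( NLG_PANIC_ALLOW, nlg_client_ip() );
    }
}
add_action( 'wp_logout', 'nlg_on_logout' );
```

Because the gate sits on the authenticate filter, it only affects new logins through the login form; sessions that are already signed in are validated by cookie and are left alone, which matches the wish that people inside the backend can stay there while away or panic mode is active. Wiring nlg_enter_panic_mode to a network admin button or a WP-CLI command is left to the reader.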
Ok, tried it tonight and since I was in an IDE with FTP, I opened the file and looked at the contents. A word to anyone else thinking of doing this: it doesn’t work.
Either rename the file (as suggested by @dwinden) or delete it. Since from what I can gather, it only gets deleted anyway once away mode is off (if I’m not mistaken—which at this late hour is possible :P)
Thanks @dwinden for your reply and patience.
Sorry, I haven’t had a chance to test this. I’m currently migrating servers, I’ll let you know as this is a feature I’m very interested in.