Forum Replies Created

Viewing 15 replies - 1 through 15 (of 174 total)
Thread Starter pete_398

    (@pete_398)

    Hi @darshanaw – Okay thanks

    Thread Starter pete_398

    (@pete_398)

    Thanks @darshanaw for your reply. Are those options available with the free versions of the plugins ?

    Thread Starter pete_398

    (@pete_398)

    @sterndata – thanks for your reply, and for the links to the security side of things and plugins for forms.

    `3. WordPress is not an email client. You could build a form (see 2) that allowed properly authenticated users to send mail to other opted-in users, selecting them from a dropdown.

    without plugins? That’s not how WordPress works..`

    Okay , so from the Form plugin, we can possibly do the email side of things. Do you know if the ‘username’ is sent from the form and contained within the email ? I guess that is something I need to ask the plugin authors, and/or test.

    My concerns are mostly from a security basis, somewhat explained in a post from over two years ago, at https://www.ads-software.com/support/topic/new-wordpress-feature-is-a-security-risk/#post-11829865

    Thread Starter pete_398

    (@pete_398)

    In the past, I was able to manage the website ‘problems’ by looking for the PHP error log file. PHP logs the error and displays error messages like …

    An error of type E_ERROR was caused in line 116 of the file /home/********/public_html/wp-content/plugins/wp-optimize/wp-optimize.php. Error message: Class ‘WP_Optimize_Options’ not found

    (and where I have “*********” it was the username for the website). So, security is such on that site that only I can see that file and hence the username.

    BUT, now because of the (auto) email notification sourced from WordPress, that username has been sent across the internet in plain text. It’s in all the email headers also of course.

    It’s not just WordPress on that site but other applications, so now the ENTIRE website security has been compromised.

    Just to be clear on when I use the term USERNAME. It is not the WordPress username of course, but the ‘webmaster/admin’ username. It is something I had guarded well up until now.

    So, moving on. I see the code at line 192 of /wp-includes/class-wp-recovery-mode-email-service.php

    $sent = wp_mail(
        $email['to'],
        wp_specialchars_decode( sprintf( $email['subject'], $blogname ) ),
        $email['message'],
        $email['headers']
    );

    I could comment the code out there, but that means ‘re-work’ every time I do a WP upgrade. I only had a quick glance at that PHP file and it doesn’t seem that there is an admin type setting to effect something like “don’t send any emails”. It would be nice if the dashboard had that; had a quick look. Doesn’t seem to.

    So, for now I’ll simply modify the WP admin email address, to stop WP from sending me any emails. (I assume if I tried changing it in the dashboard it will only allow a valid email address.)

    I understand the thinking behind giving people this ‘feature’, but there is no possibility that I will ever get locked out of the system. If WP broke for me, I’d just wipe the lot and re-load the database from the daily backup.

    (Just a PS to help – I’m the only WP user on this site. There are no comments allowed. It’s a totally stock std WP, use a WP theme, and 3 very well known plugins.)
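The following is an added example, not code from the thread, from pete_398, or from WordPress core. It shows the two hook points WordPress core does expose for exactly the concern above: the `recovery_mode_email` filter, which runs on the e-mail array immediately before the `wp_mail()` call quoted from class-wp-recovery-mode-email-service.php, and the `WP_DISABLE_FATAL_ERROR_HANDLER` constant. The file name and the `[wp-root]` placeholder are my choices; `ABSPATH` is WordPress's own constant for the install directory (with a trailing slash), which is where the hosting-account name in `/home/********/public_html/` lives.

```php
<?php
/**
 * Added example (not from the forum thread or WordPress core).
 * Save as wp-content/mu-plugins/redact-recovery-email.php. Must-use plugins survive
 * core upgrades, which avoids the "re-work on every WP upgrade" problem of patching
 * class-wp-recovery-mode-email-service.php directly.
 *
 * Goal: a fatal-error notification must not carry the hosting account name
 * (/home/<account>/...) across the internet in plain text.
 */

// Option A: keep the recovery-mode feature, but replace the absolute install path
// (ABSPATH, e.g. /home/account/public_html/) with a neutral marker in every field of
// the outgoing message. The remaining path, e.g. [wp-root]/wp-content/plugins/...,
// is still enough to locate the failing file.
add_filter( 'recovery_mode_email', function ( array $email ) {
	$redact = static function ( $text ) {
		return is_string( $text ) ? str_replace( ABSPATH, '[wp-root]/', $text ) : $text;
	};

	$email['message'] = $redact( $email['message'] );
	$email['subject'] = $redact( $email['subject'] );

	// Headers may be a string or an array depending on who else filtered them.
	if ( isset( $email['headers'] ) ) {
		$email['headers'] = is_array( $email['headers'] )
			? array_map( $redact, $email['headers'] )
			: $redact( $email['headers'] );
	}

	return $email;
}, 10, 1 );

// Option B (instead of A): switch the whole fatal-error handler off, which also stops
// the recovery-mode e-mail. This is a constant, so it belongs in wp-config.php rather
// than in this mu-plugin, because core decides whether to register the handler before
// mu-plugins are loaded:
//
//     define( 'WP_DISABLE_FATAL_ERROR_HANDLER', true );
//
// Trade-off: with B a broken plugin produces a white screen instead of a recovery
// link, which is acceptable only if you have the backup-and-restore routine the
// post above describes.
```

Option A is the narrower change: the e-mail still goes out and still names the file and line, but the leaked value (the account name, which doubles as the web-server login on many shared hosts) is gone. Whichever option is chosen, the PHP error log on disk is untouched and still shows the full path to anyone permitted to read it.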

    Forum: Fixing WordPress
    In reply to: Course not showing
    Thread Starter pete_398

    (@pete_398)

    Okay, thanks for your reply James.

    Thread Starter pete_398

    (@pete_398)

    It doesn’t return a 404, but it displays code and possibly this is an exploit or security risk?

    Here is what this does – https://example.com/?rest_route=%2Foembed%2F1.0%2Fembed&url=http%3A%2F%2Fexample.com%2F%3Fp%3D73

    =========
    {"version":"1.0","provider_name":"Provider ....","provider_url":"http:\/\/example.com","author_name":"****","author_url":"http:\/\/example.com\/?author=1","title":"**","type":"rich","width":600,"height":338,"html":"
    <blockquote><a href="http:\/\/example.com\/?p=73">****<\/a><\/blockquote>\n<script type='text\/javascript'>\n<!--\/\/--><![CDATA[\/\/><!--\n\t\t!function(a,b){\"use strict\";function c(){if(!e){e=!0;var a,c,d,f,g=-1!==navigator.appVersion.indexOf(\"MSIE 10\"),h=!!navigator.userAgent.match(\/Trident.*rv:11\\.\/),i=b.querySelectorAll(\"iframe.wp-embedded-content\"),j=b.querySelectorAll(\"blockquote.wp-embedded-content\");for(c=0;c<j.length;c++)j[c].style.display=\"none\";for(c=0;c<i.length;c++)if(d=i[c],d.style.display=\"\",!d.getAttribute(\"data-secret\")){if(f=Math.random().toString(36).substr(2,10),d.src+=\"#?secret=\"+f,d.setAttribute(\"data-secret\",f),g||h)a=d.cloneNode(!0),a.removeAttribute(\"security\"),d.parentNode.replaceChild(a,d)}else;}}var d=!1,e=!1;if(b.querySelector)if(a.addEventListener)d=!0;if(a.wp=a.wp||{},!a.wp.receiveEmbedMessage)if(a.wp.receiveEmbedMessage=function(c){var d=c.data;if(d.secret||d.message||d.value)if(!\/[^a-zA-Z0-9]\/.test(d.secret)){var e,f,g,h,i,j=b.querySelectorAll('iframe[data-secret=\"'+d.secret+'\"]'),k=b.querySelectorAll('blockquote[data-secret=\"'+d.secret+'\"]');for(e=0;e<k.length;e++)k[e].style.display=\"none\";for(e=0;e<j.length;e++)if(f=j[e],c.source===f.contentWindow){if(f.style.display=\"\",\"height\"===d.message){if(g=parseInt(d.value,10),g>1e3)g=1e3;else if(200>~~g)g=200;f.height=g}if(\"link\"===d.message)if(h=b.createElement(\"a\"),i=b.createElement(\"a\"),h.href=f.getAttribute(\"src\"),i.href=d.value,i.host===h.host)if(b.activeElement===f)a.top.location.href=d.value}else;}},d)a.addEventListener(\"message\",a.wp.receiveEmbedMessage,!1),b.addEventListener(\"DOMContentLoaded\",c,!1),a.addEventListener(\"load\",c,!1)}(window,document);\n\/\/--><!]]>\n<\/script><iframe sandbox=\"allow-scripts\" security=\"restricted\" src=\"http:\/\/example.com\/?p=73&embed=true\" width=\"600\" height=\"338\" title=\"Embedded WordPress Post\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\" 
class=\"wp-embedded-content\"><\/iframe>"}
    ===============
    Thread Starter pete_398

    (@pete_398)

    Thanks for your help.

    Is that actually accomplishing anything? I mean, are you seeing just log entries or are the attackers actually getting in or causing a denial of service?

    The reason I ask is that any site on the Internet will get attacked. Blocking that file is only necessary if you’re seeing an adverse effect of that POST activity. That’s only one attempted vector and if you look in your log you’ll see many other probes.

    My attention was drawn to it, because I noticed a significant increase in bandwidth. There are 4,885 log entries just from that IP, attempting to post to xmlrpc.php. Each attempt resulted in 54,971 bytes, which isn’t much, but total is 268 MB, the posts about every 2 seconds.

    If you don’t need the functionality that xmlrpc.php provides (see Jan’s note), I’d block it even if you’re not seeing a performance hit just to avoid future problems and to rule it out as a factor if you are seeing a slow down.

    Yes, I don’t need that functionality. I think it is used to post remotely. I have no need of that at all.

    I will follow that article, so that no-one can post. It will then give a 403 or similar I guess. Will check through the database and see if anything was inserted.
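As an added example (not from the thread, the article it refers to, or WordPress core), this is the PHP-side way to switch XML-RPC off when remote posting is not needed. Blocking xmlrpc.php at the web server is cheaper, because the request never reaches PHP; the must-use plugin below is for hosts where that rule is not available, and it still rejects the request before any regular plugin or theme code runs. It relies on three things that exist in WordPress: xmlrpc.php defining the `XMLRPC_REQUEST` constant before it loads the rest of WordPress, the `xmlrpc_enabled` and `wp_headers` filters, and the `rsd_link` action. The file name and the response text are my choices.

```php
<?php
/**
 * Added example (not from the forum thread or WordPress core).
 * Save as wp-content/mu-plugins/disable-xmlrpc.php.
 *
 * Must-use plugins load before regular plugins and the theme, so a request to
 * xmlrpc.php is turned away here with almost no work done by WordPress.
 */

// 1. xmlrpc.php does define( 'XMLRPC_REQUEST', true ) before including wp-load.php,
//    so that constant is a reliable marker that this request came in through it.
if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
	if ( ! headers_sent() ) {
		http_response_code( 403 );
		header( 'Content-Type: text/plain; charset=utf-8' );
	}
	// A short body keeps the per-attempt bandwidth of automated probes negligible.
	exit( 'XML-RPC is disabled on this site.' );
}

// 2. Also tell WordPress itself that the service is disabled, so any code path that
//    reaches the XML-RPC server by another route gets a "disabled" fault instead of
//    a working login/post endpoint.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 3. Stop advertising the endpoint: drop the X-Pingback response header ...
add_filter( 'wp_headers', function ( array $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );

// ... and the RSD <link rel="EditURI"> tag in the page head that points at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );
```

After installing it, a POST to /xmlrpc.php should answer 403 with the one-line body, and the access log is the place to confirm the probes have stopped getting anything else; step 3 only reduces how easily the endpoint is discovered, it is step 1 that refuses the traffic.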

    Thread Starter pete_398

    (@pete_398)

    ..and again ..

    [15-Aug-2015 22:51:23 Australia/NSW] PHP Fatal error: Call to undefined function add_action() in /home/********/public_html/wp-content/plugins/hello.php on line 60
    [19-Aug-2015 13:39:37 Australia/NSW] PHP Fatal error: Call to undefined function add_action() in /home/********/public_html/wp-content/plugins/hello.php on line 60

    When is this going to be fixed ?

    Version 4.2.4

    Thread Starter pete_398

    (@pete_398)

    [26-Jul-2015 04:08:09 Australia/NSW] PHP Fatal error: Call to undefined function get_header() in /home/*******/public_html/wp-content/themes/twentyeleven/404.php on line 10

    Forum: Hacks
    In reply to: Renaming wp-config.php ??
    Thread Starter pete_398

    (@pete_398)

    Well, I don’t know how I got only 4 references; there are roughly 21 as you say.

    Will do the .htaccess tip, lower the perms to 400 or 440 (444 now), and think about moving it outside the web root path. Thanks

    Forum: Hacks
    In reply to: Renaming wp-config.php ??
    Thread Starter pete_398

    (@pete_398)

    Thanks for advising about the exploit. I don’t have that plugin, however there may be weaknesses in the plugins I do have, or in WP core itself, to display wp-config.php

    I think the best solution for me is to rename the file.

    Thread Starter pete_398

    (@pete_398)

    Okay, thanks for your help.

    Thread Starter pete_398

    (@pete_398)

    Do I still place the following in wp-config.php ?

    define('FORCE_SSL_ADMIN', true);
    define('DISABLE_WP_CRON', true);

    Also, if I’m the only admin and the only person that logs in, is there a need for FORCE_SSL_ADMIN to be set to true ? I do have an SSL connection, but would prefer that no links are shown which point to it.

    Usually a blank page in php means a php error of some sort. What are the contents of your error log file ?

    If you post the contents here, don’t post any username info, like /home/username/ , just post what is after it.

    Thread Starter pete_398

    (@pete_398)

    Re-read this please ..

    Where do I now place FORCE_SSL_ADMIN ?
