Vulnerability in plugin architecture - separate folder? (8 posts)

  1. burvil
    Member
    Posted 13 years ago #

    I'm using the latest version of MU, and noticed that plugins, no matter what their nature, all go in the same directory. Although one can prevent their plugins directory from being browsed, any of the contents of that directory are still visible by default to the world, i.e.

    1) Although there are thousands of plugins to choose from, a hacker could still guess that a target site would be running any of the more popular plugins and confirm by going to http://site-name/wp-content/plugins/plugin-name-here/filename-here, or

    2) the hacker could use a fingerprinting tool like plecost to inventory a target wordpress install.

    In both cases, sensitive information like plugin name, version, wordpress version and so on are exposed. I mean, what's the point in having Wordpress Firewall installed if a hacker can go to your plugins directory, see that it's there, and potentially bypass it?

    Again, the fact that there are a lot of plugins is an example of security by obscurity, which is really no security at all, since with brute force tools like plecost, it's trivial to bypass that hurdle.

    Would it make sense to have a separate directory for sensitive plugins like Wordpress Firewall, that can be protected with an appropriate .htaccess file?

  2. andrea_r
    Moderator
    Posted 13 years ago #

    Except the plugin files that have those headers in are also PHP files, and when accessed directly will not display that information, because it's being executed. If you've got the right file and folder permissions (755 for folders, 644 for files), they can't really do anything.

    Knowing if you have a certain plugin installed doesn't matter much if they figure out how to bypass it anyway. They can't check if you have it running or not just by looking at the directories. There would have to be a vulnerability in the plugin itself or in WP.

    If you're worried about the recent round of hacks that were very public at a few hosts, it was made clear over and over again the hackers did not get in via WordPress or any WP plugins. They all got in from lifted ftp passwords.

  3. burvil
    Member
    Posted 13 years ago #

    Thanks. Yeah, I guess I've noticed vulnerabilities in some plugins. For instance, ServerBuddy writes the wordpress version, PHP version, php.ini settings, file permissions and various other information to wp-content/plugins/serverbuddy-by-pluginbuddy/definitions/security.txt, which is readable by default by anyone with no authentication. As such, it seems not all such plugin files are PHP and may in fact be readable.

    What is the protocol for this - just send an email to the plugin author?

    As a side note, I realized that I could also put in .htaccess files in the subdirectories where there's sensitive information. That said, it would be nice for a plugin like this not to expose that information, as it's supposed to increase security, not decrease it.
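
    The per-directory .htaccess approach mentioned above, written out as an added example (not from anyone in this thread): a single file dropped into wp-content/plugins/ that blocks directory listings and refuses direct requests for the text and data files plugins ship with, while leaving the PHP, CSS, JS and image files they legitimately serve untouched. The extension list is an assumption about what is worth hiding, not something the thread specifies.

    ```apache
    # Added example, not from the thread: wp-content/plugins/.htaccess
    # Stop directory listings so plugin folder names cannot be enumerated by browsing.
    Options -Indexes

    # Refuse direct web requests for non-executable text/data files that plugins
    # carry alongside their code (definition files, readme/changelog, logs, config
    # dumps, editor backups). PHP is executed rather than shown, and CSS/JS/images
    # are not matched, so plugins keep working.
    <FilesMatch "\.(txt|log|ini|md|sql|csv|bak|orig|inc)$">
        # Apache 2.4 syntax. On Apache 2.2 use the two lines:
        #   Order allow,deny
        #   Deny from all
        Require all denied
    </FilesMatch>
    ```

    This only takes effect where the vhost's AllowOverride permits .htaccess files; on nginx the equivalent is a location block in the server config rather than a file in the directory.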

  4. dustinbolton
    Member
    Posted 13 years ago #

    burvil:

    As the author of ServerBuddy I just wanted to clarify to you that there is NO site, server, or WordPress information being stored in security.txt (or any file at all) by ServerBuddy. ServerBuddy requires an active administrator login and returns site/server information on the fly. Nothing is stored or cached to a file at any point by the plugin.

    The definition text files just contain lists of tests and are of absolutely no security risk and contain NOTHING specific to your site. Myself and our team at PluginBuddy.com take security very highly and strive to create the most secure plugins possible.

    Thanks!

  5. andrea_r
    Moderator
    Posted 13 years ago #

    Thanks for the clarification Dustin. :)

  6. burvil
    Member
    Posted 13 years ago #

    Dustin,

    Thanks for your response. Please, don't get me wrong - ServerBuddy has provided some very useful information I've used to secure my blog. I've gotten a lot out of it, and do appreciate your work.

    That said, your saying this makes me wonder if I have a wrong setting somewhere in the plugin. This is what I have in security.txt (values removed for security reasons):

    wp_version,value-removed,==,1
    php_version,value-removed,==,1
    php_release_date,values-removed,PHP Release Date,Official release date of your current PHP version. We recommend keeping your PHP up to date (no more than a year old) to maximize security and performance.
    mysql_version,value-removed,==,1
    PHP Core,magic_quotes_gpc,==,value-removed
    PHP Core,magic_quotes_runtime,==,value-removed

    Followed by several lines like the following:

    fileperms,/,==,value-removed,>,value-removed,File Permissions for / (755 needed),Follow these permission recommendations for enhanced security. Too low of permissions may cause operational issues while too high of permissions may result in lessoned security.

    The values I removed are in fact correct, and what the plugin shows via the admin GUI interface. I am using the latest version (0.1.4) of the plugin.

    Can you tell me what should be in security.txt, then? Why would my installation have these values stored in security.txt? I wouldn't have thought to put them there, and looking at serverbuddy.php, it does account for security.txt, so I figure it must do something.

    Again, I'm not trying to put down you or anything you've done. I do appreciate the work you put into the plugin. I'm just trying to understand why the information is there.

  7. burvil
    Member
    Posted 13 years ago #

    Dustin,

    I went ahead and deleted the security.txt file, and the plugin seems to run OK. I also downloaded a fresh copy of the plugin, and noticed that the security.txt file was the same, i.e. had the same values, even before I installed it. So, does security.txt include simply suggested/recommended values? If anything, it seems to run OK without it.

    This is good to know, as I'll probably re-enable Serverbuddy for http://burvil.org again. I'll run it through some more tests on my test system.

  8. andrea_r
    Moderator
    Posted 13 years ago #

    Dustin said above:

    The definition text files just contain lists of tests and are of absolutely no security risk and contain NOTHING specific to your site.