Changeset 722992

Timestamp:

06/05/2013 08:42:02 AM (13 years ago)

Author:

planetzuda

Message:

Please read this! The XMLRPC is not off on any current version of this plugin. Code passed around wordpress that is supposed to turn it off, doesn't actually work. If we find a way to disable it, we will add it to an update. We removed the xmlrpc disable feature in this version and updated the readme.txt.

Location:

disable-insecure-features/trunk

Files:

• functions.php (modified) (5 diffs)
• readme.txt (modified) (3 diffs)

disable-insecure-features/trunk/functions.php

@@ -2 +2 @@
 /*
 Plugin Name: disable insecure features
-Plugin URI: http://www.planetzuda.com/news/
-Description: This disables pingbacks on previously published posts and pages, disables the xmlrpc, hides the readme.html, license.txt and fixes wp-config.php and .htaccess permissions so hackers can't modify them. 
-Version: 0.3
+Plugin URI: http://www.planetzuda.com/news/plugins/
+Description: This automatically disables pingbacks on old posts and pages, not new ones. This locks down htaccess, hides readme.html, and other files. Credit to Shivanand Sharma from http://binaryturf.com for  SQL statements to disable old post pingbacks.  Version 0.1 through 0.3 said xmlrpc was turned off. We discovered with the help from tw2113 that the WordPress code that claims it disables the xmlrpc, doesn't disable it. This means the plugin disable xmlrpc is useless. We are working to see if there is a way to disable the xmlrpc via plugin. 
+Version: 0.4
 Author: Planet Zuda, LLC
-Author URI: http://www.planetzuda.com/news/plugins/
+Author URI: http://www.planetzuda.com/news/
 License: GPLv2
 */
@@ -46 +46 @@
 add_action('admin_menu','swph_setup');
 
-function no_more_xmlrpc()
-{
-add_filter( 'xmlrpc_enabled', '__return_false' ); //
-}
-function swph_xmlrpc()
-{
-add_filter( 'xmlrpc_enabled', '__return_true' );
-}
 
 
 function swph_auto_disabled_features()
 {
+
+    
 // the following turns off pingbacks for already published posts and pages
 global $wpdb;
+
 $wpdb->query("UPDATE $wpdb->posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'post';");
 $wpdb->query("UPDATE $wpdb->posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'page';");
-// this will lock down the readme.html so hackers can't see it.
 
-// the rest is by us. All chmod files will be moved to the .htaccess in the future.
+//thank you to http://wordpress.stackexchange.com/questions/78780/xmlrpc-enabled-filter-not-called for this answer and tw2113 for helping out in the wordpress IRC. This may be implemented in the future.
 
-$swph_readme = ABSPATH . 'readme.html';
+$swph_readme = ABSPATH . 'readme.html'; // you don't want people to see what version of WordPress you're running.
 if(file_exists($swph_readme))
 {
-chmod($swph_readme,0600);
+chmod($swph_readme,0600); // makes it seem like the file doesn't exist for users who look for it. 
 }
 
@@ -84 +78 @@
 chmod($swph_config,0600);
 }
+
 // lock down the .htaccess so hackers can't write to it via bad permissions.
 $swph_access = ABSPATH . '.htaccess';
@@ -90 +85 @@
 chmod($swph_access,0644);
 }
-else
-{
-?>
- you moved your wp-config file, so we can't secure it. Sorry.
-<?php
-}
-/*
-botme needs a lot more work before it is auto enabled.
-*/
-}
-
+} // closes function 
 register_activation_hook(__FILE__,'swph_auto_disabled_features');
-function botme()
-{
-$bot = WP_PLUGIN_DIR . '/disable-insecure-features/robots.txt';
-$newbot =  ABSPATH . 'robots.txt';
-if(file_exists($newbot))
-{
-copy($bot,$newbot);
-chmod($newbot,0644);
-}
-else
-{
-fopen($newbot,"a+");
-fclose($newbot,"a+");
-copy($bot,$newbot);
-chmod($newbot,0644);
-}
-} // closes botme()
 
 
@@ -124 +92 @@
 {
 // settings page put all variables up here to make it clean then generate the form.
-$swph_url = get_bloginfo('url'); // straight-forward
-$swph_on  = swph_xmlrpc(); // turns the xmlrpc on. Not a good idea, but a few people need it.
-if($swph_on)
-register_activation_hook(__FILE__,'swph_xmlrpc');
-?>
-<br />
-<input type="radio" value="<?php swph_disable_xmlrpc(); echo 'disabled' // make sure this works before releasing it. Test it with a xmlrpc program. ?> turn off xmlrpc"> Turn off XMLRPC 
-<input type="submit" value="Submit">
-<?php
-if(!$swph_on)
-register_activation_hook(__FILE__,'swph_disable_xmlrpc');
-?>
-
-<input type="radio" value="<?php $swph_on; echo 'enabled'; // make sure this works before releasing it. Test it with a xmlrpc program. ?> turn on xmlrpc "> Turn on XMLRPC 
-<input type="submit" value="Submit">
-<?php 
-
-?>
-Please go to <a href="<?php echo $swph_url; ?>/wp-admin/options-discussion.php"> settings->discussion </a> and uncheck the box next to the words that say "Allow link notifications from other blogs (pingbacks and trackbacks)"
- <br /> then click save changes. This will disable any pingbacks for future posts and pages. This plugin automatically disables pingbacks for posts and pages already published. It also disables the xmlrpc.<br />
- This is important since hackers are abusing these features to hack other sites. <br />
- A future update will let you turn pingbacks on for old posts and pages and re-enable the xmlrpc, even though we really don't recommend it.
+ 
+?>      
+ Disable pingbacks for future posts by going to <a href="<?php $swph_url; ?>/wp-admin/options-discussion.php"> settings->discussion </a> and uncheck the box that say "Allow link notifications from other blogs (pingbacks and trackbacks)"
+ <br /> 
 <?php
 }
-
-function swph_disable_xmlrpc()
-{
-add_filter( 'xmlrpc_enabled', 'no_more_xmlrpc' );
-}
+?>

disable-insecure-features/trunk/readme.txt

@@ -3 +3 @@
 Contributors: Planet Zuda, LLC
 Tags: comments, spam, hacking, security,wordpress security, readme, htaccess, license, remove version, version, wp-config, 
-Requires at least: 3.0.1
+Requires at least: 3.0
 Tested up to: 3.5.1
 Stable tag: 3.5.1
@@ -11 +11 @@
 == Description ==
 
-This disables pingbacks on previously published posts and pages, disables the xmlrpc, hides the readme.html, license.txt and fixes wp-config.php and .htaccess permissions so hackers can't modify them. 
+This disables pingbacks on previously published posts and pages,hides the readme.html, license.txt and fixes wp-config.php and .htaccess permissions so hackers can't modify them. 
 == Installation ==
-
-1. Upload the disable-insecure-features directory to the `/wp-content/plugins/` directory in your WordPress installation
-2. Activate the plugin through the 'Plugins' menu in WordPress
-3. Pingbacks for previously published posts and pages are disabled and so is the XML-RPC!
+1. Go to your WordPress admin dashboard and go to  plugins > add new and then type disable insecure features. Our plugin will come up.
+   click install now and then hit activate now.
+   2. You are now more secure.
+   
 == Credits ==
-We would like to give credit where credit is due. We would like to thank Shivanand Sharma from http://binaryturf.com for his article on disabling pingbacks from previously published posts and pages. The disabling feature of the xml-rpc is from the disable xml-rpc plugin, so they also deserve credit.  
+We would like to give credit where credit is due. We would like to thank Shivanand Sharma from http://binaryturf.com for his article on disabling pingbacks from previously published posts and pages. 
 == Frequently Asked Questions ==
 
@@ -34 +34 @@
 = Will the readme.html, license.txt, wp-config.php, .htaccess or any other file reset to insecure permissions if I delete this plugin? =
 No. 
+= Does this plugin disable the XMLRPC?
+No. Code has been passed around WordPress claiming that it disables the XMLRPC and there is even a plugin called disable xmlrpc using that code, but it doesn't work
+= Will you be disabling the xmlrpc in the future?
+Hopefully. We are looking into how we can turn it off via the plugin. 
+= I don't want pingbacks turned off for future posts. WIll this plugin do that?
+Whenever you update the core or reactivate the plugin your pingbacks for all published posts and pages will be turned off. 
 == Changelog ==
+=0.4=
+We discovered that the code everyone is using to disable the xmlrpc for 3.5 and up isn't disabling the xmlrpc, so we've removed that feature. We hope to actually disable the xmlrpc if at all possible.
+= 0.3 =
+changes permissions for readme.html, license.txt, and .htaccess. It makes it so readme.html and license.txt can't be accessed by visitors. It makes sure .htaccess has the appropiate permissions.
 
 = 0.2 =