Description
Balada Fix protects your site from unauthenticated abuse of specific WordPress REST API endpoints. Such endpoints (for example the tagDiv theme’s wp-json/tdw/save_css) are often targeted by the “Balada Injector” and similar campaigns to inject malicious scripts.
- Add one or more REST path patterns in Settings Balada Fix (one per line).
- Only logged-in administrators with the
edit_theme_optionscapability can access those paths. - Unauthenticated or unauthorized requests receive a 403 Forbidden response.
Default protected path: tdw/save_css (tagDiv / Newspaper theme vulnerability).
Screenshots
Screenshot installed plugin
Installation
- Upload the plugin files to
/wp-content/plugins/balada-fix/, or install through WordPress Plugins Add New Upload. - Activate the plugin through the Plugins screen.
- Go to Settings Balada Fix to review or add blocked paths (one per line, e.g.
wp-json/tdw/save_cssortdw/save_css).
FAQ
-
Which paths should I add?
-
Add the REST path that is known to be vulnerable and should only be used by admins. Example:
tdw/save_cssfor the tagDiv Composer / Newspaper theme. You can use the full path likewp-json/tdw/save_cssor the short formtdw/save_css. -
Will this break my theme?
-
No. Legitimate use (when you are logged in as an administrator) continues to work. Only unauthenticated or non-admin access to the listed paths is blocked.
Contributors & Developers
“Balada Fix” is open source software. The following people have contributed to this plugin.
Contributors
Translate “Balada Fix” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.1.0
- Added Settings Balada Fix page to configure blocked paths.
- Support for multiple paths (one per line).
- Default path: tdw/save_css.
1.0.0
- Initial release. Blocked unauthenticated access to tdw/save_css.