Bad practice…

  • websols

    (@websols)


    3 months, 2 weeks ago

    This plugin uses it’s own alternative authentication method for the WP-JSON API instead of the native application passwords provided by core WP or more secure alternatives explained in the WordPress developer docs.

    After examining the code a bit further to find out why the authentication always returned a 401 in our setup, we’ve discovered it tries to login and run it’s code as the first (random) administrator account it can find in the database.

    Just terrible…

    • This topic was modified 3 months, 2 weeks ago by websols.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Gisela Bravo

    (@giselabrc)

    1 month, 3 weeks ago

    Could you provide how do you solved the 401 error?

    Thread Starter websols

    (@websols)

    1 month, 3 weeks ago

    @giselabrc We didn’t really solve it, we convinced our client to use better software. Otherwise we needed to disable some of our basic security-measures like hiding administrators and the administrator role for non-admins (using pre_user_query and editable_roles filters) and allowlist the make ip-adresses in Wordfence (Wordfence also didn’t like the requests)

    • This reply was modified 1 month, 3 weeks ago by websols.
Viewing 2 replies - 1 through 2 (of 2 total)
  • You must be logged in to reply to this review.