How to Prevent Changes to Plugins, Themes, and WordPress Core Files


This is a common question I get from folks in the WordPress community: how can I “lock things down” and prevent any changes to plugins, themes, and WordPress core files? For example, how to prevent any themes and/or plugins from being updated or deleted, and how to prevent any new plugins from being installed. This is useful for certain projects where it’s necessary to lock a website to a static version. Fortunately, WordPress makes this super easy with a couple of PHP constants. Let’s take a quick look.

Prevent Changes via File Editor

Did you know that WordPress provides a Plugin File Editor and Theme File Editor in the WP Admin Area? You can find them here:

  • Under the Appearance menu ▸ Theme File Editor
  • Under the Plugins menu ▸ Plugin File Editor

These tools enable admins to make changes to any plugin or theme files. Huge convenience for those that need it. For those that don’t, you can disable any changes via the file editors by adding the following line to your site’s wp-config.php file, which resides in the root WordPress directory:

// disable file changes via plugin and theme editors
define('DISALLOW_FILE_EDIT', true);

Once this line is included in the site’s configuration file, all file-editing via the Admin Area will be disabled. No menu items, no editing, nada. It’s another layer of security that effectively minimizes your site’s attack surface, so sensitive plugin and theme files cannot be modified from the Admin Area by any user, including admins. This helps to protect against any changes that could compromise or crash your site.

Note: As explained at WordPress.org, disabling the file editors via the DISALLOW_FILE_EDIT constant may affect any plugins that check for sufficient capabilities using current_user_can('edit_plugins'). Plugins should check if the constant is set, and if so display an appropriate error message.

Prevent All Changes via Admin Area

While the previous technique disables changes to plugins and themes via the file editors, this next technique prevents all changes to any files from inside the Admin Area. This includes:

  • Updating, deleting, installing plugins
  • Updating, deleting, installing themes
  • Updating the WordPress core files

It also includes changes made via the plugin and theme file editors. Basically this technique staticizes a site to its current version. So if that sounds like you, here is the magic code to lock it down:

// disable all changes to all files via admin area
define('DISALLOW_FILE_MODS', true);

Once this line is included in the site’s configuration file, all changes (installing, updating, deleting) to plugins and themes will be disabled. Note that the above line also disables updates to the WordPress core files, so trying to update WordPress via Dashboard ▸ Updates will not work.

Of course, it is always possible for changes to be made directly on the server via SFTP or a similar method. But any file changes from within the Admin Area will be disabled completely.

Note: As mentioned, the above line disables all changes from anywhere within the Admin Area, including the file editors. So you do not need to set both DISALLOW_FILE_MODS and DISALLOW_FILE_EDIT. Just including DISALLOW_FILE_MODS takes care of everything.

Note: Be careful when adding DISALLOW_FILE_MODS to your site’s wp-config.php file. WordPress needs to be able to make changes in order to keep plugins, themes, and core files current via updates. So only disable changes if you are 100% certain that you don’t want any updates on your WordPress site.
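To make the lockdown auditable and repeatable, here is an added shell example (not from the original article) that reports the state of both constants in a wp-config.php and adds DISALLOW_FILE_MODS only when it is absent, inserting it before the “That's all, stop editing!” marker so it is defined before wp-settings.php loads. The sample wp-config.php it writes and the temporary paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: audit wp-config.php for the two
# lockdown constants and add DISALLOW_FILE_MODS idempotently, inserting it before
# the "That's all, stop editing!" marker so it is defined before wp-settings.php
# loads (a define placed after that require is too late to take effect).

# wp_constant_state FILE NAME -> prints "true", "false" or "unset"
wp_constant_state() {
    _val=$(grep -E "^[[:space:]]*define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*(true|false)[[:space:]]*\)" "$1" |
        sed -E 's/.*,[[:space:]]*(true|false)[[:space:]]*\).*/\1/' | tail -n 1)
    printf '%s\n' "${_val:-unset}"
}

# wp_lock_file_mods FILE -> adds define('DISALLOW_FILE_MODS', true);
# returns 1 if already defined (file untouched), 2 if the marker is missing
wp_lock_file_mods() {
    if grep -qE "define\([[:space:]]*['\"]DISALLOW_FILE_MODS['\"]" "$1"; then
        echo "DISALLOW_FILE_MODS already defined in $1; leaving it alone" >&2
        return 1
    fi
    grep -q "That's all, stop editing" "$1" || return 2
    awk -v marker="That's all, stop editing" \
        -v comment="// disable all changes to all files via admin area" \
        -v line="define('DISALLOW_FILE_MODS', true);" \
        'index($0, marker) && !done { print comment; print line; print ""; done = 1 } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# make_sample_config FILE -> writes a constructed wp-config.php for the demo
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
// constructed sample wp-config.php (not a real site's configuration)
define('DB_NAME', 'example_db');
define('DISALLOW_FILE_EDIT', true);

/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Demo run against a throwaway copy
demo_dir=$(mktemp -d) && make_sample_config "$demo_dir/wp-config.php"
wp_lock_file_mods "$demo_dir/wp-config.php"
echo "DISALLOW_FILE_EDIT: $(wp_constant_state "$demo_dir/wp-config.php" DISALLOW_FILE_EDIT)"
echo "DISALLOW_FILE_MODS: $(wp_constant_state "$demo_dir/wp-config.php" DISALLOW_FILE_MODS)"
```

Running it a second time against the same file reports the constant as already defined and leaves the file untouched.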

Proactively Protect Against WordPress Vulnerabilities


Without a doubt, WordPress remains the most popular content management platform in the world, powering over 43% of websites worldwide. Given its immense popularity and the number of businesses running on the WP platform, it’s no surprise that a WP website is a common target for cyberattacks. Have you done everything in your power to […]

The post Proactively Protect Against WordPress Vulnerabilities appeared first on WPExplorer.

iThemes Patches Vulnerability in BackupBuddy, Wordfence Tracks 5 Million Exploit Attempts


BackupBuddy, a commercial plugin from iThemes that performs scheduled backups with remote storage options, has patched a vulnerability that allowed for arbitrary file download by unauthenticated users. iThemes published an advisory for its users, indicating that the vulnerability affects versions 8.5.8.0 through 8.7.4.1 and is being actively exploited.

Wordfence reviewed its data and found that attackers began targeting this vulnerability on August 26, 2022. The company has blocked nearly 5 million attacks targeting the vulnerability since that time.

Wordfence found that the method BackupBuddy used to download locally stored files was insecurely implemented, making it possible for unauthenticated users to download any file stored on the server.

“Due to this vulnerability being actively exploited, and its ease of exploitation, we are sharing minimal details about this vulnerability,” Wordfence threat analyst Chloe Chamberland said.

Wordfence found the majority of the attacks are attempting to read sensitive files, including the following:

  • /etc/passwd
  • /wp-config.php
  • .my.cnf
  • .accesshash

iThemes published specific indicators of compromise and detailed steps to detect if a site was attacked. The company outlined additional steps for sites that have been compromised.

All BackupBuddy users are advised to update to the patched version 8.7.5. iThemes made it available to all users, regardless of their current BackupBuddy licensing status, due to the severity of the vulnerability.

WordPress To Drop Security Updates for Versions 3.7 Through 4.0 by December, 2022


WordPress’ Security Team announced it will be dropping support for versions 3.7 through 4.0 on December 1, 2022. To give some context for how old these versions are, in 2013, WordPress 3.7 introduced automatic background updates and 3.8 updated the admin with a new design based on the MP6 plugin.

WordPress’ official policy is that the security team only provides support for the most recent version, but as a courtesy has extended backporting security fixes to older versions that are able to receive automatic updates.

“Until now, these courtesy backports have included all versions of WordPress supporting automatic updates,” 10up-sponsored Security Team member Peter Wilson said. “Versions WordPress 3.7 – 4.0 have reached levels of usage, namely less than 1% of total installs, where the benefit of providing these updates is outweighed by the effort involved.”

More than half of all WordPress sites are on the latest version – 6.0+ (54.3%), and security updates will still be available to more than 99% of sites on older versions after this change. Wilson said the decision to drop support for 3.7 through 4.0 was based on the information reported on the statistics page.

WordPress version stats – 9/7/2022

“The effect of this imbalance means that the Security team spends most of the time preparing backports for the vast minority of WordPress installations,” Wilson said. “By dropping support for these older versions, the newer versions of WordPress will become more secure as more time can be focused on their needs.”

Over the next three months, versions 4.0 and older will receive their final updates and will also display a non-dismissible notice in the dashboard, advising users to upgrade to the latest version as their sites will no longer receive security updates.

Spot the Difference: WordPress Security Threat, Vulnerability or Risk


You’ve probably heard the term “cyber threat” used more than once in the context of cybersecurity. What you may not know, however, is that the term “threat” is often mistakenly used to refer to other risks to cybersecurity, such as vulnerabilities. Although these three terms may seem to mean the same thing, they each have […]

The post Spot the Difference: WordPress Security Threat, Vulnerability or Risk appeared first on WPExplorer.

How to Protect Against WordPress Zero-Day Attacks


When it comes to cyber security, what you don’t know can hurt you. This is exactly the case with zero-day vulnerabilities and zero-day attacks. The repercussions of not taking your security seriously can be devastating to you and your business. Fortunately, the best weapon you have in your arsenal against malicious hackers and security threats […]

The post How to Protect Against WordPress Zero-Day Attacks appeared first on WPExplorer.

Win Your War Against Hackers and Secure Your Network

"Security is always going to be a cat and mouse game because there'll be people out there that are hunting for the zero day award, you have people that don't have configuration management, don't have vulnerability management, don't have patch management." - Kevin Mitnick (American Businessman)

Work culture has changed a lot recently. The ability to work from anywhere and at any time has become comfortable for employees, which in turn has made things easier for hackers too. These days, sites are being bombarded by attacks from groups of hackers who later claim responsibility for the incident and make demands. There are a few pain points where hackers typically start.

Let's look into those vulnerable spots one by one.

How Technology Kept Consumers Safe in 2021


There’s no denying that consumers want credible, relevant, current, and easy-to-understand information in order to make the right purchase decisions that reflect their particular preferences. In the age of information overload, probably what we need most right now is better consumer information. Price comparison websites, for example, have made a huge difference in making it much easier for customers to evaluate different offers and make the best purchasing decision.

In recent years, the consumer credit industry has seen an increase in the number of new suppliers and types of consumer credit. Not knowing how online platforms work and the new types of credit arrangements can swiftly put consumers at a significant disadvantage.

Google’s New Ad Tracking Tech FLoC and WordPress


Google announced that it would no longer support third-party cookies and has now come out with its own alternative ad tracking technology: FLoC. In the wake of third-party cookies, a type of tracker that reports consumer activity across websites to create personalized ads and improve user experiences, there is significant interest in creating alternative tracking […]

The post Google’s New Ad Tracking Tech FLoC and WordPress appeared first on WPExplorer.

Certificates for Internal Servers


I often get the question from customers "How do I make a browser trust my internal Intranet web server". Is it possible to use trusted certificates for Intranet servers? The short answer is yes. It is possible, and I'll show you two ways this can be solved. But what exactly is an Intranet server?

What Is an Intranet Server?

An Intranet (internal) server is one that runs on a private (home/business) network with a non-public IP address -- that is, any IPv4 address in the RFC 1918 private blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and any IPv6 address in the RFC 4193 unique local address range.

How to Fix the Deceptive Site Ahead Google Warning


While surfing the web, you might have observed a Google warning message reading “Deceptive site ahead”. Whenever Google recognizes a website as exposing personal user information, it flags that website as “Deceptive”. The deceptive site warning has a strongly negative impact on the website. It may even lead to a sudden loss of user traffic, […]

The post How to Fix the Deceptive Site Ahead Google Warning appeared first on WPExplorer.

How to Prevent WordPress File Upload Vulnerabilities


Even the smallest of vulnerabilities on your WordPress site can be easily exploited by hackers and used to hijack your entire website. This can cause severe damage through the actions of stealing data, sending spam, or even defacing pages. That’s also not to mention that you risk having your site blacklisted by Google if it’s […]

The post How to Prevent WordPress File Upload Vulnerabilities appeared first on WPExplorer.