Secure WordPress

Add a Good Security Point With 3 Hooks

Blog Secure WordPress Add a Good Security Point With 3 Hooks
0 comments

After the WordCamp Paris 2014, i’m back to share a tip based on fact to force some options on some values, they can become malicious:

Force the admin email address

Force this value with a hardcoded one, you’ll be sur to always receive important emails in relation with WordPress.

Force the non-registering possibility

With the same idea, if i let this option unchecked  is because my website do not and will not accept members.

Force the default new user role

Sincerely, between us, who’ll use the “Adminitrator” ? I don’t event understand with this choice is possible ? So i set it on “Subscriber” and if i want that on of my members became Admin, i’ll do it manually.

Pour tout ça, un simple code de 3 hooks :

Copy/paste this code in a php file of your, then put it in the “/wp-content/mu-plugins” folder, create it og it doesn’t exists. Do not forget to change the default URL in the plugin.

<?php
/*
Plugin Name: Forcer des valeurs absolues par sécurité
Author: Julio Potier
AuthorURI: http://boiteaweb.fr
*/

// Forcer l'adresse email admin
add_filter( 'option_admin_email', '_option_admin_email' );
function _option_admin_email( $value ) {
	return 'votre@email.fr'; // valeur à modifier
}

// Forcer l'impossibilité de s'inscrire
add_filter( 'pre_option_users_can_register', '_option_users_can_register' );
function _option_users_can_register( $value ) {
    return '0';
}

// Forcer le rôle par défaut sur "Abonné"
add_filter( 'pre_option_default_role', 'baw_option_default_role' );
function baw_option_default_role( $value ) {
    return 'subscriber';
}
Force options view raw

Malicious, how ?

And if, by example you or your clients have a theme whicj contains a security flaw. This flaw can lead on a “what ever option i can update it”? (I already saw this) The flaw pemit a simple user to modifiy any WP Options ! The hacker can touch the code as he needs, comme les 3 ci-dessus.

I count on you to put this tip in place!

About Julio Potier All of Julio Potier's posts

Creator of SecuPress and the LearnWPSecurity Training, Julio is also lead organisator of WordCamp Lille.
Compulsive speaker, Senior Trainer and WordPress Engineer, he's a specialist in security since 2002 and contribute to WordPress various ways.

This might interest you too

0 comments