Secure WordPress

Add a Good Security Point With 3 Hooks

After WordCamp Paris 2014, I'm back to share a tip based on forcing some options to fixed values, because they can become malicious:

Force the admin email address

Force this value with a hardcoded one, and you'll be sure to always receive the important emails related to WordPress.

Force the non-registering possibility

With the same idea, if I leave this option unchecked, it is because my website does not and will not accept members.

Force the default new user role

Sincerely, between us, who will use “Administrator”? I don't even understand why this choice is possible. So I set it to “Subscriber”, and if I want one of my members to become Admin, I'll do it manually.

For all that, a simple piece of code with 3 hooks:

Copy/paste this code into a PHP file of your own, then put it in the “/wp-content/mu-plugins” folder; create it if it doesn't exist. Do not forget to change the default URL in the plugin.

<?php
/*
Plugin Name: Force absolute values for security
Author: Julio Potier
*/

// Force the admin email address
add_filter( 'option_admin_email', '_option_admin_email' );
function _option_admin_email( $value ) {
	return ''; // value to change
}

// Force registration to be impossible
add_filter( 'pre_option_users_can_register', '_option_users_can_register' );
function _option_users_can_register( $value ) {
	return '0';
}

// Force the default role to "Subscriber"
add_filter( 'pre_option_default_role', 'baw_option_default_role' );
function baw_option_default_role( $value ) {
	return 'subscriber';
}

Malicious, how?

What if, for example, you or your clients have a theme which contains a security flaw? This flaw can lead to a “whatever the option, I can update it” situation (I already saw this). The flaw permits a simple user to modify any WP option! The hacker can touch the code as he needs, like the 3 above.
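An added example, not part of the original post or the author's plugin: the three filters only change what WordPress reads, so this companion mu-plugin also refuses writes made through update_option() and logs when the stored rows no longer match the forced values. The demo_ function names, the log prefix and admin@example.com are assumptions.

```php
<?php
/*
Plugin Name: Audit forced options (added example)
*/

// Assumed expected values; admin@example.com is a placeholder, use your own.
function demo_forced_options() {
	return array(
		'admin_email'        => 'admin@example.com',
		'users_can_register' => '0',
		'default_role'       => 'subscriber',
	);
}

// Refuse writes through update_option(): returning the old value makes
// update_option() skip the database write. Log the attempt for review.
// The attempted value is deliberately not logged (it is untrusted input).
function demo_block_forced_update( $value, $old_value, $option ) {
	if ( $value !== $old_value ) {
		error_log( sprintf(
			'[forced-options] blocked update of %s (user id %d)',
			$option,
			get_current_user_id()
		) );
	}
	return $old_value;
}
foreach ( array_keys( demo_forced_options() ) as $demo_name ) {
	add_filter( 'pre_update_option_' . $demo_name, 'demo_block_forced_update', 10, 3 );
}

// The read filters hide what is really stored, so compare the raw rows
// with the expected values and log any drift (e.g. a direct SQL write).
function demo_audit_forced_options() {
	global $wpdb;
	foreach ( demo_forced_options() as $name => $expected ) {
		$stored = $wpdb->get_var( $wpdb->prepare(
			"SELECT option_value FROM {$wpdb->options} WHERE option_name = %s",
			$name
		) );
		if ( null !== $stored && $stored !== $expected ) {
			error_log( sprintf( '[forced-options] stored %s differs from forced value', $name ) );
		}
	}
}
add_action( 'admin_init', 'demo_audit_forced_options' );
```

A logged drift means something wrote to the options table outside update_option(), which is worth investigating even though the forced values keep the site behaving correctly.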

I count on you to put this tip in place!