44 Comments


  1. Wow. This looks like a slick plugin and a great method for adding an extra layer of security.

    At first read I was a bit thrown by the need for something like this as I would assume most WordPress Admins always have their phones available for two-factor authorization, but then I remembered the dangers of assuming ;)

    As WordPress continues to gain popularity around the world and keeps making its way to less experienced bloggers and publishers who may not be fortunate enough to even own a mobile phone, this seems like a great option.


  2. This plugin has been removed from the plugin directory due to security issues and the fact the plugin was harvesting personal information and phoning home with it.

    As a suggestion, I would quite like to see WP Tavern slow down a little bit with reviews of brand new plugins, so they get a chance to be reviewed by other developers for potential problems like this. This plugin was released only hours before this article was written, the author has no previous plugins in the directory, and the code was a complete mess. If WP Tavern had waited 24 hours before writing a review, then this situation wouldn’t have arisen.


    1. Thanks for your advice. I tested the plugin and thought it was very useful, but I guess it had code in it that phoned home, unfortunately. I think I assumed that since it had passed the WordPress.org plugin review process that the code wouldn’t be “a complete mess” as you say. In the future we’ll do better at waiting on newer plugins. Thanks, John, for your suggestion and for reading!


      1. Agreed Sarah, I too assumed that if a plugin passed the review process and was successfully listed in the repo, that these kinds of things would have been caught before it passed muster.


        1. Sometimes developers add things in after it’s already passed the review. I hope the plugin author fixes it soon, because this plugin really is a great idea.


      2. In general, assuming it’s fine (when brand new) because it passed our code review is completely fine, though due to the sheer number of plugins that get reviewed in the repository every week, this cannot be considered a hard-and-fast rule as it is easy for us to miss items. Also, just because it passes our review does not mean the plugin that is actually released on the repo is “clean”.

        In this particular plugin’s case, the plugin was soft rejected due to the issues and then later approved by someone other than the original reviewer because the issues cited in the soft rejection were fixed. Once approved, the plugin author submitted entirely different code than was reviewed. The only way to police that is to have the plugin get reviewed as it lives in the repo over time.


        1. Lesson learned! Sometimes I get too excited about a new plugin without giving it much time to breathe. But in some cases time doesn’t matter if the code was added after the fact. If it wasn’t for the review, perhaps the person who reported the security issue would never have noticed the plugin at all. Hopefully the plugin author will be amenable to the guidelines.

          1. Chris English

            Heck, I was just excited about this as well as was all ready to install it. Lol


        2. @pippin, would it make sense to have plugins be reviewed if the code changes by a certain percent? I can imagine that some folks might also target an old plugin for takeover, hoping that some sites still have it installed. Get permission to update an old plugin and all of a sudden you get 100 sites that are still running it under your control. If an automated process kicked out plugins that changed by a certain % over a certain amount of time it would certainly slow down this sort of thing. It might also make sense to flag plugins that use certain PHP or WordPress functions to catch code that phones home and the like…


          1. It’s a great idea in theory, but it wouldn’t have made any difference in this case because the code that is submitted for review doesn’t actually touch the repo. The first time the developer’s code touches the repo is when they submit their first version. We could theoretically compare version to version, but not review version to first version (automatically at least).


    2. Wow… I like that WP Tavern is on top of things and don’t slight Sarah or WP Tavern in the least. In a perfect world we would know all before writing about things. But in our world John that just doesn’t happen and things like this do. Great job Sarah… I love your enthusiasm. Don’t let one Debbie-Downer ruin that. This is how things are found out, fixed and made available again. Love the WP Tavern!


      1. But in our world John that just doesn’t happen and things like this do.

        I’m not quite sure what you mean by this, but you’ll note that I was providing a constructive suggestion on how to avoid this situation in the future, not being a “Debbie Downer”.

      2. Ted Clayton

        Yeah, me too on this …

        It’s cool & right that John Blackbourn has the chops & position to spot this issue, and step in to notify the community about it.

        But is the community-design & dynamic therefore out of kilter and needs changing, because somebody pulled a fast one (and not just on the Tav)? Not that I see.

        Mr. Blackbourn made a valuable contribution … but Sarah Gooding and Jeff Chandler are also making valuable contributions, every day.

        That WPTavern is fast on the draw with news & innovations, is part of what their proper role & dynamic is. Sometimes, they will miscue. Now & then, they get sucked … Just as we see the bigger WordPress organization getting bamboozled a little, here & there.

        We want WPTavern to be hot-on-it. And we want John Blackbourn to be watching over our shoulder, clearing his throat when he sees something amiss.

        For my money, the universe is unfolding as it should. We all did good, and we should all just carry on as we were.

  3. Ted Clayton

    This looks actually a little on the fun side.

    That is still allowed, isn’t it? Yeah, good. It can be a drag, doing passwords. Anything to lighten-up the drill is a help.

    Here’s hoping that the author can clean up those security-dings, double-scan those Guidelines, and get it back in for re-review, asap.

    1. Ted Clayton

      janwoostendorp said:

      Looks fun but I’m curious how long before it gets tedious.

      There’s certainly no shortage of volunteers, anxious to probe that tedium-threshold. ;)

      But verily, yesterday’s cute is sooo yesterday.

      I won’t be surprised, though, if the idea goes a bit viral, with a parade of novel & charming (ok; cute) permutations getting spun off it.


    2. I find Google Authenticator to be more tedious, but I think it’s just personal preference. Easier for me to just make a couple extra clicks on an image on the login form than to have to fire up the app on my phone and type in the verification code.


  4. Hi Sarah
    I think that you said the most important thing at the beginning of your post…

    “Experts who specialize in reversing hacked WordPress sites will generally tell you that the most important thing you can do is create a strong password.”

    A strong password and a long password.

    There are some good password generators out there so generating a strong long password is easy – a password manager is also essential these days and there are some good free ones.

    For extra protection to my login I use the WordPress Simple Firewall plugin, which allows you to add a GASP type check box to your login and to your comments.

    One thing I’ve never solved is how to hide the author username.
    If you click on the author’s name at the top of a post you are taken to the author’s archive and the author’s username is shown in the URL.

    If I click on your name Sarah I am taken to http://wptavern.com/author/sarah

    So I’m guessing that your username is sarah.

    Am I missing something on this one?


  5. Keith,
    Thinking that knowing the user id (name) is a security issue is a fallacy. User ids/names are not meant to be secret. Your user id on twitter/facebook/linkedin are all similarly discoverable.

    It does seem like knowing half of the equation would make it twice as easy to break in. But adding one more lowercase letter to your password makes it 26 times harder to crack. If you use a combination of upper/lower case letters, numbers, and special characters in your password (and you do, don’t you?), then adding just one more character makes it 95 times harder to crack.

    So stop worrying about user names and add an extra character or two to your password.


    1. Thanks for a great reply Mike
      “But adding one more lowercase letter to your password makes it 26 times harder to crack.”

      Makes perfect sense and I do “use a combination of upper/lower case letters, numbers, and special characters”

      I always looked at it from the “It does seem like knowing half of the equation would make it twice as easy to break in” point of view, which made me think that I was doing something wrong.

      Appreciate you taking the time to spell it out.


        1. Thanks John

          This section says it all…

          “It has been stated in previous tickets, “leaking” of the username is not deemed a security issue by WordPress.org, as it’s a conscious decision to use the username as the slug in the URL. If you don’t like this default behaviour, there are plugins in the repository which allow you to change the url format to your preferred layout.

          Instead of attempting to provide security by forcing people to guess your username (Which btw, is incredibly easy in most cases, as people are not that inventive) you should be focusing on improving passwords, and/or considering 2 factor authentication (ie. Google Authenticator) if your passwords are known to be insecure/weak.”

          Appreciate the help guys.


      1. If you’re really worried about this, use two accounts. One to post articles, etc. with, and one to manage the site. The admin account can have a secure, hidden username and the public author-based one will not have permissions at a high enough level to do a lot of damage to your site. In fact you can even do this and never log in as the lower level user at all, just set the author of the post to your secondary user account.


  6. Whoops!

    We couldn’t find that plugin.

    Where can I download this plugin?


  7. Maybe you edit the post and state that this plugin is removed/soft rejected or whatever? Since this plugin had a bad startup, I doubt that I’ll use it ever.

  8. Chris English

    Maybe another developer will build on this idea without having to add code that could potentially be malicious.


  9. Sarah, this plugin isn’t in the WP repository anymore… do you know why?

    I want to try it, it looks promising.


  10. Sorry, I refreshed the comments right now and I already know what happened. Hope the developer fixes that.


  11. I confirm that on 21/03 this plugin is no longer available on WordPress.org.
    Any idea of the reason?

    1. Ted Clayton

      Yes; the plugin turned out to have problems.

      The details are in the comments above.


  12. I really think you should update your article. This article is showing in the News section of the wordpress dashboard. People like me are running over here and reading it. Then people like me may be trying to download it. The comments to this article are actually more helpful than the article itself. A huge lesson learned can be gained from reading the comments. ARTICLE SHOULD BE UPDATED TO REFLECT THOSE LESSONS!


  13. Awesome plugin idea. Really wish it were available. If the author doesn’t get his act together and fix the problems someone else should implement it the right way.


  14. Just an update – the author has fixed it up and re-submitted it for review. Should be available again shortly.

    1. Chris English

      The question now is, “Will we trust anything from this author again?” Maybe you could interview him and find out what his story is.


      1. It could be that he was unaware of the guidelines but I’d have to verify with him. I’ll ask him to comment over here.

  15. Piter

    The plugin is re-approved and published again.
