Fix “sslverify=false” for Pro Plugin / Theme Updates

This is a pet peeve of mine – some plugin and theme authors (to make their lives easier) set “sslverify = false” in their Pro / Premium version update checks and/or other HTTP requests. That setting turns off TLS certificate verification, so the update download or API call will happily talk to anyone who can intercept the connection.

Luckily, a few security and error-checking plugins, such as Query Monitor, will show a warning whenever the WordPress wp_remote_get() function is called with “sslverify = false”. To make sure this never happens on your site, add the following filters to your theme's functions.php file.

// Force certificate verification for every request that goes through the WordPress HTTP API.
// PHP_INT_MAX priority makes these run last, after any plugin filter that tried to disable it.
add_filter( 'https_ssl_verify', '__return_true', PHP_INT_MAX );
add_filter( 'http_request_args', 'http_request_force_ssl_verify', PHP_INT_MAX );

function http_request_force_ssl_verify( $args ) {
        // Override any 'sslverify' => false that a plugin or theme passed to wp_remote_get() & co.
        $args['sslverify'] = true;
        return $args;
}

Secure Vulnerable WordPress Files and Directories

Recently Jason A. Donenfeld reported a simple vulnerability in W3 Total Cache on the Full Disclosure mailing list, which was picked up by the Security Ledger website, and then posted on Slashdot. The vulnerability is a simple Apache Httpd configuration oversight — plugins often create their own folders under ./wordpress/wp-content/ without considering that directory indexing might be turned on, or that files within that folder are located under a DocumentRoot, and thus available to anyone. Some configuration files are also vulnerable in this way — the wp-config.php file, for example. During the WordPress install, it is recommended that the wp-config.php be re-located one folder above ./wordpress/, to move it out of the DocumentRoot.
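As an added example (not from the original post), here is an Apache .htaccess for the WordPress DocumentRoot that addresses both oversights described above. It assumes the file sits in ./wordpress/, that the server's AllowOverride permits Options and access-control directives, and the file extensions in the last block are my own guess at what a plugin's working folder commonly holds.

```apache
# .htaccess placed in the WordPress DocumentRoot (./wordpress/).
# Needs AllowOverride Options and AllowOverride Limit (or AuthConfig) from the
# server configuration; otherwise put the same directives in a <Directory>
# block in httpd.conf.

# 1. Never list a directory that has no index file. This closes the hole
#    described above for every plugin folder under wp-content/, including
#    folders created after this file was written.
Options -Indexes

# 2. Refuse direct requests for wp-config.php. This protects a copy left in
#    the DocumentRoot if it could not be moved one level above ./wordpress/
#    (WordPress looks for it in the parent directory automatically).
<Files "wp-config.php">
    # Apache 2.4 syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 syntax.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>

# 3. Plugin working directories (caches, logs, exports) hold data, not pages.
#    Extensions are an assumption; adjust to what your plugins actually write.
<FilesMatch "\.(log|sql|bak|old|orig|ini)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

After deploying, request a plugin folder URL and wp-config.php from a browser: both should return 403 rather than a listing or a file.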
