• This is hands down the most irresponsible plugin ever developed for WordPress. PHP should not EVER be run from any frontend module. The point of server side code is that it runs ON THE SERVER, not from a browser. This should not even be available, because it has helped thousands of sites get hacked by malicious sources in the most convenient way possible to hackers.

    Let me explain for the uninitiated. PHP has access to EVERY SINGLE THING your site does. Your database, your WooCommerce accounts and payment gateway, any and all information in your site, your passwords, etc, etc. Using this plugin makes it child's play for anyone with even a tiny little bit of programming knowledge to steal anything and everything on your site. They can erase your entire site. They can steal money from your customers which you are legally liable to reimburse. They can hack any other sites on your host besides the one running this plugin. They can literally have a field day with everything accessible to any part of your server. DO NOT INSTALL THIS. If you can’t figure out how to use FTP and write a plugin properly, you should NOT BE WRITING PHP.

    Shame on the developer for submitting this, and also shame on anyone dumb enough to actually install it.

    Using this plugin entirely invalidates ALL other security you have in place. Your SSL is useless, Wordfence/Sucuri/etc is useless, your login is useless, your database password is useless, all of it may as well not even be there at all. Not only does this make everything on your site hackable, it also makes everything connected to your site hackable. Got social media accounts connected? Congratulations, those are getting hacked too. Got your Google calendar account connected? Yep, your gmail is also getting hacked, which means that all of your password resets to every other account you have can also be hacked, including your bank account, student loan account, etc. This is the digital equivalent of storing your life savings out in the street during a looting spree.

    • This topic was modified 6 years, 9 months ago by mopsyd.
Viewing 3 replies - 1 through 3 (of 3 total)
  • I had to stop and read this comment a couple of times. Frankly, it makes no sense at all. I can tell you are not a programmer, so why would you post something like this?

    You are correct that PHP runs on the server. However, your points seem to lead people (non-programmers) into thinking this plugin somehow makes it possible for this developer to make the PHP code run in the browser.

    This is nonsense. PHP cannot run in a web browser. PHP is an interpreted language. It is evaluated, compiled to an intermediate bytecode, and then interpreted by the runtime engine. This is all done on the server. It does not matter where or what page this is done in WordPress. Someone could create their own security hole with this plugin if they do not know what they are doing, but that is akin to saying knives cut people. Sure, they do if you do not handle it correctly, but it doesn’t make the knife inherently dangerous.

    Your review makes no sense. It is misleading and should be removed.

    FWIW – I do not even know this plugin’s developer.

    Probably the author of this review didn’t put it correctly into words but he is correct. The general idea of this plugin is bad. You shouldn’t expose another way for users to manipulate back-end code. We have enough exploits already.

    @furioussnail That sounds very … Apple, Inc. WordPress gives you a framework so you do not have to reinvent the wheel every time you stand up a website. This plugin gives you the option to add customization without hacking the WordPress code. For example, we have a licensing server that interacts with a WordPress plugin to expand some capabilities. We don’t use this plugin, but I wrote one that basically does the same thing.

    Where this can be a security issue is at what point in the WordPress evaluation this plugin does its thing. For giggles, I tested this plugin trying to submit something that would get evaluated from the front end. The developer has correctly applied the filters so it doesn’t happen.

    You are correct that plugins made by inexperienced developers can lead to exploits. This plugin is not one of them. And deciding that something like this is bad and should be avoided is like taking a horse because airplanes crash. Yeah, they do, but they are mostly pretty damn handy.
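
The reply above says the risk lies in where the plugin hooks into WordPress and that the developer "correctly applied the filters". The following is an added example, not code from the plugin or from anyone in this thread, showing the guard pattern a snippet-executing plugin needs: the snippet is accepted only from an authenticated administrator through a nonce-protected admin request, and only the stored, admin-saved copy is ever executed, never anything arriving from a front-end request. The option name and the `admin_post_` hook suffix are hypothetical.

```php
<?php
/*
 * Added example (not the plugin's own code). Demonstrates the two checks that
 * keep a stored-PHP feature from becoming an anonymous code-execution endpoint:
 * a capability check and a nonce check on the save path, and an execution path
 * that reads only the saved option. Names prefixed "hypothetical_" are made up.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

// Settings form shown only inside wp-admin; the nonce field ties the POST
// to this logged-in user's session.
add_action( 'admin_menu', function () {
    add_options_page( 'Snippet', 'Snippet', 'manage_options', 'hypothetical-snippet', function () {
        $code = get_option( 'hypothetical_php_snippet', '' );
        echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
        echo '<input type="hidden" name="action" value="hypothetical_save_snippet">';
        wp_nonce_field( 'hypothetical_save_snippet' );
        echo '<textarea name="snippet" rows="12" cols="80">' . esc_textarea( $code ) . '</textarea><br>';
        submit_button( 'Save' );
        echo '</form>';
    } );
} );

// Save handler: admin-post.php only dispatches "admin_post_*" for logged-in users;
// the nopriv variant is deliberately not registered, so anonymous requests get nothing.
add_action( 'admin_post_hypothetical_save_snippet', function () {
    // Capability check: only administrators may store executable code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: a forged cross-site POST from an admin's browser is rejected.
    check_admin_referer( 'hypothetical_save_snippet' );

    // The snippet is stored verbatim (it is code), but only an admin reaches this line.
    $code = isset( $_POST['snippet'] ) ? wp_unslash( $_POST['snippet'] ) : '';
    update_option( 'hypothetical_php_snippet', $code, false );

    wp_safe_redirect( admin_url( 'options-general.php?page=hypothetical-snippet' ) );
    exit;
} );

// Execution path: evaluates the saved option only. No request parameter
// ($_GET, $_POST, cookies) is ever passed to eval(), which is what prevents
// the "evaluated from the front end" scenario tested in the reply above.
add_action( 'init', function () {
    $code = get_option( 'hypothetical_php_snippet', '' );
    if ( ! is_string( $code ) || '' === $code ) {
        return;
    }
    eval( $code ); // Runs on the server, as all PHP does.
} );
```

The caveat a defender should keep in mind is that these checks bound the risk rather than remove it: any stored-PHP feature turns a compromised administrator account (phished password, CSRF against a missing nonce, a second vulnerable plugin) into direct code execution on the host, which is the same reason WordPress ships the `DISALLOW_FILE_EDIT` constant to switch off its built-in theme and plugin editor. Sites that do not need live-editable PHP lower their exposure by not installing such a feature at all; sites that do should confirm the capability and nonce checks are present before trusting it.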

  • The topic ‘Do not EVER install this entirely irresponsible plugin’ is closed to new replies.