Excellent idea

Hello Nick.
First of all, thanks for your review.
Could you please send me the Hacker demo plugin? This is just the first plugin version, I would like to improve it.
About restore or migration, I don’t know if leaving a manual solution (using phpmyadmin) or creating a removing solution (another plugin?). What about ?

My email is: [email protected]

• This reply was modified 7 years, 5 months ago by Pigrecolab.

Hello,

The version 1.1 blocks the attempt to create new admin by code.

I just sent you the hacker script to the email address you indicated above.

– Even with version 1.1 installed, my Hacker script was able to generate the new admin user without any resistance from this plugin, so no, version 1.1 does not block me from creating new admins by code.

– IMPORTANT: I did not have the time to look at the code, or test this idea, and I guess, we need to fix one thing at a time, and let’s assume that blocking the creation of new admins gets done, this plugin would still have a limitation that I would be able to bypass relatively very easily. Let me explain: I’m guessing that this plugin checks for the new users user role name, Administrator, and not the actual permissions this new user will have. It true, I would be able tho bypass this plugin very easily. I would be able to create a new user role in the database, give it some random name, like Goonigoogoo, and assign all the same permissions as an Administrator, thus rendering this plugin useless, once again. If asked, I have some vague ideas how to fix all this. This plugin is still very important, but still a lot of work must be done to get things right, and close down all the security holes that the WordPress environment leaves wide open, as far as this plugin is trying to accomplish anyway.

CORRECTION: The version 1.1 STOPS the creation of a new admin with code. The plugin was deactivated from the dashboard while testing, sorry for that. So my rating will go to 4 stars, and will end up with 5 stars if it can stop the creation of a user with a custom user role that has the same roles as an admin.

Hello Nick, thanks for your help in improving this plugin.
I tested your hacker script and it was blocked by version 1.1. If you remove the user table obfuscation, you can see that the new user has role “HACKER ATTEMPT” with no capabilities. IMPORTANT: TO SEE VERSION 1.1 IN ACTION YOU MUST DEACTIVATE THE BLOCK USING PASSWORD AND ACTIVATE THE BLOCK AGAIN AFTER UPGRADE.
On the other side, you’re right. On the next plugin version I’ll work on capabilities.
If you have tips, you’re welcome :), you can also send me an email, if you want.
I think till next version the plugin is still useful against old doorway…

You sir, are very impressive… sorry for my carelessness in testing version 1.1, I can now confirm that this plugin now works perfectly, however, as you admitted, I just tested this too, I can create a custom user role with admin capabilities, and bypass the restrictions set from this plugin.

Looking forward for the next version, and updating my review from 4 stars to 5. I am also very glad that I found somebody of understands this WordPress security issue, and is doing something about it. If only the core developers would pay some attention to this problem, WordPress would be a much, MUCH safer platform. I am not holding my breath on that, they live on another planet!