• Resolved rfollett

    (@rfollett)


    Warnings:
    * Modified plugin file: wp-content/plugins/updraftplus/templates/wp-admin/settings/upload-backups-modal.php

    file looks like this – good file?

    <?php if (!defined('UPDRAFTPLUS_DIR')) die('No direct access allowed'); ?>

    <div id="updraft-upload-modal" title="UpdraftPlus - <?php _e('Upload backup', 'updraftplus');?>">
    <p><?php _e("Select the remote storage destinations you want to upload this backup set to", 'updraftplus');?>:</p>
    <form id="updraft_upload_form" method="post">
    <fieldset>
    <input type="hidden" name="backup_timestamp" value="0" id="updraft_upload_timestamp">
    <input type="hidden" name="backup_nonce" value="0" id="updraft_upload_nonce">

    <?php
    global $updraftplus;

    $service = $updraftplus->just_one($updraftplus->get_canonical_service_list());

    foreach ($service as $key => $value) {
    echo '<input class="updraft_remote_storage_destination" id="updraft_remote_'.$value.'" checked="checked" type="checkbox" name="updraft_remote_storage_destination_'. $value . '" value="'.$value.'"> <label for="updraft_remote_'.$value.'">'.$updraftplus->backup_methods[$value].'</label><br>';
    }
    ?>
    </fieldset>
    </form>
    <p id="updraft-upload-modal-error"></p>
    </div>

Viewing 6 replies - 1 through 6 (of 6 total)
  • I am getting the same flag from Wordfence. Says this file: wp-content/plugins/updraftplus/templates/wp-admin/settings/upload-backups-modal.php has been modified from what is in the WP repository for the plugin. When I reviewed the file in the current plugin download, what I have is the same, not what Wordfence is showing.

    What is correct? Wordfence or what I have?

    Plugin Contributor DNutbourne

    (@dnutbourne)

    Hi,

    Apologies for the confusion.

    A fix for a small issue in the latest release was pushed without the version number being updated.
    Wordfence and other security plugins can flag these changes as suspicious. The warnings can be ignored in this case.

    We have a more extensive explanation of why this can occur here:
    https://updraftplus.com/faqs/wordfence-warning-files-inside-updraftplus-changed/

    I got the same error.

    It’s always unsettling to find out about an update through Wordfence versus it being a published and official update. I don’t mind updating my plugins as often as you need to issue them. In fact, I’d much rather that than getting these spooky warnings from Wordfence.

    Thanks for clarifying that this one is okay.

    The explanation was problematic for me. Once a version is released, it should not be changed. Otherwise it opens the door to cover-up and other mischief.

    “For example, when a new version of WordPress is released, they might change the indication of what version number the plugin supports.”

    This breaks the information chain. The industry expectation is that you will issue a new version number if the file changes. This is basic. Why even have version numbering, then? Seems a very slippery thing to normalize.

    So what if you make a spelling change–it’s a new version. One without the error. If such small, discretionary, but untraceable changes are normalized, what is to stop a hacker from just making a teeny little change to a URL or PHP file? It would be much more difficult to stop that kind of fraudulence, made worldwide through a plugin, than it is to simply enforce versioning.

    Wordfence has it right in this case, I think. Yes they are over the top and don’t separate out real issues before blaring an alarm. It’s an irritating way to handle it–but they are following industry norms.

    I agree. Updraft knows this happens and should just bump the version! It would save a whole lot of anguish that could be easily avoided.

    I agree Wordfence has it right. Just change the version!

    Plugin Contributor DNutbourne

    (@dnutbourne)

    Hi,

    I will pass this on to our lead developer.
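
The situation discussed in this thread, as an added example that is not part of the original posts and is not Wordfence or UpdraftPlus code: a hash check against a manifest captured from the first build of a version flags a file after a silent re-release under the same version number, while the same check against a fresh download of the current package comes back clean. The file names, contents and version string are constructed sample data, and `build_manifest`, `compare`, `write_tree` and `demo` are hypothetical helper names.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(reference: dict[str, str], installed: dict[str, str]) -> dict[str, list[str]]:
    """Classify installed files against a reference manifest."""
    return {
        "modified": sorted(f for f in reference.keys() & installed.keys()
                           if reference[f] != installed[f]),
        "missing": sorted(reference.keys() - installed.keys()),
        "unexpected": sorted(installed.keys() - reference.keys()),
    }


def write_tree(root: Path, files: dict[str, str]) -> Path:
    """Write a {relative path: text} mapping under root and return root."""
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    return root


def demo() -> dict[str, list[str]]:
    # Constructed sample trees: one version string, two different builds.
    first_build = {"plugin.php": "<?php // Version: 1.0.0\n",
                   "templates/modal.php": "<p>Uplaod backup</p>\n"}
    silent_fix = dict(first_build, **{"templates/modal.php": "<p>Upload backup</p>\n"})
    with tempfile.TemporaryDirectory() as tmp:
        cached = build_manifest(write_tree(Path(tmp, "scanner_cache"), first_build))
        site = build_manifest(write_tree(Path(tmp, "site"), silent_fix))
        fresh = build_manifest(write_tree(Path(tmp, "fresh_download"), silent_fix))
        # The hash mismatch alone cannot tell a vendor hot-fix from tampering;
        # only a second trusted reference (the fresh download) separates them.
        return {"vs_cached": compare(cached, site)["modified"],
                "vs_fresh": compare(fresh, site)["modified"]}


if __name__ == "__main__":
    print(demo())
```

A file that still differs from a freshly downloaded copy of the same version is the case that needs investigation; a version bump for every file change removes the ambiguity at the source.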

  • The topic ‘wordfence just highlighted this’ is closed to new replies.