perrydc
Forum Replies Created
Alley has approved this branch for deployment; however, they have identified a few remaining security issues which we should probably take offline since these are vulnerabilities that could be exploited. Please email me and I’ll send you the results of their branch review: perrydc AT gmail DOT org.
Thank you for pulling this together! The team at Alley is reviewing this branch in our next cycle (complete 9/7). I will let you know if they have any further concerns after running this branch through their linting tool.
Thank you!
Thank you for your attention to this matter. Rank Math is central to our growth strategy, so I am motivated to work with you to resolve these issues and also help you open up your plugin to more restrictive sites on WordPress VIP and other strict security platforms.
Our site is not on VIP (we use Alley Interactive), but the developer uses VIP’s linting tool to assess issues before approving any plugin. Although I have not worked directly with VIP, I have worked with other major Automattic-approved developers who use similar linting tools and don’t currently offer RankMath as an option. If these are false positives, they are scaring away many potential clients of RankMath.
We can, as you suggest, go through these on a line by line basis, but there are over 800 lines that were flagged as critical or severe security issues by the VIP linter. Manually reviewing each line will take weeks at our present contract allocation and consume thousands of dollars in developer time that I need to apply to other priorities. If we eat the cost of that review, it will only open up Rank Math to other clients of Alley and only for a limited time, since future updates to the plugin will need to be reviewed on a line by line basis.
Would it be possible for you to explore whether there is a simple change to your code that might knock out a high percentage of these issues? If you are amenable, I can connect you with our lead developer and also share details on our linter. I believe an investment in silencing these security flags on your side will yield a larger customer base.
If you are not amenable to updating your code (because you do not regard them as true security vulnerabilities), perhaps you could supply me with a list of development shops in the US who have high security standards and also allow deployment of your plugin.
I know RankMath works (and I’ve seen its impact on site traffic for other properties I’ve managed in the past), so I will find a way to make this happen, one way or another.
Forum: Plugins
In reply to: [Plugin: WP Super Cache] Unable To Post With Version 0.9.3
Wow. I can’t believe you got a fix in that fast! Smooth sailing on my site. Thanks!
Forum: Plugins
In reply to: [Plugin: WP Super Cache] Unable To Post With Version 0.9.3
I’m seeing a related problem, which just happened after updating to 0.9.3. While it’s letting me post, I’m getting the following error every time I hit publish:
Warning: opendir(/home/content/p/e/r/perrydc/html/wordpress/wp-content/cache/meta/) [function.opendir]: failed to open dir: No such file or directory in /home/content/p/e/r/perrydc/html/wordpress/wp-content/plugins/wp-super-cache/wp-cache-phase2.php on line 632
Warning: Cannot modify header information – headers already sent by (output started at /home/content/p/e/r/perrydc/html/wordpress/wp-content/plugins/wp-super-cache/wp-cache-phase2.php:632) in /home/content/p/e/r/perrydc/html/wordpress/wp-includes/pluggable.php on line 850
…hope this helps to diagnose!