state of security in the WordPress ecosystem
06.07.2022
A few weeks ago, I did some small security audits of WordPress plugins and the result is not great.
It takes only some creativity to bypass the security measures of a WordPress plugin that tries to hide your login URL.
Every day attackers are scanning the internet for vulnerable WordPress websites and we can often see corresponding probing requests on most websites, even if they do not use WordPress.
Valid URLs can use a wide range of different protocols. This requires strict validation of user-supplied URLs combined with correct checks. Checks that are too lax or wrong can quickly lead to vulnerabilities.