Disabling Add From Server plugin


This topic contains 3 replies, has 2 voices, and was last updated by AITpro Admin 9 months, 3 weeks ago.

    #33532

    Marsha Marrings
    Participant

    Is it possible to disable the capabilities of the Add From Server plugin with BPS? It can see the / of the server. While it is designed to do that, I’d feel more comfortable if it were only capable after whitelisting the plugin in BPS.

    #33533

    AITpro Admin
    Keymaster

    It looks like the normal functionality of the Add From Server plugin needs to be able to access your hosting account folders. Basically it is just a file upload form in the backend WP Dashboard. Plugins are only accessible if someone with the Administrator Role logs into a website. So if a hacker has WordPress Administrator Role permissions to your WordPress Dashboard then it would be game over anyway since anyone with Administrator permissions can install anything they want to install. 😉 The Add From Server plugin has User Access Control Role option settings so that if you hired someone to work on your website and gave that person Administrator Role permissions then the Add From Server plugin would not let them access the Add From Server plugin. At least that is what the description of that option sounds like it does.

    #33534

    Marsha Marrings
    Participant

    Yes, and that’s not all. The plugin can access / of the server, not / of the hosting account. By clicking ‘parent directory’ in the plugin a few times, I see all directories and files on the server from root and can import any of them. Don’t think anyone should be able to do that from a plugin. Short of blocking installation of the plugin, can BPS block the access?

    #33535

    AITpro Admin
    Keymaster

    BPS Pro could block the plugin from working altogether if that is what you want, but BPS Pro could not limit the plugin’s capabilities. I think you should contact the Add From Server plugin author and express your concerns. The plugin author may already have a solution created for your concerns or could add a new feature that would address your concerns.
