The BlogSec WordPress Sandbox plugin works on a whitelist principle. We accept all pages and posts (including wp-admin, feeds and xmlrpc) but deny requests for any other resources or WordPress functions.
I came up with the idea for this plugin when developing my homepage WithDK.com (where it is currently being tested). I wanted WordPress to act like a CMS (Content Management System), but I didn’t want all the whistles and bells. This plugin allowed me to achieve this, although it is still being tested.
We may want to extend this project to include a fully featured menu system with checkboxes for enabled/disabled WordPress features, but for now it's a pet project.
I like the concept of this plugin. A whitelist approach means we allow only what we want, which in turn means fewer areas for attackers to target.
Download bs-wp-sandbox.php.txt - Ver 1.2.1 NOW AVAILABLE.
Once downloaded, open the file with your favourite text editor and change BLOGNAME to suit your needs. Below BLOGNAME you'll also find the permitted list; you can delete or add entries as needed.
Enjoy!
Doesn’t work for me. When it is installed the plugin redirects requests for my WordPress blog to my site homepage which is in a higher folder!
Terry, yes this is correct. My blog was in my root directory “/”.
Look for this line:
header("Location: /");
Change it to suit your needs, example:
header("Location: /blog");
For the next release, I’ll place a define statement at the top to make this easier to change.
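To show the whitelist principle from the tool description together with the define suggested in this reply, here is an added sketch of how such a filter can be structured. It is example code written for this page, not the plugin's own source; the constant BS_SANDBOX_REDIRECT, the $bs_sandbox_permitted list and the function bs_sandbox_check are assumed names.

```php
<?php
/*
Plugin Name: Whitelist Sandbox (illustrative example, not the BlogSec plugin)
*/

// Redirect target as a define, so blogs below the web root can set '/blog'.
if (!defined('BS_SANDBOX_REDIRECT')) {
    define('BS_SANDBOX_REDIRECT', '/');
}

// Permitted list: WordPress conditional tags. A front-end request is served
// only if at least one of these returns true; everything else (search,
// author/category archives, trackbacks, unknown URLs) is denied.
// Constructed for this example; add or remove entries to suit the site.
$bs_sandbox_permitted = array('is_home', 'is_page', 'is_single', 'is_feed');

function bs_sandbox_check() {
    global $bs_sandbox_permitted;
    foreach ($bs_sandbox_permitted as $fn) {
        if (function_exists($fn) && call_user_func($fn)) {
            return; // request is on the whitelist, let WordPress serve it
        }
    }
    // Denied: send the visitor to the blog root. wp_safe_redirect() only
    // follows local targets, so a misconfigured define cannot become an
    // open redirect the way a raw header("Location: ...") could.
    wp_safe_redirect(BS_SANDBOX_REDIRECT, 302);
    exit;
}

// template_redirect runs after the query is parsed, so the conditional tags
// above are reliable here. wp-admin and xmlrpc.php use their own entry
// scripts and never reach this hook, which matches the plugin's intent of
// leaving admin and XML-RPC requests alone.
add_action('template_redirect', 'bs_sandbox_check');
```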
Hi, this is a great site.
One of my sites was attacked this week much the same as this:
http://wordpress.org/support/topic/141041
We have since upgraded and removed a suspicous plugin. But I wonder if you could write something in plain English for the non-technical among us as to what was the cause of the problem and what we can do to protect against it. I’d like to alert friends and colleagues, but I’m not sure I understand how this attack occurred and what could have been done to prevent it.
Thank you.
Anita
PS, I tried to insert this into your contact form, but it just hung and hung.
Anita, thank you for your message. We did receive your email via our Contact form and will be in touch with you shortly. Thanks.
[…] 1.2 of the BlogSecurity WordPress Sandbox plugin has been released. See its tool page for details and for the latest download. Enjoy the article? Please take a […]
I just realised this plugin will not work if your blog is not in your webroot. Will get this resolved in the next release.
Can you add possible other scenarios for the permitted list? Why and what should I add to this list maybe?
seppelb, I’ll add some more functions in the next release that you can add/remove. If you have anything specific in mind, let me know.