Can I find out how many people are using my WP plugin? - wordpress

I'm wondering is it allowed and also what's the best way to track how many users are currently using and running your WordPress plugin?

It's not really allowed without user permission, best bet is to check your plugin stats for active versions and download counts.
No "phoning home" without user's informed consent. This seemingly simple rule actually covers several different aspects:
No unauthorized collection of user data. For example, sending the admin's email address back to your own servers without permission of the user is not allowed; but asking the user for an email address and collecting if they choose to submit it is fine. All actions taken in this respect MUST be of the user's doing, not automatically done by the plugin.
All images and scripts shown should be part of the plugin. These should be loaded locally. If the plugin does require that data is loaded from an external site (such as blocklists) this should be made clear in the plugin's admin screens or description. The point is that the user must be informed of what information is being sent where.
Source: Detailed Plugin Guidelines - Wordpress.org

Why not just check how many people have downloaded your WP plugin?

You could make a callback to your server, but many users won't like it.

Related

Remove custom email rule from wordpress site

Help: a developer I hired not only didn't finish the job, but also left a rule that sends him a copy for everyone who signs up on my site. I've been trying to remove the rule from the plugins to no avail. I am new to programming; below I'll place some images, hopefully someone can indicate to me where such a rule could be. I want to mention I am using Fluent Form and that he had FTP access only to that specific directory, as I didn't fully trust him.
Also, there are no custom snippets in the snippets section.
Also, he never had access to cPanel, and the email is sent only from that specific form, I believe, as it was the only form at the time.
I can confirm that removing the plugins, removing the cache and re-installing the plugins doesn't work, but I can officially confirm that the issue only happens when this line is added into Fluent Form: methods=stripe&fname={inputs.names.first_name}&lname={inputs.names.last_name}&email={inputs.email}&cname={inputs.input_text_1}&acname={inputs.input_text_2}&phone={inputs.numeric-field}&admin_url={submission.id}
Even if only this: methods=stripe is added, it still sends the email to him; that instruction tells the plugin where to find that email address.
I tried typing the email address in phpMyAdmin and the file manager in cPanel but found nothing; I find only logs at most of the emails sent.
Since you are using Fluent forms then you should check the notification rules of that specific form.
Click on Settings of the form you want
Go to Settings & Integration(Top bar) > Email Notifications (Sidebar)
There you will see all notification rules for that form, his email is probably there, remove it.
More info here.
SOLVED: The rule came from within the theme file editor; it wasn't the plugins.
The developer added his email for notification testing and never removed it.

Requesting extra permissions through Google sign in on Concrete5

We are currently trying to use Concrete5 to create an internal Intranet for the company I work for (this is a web-based server). What we would like to do is allow our employees to sign in using their Gmail and be able to see their personal calendars amongst other things on sign in.
I would like the employees to just sign in once, get automatically asked for granting permissions during the login, and then be taken to the home page.
I'm having trouble figuring out how to modify Concrete5's built-in Google login to request these scopes. I am pretty bare-bones in my PHP knowledge and no amount of Google searching has really answered my question specifically for modifying the authentication for Concrete5.
So to sum up my question:
How would someone go about modifying Concrete5's Google authentication to request additional permissions? We are using 5.8.3 and are always updating as necessary, so modifying the core is not really an option to prevent overwrites in the future.
The best way to do that would be to copy the core Google login system to create a new one. You could call it Google Custom or anything you want. You could include it in the folder application/authentication or in a package, with the appropriate modifications.
But to be honest, if you're bare-bones in your PHP knowledge, it all might be a bit too difficult to achieve.

Stop Hacks to Wordpress Site - New User Added

My apologies in advance if I am posting it in the wrong forum.
I have a WordPress site. Every couple of days, a new user is added as an "Administrator" as shown below
I have changed my password many times using complex passwords but to no use. I even searched on Google and have read links like this one.
I have also unchecked the option "Anyone can register"
However, I am unable to stop them from registering.
Fortunately, no malicious activity has been noticed (Ex: Deletions/Unwanted posts etc)
Please advise me on what I can do to stop these?
You clearly have a more serious compromise, like an uploaded malicious script or an unpatched vulnerability. You need to rebuild your site from scratch (clean install of the current versions of WP and any plugins and themes, using a known-good database export) ASAP before something really bad happens.
Unfortunately, it's impossible to say what happened without digging through your server. My guess is that somebody exploited a vulnerability and uploaded a script. It could be anything - a hole in the WP core, a plugin, or a theme; a malicious plugin or theme; a stolen password; a breach of another site on the same server; or a number of other things.
Regardless of what happened, the only safe fix is to rebuild the site. If you have data backups, you can achieve this in a few hours.
I strongly recommend installing the security plugin WordFence to help prevent similar problems in the future. (I have no affiliation with WordFence, but use it on a number of sites.)
Finally, you might want to read this discussion on security.stackexchange.com. The consensus in this situation is "nuke it from orbit." Good luck!
Someone is making a SQL injection in your site.
If you want to prevent this in future, you should do some things.
Rebuild your website from scratch.
Install some of the security plugins, like Bulletproof Security, Wordfence, iThemes Security. I suggest you to buy the license of Bulletproof, or use the free version + one of the others. And be careful for the equal settings.
The most common attacks are SQL injection, XSS, plugin exploits and of course brute-forcing the admin password. You should upgrade every plugin and WordPress every time you see a new version.
Use fewer plugins. They are one of the main reasons for hacked websites. If you use Linux, I can tell you how to scan your website for vulnerabilities. Or just tell me the URL, and I will tell you the results.
Also change your /wp-admin path; there are a lot of bots that search the web and make brute-force attacks.
Also, it is important to use a different admin username from admin or Admin. And use strong passwords. It's a good practice, when you make a new WordPress installation, to make two more users. The first will be an Author and will post everything on the site; the second you should make with the Administrator role. After that, delete the first admin user and start using the new one.
Hackers know that almost every time the user with id:1 is the admin, so they can try to access again. So in this case your admin will be with id:3, and again don't use a username like admin etc.
Best regards and wish you luck.
Kasmetski
Check index.php, wp-admin/index.php to see if they have been modified. Usually the following line of code is added to the top of the index.php file. A code starting with 'required' is usually added.
The file being ‘required’/’included’ here contains malicious code which is executed along with each run of WordPress. Such code can generate fake pharma pages, Japanese SEO spam pages and other malware infections.
Delete the #require code from the file after comparing it with the contents of the core WP files from its GitHub repository.
Check if there are any new files in the root of the server or /wp-admin folder that were not created by you. Some of the files that you may find are:
Marvins.php
db_.php
8c18ee
83965
admin.php
buddy.zip
dm.php
If you find any of the above suspicious files, take a backup and delete them.
Source: https://www.getastra.com/blog/911/fix-wordpress-admin-dashboard-wp-admin-hack/
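The comparison this answer describes, checking `index.php` and `wp-admin/index.php` against a clean copy and looking for files you did not create, can be scripted. The following is an added example, not code from the answer or from WordPress; it assumes you have unpacked a clean copy of the same WordPress version next to the live site, and the trees built in `demo()` (including the injected line and the `dm.php` placeholder) are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Files a live site keeps in its root that a release archive does not ship.
EXPECTED_EXTRA = {"wp-config.php", ".htaccess"}

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(site, clean, subdirs=("", "wp-admin")):
    """Check files directly inside the site root and wp-admin against a clean copy.

    Returns (modified, unexpected): paths whose content differs from the clean
    copy, and paths the clean copy does not contain at all.
    """
    site, clean = Path(site), Path(clean)
    modified, unexpected = [], []
    for sub in subdirs:
        for f in sorted((site / sub).iterdir()):
            if not f.is_file():
                continue
            rel = f.relative_to(site).as_posix()
            ref = clean / rel
            if not ref.is_file():
                if rel not in EXPECTED_EXTRA:
                    unexpected.append(rel)
            elif digest(f) != digest(ref):
                modified.append(rel)
    return modified, unexpected

def added_lines(site_file, clean_file):
    """Lines present in the live file but absent from the clean one."""
    known = set(Path(clean_file).read_text().splitlines())
    return [ln for ln in Path(site_file).read_text().splitlines() if ln not in known]

def demo():
    """Build two constructed trees (not real WordPress files) and audit them."""
    loader = "require __DIR__ . '/wp-blog-header.php';\n"
    root = Path(tempfile.mkdtemp())
    for name in ("clean", "site"):
        (root / name / "wp-admin").mkdir(parents=True)
        (root / name / "index.php").write_text("<?php\n" + loader)
        (root / name / "wp-admin" / "index.php").write_text("<?php // dashboard\n")
    site, clean = root / "site", root / "clean"
    (site / "wp-config.php").write_text("<?php // local settings\n")
    (site / "index.php").write_text("<?php\n@require 'constructed-sample.php';\n" + loader)
    (site / "wp-admin" / "dm.php").write_text("<?php // constructed placeholder\n")
    return audit(site, clean), added_lines(site / "index.php", clean / "index.php")
```

Comparing against a clean copy rather than searching for any `require` matters because a stock `index.php` already contains a legitimate `require` of its own.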

How to know the number of users for a particular wordpress plugin

By checking the WordPress stats we get an idea of how many times a WordPress plugin is downloaded. But this is not the number of users for that plugin, right? The same user will download the plugin when a new version is released.
So do we have any tools or stats to get the total number of unique users for a WordPress plugin??
I did some research on the matter. And the answer is no.
Quotes from Otto's comments in this 2010 article about the stats charts in every plugin's page.
[...] the download count includes direct downloads as well
There is no “raw count” anywhere on that version number chart. The raw count is not data that will be made available.
For your own plugin, you can use tracking as @PeterVanDerDoes points out.
Curiously, the plugin I used as example in the research, WordPress SEO by Yoast, is the same that does this kind of tracking. And here's a nice discussion about it.
I'll reproduce the relevant part of the plugin development official guidelines:
7. No "phoning home" without user's informed consent. This seemingly simple rule actually covers several different aspects:
No unauthorized collection of user data. For example, sending the admin's email address back to your own servers without permission of the user is not allowed; but asking the user for an email address and collecting if they choose to submit it is fine. All actions taken in this respect MUST be of the user's doing, not automatically done by the plugin.
All images and scripts shown should be part of the plugin. These should be loaded locally. If the plugin does require that data is loaded from an external site (such as blocklists) this should be made clear in the plugin's admin screens or description. The point is that the user must be informed of what information is being sent where.
In general, things like banner or text link advertising should not be anywhere in a plugin, including on its settings screen. Advertising on settings screens is generally ineffective anyway, as ideally users rarely visit these screens, and the advertising is low quality because the advertising systems cannot see the page content to determine good ads. So they're best just left off entirely. Putting links back to your own site or to your social-network of choice is fine. If the plugin does include advertising from a third party service, then it must default to completely disabled, in order to prevent tracking information from being collected from the user without their consent. This is the method commonly known as "opt-in".
Note that if you do include what we consider to be "advertising spam", or attempt to game somebody else's advertising system, then we will not only remove your plugin, but also report your code to the advertising system's abuse mechanism as well. We do not react kindly to spam. Don't try it.
The only way I can think of that you could track something like this is by having the plugin phone-home with some stats to your own server.
Just make sure users can select to opt-out of tracking.

Is there way to check wordpress logs? Like what actions admin has performed etc?

Hi friends, is there a way to check WordPress logs? Like what actions the admin has performed etc.?
Actually I am working on a project and someone has deleted my pages templates to trash and my site was down. I want to check who did this in my wordpress admin panel?
I don't think Wordpress has an event log, at least I've never heard of one or seen one. There is a login logger plugin, but it has to be installed and doesn't work retroactively.
In theory, it should be possible to get at least the IP address of the perpetrator from the normal Apache access logs, and searching it for all recent accesses to the /wp-admin folder. That is pretty cumbersome work, though.
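The access-log search suggested in this answer can be narrowed to the requests that matter here. The following is an added example, not part of the original answer; it assumes Apache's "combined" log format and that moving a post or page to the trash shows up as `action=trash` in a `/wp-admin/` query string, and the log lines are constructed sample data using documentation IP ranges.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: ip ident user [time] "METHOD uri proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log (not taken from a real server).
SAMPLE_LOG = """\
203.0.113.20 - - [12/Mar/2024:09:10:11 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:09:14:02 +0000] "GET /wp-admin/edit.php?post_type=page HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:09:14:30 +0000] "GET /wp-admin/post.php?post=42&action=trash&_wpnonce=0000000000 HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:09:15:05 +0000] "GET /wp-admin/edit.php?post_type=page&action=trash&post%5B%5D=43&post%5B%5D=44 HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.20 - - [12/Mar/2024:09:20:00 +0000] "GET /wp-admin/post.php?post=42&action=edit HTTP/1.1" 200 30211 "-" "Mozilla/5.0"
"""

def admin_actions(log_text, actions=("trash", "delete")):
    """Group destructive /wp-admin/ requests by client IP.

    Returns {ip: [(timestamp, action, [post ids], status), ...]}.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, when, _method, uri, status = m.groups()
        parts = urlsplit(uri)
        if not parts.path.startswith("/wp-admin/"):
            continue
        query = parse_qs(parts.query)
        action = query.get("action", [""])[0]
        if action in actions:
            # Single-item links use post=ID, bulk actions use post[]=ID.
            posts = query.get("post", []) + query.get("post[]", [])
            hits[ip].append((when, action, posts, int(status)))
    return dict(hits)
```

The log yields an IP address and a time, not a WordPress username; matching that to an account needs the login records of whoever was signed in from that address.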
You can use a plugin for this: try Stream or its competitors.
You may try this Activity Log Plugin.
If you have tens of users or more, you really can’t know who did what.
This plugin tries to solve this issue by tracking what users do, and
displaying it in an easy to use and easy to filter view on the
dashboard of your WordPress site.
You can try User Activity Log - WordPress Plugin.
It helps you monitor and keep track of all the activities that occur on the admin side. It will give information about the log of all user activity, and the admin gets notified when a particular user is logged in.
The following is not about action logs, but error logs, but it is also helpful. If that happened and you have WooCommerce installed, you will have access to logs:
Admin panel->WooCommerce->Status-> a tab: [Logs]
