WordPress File Upload is a plugin for uploading files from the front-end. It has many capabilities and functionalities, like selecting multiple files, including user data along with the uploaded files, sending emails, viewing and downloading the uploaded files and many more.
When dealing with files, security is important. So, the question is: How Secure Is the Plugin? Is there a risk of someone uploading dangerous files to the website and causing damage or stealing sensitive information? Is there a risk of someone using hacking techniques, like CSRF or XSS attacks, to get unauthorized access to the website or expose unwanted information?
The Iptanus team takes security very seriously. The answer is that the Plugin is Highly Secure and many precautions have been taken so that hacking is prevented. Its security measures have been thoroughly tested and improved through close cooperation with independent security experts.
The plugin adopts most security measures suggested by WordPress, as well as widely accepted techniques and best practices for maximizing security in all levels. More in detail:
- The plugin restricts uploading of suspicious file extensions that may contain executable code that could run on the server (like php, js, html files). The check and rejection of harmful files occurs on the server side before the files start getting uploaded. This measure prevents unauthorized code from executing on the server side.
- The plugin executes multiple checks to verify that upload (or other types of) requests are valid and are not coming from a hacker. For all requests the plugin's server scripts check and verify WordPress nonces and referer information, unique ids stored in session variables, current user capabilities, as well as the validity and existence of request parameters. This measure prevents CSRF attacks.
- In special cases and where possible (like for verification of captcha or download of files) the plugin also uses unique tokens with a very short lifetime to verify the validity of the request. Even if someone steals request data and tries to repeat the request (for cheating captcha security or downloading files from the website), the request data will have expired and the hacked request will fail. This measure prevents CSRF attacks.
- All request parameters passed to server scripts are sanitized before being used. If a hacker tries to pass executable code through a parameter, the executable code will be deactivated and/or rejected. This measure prevents XSS attacks.
- No sensitive information (such as codes, keys, urls or absolute file paths) is exposed to the user’s browser. This measure prevents stealing of unwanted information.
- The plugin’s File Browser in Dashboard for administrators has been optimized for security. Even if a hacker gains access to the administration panel (Dashboard) and tries to rename, delete or modify system files by hacking the File Browser he/she will fail. The File Browser does not allow access to system files or to files outside the website root. Furthermore, file operations like rename, delete or download can only be applied to files uploaded by the plugin. This measure prevents unauthorized access and modification of system files and eventually unauthorized execution of hacking code.
- The plugin offers the option to add a captcha check before uploading files. This is an additional measure of protection against robots that can flood the website with useless files and exhaust or corrupt the web server's file system.
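The measures listed above, as an added illustration written for this page and not the plugin's own code: a server-side extension check that also catches double extensions, a path-containment check of the kind the File Browser needs, and an AJAX upload handler that verifies the nonce and referer, the user's capability, and sanitizes user data before accepting the file. The `wfu_demo_*` names, the `wfu_demo_upload` nonce action and the blocked-extension list are assumptions; the WordPress functions used are real.

```php
<?php
// Added illustration (not the plugin's own code). Hypothetical names:
// wfu_demo_* functions and the 'wfu_demo_upload' nonce action.

// Extensions treated as server-executable here; a real plugin makes this configurable.
const WFU_DEMO_BLOCKED_EXT = array('php', 'phtml', 'php5', 'phar', 'js', 'html', 'htm');

/* Refuse a filename if ANY dotted segment is a blocked extension,
   so "shell.php.jpg" is rejected as well as "shell.php". */
function wfu_demo_extension_allowed($filename) {
    $parts = array_map('strtolower', explode('.', basename($filename)));
    array_shift($parts); // first segment is the base name, not an extension
    if (count($parts) === 0) return false; // no extension at all: refuse
    foreach ($parts as $ext) {
        if (in_array($ext, WFU_DEMO_BLOCKED_EXT, true)) return false;
    }
    return true;
}

/* Confirm a file-browser target resolves to a path strictly inside $upload_root,
   defeating "../" traversal and symlinks that point outside the website root. */
function wfu_demo_path_inside($target, $upload_root) {
    $root = realpath($upload_root);
    $real = realpath($target);
    if ($root === false || $real === false) return false;
    return strpos($real, rtrim($root, '/\\') . DIRECTORY_SEPARATOR) === 0;
}

/* AJAX upload handler: nonce + referer, capability, sanitization, file check. */
function wfu_demo_handle_upload() {
    check_ajax_referer('wfu_demo_upload', 'nonce'); // dies on a missing/invalid nonce
    if (!current_user_can('upload_files')) {
        wp_send_json_error('insufficient capability', 403);
    }
    // User data submitted with the file is sanitized before any further use.
    $userdata = sanitize_text_field(wp_unslash($_POST['userdata'] ?? ''));
    if (empty($_FILES['file']['name']) || !wfu_demo_extension_allowed($_FILES['file']['name'])) {
        wp_send_json_error('file type not allowed', 400);
    }
    $upload = wp_handle_upload($_FILES['file'], array('test_form' => false));
    if (isset($upload['error'])) {
        wp_send_json_error($upload['error'], 400);
    }
    // Return only the base name: absolute server paths stay out of the browser.
    wp_send_json_success(array('file' => basename($upload['file']), 'userdata' => $userdata));
}
add_action('wp_ajax_wfu_demo_upload', 'wfu_demo_handle_upload');
```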
As the fight against hacking is a continuous process, the Iptanus team strives to make the plugin better and better every time. Problems and reports related to security are handled with first priority and mitigated very quickly.
For any questions or further information please contact the Iptanus team.