Plugin / Responsive Iframe Watchdog

Larry Robertson

Frequently Asked Questions (FAQ)

By far the biggest security risk is someone obtaining your WordPress Administrator user name and password. In second place is someone obtaining the user name and password of an Editor or Author role. With a user name and password to log in to your WordPress site, a hacker can edit the content of the “src” attribute of an iframe tag or embed shortcode. One thing a hacker might do is point the URL at hackersite.com/copyofyourpage.html. That page could be a copy of your embedded page containing a hidden div which, when clicked, installs malicious software on your customer’s computer without anyone knowing. Another way is for the hacker to inject malicious JavaScript into a hidden iframe, which executes even if you don’t click on anything. Watch this video demonstrating a Drive By Attack: Javascript Injection
There are many ways, for example someone standing behind you and watching as you log in. The scariest method is a malicious web site that has installed spyware on your computer; for example, watch the video below, which complains that Microsoft’s .NET framework allows a programmer to record keystrokes and capture everything you type on your keyboard! Recording Keystrokes to get your password
The hacker’s domain will not be in the list of trusted domains, which can only be changed by Administrators. As long as the hacker did not capture the user name and password of an Administrator role on your WordPress site, you should be safe. Responsive Iframe Watchdog will block the hacker’s URL from public view (domain not trusted) if the hacker logged in with a role other than Administrator (i.e. Editor, Author…). If the hacker has a login for an Administrator role you are in big trouble anyway, so try to limit the number of Administrator accounts on your site.
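As an added illustration of the kind of “domain not trusted” check described above (hypothetical example code, not the plugin’s own), the function below compares the host of an iframe src against an allowlist and a content filter hides iframes that fail it from visitors. The option name riw_example_trusted_domains and the function name are assumptions; the role-based logic the plugin applies is not reproduced here.

```php
<?php
// Added example, not Responsive Iframe Watchdog's own code.
// Assumes the trusted-domain list is stored in a WordPress option (assumed name).

function riw_example_host_is_trusted( string $src, array $trusted ): bool {
    $src = trim( $src );
    // Protocol-relative src ("//cdn.example.com/x") has no scheme, so add one before parsing.
    if ( strpos( $src, '//' ) === 0 ) {
        $src = 'https:' . $src;
    }
    $parts = wp_parse_url( $src );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return false; // relative paths, javascript:, data: and garbage all fail closed
    }
    if ( ! in_array( strtolower( $parts['scheme'] ?? '' ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    // "https://trusted.example@evil.example/" parses with host evil.example; user info never counts.
    $host = strtolower( rtrim( $parts['host'], '.' ) );
    foreach ( $trusted as $domain ) {
        $domain = strtolower( trim( $domain ) );
        if ( $domain === '' ) {
            continue;
        }
        // Exact match or a subdomain of an allowlisted domain; never a plain substring match.
        if ( $host === $domain || substr( $host, -strlen( '.' . $domain ) ) === '.' . $domain ) {
            return true;
        }
    }
    return false;
}

// Hide untrusted iframes from public view while leaving the stored post content untouched.
add_filter( 'the_content', function ( $content ) {
    $trusted = (array) get_option( 'riw_example_trusted_domains', array() ); // assumed option
    return preg_replace_callback(
        '#<iframe\b[^>]*\bsrc\s*=\s*(["\'])(.*?)\1[^>]*>.*?</iframe>#is',
        function ( $m ) use ( $trusted ) {
            return riw_example_host_is_trusted( $m[2], $trusted )
                ? $m[0]
                : '<!-- iframe removed: domain not trusted -->';
        },
        $content
    );
}, 20 );
```

The regex is a simplification for illustration; a production filter should parse the markup with a proper HTML parser rather than a pattern.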
You may have already disabled iframes on your WordPress site so that only an Administrator can embed. This is a good idea! Responsive Iframe Watchdog will still allow your Editors and Authors to embed with iframes while unfiltered_html is disabled.
Refer to the documentation on remove_cap. You should be experienced in executing PHP code within WordPress before running the following code, and the code should only execute one time (remove_cap writes the change to the stored role definition, so it persists after the code is removed).

To remove the capability for the Editor role:

    try {
        $editor_role = get_role( 'editor' );
        // get_role() returns null when the role does not exist
        if ( $editor_role ) {
            $editor_role->remove_cap( 'unfiltered_html' );
        }
    } catch ( Exception $e ) {
        error_log( 'remove_cap failed for editor: ' . $e->getMessage() );
    }

To remove the capability for the Author role:

    try {
        $author_role = get_role( 'author' );
        if ( $author_role ) {
            $author_role->remove_cap( 'unfiltered_html' );
        }
    } catch ( Exception $e ) {
        error_log( 'remove_cap failed for author: ' . $e->getMessage() );
    }
Any pre-existing HTML elements (i.e.