The WordPress Site Health Page Isn’t Exposing Private Information

One of the big problems with trying to get real security issues surrounding WordPress dealt with is that it is hard to get attention for them when so much attention is paid to supposed security issues that don’t exist or are not realistic threats. In our monitoring of the WordPress Support Forum to keep track of indications of vulnerabilities in WordPress plugins for our service, we ran across a new example of that today. Several days ago a plugin was introduced to the Plugin Directory named WP Disable Site Health with this description:

The addition of the new Site Health screen can be useful but it exposes a lot of server information that should be kept private. This plugin disables this feature in WordPress.

That page is only accessible to those logged in to WordPress with the install_plugins capability, which would normally only be those with the Administrator role (in a Multisite install, only Super Admins have that capability). How that makes the information public is beyond us. Administrators can take just about any action they want with the website, so among other things, they could simply disable this plugin and see the Site Health page again if it is installed, so the plugin doesn’t actually accomplish what it sets out to.
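To make the capability gate concrete, here is a small must-use plugin that records who reaches the Site Health screen and what capability they hold. It is an added illustration for this post, not code from WordPress or from the WP Disable Site Health plugin; the file path, the hypothetical log prefix and the assumption that the screen id is `site-health` are ours. WordPress performs its own capability check before the admin header loads, so in practice only users who pass that check should ever appear in this log; the logged value lets an administrator confirm that.

```php
<?php
/**
 * Plugin Name: Site Health Access Audit (illustrative example)
 * Description: Logs each view of the Site Health screen together with the
 *              viewer's account and whether it holds install_plugins.
 *
 * Drop this file into wp-content/mu-plugins/ (path assumed; any mu-plugins
 * location WordPress recognises works). Entries go to the PHP error log.
 */

add_action( 'current_screen', function ( $screen ) {
    // Only act on the Site Health screen; 'site-health' is the assumed
    // screen id for tools.php?page=site-health.
    if ( ! ( $screen instanceof WP_Screen ) || 'site-health' !== $screen->id ) {
        return;
    }

    $user = wp_get_current_user();

    // This is the capability the post describes as gating the page.
    $has_cap = current_user_can( 'install_plugins' ) ? 'yes' : 'no';

    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // Hypothetical log prefix so the entries are easy to grep for.
    error_log( sprintf(
        '[site-health-audit] user=%s id=%d install_plugins=%s remote=%s',
        $user->user_login,
        (int) $user->ID,
        $has_cap,
        $remote
    ) );
} );
```

Because a must-use plugin cannot be deactivated from the admin screens, the audit entry survives an administrator disabling ordinary plugins, which is the weakness the post points out in relying on a regular plugin to hide the page.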

What brought this to our attention was a review that claimed that the “tool is a security hole waiting to be exploited”:

Great plugin. Works like a charm. Won’t be long before many start using it.

WordPress’ Site Health tool is a security hole waiting to be exploited. This plugin eliminates it.

In reality the plugin doesn’t disable the tool, only access to its admin page, so if there were insecurities in parts of the tool this might not have any impact on them. Some vulnerabilities that had existed in the plugin version of the tool didn’t require access to any page.

What seems like a better reason for this plugin to exist would be to keep people you manage a website for from overreacting to some of the information on the page, since in some ways the page doesn’t seem well thought out in how it presents information. Even then, the more fitting answer might be for those people to use an account with fewer capabilities.

