Block Specific Plugins

Block Specific Plugins

Chris Carter-5
Any function to block a specific plugin based on its repository name?
_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers

Re: Block Specific Plugins

Daniel
You may be able to swing something with WPCLI and a cron to search for
specific plugins, or only allow specific plugins. That's how some major
WPaaS places do it.
On Apr 29, 2015 2:01 PM, <[hidden email]> wrote:

> Any function to block a specific plugins based on its repository name?
> _______________________________________________
> wp-hackers mailing list
> [hidden email]
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

Re: Block Specific Plugins

Chris Carter-5
Thanks - the setup is above my pay grade but very informative though..

I was thinking smaller -- use case is on dev server working as a 3rd
party developer - I don't want client to install theme downloader or
some csv exporting thing but they need admin access.. - and someone in
their org is probably smart enough to figure out - hey let's not pay
em...

I'm lazy enough to disable the editors but thinking would be nice to
have as a function I could drop in for a little more security...

Editing user roles I guess...  Back to work :)

> On Apr 29, 2015, at 4:03 PM, Daniel <[hidden email]> wrote:
>
> You may be able to swing something with WPCLI and a cron to search for
> specific plugins, or only allow specific plugins. That's how some major
> WPaaS places do it.
>> On Apr 29, 2015 2:01 PM, <[hidden email]> wrote:
>>
>> Any function to block a specific plugins based on its repository name?
>> _______________________________________________
>> wp-hackers mailing list
>> [hidden email]
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> _______________________________________________
> wp-hackers mailing list
> [hidden email]
> http://lists.automattic.com/mailman/listinfo/wp-hackers

Re: Block Specific Plugins

Andrew Bartel
Really would recommend you start working with proper contracts if you have
those kind of concerns.  The cost of a lawyer to write up and review
contracts is trivial compared to headaches it will prevent.

On that note: https://www.youtube.com/watch?v=jVkLVRt6c1U (good talk at
creative mornings, but contains nsfw language)

Thanks,

Andrew Bartel

On Wed, Apr 29, 2015 at 2:09 PM, <[hidden email]> wrote:

> Thanks - the setup is above my pay grade but very informative though..
>
> I was thinking smaller -- use case is on dev server working as a 3rd
> party developer - I don't want client to install theme downloader or
> some csv exporting thing but they need admin access.. - and someone in
> their org is probably smart enough to figure out - hey let's not pay
> em...
>
> I'm lazy enough to disable the editors but thinking would be nice to
> have as a function I could drop in for a little more security...
>
> Editing user roles I guess...  Back to work :)
>
> > On Apr 29, 2015, at 4:03 PM, Daniel <[hidden email]> wrote:
> >
> > You may be able to swing something with WPCLI and a cron to search for
> > specific plugins, or only allow specific plugins. That's how some major
> > WPaaS places do it.
> >> On Apr 29, 2015 2:01 PM, <[hidden email]> wrote:
> >>
> >> Any function to block a specific plugins based on its repository name?
> >> _______________________________________________
> >> wp-hackers mailing list
> >> [hidden email]
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> > _______________________________________________
> > wp-hackers mailing list
> > [hidden email]
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> _______________________________________________
> wp-hackers mailing list
> [hidden email]
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

Re: Block Specific Plugins

Henry, Bobby
You could always just set up a file that has a list of the plugin names or directories you approve and then set the cronjob to run every 5 minutes or something. Assuming you're using linux here's a quick and dirty script that'll achieve it.
This doesn't remove the files, but turns the bits off, and makes it immutable so it can't be altered by another script.
This outputs to a log file, so you can review them at a later date.
Also, keep in mind this isn't a fix, just a dirty script I made a few years ago to do something similar. I'm sure there's a plugin out there, or a plugin you could make that does something similar to this.
Make sure the first argument in this file is always -iname plugins, there are several ways to go about this, and mine isn't very clean but it works.
Example:
listfile:
-iname plugins -o -iname Plugin-dir-1 -o -iname Plugin-dir-2 -o -iname Plugin-dir-3

Script:
#!/bin/bash
blockdir="/var/www/domain/wp-content/blocked-plugins"
if [ ! -d "${blockdir}" ]; then
    mkdir -p "${blockdir}"
fi
# The list file holds find(1) tests joined with -o (OR), one per approved directory.
approved=$(cat /path/to/listfile)
logtime=$(date +"%b %a %I:%M:%S %m/%d/%Y")
# ${approved} is left unquoted on purpose so it splits into separate find arguments.
for unapproved in $(find /var/www/domain/public_html/wp-content/plugins/ -maxdepth 1 -type d ! -perm 000 ! \( ${approved} \));
do
    #Count how many '/' your path has, then add +1 and change the numerical awk value to that.
    dirname=$( echo "${unapproved}" | awk -F '/' '{print $8}' )
    mv "${unapproved}" "${blockdir}"
    chmod -R 000 "${blockdir}/${dirname}"
    chattr +i "${blockdir}/${dirname}"
    echo "${logtime} ${unapproved}  has been moved to ${blockdir}/${dirname}" >>/var/log/unapproved.log
done


Bobby Henry, LFCS
Tier 2 Technician | LPIC-1 | Linux+
Expedient Data Centers | [hidden email]
P: 614-246-0147  | C: 877.570.7827 



-----Original Message-----
From: wp-hackers [mailto:[hidden email]] On Behalf Of Andrew Bartel
Sent: Wednesday, April 29, 2015 5:16 PM
To: [hidden email]
Subject: Re: [wp-hackers] Block Specific Plugins

Really would recommend you start working with proper contracts if you have those kind of concerns.  The cost of a lawyer to write up and review contracts is trivial compared to headaches it will prevent.

On that note: https://www.youtube.com/watch?v=jVkLVRt6c1U (good talk at creative mornings, but contains nsfw language)

Thanks,

Andrew Bartel

On Wed, Apr 29, 2015 at 2:09 PM, <[hidden email]> wrote:

> Thanks - the setup is above my pay grade but very informative though..
>
> I was thinking smaller -- use case is on dev server working as a 3rd
> party developer - I don't want client to install theme downloader or
> some csv exporting thing but they need admin access.. - and someone in
> their org is probably smart enough to figure out - hey let's not pay
> em...
>
> I'm lazy enough to disable the editors but thinking would be nice to
> have as a function I could drop in for a little more security...
>
> Editing user roles I guess...  Back to work :)
>
> > On Apr 29, 2015, at 4:03 PM, Daniel <[hidden email]> wrote:
> >
> > You may be able to swing something with WPCLI and a cron to search
> > for specific plugins, or only allow specific plugins. That's how
> > some major WPaaS places do it.
> >> On Apr 29, 2015 2:01 PM, <[hidden email]> wrote:
> >>
> >> Any function to block a specific plugins based on its repository name?
> >> _______________________________________________
> >> wp-hackers mailing list
> >> [hidden email]
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> > _______________________________________________
> > wp-hackers mailing list
> > [hidden email]
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> _______________________________________________
> wp-hackers mailing list
> [hidden email]
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

Re: Block Specific Plugins

Chris Carter-5
In reply to this post by Andrew Bartel
agreed - and appreciate your input. is a good video!

not necessarily concerned as we do use them.

my intentions were a simple padlock for those with even the best intentions.

Chris Carter
Founder
http://www.314media.com
[hidden email]

On Wed, Apr 29, 2015 at 4:15 PM, Andrew Bartel <[hidden email]>
wrote:

> Really would recommend you start working with proper contracts if you have
> those kind of concerns.  The cost of a lawyer to write up and review
> contracts is trivial compared to headaches it will prevent.
>
> On that note: https://www.youtube.com/watch?v=jVkLVRt6c1U (good talk at
> creative mornings, but contains nsfw language)
>
> Thanks,
>
> Andrew Bartel
>
> On Wed, Apr 29, 2015 at 2:09 PM, <[hidden email]> wrote:
>
> > Thanks - the setup is above my pay grade but very informative though..
> >
> > I was thinking smaller -- use case is on dev server working as a 3rd
> > party developer - I don't want client to install theme downloader or
> > some csv exporting thing but they need admin access.. - and someone in
> > their org is probably smart enough to figure out - hey let's not pay
> > em...
> >
> > I'm lazy enough to disable the editors but thinking would be nice to
> > have as a function I could drop in for a little more security...
> >
> > Editing user roles I guess...  Back to work :)
> >
> > > On Apr 29, 2015, at 4:03 PM, Daniel <[hidden email]> wrote:
> > >
> > > You may be able to swing something with WPCLI and a cron to search for
> > > specific plugins, or only allow specific plugins. That's how some major
> > > WPaaS places do it.
> > >> On Apr 29, 2015 2:01 PM, <[hidden email]> wrote:
> > >>
> > >> Any function to block a specific plugins based on its repository name?
> > >> _______________________________________________
> > >> wp-hackers mailing list
> > >> [hidden email]
> > >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> > > _______________________________________________
> > > wp-hackers mailing list
> > > [hidden email]
> > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > _______________________________________________
> > wp-hackers mailing list
> > [hidden email]
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
> _______________________________________________
> wp-hackers mailing list
> [hidden email]
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

Re: Block Specific Plugins

Stephen Rider
In reply to this post by Chris Carter-5
Something like this will remove specific plugins any time WP calls the list of actives:

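add_filter( 'option_active_plugins', 'filter_get_active_plugins' );
add_filter( 'transient_active_plugins', 'filter_get_active_plugins' );

function filter_get_active_plugins( $data ) {
        // Placeholder entries: list each blocked plugin as 'directory/main-file.php'.
        $blocked = array( 'blocked-plugin/blocked-plugin.php' );
        if ( ! is_array( $data ) ) {
                return $data;
        }
        // Active plugins are stored as array values, so remove them by value, not by key.
        $data = array_diff( $data, $blocked );
        sort( $data );
        return $data;
}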

Some pseudo code there, but you get the idea.

--
Stephen Rider

[hidden email]
http://striderweb.com/nerdaphernalia



> On Apr 29, 2015, at 4:01 PM, [hidden email] wrote:
>
> Any function to block a specific plugins based on its repository name?
> _______________________________________________
> wp-hackers mailing list
> [hidden email]
> http://lists.automattic.com/mailman/listinfo/wp-hackers


Re: Block Specific Plugins

Nikola Nikolov
Stephen Rider's solution is the best IMO - cron job is not the best way,
because they might be able to start the export in even under 1
minute (that'd be hell of tricky and take some trial and error, but not
impossible).

The code must go in a mu-plugin. My suggestion is to symlink the mu-plugins
folder in all of your projects to a single directory on your hosting.

Now, here comes another question though - having a blacklist is more
difficult (and much longer) than having a white-list. The white-list is
some extra work on a per-project basis, but protects you from tricks (like
renaming the directory of the plugin, zipping it and uploading it as a new
plugin - which your blacklist will never catch). I think you can manually
create an option in the DB (maybe some code in functions.php if you're going
to disable the editors anyway) that lists all plugins that are needed for
the site to function - this will be your whitelist. Just grab that option
from the DB in the filtering function and return its value.

Andrew Bartel's advice is good too - if you're afraid that your clients
will leave you high and dry, then ask them to sign a contract. If they have
some doubts, point out that having a contract protects them too. If they
still refuse, just get up and leave - there's something fishy with them and
you don't want to have them as clients.

I use a modified version of the "Contract Killer
<https://gist.github.com/malarkey/4031110>", which you can find here
<https://drive.google.com/file/d/0B1SFrFarWWXqbmcwQWlfbDdzOVU/view?usp=sharing>.
Obviously you would want to add your own clauses and adjust the existing
ones. I like that contract because it's written in an easy to understand
language (well, unless you make it complicated). I usually discuss the
contract with the clients and if they have any concerns I adjust it in a way
that works for both of us.

Note the Copyrights section - I preserve the ownership of the source code
and license its use to the client. This way I can later re-use any parts
of the code in the case of something complex being created that could be
useful in another project.

On Thu, Apr 30, 2015 at 7:45 AM, Stephen Rider <[hidden email]>
wrote:

> Something like this will remove specific plugins any time WP calls the
> list of actives:
>
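> add_filter( 'option_active_plugins', 'filter_get_active_plugins' );
> add_filter( 'transient_active_plugins', 'filter_get_active_plugins' );
>
> function filter_get_active_plugins( $data ) {
>         // Placeholder entries: list each blocked plugin as 'directory/main-file.php'.
>         $blocked = array( 'blocked-plugin/blocked-plugin.php' );
>         if ( ! is_array( $data ) ) {
>                 return $data;
>         }
>         // Active plugins are stored as array values, so remove them by value, not by key.
>         $data = array_diff( $data, $blocked );
>         sort( $data );
>         return $data;
> }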
>
> Some pseudo code there, but you get the idea.
>
> --
> Stephen Rider
>
> [hidden email]
> http://striderweb.com/nerdaphernalia
>
>
>
> > On Apr 29, 2015, at 4:01 PM, [hidden email] wrote:
> >
> > Any function to block a specific plugins based on its repository name?
> > _______________________________________________
> > wp-hackers mailing list
> > [hidden email]
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
>
> _______________________________________________
> wp-hackers mailing list
> [hidden email]
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

Re: Block Specific Plugins

Stephen Rider
IF you really KNOW what plugins you want, you can do this:

add_filter( 'option_active_plugins', 'filter_get_active_plugins', 100 );
add_filter( 'transient_active_plugins', 'filter_get_active_plugins', 100 );

function filter_get_active_plugins( $data ) {
        // Placeholder entries: list each allowed plugin as 'directory/main-file.php'.
        $data = array( 'allowed-plugin/allowed-plugin.php' );
        sort( $data );
        return $data;
}

This won’t merely **allow** them; it will completely replace the list of active plugins with your list. If one of those plugins is not present, however, you’ll get “not found” errors.

For a whitelist solution of permitted (but not necessarily present) plugins, you’d do a loop and remove anything from $data that’s not on the whitelist.

--
Stephen Rider

[hidden email]
http://striderweb.com/nerdaphernalia
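
The whitelist variant described in the last two messages (drop anything active that is not on the list, without forcing absent plugins on), written out as an mu-plugin. This is an added example, not code posted by anyone in the thread; the function names and the sample plugin paths are hypothetical, and the list is hard-coded in the file instead of being read from a DB option.

```php
<?php
/**
 * Plugin Name: Plugin allow-list (added example)
 * Save as a file in wp-content/mu-plugins/. All identifiers here are hypothetical.
 */

// Constructed sample entries: plugin main files relative to wp-content/plugins/.
// A get_option() lookup could supply this array instead of the literal.
function example_allowed_plugins() {
    return array(
        'akismet/akismet.php',
        'example-forms/example-forms.php',
    );
}

// 'active_plugins' is a flat list of plugin files: keep only allow-listed values.
function example_filter_active_plugins( $active ) {
    if ( ! is_array( $active ) ) {
        return array();
    }
    // array_values() re-indexes so WordPress still gets a plain 0..n list.
    return array_values( array_intersect( $active, example_allowed_plugins() ) );
}

// Multisite: 'active_sitewide_plugins' is keyed by plugin file (file => timestamp),
// so the comparison has to be on keys, not values.
function example_filter_sitewide_plugins( $active ) {
    if ( ! is_array( $active ) ) {
        return array();
    }
    return array_intersect_key( $active, array_flip( example_allowed_plugins() ) );
}

if ( function_exists( 'add_filter' ) ) {
    // Late priority so this runs after any other filter on the same options.
    add_filter( 'option_active_plugins', 'example_filter_active_plugins', 100 );
    add_filter( 'site_option_active_sitewide_plugins', 'example_filter_sitewide_plugins', 100 );
} else {
    // Run outside WordPress (php thisfile.php): demonstrate on constructed input.
    $stored = array(
        'akismet/akismet.php',          // allowed, stays
        'akismet-renamed/akismet.php',  // renamed copy of an allowed plugin, dropped
        'csv-export/csv-export.php',    // not on the list, dropped
    );
    print_r( example_filter_active_plugins( $stored ) );
}
```

The filter only changes what WordPress reads back from the option, so the stored value is untouched and a plugin that is not on the list never loads on later requests. Activation itself still includes the plugin file once, so pair this with restricted file access rather than relying on it alone.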


Re: Block Specific Plugins

Stephen Rider
And yes, Nikola is correct.  Such a filter would have to be an mu-plugin, or perhaps go in functions.php.

--
Stephen Rider

[hidden email]
http://striderweb.com/nerdaphernalia


Re: Block Specific Plugins

Chris Carter-5
exactly what I was looking for - you guys are the best.

-Chris

On Thu, Apr 30, 2015 at 1:00 PM, Stephen Rider <[hidden email]>
wrote:

> And yes, Nikola is correct.  Such a filter would have to be an mu-plugin,
> or perhaps go in functions.php.
>
> --
> Stephen Rider
>
> [hidden email]
> http://striderweb.com/nerdaphernalia
>
> _______________________________________________
> wp-hackers mailing list
> [hidden email]
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>