IMers, Wordpress Plugins disabling SSL/TLS certificates

2 replies
No affiliate links are in this post

Recently, a highly respected security expert, Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, shared with ZDNet that many CMS plugins are disabling SSL/TLS certificates. WordPress is a CMS and, as many are already aware, there are thousands of free and paid WordPress plugins.

The majority of the plugins that will concern Internet Marketers are 'payment processor' plugins, but the problem is not limited to 'payment processor' plugins.

This is no small issue that can be ignored. The problem is extremely widespread in the PHP community, especially.
A cursory GitHub search for the first and second settings reveals hundreds of thousands of projects where developers are disabling cURL certificate validation, including in hundreds of plugins. [WordPress plugins].

The short of this is: where a WordPress (WP) website utilizes a plugin (or plugins) that has disabled your SSL/TLS validation, you need to fix it. The reasons are many, but the main reason is that your paying customer faces the chance that secure data could be maliciously compromised. Also, as more information comes to light, there are other negative impacts. Do your due diligence and learn more from the following links.

1) Many CMS plugins are disabling TLS certificate validation... and that's very bad, October 30, 2018
https://www.zdnet.com/article/many-c...hats-very-bad/

2) Report: Thousands of CMS Plugins are Disabling SSL/TLS Certificate Validation, November 5, 2018
https://www.thesslstore.com/blog/cms...ls-validation/

3) Certainty: Automated CACert.pem Management for PHP Software, Scott Arciszewski
https://paragonie.com/blog/2017/10/c...r-php-software

4) For a list of known plugins see:
GitHub
https://github.com/search?l=&q=CURLO...gins&type=Code

After checking some of my own sites (and still working on them) I discovered many plugins with the problem. Quickly, I contacted my clients that use the same plugins and went to work. Also, as I dug deeper into the problem I discovered some additional work that must be done in phpMyAdmin in the host cPanel. You have to search and replace the values in two files:

CURLOPT_SSL_VERIFYHOST
CURLOPT_SSL_VERIFYPEER

How to Clean up Your wp_options Table and Autoloaded Data
https://kinsta.com/knowledgebase/wp-...toloaded-data/

How to disable all WordPress plugins directly from the database?
https://www.siteground.com/kb/how_to...from_database/

Quickly Disable or Enable All WordPress Plugins via the Database
https://perishablepress.com/quickly-...-the-database/
And see the first comment.

See the above articles for the fix. Know now that there is 'no automatic fix', meaning there is a lot of 'manual work' to be done if you have a lot of sites and want to fix all affected plugins. Also, regarding the free SSL certificates: some of the articles explain why they are not a good idea.

Jeffery 100%
#certificates #disabling #imers #plugins #ssl or tls #wordpress
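As an added example (not code from Jeffery's post or from any of the linked articles), here is a small Python audit script that walks a plugin directory on disk looking for the two cURL options named above set to values that switch validation off, plus the equivalent WordPress HTTP API settings ('sslverify' => false and the https_ssl_verify filter forced to false). The sample plugin sources and directory names in it are constructed so it runs offline; point it at a real wp-content/plugins path to audit your own sites.

```python
"""Audit PHP sources (for example a wp-content/plugins tree) for settings that
switch off TLS certificate validation.

Added example for this thread, not code from the post or the linked articles.
The sample plugin sources and directory names below are constructed."""
import re
import sys
import tempfile
from pathlib import Path

# Safe values are CURLOPT_SSL_VERIFYPEER = true and CURLOPT_SSL_VERIFYHOST = 2.
# VERIFYHOST = 1 is a legacy value that never checked the name actually
# matched, so it is flagged as well.  The last two checks cover the WordPress
# HTTP API equivalents: the 'sslverify' request argument and the
# https_ssl_verify filter forced to false.
CHECKS = [
    ("CURLOPT_SSL_VERIFYPEER",
     re.compile(r"CURLOPT_SSL_VERIFYPEER\s*(?:,|=>)\s*(?:false|0)\b", re.I)),
    ("CURLOPT_SSL_VERIFYHOST",
     re.compile(r"CURLOPT_SSL_VERIFYHOST\s*(?:,|=>)\s*(?:false|0|1)\b", re.I)),
    ("sslverify",
     re.compile(r"['\"]sslverify['\"]\s*=>\s*false\b", re.I)),
    ("https_ssl_verify",
     re.compile(r"add_filter\(\s*['\"]https_ssl_verify['\"]\s*,\s*['\"]__return_false['\"]", re.I)),
]

# Constructed sample: a payment gateway call with validation switched off.
VULNERABLE_PLUGIN = """<?php
// Constructed sample: validation disabled (the bad pattern).
$ch = curl_init('https://gateway.example/charge');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$response = curl_exec($ch);
$r = wp_remote_post($url, array('sslverify' => false, 'body' => $data));
"""

# Constructed sample: the same call with validation left on and a CA bundle set.
HARDENED_PLUGIN = """<?php
// Constructed sample: validation kept on (the fixed pattern).
$ch = curl_init('https://gateway.example/charge');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/ca-certificates.crt');
$response = curl_exec($ch);
// curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  // commented out, not a finding
"""


def scan_source(text):
    """Return (line_number, option, line) for every line that disables validation.
    Comment lines are skipped so already-fixed code is not re-reported."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        for option, pattern in CHECKS:
            if pattern.search(line):
                findings.append((lineno, option, stripped))
    return findings


def scan_tree(root):
    """Scan every .php file under root; returns {relative_path: findings}."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*.php")):
        found = scan_source(path.read_text(errors="replace"))
        if found:
            results[path.relative_to(root).as_posix()] = found
    return results


def demo_scan():
    """Write the two constructed samples into a temporary plugin tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vulnerable-plugin").mkdir()
        (root / "vulnerable-plugin" / "gateway.php").write_text(VULNERABLE_PLUGIN)
        (root / "hardened-plugin").mkdir()
        (root / "hardened-plugin" / "gateway.php").write_text(HARDENED_PLUGIN)
        return scan_tree(root)


if __name__ == "__main__":
    # Usage: python audit_tls.py /path/to/wp-content/plugins   (no arg = built-in demo)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = scan_tree(target) if target else demo_scan()
    for path, found in report.items():
        for lineno, option, line in found:
            print(f"{path}:{lineno}: {option} disabled: {line}")
```

The script is a grep with context rather than a PHP parser, so it will miss a value passed through a variable; treat a clean run as a first pass, not proof. The hardened sample shows the settings to put back (VERIFYPEER true, VERIFYHOST 2, and a CA bundle via CURLOPT_CAINFO, which is what the Certainty article linked above automates).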
  • MSutton
    I am very hesitant anymore to use WordPress. To me, WP is still only good for blogging. Anything else, and you need a lot of plugins or you have to be good at programming to modify WP to do what you need it to do.

    There is no way to know if these themes and plugins in the repository are safe to use.

    And a lot of themes and plugins are almost useless unless you buy the "Pro version". You can easily spend thousands of dollars a year in WordPress themes and plugins just for one site. So much for "free WordPress". lol
  • SanjeevM
    Never knew this problem even existed!

    Thanks for the heads up, Jeffery!

    It looks like the best bet would be to get a tech-savvy VA to go over all the sites and plugins. The manual work involved looks forbidding. To me, at least!