
IMers, WordPress Plugins disabling SSL/TLS certificates
Recently, a highly respected security expert, Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, shared with ZDNet that many CMS plugins are disabling SSL/TLS certificates. WordPress is a CMS and, as many are already aware, there are thousands of free and paid WordPress plugins.
The majority of the plugins that will concern Internet Marketers are 'payment processor' plugins, but the problem is not limited to 'payment processor' plugins.
This is no small issue that can be ignored. The problem is extremely widespread in the PHP community, especially. A cursory GitHub search for the first and second settings reveals hundreds of thousands of projects where developers are disabling cURL certificate validation, including in hundreds of plugins. [WordPress plugins].
The short of this is that where a WordPress (WP) website utilizes a plugin(s) that has disabled your SSL/TLS, you simply need to fix it. The reasons are many, but the main reason is your paying customer faces the chance that secure data could be maliciously compromised. Also, as more information is coming to light, there are other negative impacts. Do your due diligence and learn more from the following links.
1) Many CMS plugins are disabling TLS certificate validation... and that's very bad, October 30, 2018
https://www.zdnet.com/article/many-c...hats-very-bad/
2) Report: Thousands of CMS Plugins are Disabling SSL/TLS Certificate Validation, November 5, 2018
https://www.thesslstore.com/blog/cms...ls-validation/
3) Certainty: Automated CACert.pem Management for PHP Software, Scott Arciszewski
https://paragonie.com/blog/2017/10/c...r-php-software
4) For a list of known plugins see:
GitHub
https://github.com/search?l=&q=CURLO...gins&type=Code
After checking some of my own sites (and still working on them), I discovered many plugins with the problem. Quickly, I contacted my clients that use the same plugins and went to work. Also, as I dug deeper into the problem, I discovered some additional work that must be done to the phpMyAdmin in the host cPanel. Have to search and replace the values in two files:
CURLOPT_SSL_VERIFYHOST
CURLOPT_SSL_VERIFYPEER
How to Clean up Your wp_options Table and Autoloaded Data
https://kinsta.com/knowledgebase/wp-...toloaded-data/
How to disable all WordPress plugins directly from the database?
https://www.siteground.com/kb/how_to...from_database/
Quickly Disable or Enable All WordPress Plugins via the Database
https://perishablepress.com/quickly-...-the-database/
And see the first comment.
See the above articles for the fix. Know now there is 'no automatic fix', meaning there is a lot of 'manual work' to be done if you have a lot of sites and want to fix all affected plugins. Also, the free SSL certificates... some of the articles explain why they are not a good idea.
Jeffery 100%
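An added example, not part of the original post or the linked articles: a small Python scanner that walks a plugin directory and flags lines setting the two cURL options named above to a value that turns validation off. The function names and the sample PHP are constructed for illustration; the "review" verdict for variable values and for CURLOPT_SSL_VERIFYHOST values other than 2 is an assumption about what deserves a manual look.

```python
import re
import sys
from pathlib import Path

# Matches curl_setopt($ch, OPT, value) and the "OPT => value" form
# used with curl_setopt_array().
SETTING = re.compile(
    r"\b(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*(?:,|=>)\s*([^,;)\]\s]+)")

def classify(option, value):
    """Return 'disabled', 'review' or None (looks fine) for one setting."""
    v = value.strip("'\"").lower()
    if v in ("false", "0"):
        return "disabled"
    if option.endswith("VERIFYPEER") and v in ("true", "1"):
        return None
    if option.endswith("VERIFYHOST") and v == "2":
        return None
    return "review"  # variable, constant, or VERIFYHOST set to 1/true

def scan_source(text):
    """Return (line number, option, verdict) for each suspicious setting."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # ignore commented-out code
        for option, value in SETTING.findall(line):
            verdict = classify(option, value)
            if verdict:
                findings.append((lineno, option, verdict))
    return findings

def scan_tree(root):
    """Scan every .php file under root, e.g. wp-content/plugins."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample input, not taken from any real plugin.
SAMPLE = """<?php
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
// curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt_array($ch, [CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2]);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $opts['verify']);
"""

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for lineno, option, verdict in hits:
            print(f"{path}:{lineno}: {option} {verdict}")
```

Run it against a local copy of the site's plugin directory and review each reported line by hand; a "review" verdict only means the value could not be judged from the source line alone.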


MSutton -
Thanks
SanjeevM -
Thanks
