0. Status
WPScan identified 14 vulnerabilities
1. Core Updates
Updated core from 6.3 to 6.4.3
2. Removed plugins
- WP Console
3. Plugin Updates (15 requested)
- Updated "Advanced Custom Fields" from 6.2.0 to 6.2.1.1
- Updated "All In One WP Security" from 5.2.5 to 5.2.7
- Updated "Duplicate Page" from 4.5.2 to 4.5.3
- Updated "Easy WP SMTP" from 2.1.2 to 2.2.0
- Updated "Elementor" from 3.15.2 to 3.19.2
- Updated "Elementor Addon Elements" from 1.12.9 to 1.12.12
- Updated "Essential Addons for Elementor" from 5.8.6 to 5.9.7
- Updated "GDPR Cookie Compliance" from 4.12.5 to 4.13.1
- Updated "Redirection" from 5.3.10 to 5.4.2
- Updated "W3 Total Cache" from 2.4.1 to 2.6.1
- Updated "Really Simple SSL" from 7.0.8 to 7.2.3
- Updated "Yoast Test Helper" from 1.17 to 1.18
N.B.
- Unable to update "Gravity Forms" to 1.12.12 due to a licence limitation
- "W3 Total Cache" has been deactivated due to an apparent PHP 8.1 problem
4. Theme updates (2 requested)
- Updated Twenty Twenty-Three from 1.2 to 1.3
- Updated "Betheme" from 27.1.6 to 27.3.6
5. Additional activities
5.1 Security activities
One-time activities
- Using "Really Simple SSL", disabled "user enumeration"
- Using "Really Simple SSL", enabled "vulnerability scanner"
- Using "All In One WP Security", set "Disallow unauthorized REST requests"
Recurring activities
- Renamed "xmlrpc.php" to "donotpass_xmlrpc.php" (should be done on EVERY core update)
- Removed "readme.txt" (should be done on EVERY core update)
- Removed "license.txt" (should be done on EVERY core update)
- Removed "licenza.html" (should be done on EVERY core update)
N.B. The Gravity Forms plugin cannot be updated automatically because no valid licence is available
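The recurring steps above, as an added shell script that is not part of the original report: it re-applies the xmlrpc.php rename and the file removals idempotently after each core update, and a separate check function reports whether a core update has put any of the files back. It assumes the WordPress document root is passed as the first argument (for example the /var/www/wmi/wordpress path quoted in section 6); the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original report: re-apply the recurring
# post-core-update hardening steps. A core update restores xmlrpc.php,
# readme.txt and license.txt, which is why these steps recur.
# Assumption: $1 is the WordPress document root (e.g. /var/www/wmi/wordpress).

wp_post_update_hardening() {
  wproot="$1"
  # Refuse to touch a directory that is not a WordPress root.
  if [ ! -f "$wproot/wp-settings.php" ]; then
    echo "not a WordPress root: $wproot" >&2
    return 1
  fi

  # 1. Rename xmlrpc.php. A stale copy from a previous run is dropped first
  #    so the fresh file restored by the core update replaces it.
  if [ -f "$wproot/xmlrpc.php" ]; then
    rm -f "$wproot/donotpass_xmlrpc.php"
    mv "$wproot/xmlrpc.php" "$wproot/donotpass_xmlrpc.php"
    echo "renamed xmlrpc.php -> donotpass_xmlrpc.php"
  fi

  # 2. Remove the informational files that disclose the installed version.
  for f in readme.txt license.txt licenza.html; do
    if [ -f "$wproot/$f" ]; then
      rm -f "$wproot/$f"
      echo "removed $f"
    fi
  done
  return 0
}

# Check helper: succeeds only when none of the files that should be gone
# is present again (i.e. the hardening has not been reverted by an update).
wp_hardening_check() {
  wproot="$1"
  for f in xmlrpc.php readme.txt license.txt licenza.html; do
    if [ -f "$wproot/$f" ]; then
      echo "still present: $f" >&2
      return 1
    fi
  done
  return 0
}

if [ -n "${1:-}" ]; then
  wp_post_update_hardening "$1"
fi
```

Running wp_hardening_check from a post-update hook or a cron job turns the "should be done on EVERY core update" reminder into an alert when the files reappear.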
5.2 Spam Found
Found spam comments in "https://wikimedia.emdev.it/wp-admin/edit-comments.php"
e.g. 'alldaychemist tadalafil'
e.g. 'cialis 10mg daily'
5.3 Matomo activities
The Matomo "classic" implementation has been removed.
Currently a Matomo tag, including a cookieless property, is included in the header.php file of the WMI theme.
We suggest reviewing:
- the cookie policy
- whether the cookie banner is still necessary
6. Notices
W3 Total Cache has been disabled
The "W3 Total Cache" plugin is currently NOT RUNNING on the wikimedia.it WordPress website, although it did until this morning.
PHP Fatal error: ob_start(): Cannot use output buffering in output buffering display handlers in /var/www/wmi/wordpress/wp-content/plugins/w3-total-cache/Util_WpFile.php on line 298
This problem has already been reported here: https://phabricator.wikimedia.org/T338346 by @valerio.bozzolan
I currently don't have any solution, so I disabled the plugin to make the website work.
It needs further investigation.
6.1 Too many editors are installed.
Currently the following editors are installed and used on the wikimedia.it WordPress website:
- "Gutenberg", the default WordPress editor
- BE Editor
- Elementor
Those editors are not fully compatible and interoperable. That means that choosing the wrong editor carries a high risk of breaking content and producing non-uniform content.
6.2 Fragmented template elements and styles
Due to the WordPress architecture and the stratification of maintenance and evolution actions, styles are currently spread across:
- WMI wordpress theme
- Inline WordPress styles
- Editors configurations (Elementor, BE)
- Plugins configurations (Smart Slider)
This configuration makes it hard to maintain and act on global styles while keeping a global aesthetic identity.
6.3 The plugin "Wiki Embed" - https://it.wordpress.org/plugins/wiki-embed/ - is old and no longer maintained (9 years since the last update)
It causes a lot of PHP warnings, e.g.:
Trying to access array offset on value of type bool in /var/www/wmi/wordpress/wp-content/plugins/wiki-embed/WikiEmbed.php on line 112