I noticed that godaddy does block some wordpress plugins because of various reasons. https://nl.godaddy.com/help/blacklisted-plugins-8964?ci=97106 My biggest question is how do they do this? Anyone got a clue? Also any other tips to improve wordpress sites on cpanel?
Looks like it’s (only) for their managed Wordpress offerings, they probably blacklisted the plugins in the code itself?
They also mention
and if we detect them installed on your account, they will be removed., so they are probably scanning the wp-plugins folder for those plugins as well.
My kimsufi got infected because of a shit WordPress plugin. I stopped using WordPress because of that. GoDaddy sucks but that’s a decent safety precaution.
No correct its only for there wordpress hosting, But since im hosting some wordpress sites aswell, and already got a few people hacked because of bad plugins, im looking todo something like that aswel… Just block the unsupported plugins
While not really on the topic of blocking plugins, there are some things you can do:
- Litespeed’s cPanel allows you to have a WAF that can drop or throttle brute force traffic on Wordpress login pages
- Litespeed’s cPanel lets you mass install and update LS Cache. Also lets you know if they’re already using another caching plugin.
- I don’t use them currently, but I’m sure there’s some Modsecurity vendors (maybe through CXS) that can add more WAF rules for keeping down Wordpress abuse
Seems they block all common caching plugins. That’s stupid
They’re probably using their own. It makes sense.
We want people to use our provided caching plugin (LS Cache) because the web server (Litespeed) has features that can work directly with the plugin for improved caching and reduced load. That’s better than using another PHP level cache.
Correct. Any managed WP platform will have their own deeply integrated caching solution, and using a third party plugin is likely to break that.
Litespeed sounds pretty cool, right now I’m use nginx as cache en then Apache with mod security. And the comodo rules. Cxs any good rules?
Litespeed is The Shit, check my related thread :
Nice. Never tried LiteSpeed, always defaulted to nginx. Might give it a whirl and see, but I do like how easy nginx is to config for vhosts and the like.
I am planning on getting a server and install cPanel + Litespeed. LSCache is awesome. If anyone wants to give it a try let me know.
Which plugin? I try to use only the most popular ones to avoid this from happening (or at least minimize the odds)
With wordpress plugins, the danger is in the automatic “minor version updates”
Better to do manual updates to major versions instead of bleeding edge.
You must have not really needed WP. Getting rid of WP for most people because of “shit WordPress plugin” is not the solution. I try to minimize the use of plugins, and only use widely known plugins with a significant user base.
On shared host if a neigbor gets infected from a bad plugin, that’s always a concern, but not common. I do frequent backups, and have spare servers (different host) ready to go if there’s a problem. For now WordPress is the sweet spot for some of the work I do.
@Ympker Avoid “premium” hacked plugins from usenet, torrent sites etc. That’s the source of most “shit” plugins. I follow the same rules as choosing Android apps. Stick to plugins with frequent updates, which support the current release of WordPress. Also, perhaps the most important attributue, they should have a significant user base.
Truthfully it’s been a couple years since I had the problem so I don’t remember which one was the bad apple.
I don’t use “hacked”/leaked versions of premium plugins. When I said hacked I meant hackable. As in “codeable”. There is a certain config file in the official plugin.zip where the max. file size is defined. All you have to do is change the value to a greater one. Done.
I wasn’t accusing anyone here of using hacked plugins, but I think this is a cause of many of the problems I read about on shared hosts.
Here’s a list of poorly coded/vulnerable plugins. I can’t find anything that I’ve used on the list, and have no idea how accurate it is:
Should’ve linked this instead of some random page: https://wpvulndb.com
Note that 99%+ vulnerabilities can be mitigated by shoving a WAF in front. Even some pretty basic rules are enough to block blatant SQLi and other injections, path traversal, etc…