I recently stumbled upon a surprising fact about the popular WordPress plugin “WP Optimize.” It turns out that the plugin creates a file named “wpo-plugins-tables-list.json” in your public “uploads” directory — a place usually reserved for images. What’s alarming is that the file isn’t just any file — it contains all of your site’s plugins and their database tables.
Gathering all of this information in one easily accessible file can’t be good. Why would WP Optimize just casually lay out a welcome mat for hackers?
Let’s nip this issue in the bud.
By adding the following add_filter statement to a custom plugin or to your theme’s functions.php file, you can stop WP Optimize from creating this hazardous file:
add_filter( 'wpo_update_plugin_json', '__return_false' );
How to Create a Custom WordPress Plugin to Disable wpo-plugins-tables-list.json file
Creating a simple WordPress plugin to implement the code snippet above is straightforward. Here’s a quick guide to writing such a plugin:
- Create a PHP File for Your Plugin: First, you need to create a new PHP file for your plugin. You can name it something like disable-wpo-json-creation.php.
- Add the Plugin Header: At the top of your PHP file, add a comment block that WordPress recognizes as a plugin header. This includes details like the plugin name, description, version, and author.
- Add the Functionality: After the header, write the code that alters the behavior of WP Optimize.
Here is how your complete plugin file (disable-wpo-json-creation.php) should look:
<?php
/**
 * Plugin Name: Disable WPO JSON Creation
 * Description: Disables the creation of the wpo-plugins-tables-list.json file by WP Optimize.
 * Version: 1.0
 * Author: ThreatPicture.com
 * Author URI: https://threatpicture.com
 */
// Hook to disable WP Optimize from creating the JSON file.
add_filter( 'wpo_update_plugin_json', '__return_false' );
- Install the Plugin: To use this plugin, you need to upload the disable-wpo-json-creation.php file to your WordPress installation under the wp-content/plugins directory.
- Activate the Plugin: Finally, log in to your WordPress dashboard, navigate to the ‘Plugins’ section, find the ‘Disable WPO JSON Creation’ plugin in the list, and click ‘Activate.’
Finally, make sure to delete any existing “wpo-plugins-tables-list.json” file from your uploads directory.
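The cleanup and verification steps above can be scripted. This is an added shell example, not code from the original article or from WP Optimize: it finds and deletes leftover copies of the file and checks that the filter line exists in a plugin or theme file. The function names are hypothetical, and it assumes the default wp-content layout under the WordPress root you pass in.

```sh
# Added example (not from the article or WP Optimize); function names are hypothetical.
# Assumption: default layout, i.e. <wp_root>/wp-content/{uploads,plugins,themes}.
WPO_JSON_NAME="wpo-plugins-tables-list.json"

# Print every copy of the inventory file below uploads, one path per line.
# Searches recursively because the exact subdirectory is not assumed.
find_wpo_json() {
    uploads="${1%/}/wp-content/uploads"
    if [ ! -d "$uploads" ]; then
        echo "no uploads directory at $uploads" >&2
        return 2
    fi
    find "$uploads" -type f -name "$WPO_JSON_NAME" -print
}

# Delete every copy found and print how many were removed.
remove_wpo_json() {
    found=$(find_wpo_json "$1") || return $?
    if [ -z "$found" ]; then
        echo 0
        return 0
    fi
    count=$(printf '%s\n' "$found" | wc -l | tr -d ' ')
    find "${1%/}/wp-content/uploads" -type f -name "$WPO_JSON_NAME" -exec rm -f -- {} +
    echo "$count"
}

# Succeed if some plugin or theme PHP file contains the add_filter line.
# This only proves the line exists on disk; the plugin must still be activated.
filter_present() {
    grep -rqs --include='*.php' "wpo_update_plugin_json.*__return_false" \
        "${1%/}/wp-content/plugins" "${1%/}/wp-content/themes"
}
```

Source the file and run `filter_present /path/to/wordpress` before `remove_wpo_json /path/to/wordpress`; if the filter is not in place, the file may be written again after you delete it.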
SOURCE: WordPress.org