While the Slider Revolution exploit is, at this point, fairly old news, it seems that not everyone got the memo. In a recent post by Wordfence, they claim that the recent Panama Papers fiasco may have begun with a breach of the Mossack Fonseca web server through this exploit.

The agency where I work applied fixes to all of our client sites as soon as the initial news hit, but I have a college friend who recently inherited a number of WordPress websites at his job. After reading the Wordfence article, he realized he didn’t know if any of his new clients had versions of the plugin that would still be vulnerable. Of course the simple answer is “go update all of your plugins”, but since the plugin is baked into the theme in so many cases (and how many made-by-another-developer sites do you have that are all properly child-themed and easy to update?) he couldn’t simply go to his Plugins page on every site to download the new version.

The exploit itself is quite easy to test for: simply use your browser to navigate to admin-ajax.php with the appropriate parameters, and if the site is running a vulnerable copy of the plugin your browser will automatically download the site’s wp-config file.


What I did to help him out was write a quick Chrome Extension that allowed him to browse to his client sites, click the button, and the extension would attempt to download the wp-config.php file from the server. If he got the file, he knew he had a problematic copy of Slider Revolution. If the site responded in any other way, he was likely fine.

The extension was put together in about 15 minutes, and is the first Chrome Extension I’ve written, so it isn’t very fancy. I could have done something other than try to download the file in the browser, so that we could display “success” or “failure” when trying to exploit the site. It also assumes that WordPress lives at the root of the website, since the extension will attempt to access /wp-admin/ at the root of the domain – if a site has a vulnerable plugin installed but, for example, contains the WordPress installation in the /wordpress/ directory, this extension will not effectively find the exploitable path.
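For anyone who would rather look for this probe in their own web server logs than run the check from a browser, here is a small added Python detector that is not part of the extension or the original post: it flags admin-ajax.php requests whose query values traverse directories or name wp-config.php, matches the endpoint by suffix so subdirectory installs like /wordpress/ are covered, and notes whether the server answered with a 200. The log lines and the `file` parameter name are constructed for the example and are not the plugin's real parameter.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample lines in Apache common log format. IPs, timestamps and the
# "file" parameter name are invented for this example, not taken from the plugin.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Apr/2016:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512
203.0.113.11 - - [05/Apr/2016:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=show&file=../wp-config.php HTTP/1.1" 200 3211
203.0.113.12 - - [05/Apr/2016:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=show&file=..%252F..%252Fwp-config.php HTTP/1.1" 200 3211
203.0.113.13 - - [05/Apr/2016:10:01:12 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=show&file=..%2Fwp-config.php HTTP/1.1" 404 210
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def _fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so ..%252F is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(target):
    """Reason if `target` is a file-disclosure probe via admin-ajax.php (any install path), else None."""
    parsed = urlparse(target)
    if not parsed.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for raw in values:
            value = _fully_decode(raw).replace("\\", "/")  # treat ..\ like ../
            if "../" in value:
                return f"path traversal in parameter '{name}'"
            if "wp-config" in value.lower():
                return f"wp-config referenced in parameter '{name}'"
    return None

def scan_log(text):
    """Return one finding per suspicious admin-ajax.php request in the log text."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, ts, method, target, status, size = m.groups()
        reason = classify_request(target)
        if reason is None:
            continue
        # A 200 with a non-empty body means the server most likely handed the file over.
        served = status == "200" and size != "-" and int(size) > 0
        findings.append({"ip": ip, "time": ts, "method": method, "target": target,
                         "status": int(status), "reason": reason, "likely_served": served})
    return findings
```

Run it against a real access log by passing the file contents to `scan_log`; a finding with `likely_served` set is the one to investigate first.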


Click here to download the extension now

I’m distributing the extension in its “unpacked” state, so that people can review it before use. Since the zip file contains a folder with all of the raw files, you will need to enable Developer Mode in Chrome in order to load the extension if you’d like to use it yourself. Click here for instructions on how to load an unpacked extension in Google Chrome.

NOTE: Obviously you use this code at your own risk and for your own purposes. You alone are responsible for your own actions. I cannot be held responsible for anything you do with this extension, or the code/information provided on this page.


You may also view the source code of the manifest.json and background.js files below, which are the only pieces of code in the whole extension. Enjoy!


This is a bit different from my usual WordPress/PHP posts, but I still wanted to share as a general development exercise and also to hopefully let other people know what I discovered about working with Child’s Play.


I am friends with the couple who runs the Game On Marathon, a 100-hour video gaming marathon which raises money every year for the Child’s Play charity. As part of the festivities when the event is happening, they needed the ability to trigger different giveaways based on when we hit certain milestones in the fundraising effort. There is a C++ script which handles these giveaways, but it needs to be told what dollar amount the event is at, and that was currently being done by hand. Child’s Play has a website widget which displays the info, but there didn’t seem to be a way of easily getting their hands on the donation total at different points in time for the program, so they asked if I might be able to help.

At first I tried to scrape the website via remote POST, but that was a bust. Since the Child’s Play widget is driven by a .js script include, none of the generated markup was available in the DOM when you hit the page from a remote script. While looking through the js source, however, I found reference to a JSON API endpoint which looked promising. I had initially tried googling for such a thing, but came up empty, so my guess is that this is an API they possibly only mean to use internally / by their own tools.


Recently I posted a note to a WordPress group on Facebook about BruteProtect no longer issuing new API keys, and naturally Automattic’s Jetpack plugin was mentioned since that is where you have to go for BruteProtect functionality nowadays. Since the internet never disappoints, Jetpack detractors were there almost immediately, chiming in with the usual comments about how “bloated” the plugin is (I don’t personally agree); how awful Jetpack is because it starts with numerous modules activated out of the gate (I don’t see this as a big problem, as they are easily enabled/disabled and it is something you only have to worry about once per site installation); and how much of a pain it is to manage Jetpack installations for clients due to its requirement for connection to a wordpress.com account.

This last complaint caught my attention, because it reminded me of a discussion we’d had a few months ago at the agency where I work. We were discussing a rollout plan for giving Jetpack to many of our existing clients, but we knew that we would need to connect each site to wordpress.com in order to do so. For ease of use we wanted to use a single email alias such as [email protected], but this was immediately ruled out. When you have multiple independent clients, you can’t connect everyone with the same email address because you don’t want each one having access to each other’s data (especially stats and plugin management!). We needed a different approach.

Our final solution ended up taking about 5 minutes to configure, and allowed us to go through the Jetpack installations with ease. New clients who receive Jetpack are quickly connected with no additional setup required.
