If you are handing off your WordPress sites to clients and giving them access through an editor login, you might want to think about restricting access to some of your plugins and plugin settings. One such plugin, called ‘Hana Code’, is overly lacking in security and potentially allows a client to change code entries or, worse, inject new PHP code into the site. If the client doesn’t know what they are doing, this could be devastating to the site.
So for example the Hana Code plugin could be modified so it would not be accessible to logins below an administrator level.
Change line 109 of the ‘hana-code-insert.php’ file from:
add_options_page($this->admin_setting_title,$this->admin_setting_menu, 1, __FILE__,array(&$this,'hana_code_options_page'));
to:
add_options_page($this->admin_setting_title,$this->admin_setting_menu, 8, __FILE__,array(&$this,'hana_code_options_page'));
Note that the only change is raising the access level number from ‘1’ to ‘8’.
You can potentially make this modification on other WordPress plugins as well. We did a simple content search of our WordPress files for the string “add_options_page(“. Below are some of the results we found.
Then, in the array line of code, you could look for the following: “, <a number>, __FILE__,”.
If you see something like “, 1, __FILE__,” you might want to change the 1 to an 8, which would only allow Administrators or higher access to the plugin settings.
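The content search and the “, <a number>, __FILE__,” check described above can be combined into one script. This is an added example, not part of the original post: the function name find_low_level_pages and the two sample plugin files are constructed for illustration, and it only catches calls written on a single line.

```shell
#!/bin/sh
# Added example, not from the original post. find_low_level_pages is a
# hypothetical helper name; the sample plugin files below are constructed.

# Usage: find_low_level_pages DIR [MIN_LEVEL]
# Prints "file:line:level=N" for every add_options_page( call whose
# ", <a number>, __FILE__," argument is below MIN_LEVEL (default 8).
find_low_level_pages() {
    find "$1" -type f -name '*.php' -exec awk -v min="${2:-8}" '
        /add_options_page[ \t]*\(/ &&
        match($0, /,[ \t]*[0-9]+[ \t]*,[ \t]*__FILE__/) {
            level = substr($0, RSTART, RLENGTH)
            sub(/^,[ \t]*/, "", level)    # drop the leading comma
            sub(/[^0-9].*$/, "", level)   # keep only the digits
            if (level + 0 < min + 0)
                printf "%s:%d:level=%d\n", FILENAME, FNR, level
        }
    ' {} +
}

# Constructed sample tree: one plugin at level 1, one already at level 8.
demo=$(mktemp -d)
mkdir -p "$demo/hana-code-insert" "$demo/other-plugin"
cat > "$demo/hana-code-insert/hana-code-insert.php" <<'EOF'
<?php
add_options_page($this->admin_setting_title,$this->admin_setting_menu, 1, __FILE__,array(&$this,'hana_code_options_page'));
EOF
cat > "$demo/other-plugin/other-plugin.php" <<'EOF'
<?php
add_options_page('Other', 'Other', 8, __FILE__, 'other_options_page');
EOF

find_low_level_pages "$demo"   # reports only the level-1 call
rm -rf "$demo"
```

Point the function at your own wp-content/plugins directory to list the settings pages that are still reachable below level 8.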
Hope this was helpful for everyone.