
Question WordPress Vulnerabilities -> No updates available

Rene van Lieshout

Basic Pleskian
Server operating system version: n/a
Plesk version and microupdate number: 18.0.60
Hi,

The WordPress Security Status shows a few issues that don't have a fix. Does anybody here know if there is a way to ignore those? They are reported in mails too.

1. WordPress Core - Informational - All known Versions - Weak Hashing Algorithm - All known versions of WordPress core use a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions. - Date: 20.06.2012 | Source: Wordfence
2. WordPress Core - All Known Versions - Cleartext Storage of wp_signups.activation_key - All known versions of WordPress Core store cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability). - Date: 10.10.2017 | Source: Wordfence
 
Which WP Toolkit version do you have? In version 6.3 you have a feature to ignore vulnerabilities by CVSS score (it means that you don't receive notifications about these vulnerabilities and your site isn't marked as vulnerable). In 6.4 we have an improved version of this feature that helps you to ignore these never-fixable vulnerabilities. So just wait for a new version of WP Toolkit.
 
Version 6.4 hasn't been released yet. There's no ETA yet, but release is expected this month.
 
I've upgraded to 6.4 on one site, but don't see a feature to do as you cited.
Is this ok, or should I do something about them and if so, what?
 
@Robert Alexander there seems to be some confusion here. It's not about WordPress version 6.4, but about WP Toolkit version 6.4 (which hasn't been released yet).
 
Ah. My bad then Kaspar. Thanks for clarifying. So I guess now it's June that it's expected as opposed to May when you posted your expectation? Any update on that please? Thanks
 
I've checked my server and it says I'm on WP Toolkit version: 6.4.0-8486
The reason I've been looking at this is that CloudLinux, who support me on Imunify360, suggest that WP Toolkit may be sending out emails to their support email address. The reason this is a problem in itself is that it's creating tickets with them, via my account, when there are Let's Encrypt messages or plugin security messages.
This results in quite a lot of unnecessary tickets and I'm trying to find out what's causing it.
My Plesk Notification Settings are off and the only setting in WP Toolkit that is in force is "Allow Customers to use Sets when they install Wordpress"

I've run out of ideas at the moment.
 