Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-36916: Hide My WP - Amazing Security Plugin for WordPress!

The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function “hmwp_get_user_ip” tries to retrieve the IP address from multiple headers, including IP address headers that the user can spoof, such as “X-Forwarded-For.” As a result, the malicious payload supplied in one of these IP address headers will be directly inserted into the SQL query, making SQL injection possible.

CVE
#sql#xss#csrf#vulnerability#web#windows#apache#js

Hide My WP is number one security plugin for WordPress. It hides your WordPress from attackers, spammers and theme detectors. Over 26,000 satisfied customers use Hide My WP. It also hides your wp login URL and renames admin URL. It detects and blocks XSS, SQL Injection type of security attacks on your WordPress website.

Beware of nulled and duplicate versions of Hide My WP on the Internet. We are an exclusive author at Envato and we don’t sell anywhere else. Hide My WP on CodeCanyon is the only official plugin which can be used to hide your WordPress website.

  • Multisite on Nginx and IIS is in our plan. A mix of different webservers is not offically supported. More about compatibility

Also at:

  • WP Buffs
  • Hide My WP

More Information

  • You can use Extended version of this plugin on upto 5 sites
  • To try this plugin before buying, download our hide my wp lite version

Customers Feedback

I really think you are onto something highly unique with this plugin. For a few years now, I?ve been wishing someone could develop something that can help protect files, folder names, etc and you have clearly worked very hard to do just that. Keep up the great work! I look forward to seeing what else you come up with! * 5 Stars! *
– mrhocs

As a veteran of a thousand psychic wars? this is fabulous and is most useful! Good on Ya! for making this one! I wish you many sales as they are well deserved. For privacy? what man can pay a price as that? Privacy is key If one wants to take it? Molon Labe.
Keep up the work as we are in need of your talent. Thank you
– drmedia1

YES!! I saw this earlier today but just couldn?t resist to put off buying it. And I must say this plugin works just as described.
I love it! And I gave the official 3rd rating so now you have 5 STARS… Thanks.
– noahjnet

Change WordPress permalinks

The magic starts now… But before it, stick in your mind we don’t change any file or folder and everything is in its default location! we just control access to it and this guarantees maximum compatibility for the plugin.

Hide wp-login.php

  • Try this: hide-my-wp.wpwave.com/wp-login.php
  • Not found!? OK. Try this one: hide-my-wp.wpwave.com/wp-login.php?hide_my_wp=1234

Hide or change wp-admin and all of its files (for untrusted users)

  • hide-my-wp.wpwave.com/wp-admin/ – Not found!
  • or Change it to wpwave.com/my-admin/

Change WordPress theme directory, remove theme Info from stylesheet, replace default WP classes and finally minify it!

  • hide-my-wp.wpwave.com/template/main.css (Instead: …/wp-content/themes/twentytwelve/style.css)

Change plugins directory and hash plugins name

  • hide-my-wp.wpwave.com/modules/95578af5/shortcodes.css (Instead: …/wp-content/plugins/zilla-shortcodes/shortcodes.css)
  • hide-my-wp.wpwave.com/modules/95578af5/shortcodes.php – Not found! (Deny access)

Change upload URL, wp-includes folder, AJAX URL, etc.

  • hide-my-wp.wpwave.com/file/test-image-landscape.jpg (Instead: …/wp-content/uploads/test-image-landscape.jpg)
  • hide-my-wp.wpwave.com/lib/js/jquery/jquery.js (Instead: …/wp-includes/js/jquery/jquery.js)
  • hide-my-wp.wpwave.com/ajax.php – Output 0 (Instead: …/wp-admin/admin-ajax.php)

Change WordPress queries URL:

  • New URLs:
  • hide-my-wp.wpwave.com/?article_id=1
  • hide-my-wp.wpwave.com/?user=1
  • hide-my-wp.wpwave.com/?find=hide
  • Old, not working URLs:
  • hide-my-wp.wpwave.com/?p=1 – Nothing happen!
  • hide-my-wp.wpwave.com/?author=1 – Nothing happen!
  • hide-my-wp.wpwave.com/?s=hide – Nothing happen!

Change author permalink (or disable it!)

  • New: hide-my-wp.wpwave.com/admin or wpwave.com/profile/admin (Optional)
  • Old: hide-my-wp.wpwave.com/author/admin – Not found!

Change or disable feeds

  • New: hide-my-wp.wpwave.com/index.xml
  • New: hide-my-wp.wpwave.com/cat/aciform/index.xml
  • Old: hide-my-wp.wpwave.com/feed/ – Not found!
  • Old: hide-my-wp.wpwave.com/cat/uncategorized/feed/ – Not found!

Hide all other WordPress files!

  • hide-my-wp.wpwave.com/readme.html – Not found!
  • hide-my-wp.wpwave.com/license.txt – Not found!

Disable WordPress archives, categories, tags, pages, posts, etc

  • hide-my-wp.wpwave.com/2012/09/ – Not found!
  • hide-my-wp.wpwave.com/?m=201209 – Nothing happen!

Continue reading there’s still more!

  • Easily replace any words in your html output file!
  • Notify you when someone is mousing about your WordPress site (included with visitor details like IP, user agent, referrer and even username!)
  • Compress html output and remove comments in source code
  • Remove WordPress meta Info from header and feeds
  • Change default WordPress email sender
  • Custom 404 page!
  • Remove unnecessary menu classes
  • Clean up body classes
  • Protection from XSS, SQL Injection, Command Injection using builtin IDS protection

Changelog

6.2.4 (October 26, 2021)

- Fixed security vulnerabilities reported by Envato.

  • Minor Bug fixes.

6.2.3 (January 15, 2021)

- Tested up to WordPress 5.6

  • Bug: Fixed IDS Log entry when IDS is disabled.
  • Bug: Fixed Gutenberg saving issue related to Rest API.
  • Bug: Fixed issues in admin settings.
  • Bug: Fixed robots.txt file rewrite issue.

6.2.2 (November 10, 2020)

- Bug: Fixed export file path issue
- Bug: Fixed site crashes issue while activating plugin.
- Bug: Fixed WP Rocket white labelling issue.
- Removed Deprecated functions.
- Redesign Dashboard boxes.
- Added option to put IDS in "alert" mode.
- Improve Instructions for renaming 'wp-admin' path.

6.2.1 (July 24, 2020)

- Bug: Fixed Issue with Elementor when Auto Configuration is enabled.
- Bug: Fixed site crashes issue while activating plugin.
- Bug: Fixed warning issue for plugin update.

6.2.0 – July 10, 2020

- Support for hide Elementor page builder
- Hide Online Detectors option
- Allow Specific Countries
- Export settings to a file
- Improve ip lookup service
- Blocked IPs Listing with options to whitelist & delete
- Bug: "Open Wizard" link is incorrect when wp-admin path is renamed
- Bug: Plugin version incorrect
- Bug: Conflict with WP Rocket plugin
- Bug: High privacy breaks the site
- Deprecated: Replace \`\_wpnonce\` option

6.1 – 08/01/2020

- Feature: IDS - Delete All Log for IP Address

  • Feature: Support for PHP 7.2 and 7.3
  • Bug: Cron job stuck
  • Bug: Deprecated: Function create_function()
  • Bug: hide_my_wp plugin name still visible in URL
  • Bug: PHP notice undefined variable rules
  • Bug: Incompatibility with Elementor v2.6
  • Bug: Dashboard fixes are shown with a blank line in b/w
  • Bug: PHP Warning: Cannot modify header information
  • Bug: Purchase code doesn’t work for first time installation via Wizard
  • Bug: Wrong link to plugin settings
  • Bug: REST API rename issue
  • Bug: whatcms.org detecting WordPress
  • Bug: Trust Network Bugs

6.0 – 11/06/2019

- UI Overhaul - New dashboard and completely new menus.

  • True trust network - intelligent scoring of bad ip addresses and blacklisting
  • Auto detect common issues (e.g .htaccess is not writable)
  • Wizard based installation
  • Separate intrusion detection and trust network pages
  • Better hiding features for online detectors
  • Extended testing with popular plugins and themes
  • Changed preset settings & removed confusing settings
  • Bug fix: XML RPC Disabling
  • Bug fix: Retain settings on deactivation (checkbox to override this behaviour)
  • Bug fix: Disabling Rest API breaks WP

5.6.2 – 06/07/2019

- Fixed: Issue with Country Blocking

  • Added: Advance method to block theme detectors

5.6.1 – 02/25/2019

- Added: Block access to wp-register.php

  • Fixed:: Replace _wpnonce in URLs with _nonce (support for Buddypress)
  • Fixed: /wp-admin rename to /panel bug
  • Fixed:: UTF-8 Error - https://codecanyon.net/comments/20516486.

5.6 – 01/12/2019

- Added: Support for Rest API in WP 5.0

  • Added: Customize IDS Email Address
  • Fixed: Removed deprecated functions (create_function()).

5.5.7 – 09/13/2018

- Added: Improvements for detection for Yoast and WooCommerce

  • Added: Hides Rest API on enabling Auto Configuration, improves detection
  • Fixed: Minor Bugs

5.5.6 – 02/26/2018

- Added: Support to hide WP Rocket plugin

  • Added: Instant reset link to deactivate HMWP in case of lockouts

5.5.5 – 10/27/2017

- Fixed: WordPress Social Login Path Issue

  • Improved: WooCommerce Wapanalyzer Support
  • Fixed: Browser cache setting can be configured
  • Added: Support for our new plugin - Scan My WP (WordPress Security Scanner)

5.5.4 – 09/11/2017

- Fixed: wp-login.php not being hidden

5.5.3 – 08/31/2017

- New (and Most Wanted): Change wp-login to something else (like login or login.php).

  • Improvement: Hiding Gravity Forms from wapplyzer (using auto config system).
  • Fixed: Important bug in blocking IPs of several different countries.
  • Minor changes in code and file structure.

5.5.2 – 04/07/2017 (May require manual update due to auto update conflict)

- New: Counter for Trust Network to show number of blocked dangerous requests

  • Fixed: Auto Update conflict bug with other plugin
  • Improved: Update libraries to improve PHP 7 compatibility

5.5.1 – 12/19/2016

- Fixed: A small typo avoid hide wp-admin to work correctly

5.5 – 12/16/2016

- NEW: Auto Plugin Configuration! It hides (common) parts of WooCommerce and JetPack (Experimental)

  • NEW: Change URL or completely disable REST API i.e. wp-json (Probably one of the only plugin works in WP 4.7)
  • NEW: Internal JS and CSS fields: A smart technique to hide internal code from source code
  • NEW: Hide OEmbed assets
  • NEW: Security check for security keys
  • IMPROVEMENT: Better performance for automatic assets
  • IMPROVEMENT: Support for new Minify module of W3 Total Cache
  • IMPROVEMENT: Guide for Nginx configuration
  • IMPROVEMENT: PHP 7.1 and 7.0 compatibility
  • IMPROVEMENT: WP 4.7 compatibility
  • FIX: Several bugs when permalink is off
  • FIX: Full Hide mode working correctly with Nginx
  • FIX: Problem in saving HTML fields (IDS Firewall)
  • FIX: A small syntax error in configuration files
  • FIX: A bug in Antispam system
  • FIX: Annoying message for purchase code
  • FIX: Error message in checking array fields (Trust Network)

5.1 – 04/21/2016

- New: Minify and clean up stylesheets in child themes

  • New: Added ban IP link to intrusion table (Thanks to turner2f)
  • New: Ability to disable WP emojies (still works in modern browsers)
  • New: New IP to country providers
  • Fixed: A breaking bug with full hide feature
  • Fixed: Auto update problem
  • Fixed: A white screen death error which occur in long pages
  • Fixed: Removing WP Super Cache header parameter
  • Fixed: A small security bug related to cookies
  • Improved: Change IP details provider (Thanks to turner2f)
  • Improved: Trust IP and Firewall tabs were merged for a simpler UI
  • Improved: WP 4.5 compatibility
  • Other minor improvements

5.01 – 11/27/2015

- Fixed an error in old PHP servers (5.3)
Note: WP recommends PHP 5.6 or more

5.0 – 11/27/2015

- NEW: Introducing Trust Network which blocks common dangerous patterns and IPs without even enabling IDS

  • NEW: Completely rewritten New Admin Path to make it clearer to configure
  • NEW: Ban countries, IPs or IP ranges from admin page
  • NEW: Country flags plus a link to details were added to intrusion log table.
  • IMPROVEMENT: Better Hiding WP from CMS finder tools
  • IMPROVEMENT: Compatibility test with PHP 7 (RC)
  • FIX: An important bug which cause problem to find super admin
  • FIX: Double slashes(//) in multisite subdomains
  • FIX: Syntax problem in Windows (IIS) servers
  • FIX: Problem with displaying messages
  • FIX: Issue with importing specific kind of settings
  • FIX: Unsaved checkboxes in settings page
  • FIX: Fatal error in IDS files
  • …and other minor improvements

4.54 – 08/12/2015

- New: Hiding default WP robot

  • Fixed: Security bug in IDS log page
  • Improved: Limit access to cookie to HTTP only
  • Improved: Compatibility test with WordPress 4.3 RC

4.53 – 08/02/2015

Note: If you configured HMWP manually (multi-site, Nginx, etc.) It’s require to do it again after updating)

- Improved: New hash function to make it almost impossible to guess plugin names

  • Fixed: Firewall is now the first loaded plugin
  • Fixed: A bug in anti-spam system
  • Fixed: important security bug in displaying IDS log
  • Improved: Internal web server queries are not guessable now

4.52 – 07/28/2015

- Fixed: an important security bug

  • Fixed: a php warning error
  • Improved: Firewall run sooner to act faster
  • Improved: Avoid direct access to PHP files now works with double extension files
  • Improved: provided IP is more reliable now

4.51 (and 4.51.1) – 07/10/2015

- Improved: Replace rules limitation has been increased to 30

  • Improved: Better cover for wordpress
  • Fixed: 500 error in old versions of Apache
  • Fixed: A bug which prevents replace rules to be restored by undo button
  • Fixed: Fatal error in older PHP versions
  • Several small but helpful bug fixes (4.51.1)

4.5 – 06/20/2015

- New full hide feature to improve undetectability of WP and themes

  • New CDN path tools which makes it easy to setup CDN
  • New path for wp-content (useful for some plugins which located in wp-content like cache plugins)
  • Improved Simplification of UI
  • Improved: IDS for anti-XSS attacks
  • Improved: Antispam checks
  • Improved: Replacement tools to make it easy for everyone
  • Improved: IDS system for slightly faster responses
  • Fixed: Reply email bug in Contact form 7
  • Fixed: Loading issue of HMWP_MS.CSS
  • Fixed: WP-Rocket Minify incompatibility

4.03 – 02/14/2015

- New Option to replace new URLs in AJAX responses

  • BUG FIX: Inserting media with safe HTML minify enabled

4.02 – 02/06/2015

- Bug Fix: wp-signup.php was hided

  • Bug Fix: WP IDS rules were updated
  • Bug Fix: Make New admin path work in Multisite
  • Bug Fix: Purchase code remains after importing new settings
  • Bug Fix: New admin path for Nginx webserver
  • Improvement: IDS alert email is reformatted
  • Improvement: More readable info for IDS log

4.01 – 11/12/2014

- Compatibility with Hyper Cache, WP-Rocket

  • General improvement for auto update
  • A bug fix related to displaying message

4.00 – 11/06/2014

- NEW: Introducing IDS (Intrusion Detection System) with customized rules for WP

  • NEW: Auto plugin update (require valid purchase code)
  • NEW: Finally official support for IIS (Windows servers!)
  • NEW: Undo previous settings whenever you want!
  • NEW: Light settings scheme was added
  • NEW: Ability to use backslash in Replace in HTML
  • IMPROVEMENT: Full compatibility for gantry-based themes
  • IMPROVEMENT: Options mapper was written
  • IMPROVEMENT: Automatic compatibility test has been added to guide users
  • FIX a bug caused by author base default value
  • FIX year numbers bug (for upload directory)

3.0 – 07/02/2014

- NEW: Ability to rename wp-admin!

  • NEW: Simple and sweet anti-spam
  • NEW: Disable directory listing for plugins and themes and WP
  • WP 1.9 compatibility plus UI adjustment
  • Deactivating HMWP now store saved settings
  • API filter added to resetting to defatults
  • wp-cron.php and upgrade.php added to whitelist
  • Fixed a bug in page preview
  • Fixed feed and canonical URL issue
  • Fixed multisite table prefix
  • Fixed bug in notification message when login address has changed
  • Fixed multiple messages in settings page
  • Fixed problem with minify plugins that cause 400 error
  • Fixed base address problem in configuration of some multisite installs
  • Fixed a bug in register URL
  • Fixed a notice message

2.2 – 11/20/2013

-Bug Fix: Now entering Purchase Code will remove annoying warning messages -Bug Fix: Compatibility with /subdirectory/subdirectory/(…) network-enabled installs -Improvement: WordPress 3.7 compatibility -Improvement: Canonical URLs is now enabled by default (plus for settings schemes) -Improvement: Several colorful messages added to reduce support queries -Bug Fix: Buddypress pages bug (in some conditions) -Bug Fix: Fix /wp-login.php/ URL -Bug Fix: Remove a notice warning in generating debug report

2.1 & 2.11 09/21/2013

- Bug Fix: A problem in replacing new URLs (2.11)

  • New Feature: Login parameter ‘hide_my_wp’ is now changeable!
  • Improvement: W3 Total Cache Minify module works now! (Read FAQ)
  • Improvement: Better blocking of CMS finder tools
  • Improvement: W3TC credit text will be removed automatically (for untrusted users)
  • Improvement: Presstrends code added
  • Bug Fix: Log out problem in some environments
  • Bug Fix: Warning message appeared in some environments
  • Bug Fix: A number of fixes in helper class

2.01 – 08/11/2013

- Bug Fix: Added Replace in HTML back

  • Bug Fix: Correct a warning message

2.0 – 08/10/2013

- Improvement: Full WordPress 3.6 compatibility

  • Feature: Replace, rename or hide any file or folder
  • Feature: Simple page compression added
  • Feature: Block access of CMS finders tools to pages (beta)
  • Improvement: Change order of header info to hide WP better
  • Improvement: Add xmlrpc.php to excerpt list by default
  • Improvement: Cached CSS age extended to 3 days
  • Improvement: Better description and messages for easier configuration
  • Bug Fix: Scheduling problem for plugins like Backup Buddy was fixed
  • Bug Fix: Preview button problem in new post page was fixed
  • Bug Fix: Problem in full SSL websites was fixed
  • Bug Fix: Notice message appear in update settings was fixed
  • Minor changes

v1.81 & 1.82 – 06/10/2013

- Bug fix: A bug caused problem with new upload path in subdomain installs

  • Bug fix: Removed unnecessary success messages for reset defaults, import, etc.
  • Bug fix: Removed an unnecessary warning message. (1.81)
  • Bug fix: Correct miss-spelled labels

v1.8 – 06/08/2013

- Feature: Ability to choose manual configuration to use customized htaccess

  • Improvement: Better quick fix guide
  • Bug Fix: External uploaded WordPress images now works correctly
  • Bug Fix: CSRF flaw detected by Julio (boiteaweb.fr)
  • Bug Fix: Trim Replace in HTML field
  • Bug Fix: Better replace for WooCommerce plugins
  • Minor changes

v1.7 – 05/06/2013

- Feature: Ability to replace JS URLs for different entities (e.g. \ /wp-content\ /themes)

  • Improvement: BulletProof Security plugin compatibility
  • Improvement: Ability to replace codes with ‘=’ sign using [equal] tag
  • Bug Fix: Child themes bug fix
  • Bug Fix: A bug in exporting Replace in HTML content
  • Bug Fix: A bug in exporting values with double slashes
  • Minor changes in UI

v1.6 – 04/20/2013

- Feature: Ability to rename all plugins (useful for plugins located in premium themes)

  • Improvement: New and better settings scheme
  • Improvement: Added quick fix guide to Start tab
  • Files: Update file structure to work with new Codecanyon changes
  • Bug Fix: ob_start bug fix for better compatibility
  • Bug Fix: Search widget bug
  • Bug Fix: Hide login, admin, etc. shortcuts
  • Bug Fix: Replace all AJAX URLs
  • Bug Fix: Fix a bug in Nginx rewrite rules in sub-folder installs
  • Documentation: Added documentation for Nginx and multisite configuration
  • Minor changes

v1.5 – 04/04/2013

- Performance: Up to 3 times faster with new partial replace mode!

  • Feature: Nginx and Multi-site support.
  • Feature: Child themes support
  • Feature: Two different minify options for HTML and CSS
  • Feature: Better compatibility with two additional options for PHP files access
  • Feature: Option to hide _wpnonce and theme screenshot
  • Improvement: Better support for sub-directory installs
  • Improvement: More compatibility for class clean up options
  • Bug Fix: Style path bug
  • Bug Fix: Fixed login URL problem and better compatibility with login-related plugins
  • Minor bug fixes

If there is still ambiguity, please check out screenshots or read our FAQs.

Please signup in our NEWSLETTER to receive important news related to HMWP.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907