Plugin to limit the URL specified in the src attribute of iframe, embed and video tags to a specified list of trusted domains.
Author: Larry Robertson (profile at wordpress.org)
WordPress version required: 4.5.0
WordPress version tested: 4.9.1
Plugin version: 1.2.1
Added to WordPress repository: 25-07-2017
Last updated: 07-12-2017
Warning! This plugin has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
Rating, %: 0
Rated by: 0
Plugin URI: (none listed)
Total downloads: 871
Screenshots
This screenshot shows the Administrator's Settings page. The page is showing a couple of error messages that you will see when you first install the plugin (see item 5 under Installation).
This screenshot shows the icon as it appears in the editor.
This screenshot shows the initial dialog.
This screenshot shows the YouTube Settings.
This screenshot shows the YouTube Settings after a URL/ID has been pasted.
This screenshot shows the YouTube Settings after the shortcode has been inserted.
This screenshot shows the YouTube preview embed.
This screenshot shows the Vimeo Settings.
This screenshot shows the Livestream Settings.
This screenshot shows the Brightcove Settings.
This screenshot shows the Dailymotion Settings.
This screenshot shows the Custom Settings for Other Video Embed.
This screenshot shows the Custom Settings for HTML Embed.
What is the Security Risk with iframe tags and embed Shortcode?
By far the biggest security risk is someone obtaining your WordPress Administrator username and password. In second place is someone obtaining an Editor or Author role's username and password.
With a username and password to log in to your WordPress site, a hacker can edit the content of the src attribute of an iframe tag or embed shortcode. One thing a hacker might do is point the URL to hackersite.com/copyofyourpage.html. This page could be a copy of your embedded page with a hidden div that, when clicked, installs malicious software on your customers' computers without your knowledge.
Another method is for the hacker to inject malicious JavaScript code into a hidden iframe that executes even if you don't click on anything. Watch this video demonstrating a drive-by attack:
Javascript Injection
How does a Hacker get your Username and Password?
There are many ways; for example, someone standing behind you and watching as you log in. The scariest method is a malicious website that has installed spyware on your computer. For example, watch the video below, which complains that Microsoft's .NET Framework allows a programmer to record keystrokes and capture everything you type on your keyboard!
Recording Keystrokes to get your password
How does Responsive Iframe Watchdog Prevent this type of Hacking?
The hacker's domain will not be in the list of trusted domains, which can only be changed by Administrators. As long as the hacker did not capture the username and password of an Administrator account on your WordPress site, you should be safe. Responsive Iframe Watchdog will block the hacker's URL from public view (domain not trusted) if the hacker logged in with a role other than Administrator (i.e. Editor, Author, ...).
If the hacker has a login for an Administrator account, you are in big trouble anyway, so try to limit the number of Administrator accounts on your site.
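As an added illustration of the trusted-domain check this answer describes (this is not code from the plugin or its author), here is a plain-PHP function that accepts an embed src only when its parsed host is one of the trusted domains or a subdomain of one. The function name, the trusted list and the sample URLs are constructed for the example; no WordPress installation is needed to run it.

```php
<?php
// Added example, not part of the Responsive Iframe Watchdog plugin. The function
// name, trusted domains and sample URLs below are hypothetical/constructed.

/**
 * Return true when $src is an https URL whose host is one of $trusted_domains
 * or a subdomain of one. Matching the parsed host (never a substring of the
 * whole URL) is what makes look-alike hosts and userinfo tricks fail the check.
 */
function example_is_trusted_embed_src( $src, array $trusted_domains ) {
    $parts = parse_url( (string) $src );
    if ( $parts === false || empty( $parts['host'] ) ) {
        return false; // relative or malformed URL: no host to verify, so not trusted
    }
    if ( empty( $parts['scheme'] ) || strtolower( $parts['scheme'] ) !== 'https' ) {
        return false; // only https embeds; rejects http:, javascript: and data: sources
    }
    $host = strtolower( rtrim( $parts['host'], '.' ) );
    foreach ( $trusted_domains as $domain ) {
        $domain = strtolower( trim( $domain, " \t\n\r." ) );
        if ( $domain === '' ) {
            continue; // skip blank entries from the settings page
        }
        $suffix = '.' . $domain;
        if ( $host === $domain || substr( $host, -strlen( $suffix ) ) === $suffix ) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs with the expected verdicts.
$trusted = array( 'youtube.com', 'player.vimeo.com' );
$samples = array(
    'https://www.youtube.com/embed/VIDEO_ID'         => true,
    'https://player.vimeo.com/video/123'             => true,
    'https://vimeo.com/123'                          => false, // vimeo.com itself is not listed
    'http://www.youtube.com/embed/VIDEO_ID'          => false, // plain http
    'https://youtube.com.attacker.example/embed/x'   => false, // look-alike host
    'https://youtube.com@attacker.example/page.html' => false, // youtube.com is userinfo, host is attacker.example
    '//www.youtube.com/embed/VIDEO_ID'               => false, // scheme-relative: no scheme to verify
    'javascript:void(0)'                             => false, // no host at all
);
foreach ( $samples as $src => $expected ) {
    $verdict = example_is_trusted_embed_src( $src, $trusted );
    printf( "%s %s\n", $verdict === $expected ? 'ok  ' : 'FAIL', $src );
}
```

Comparing the parsed host rather than searching the whole URL string is the point of the example: a plain substring test for "youtube.com" would accept both the look-alike host and the userinfo form in the sample list. In a WordPress plugin the same check would sit in the shortcode handler, with the src still passed through esc_url() before it is written into the iframe tag.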
Do I have to disable iframes in WordPress by Removing the unfiltered_html capability?
You may have already disabled iframes on your WordPress site so that only an Administrator can embed. This is a good idea! Responsive Iframe Watchdog allows your Editors and Authors to embed even with iframes (unfiltered_html) disabled.
How do I disable iframes in WordPress by Removing the unfiltered_html capability?
Refer to the WordPress documentation on remove_cap. You should be experienced in executing PHP code within WordPress before running the following code, and the code should only execute once.
To remove capability for Editor Roles:
    try {
        $editor_role = get_role( 'editor' );
        if ( $editor_role ) {
            // remove_cap() writes the change to the database, so this needs to run only once.
            $editor_role->remove_cap( 'unfiltered_html' );
        }
    } catch ( Exception $e ) {
        // 'continue' is only valid inside a loop and is a fatal error here; log instead.
        error_log( 'Could not remove unfiltered_html from editor role: ' . $e->getMessage() );
    }
To remove capability for Author Roles:
    try {
        $author_role = get_role( 'author' );
        if ( $author_role ) {
            // remove_cap() writes the change to the database, so this needs to run only once.
            $author_role->remove_cap( 'unfiltered_html' );
        }
    } catch ( Exception $e ) {
        // 'continue' is only valid inside a loop and is a fatal error here; log instead.
        error_log( 'Could not remove unfiltered_html from author role: ' . $e->getMessage() );
    }
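The answer above says the code should only execute once but leaves the "once" to the reader. The following added example (not part of Responsive Iframe Watchdog) shows one way to do that as a must-use plugin: it hooks admin_init, removes the capability from both roles, and records completion in an option so later requests skip the work. The file location, the option name and the function name are assumptions; the WordPress functions used (add_action, get_option, update_option, get_role, WP_Role::has_cap, WP_Role::remove_cap) are standard.

```php
<?php
/**
 * Plugin Name: Example: remove unfiltered_html from editor and author once
 *
 * Added example, not part of Responsive Iframe Watchdog. Save it as a file in
 * wp-content/mu-plugins/ so WordPress loads it on every request. The option
 * name and function name are hypothetical.
 */

add_action( 'admin_init', 'example_remove_unfiltered_html_once' );

function example_remove_unfiltered_html_once() {
    // remove_cap() persists the change in the database, so it only needs to run
    // once. An option records that it already ran, so this file can stay in place.
    if ( get_option( 'example_unfiltered_html_removed' ) === 'done' ) {
        return;
    }

    foreach ( array( 'editor', 'author' ) as $role_name ) {
        $role = get_role( $role_name ); // WP_Role, or null if the role does not exist
        if ( $role instanceof WP_Role && $role->has_cap( 'unfiltered_html' ) ) {
            $role->remove_cap( 'unfiltered_html' );
        }
    }

    // Third argument false: do not autoload this one-off flag on every page load.
    update_option( 'example_unfiltered_html_removed', 'done', false );
}
```

To confirm it worked, log in as an Editor, paste an iframe tag into a post in the Text editor and save: WordPress strips the tag on save for users without unfiltered_html. Two caveats from WordPress itself: on a multisite network only super admins hold unfiltered_html in the first place, and defining DISALLOW_UNFILTERED_HTML as true in wp-config.php removes the capability from every role, Administrator included, without any code.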
Will I have to change all existing iframes on my site?
Any pre-existing HTML elements (i.e. <iframe>, <embed>, <video><source>) will still function as they did before, provided the domain name is trusted. If at some point you need to edit these pages/posts, you should use this plugin's embed dialog form to re-embed using the shortcode instead of the original HTML element. Convert any existing <iframe>, <embed> or <video><source> elements to [lgrriw_div][lgrriw_iframe] shortcode via the dialog form. If your role has the unfiltered_html capability disabled and you update an existing post/page that still contains an iframe tag without first converting it to shortcode, that iframe will be blocked from public view once the changes are saved.
What does "Responsive" Mean?
Have you ever noticed that when you shrink your browser width and/or height, an embedded video doesn't always shrink with it? Or that the same video doesn't scale quite right on a mobile phone or tablet? When one says that a video is responsive, that means it will look right in any browser or on any device at any size, and it will not have black borders around the video as the container is resized. Note: the WordPress embed shortcode is not responsive and cannot be made responsive.
Can I embed a playlist?
Yes, playlists are supported for YouTube and Dailymotion (Recurring Event): just paste the URI into the URL textbox and the app will do the rest. Vimeo and Brightcove individual videos are supported, but their playlists are not.
Are all player parameters supported?
Just about all of the parameters are supported for all players (see screenshots).
Can I put a border around the embedded video?
Yes, just select the border thickness from the drop-down and enter a color name or color code (e.g. red, blue, #c19925).
Will the embed be clearly visible on my phone in portrait view?
Yes, since your WordPress site pages are automatically responsive, the embeds follow all orientations and screen sizes. The smallest screen I tested was an iPhone 5s, which looks perfect in both portrait and landscape orientations.
What if my video server is not YouTube, Vimeo, Livestream, Dailymotion or Brightcove? Can I still embed a video?
Yes, just copy your URI with all of its parameters to the clipboard and paste it into the "Other" URL textbox; the plugin will honor all parameters as-is and make the embed responsive as well.
What if my video is supposed to be SD 4X3 but on YouTube it was encoded as HD 16X9 with black borders?
You can paste the URI into the textbox as usual and select 4X3 from the "Aspect Ratio" drop-down, and it will be perfectly responsive as 4X3 with no black borders.
1.2.1
- Fixed: Changed all explicit installations paths to relative paths.
- Fixed: Removed call from admin page to prevent “saved settings” message from appearing twice.
- Fixed links to tutorial videos.
- Changed: Author URI to point to a static page.
- Tested: on WordPress 4.9.1
1.2
- Fixed broken file path to lgr_responsive_iframe_watchdog.css in lgr_responsive_iframe_watchdog.php.
- Fixed broken file path to lgr_responsive_iframe_watchdog.js in lgr_responsive_iframe_watchdog_options_page.php.
1.1
- Fixed: Changed installation path to match the name of the original uploaded zip file.
1.0
- Initial Version.