Get Oxygen
Learn Reference Other Security Considerations

Security Considerations

Shortcode Signing

At Oxygen -> Settings -> Security you can choose to prevent Oxygen from executing its shortcodes if they lack a valid signature.

To harden Oxygen against potential attacks, it is highly recommend you enable this option. It is enabled by default for new installs of Oxygen 2.1 and up.

Shortcode Signing Explained

Oxygen stores the elements on your page as WordPress shortcodes. At runtime, those shortcodes are compiled into PHP, HTML, CSS, and JavaScript.

If another plugin on your site has a security hole which lets unauthorized users execute shortcodes, they could execute Oxygen's shortcodes. Since Oxygen's shortcodes allow for the execution of PHP, they could run any arbitrary PHP code they want on your site - in other words, change your admin password, steal all your user data, or do literally anything else.

Of course, this attack would require another plugin to be present on your site with a security flaw that allows unauthorized users to execute shortcodes. But since it is likely many of these plugins are floating around, it is highly recommended you enable this option.

The only way to generate a valid signature is to have access to the signing keys, which are unique and randomly generated when you install Oxygen. These are stored in your wp_options table, so only a site admin or an attacker who could otherwise read data from your database could get the keys and sign a shortcode.

Further reading:

WordPress Multisite

By giving users on a multisite network access to Oxygen, you’re giving them the ability to write PHP code from within Oxygen using elements like Code Block or Easy Posts.

Obviously, this means they could they could execute any arbitrary PHP code - just like if you gave them the privilege to install plugins or edit theme PHP files.

Soflyy is proud to offer you Oxygen, our vision for what visual website design can be. We love it, and we think you will too.
More About Us

Stay up to date with Oxygen

© Soflyy 2019
Designed with Oxygen.
LegalTrademark Policy
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram