Closed RogerKeulen closed 5 years ago
Hello,
Thanks for your concern. We are not aware of any outstanding security issues; the newest version should be secure.
If you have the plugin installed, /facebookadstoolbox/productfeed/gen is a URL Facebook uses to trigger the feed regeneration mechanism (by default once a day) before fetching the feed file, so this endpoint will be queried from Facebook (more accurately genPing will be queried). It's true that this endpoint can be queried by others, but there is a cache preventing the feed from being regenerated too often to cause a DDoS. Details are in the code.
I can think of a couple of ways to secure this endpoint even further to prevent requests not originating from Facebook, if that is a concern.
Closing, we have had no reported security problems for over a year now with this plugin, so I don't think we need to go overboard with security enhancements at this time.
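The throttling described in the reply above, as an added example that is not part of the thread and not the plugin's own code: a gate in front of a publicly reachable trigger URL that rebuilds the feed at most once per interval, however many requests arrive. The names `FeedRegenerationGate` and `simulate_burst` and the interval values are assumptions; the thread does not state the plugin's cache lifetime.

```python
import threading
import time


class FeedRegenerationGate:
    """Allow an expensive feed rebuild at most once per min_interval seconds."""

    def __init__(self, regenerate, min_interval, clock=time.monotonic):
        self._regenerate = regenerate      # expensive callable that rebuilds the feed file
        self._min_interval = min_interval  # assumed value, not taken from the plugin
        self._clock = clock
        self._lock = threading.Lock()
        self._last_run = None

    def handle_request(self):
        """Return 'regenerated', 'cached' or 'busy' for one hit on the trigger URL."""
        # Non-blocking acquire: hits that arrive during a rebuild are answered
        # immediately instead of queueing up behind it.
        if not self._lock.acquire(blocking=False):
            return "busy"
        try:
            now = self._clock()
            if self._last_run is not None and now - self._last_run < self._min_interval:
                return "cached"
            self._regenerate()
            # Stamp after the rebuild so a rebuild that raised is retried next time.
            self._last_run = self._clock()
            return "regenerated"
        finally:
            self._lock.release()


def simulate_burst(hits, spacing, min_interval):
    """Constructed traffic: `hits` requests, `spacing` seconds apart, on a fake clock."""
    t = [0.0]
    rebuilds = []
    gate = FeedRegenerationGate(lambda: rebuilds.append(t[0]), min_interval,
                                clock=lambda: t[0])
    outcomes = []
    for _ in range(hits):
        outcomes.append(gate.handle_request())
        t[0] += spacing
    return len(rebuilds), outcomes
```

With the gate in place, the cost of unsolicited requests is one cheap timestamp comparison each; counting "cached" and "busy" responses per source address gives a simple signal for scanning of the endpoint.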
I get some requests at my servers for your code. Blocked-Ip: /facebookadstoolbox/productfeed/gen
Please make sure your code is safe to use. Always install a honeypot and check your logs.