TLDR: No parameters need to escaped. The below assumes no third-party code hooked into any filters run by the wp_get_attachment_image() function or sub-function calls: $attachment_id (parameter 1) This is used to get the attachment post and reference it in other functions. This parameter is not used in direct output and thus does not need to … Read more
Theme Check is a tool published by the WP.org Themes team to scan your theme against the wp.org security standards. There’s also one for plugins. Any default functionality like comment forms will already be escaped/sanitized.
It’s probably the issue mentioned in the changelog for 6.3.8 here. The developers were unable to release the patch on dot org themselves because Mullenweg had unilaterally revoked their access to the plugin repository because the plugin is owned by WP Engine. The issue has been patched in the version available directly from the developer, … Read more
Can I overwrite WP’s ca-bundle.crt? No. This file and any other files in the wp-includes folder should never be updated modified or edited unless it’s to replace them with a newer version of WordPress. If you decide to ignore that and manually update the file anyway there are several consequences: on managed hosts this won’t … Read more
The JSON API will allow for the enumeration of authors (and usernames) for a WordPress site. You can’t turn that off. To protect yourself you should: Use strong passwords (you’re already doing that) Leverage two-factor authentication (either with the community-developed Two-Factor or using WordFence’s own support) Leverage a plugin like Jetpack that also supports brute … Read more
is partly wrong in every WordPress .Htaccess hardening article I’ve seen. Unfortunately it is very common for Apache config/regex code snippets to be blindly copy/pasted and errors do propagate. Unless there is some obscure vulnerability we are not aware of then I would bet that that is what has happened here. (Although matching “too much” … Read more
Code Snippets security when selecting “only run on front end”
nonce_user_logged_out to assign guests unique nonces breaks ajax calls
Custom true nonce in conjunction with WP nonce in PWA
If you look at the source of admin-ajax.php, the answer becomes clearer: $action = $_REQUEST[‘action’]; if ( is_user_logged_in() ) { // If no action is registered, return a Bad Request response. if ( ! has_action( “wp_ajax_{$action}” ) ) { wp_die( ‘0’, 400 ); } /** * Fires authenticated Ajax actions for logged-in users. * * … Read more