Should the HTML attribute ‘tabindex’ be escaped?
“406 Not Acceptable” appearing in SEMrush index audit for WordPress site — how do I identify and fix the cause?
How to assess whether a WP core (or other) function is escaped already or not?
TLDR: No parameters need to be escaped. The below assumes no third-party code hooked into any filters run by the wp_get_attachment_image() function or sub-function calls: $attachment_id (parameter 1) This is used to get the attachment post and reference it in other functions. This parameter is not used in direct output and thus does not need to …
Theme Check is a tool published by the WP.org Themes team to scan your theme against the wp.org security standards. There’s also one for plugins. Any default functionality like comment forms will already be escaped/sanitized.
It’s probably the issue mentioned in the changelog for 6.3.8 here. The developers were unable to release the patch on dot org themselves because Mullenweg had unilaterally revoked their access to the plugin repository because the plugin is owned by WP Engine. The issue has been patched in the version available directly from the developer, …
Can I overwrite WP’s ca-bundle.crt? No. This file and any other files in the wp-includes folder should never be updated, modified, or edited unless it’s to replace them with a newer version of WordPress. If you decide to ignore that and manually update the file anyway, there are several consequences: on managed hosts this won’t …
The JSON API will allow for the enumeration of authors (and usernames) for a WordPress site. You can’t turn that off. To protect yourself you should: Use strong passwords (you’re already doing that) Leverage two-factor authentication (either with the community-developed Two-Factor or using WordFence’s own support) Leverage a plugin like Jetpack that also supports brute …
is partly wrong in every WordPress .Htaccess hardening article I’ve seen. Unfortunately it is very common for Apache config/regex code snippets to be blindly copy/pasted and errors do propagate. Unless there is some obscure vulnerability we are not aware of then I would bet that that is what has happened here. (Although matching “too much” …
Code Snippets security when selecting “only run on front end”