Theme Check is a tool published by the WP.org Themes team to scan your theme against the wp.org security standards. There’s also one for plugins. Any default functionality like comment forms will already be escaped/sanitized.
It’s probably the issue mentioned in the changelog for 6.3.8 here. The developers were unable to release the patch on dot org themselves because Mullenweg had unilaterally revoked their access to the plugin repository because the plugin is owned by WP Engine. The issue has been patched in the version available directly from the developer, … Read more
Can I overwrite WP’s ca-bundle.crt? No. This file and any other files in the wp-includes folder should never be updated modified or edited unless it’s to replace them with a newer version of WordPress. If you decide to ignore that and manually update the file anyway there are several consequences: on managed hosts this won’t … Read more
The JSON API will allow for the enumeration of authors (and usernames) for a WordPress site. You can’t turn that off. To protect yourself you should: Use strong passwords (you’re already doing that) Leverage two-factor authentication (either with the community-developed Two-Factor or using WordFence’s own support) Leverage a plugin like Jetpack that also supports brute … Read more
is partly wrong in every WordPress .Htaccess hardening article I’ve seen. Unfortunately it is very common for Apache config/regex code snippets to be blindly copy/pasted and errors do propagate. Unless there is some obscure vulnerability we are not aware of then I would bet that that is what has happened here. (Although matching “too much” … Read more
Code Snippets security when selecting “only run on front end”
nonce_user_logged_out to assign guests unique nonces breaks ajax calls
Custom true nonce in conjunction with WP nonce in PWA
If you look at the source of admin-ajax.php, the answer becomes clearer: $action = $_REQUEST[‘action’]; if ( is_user_logged_in() ) { // If no action is registered, return a Bad Request response. if ( ! has_action( “wp_ajax_{$action}” ) ) { wp_die( ‘0’, 400 ); } /** * Fires authenticated Ajax actions for logged-in users. * * … Read more
The problem with having a “hook” is that the add_action() function would not be defined that early so WordPress would have to be recoded so that the function is available much earlier. Also to use an action hook you would need to add your code inside a theme or a plugin. WordPress must make database … Read more