that wordpress.org page was probably written by someone that do not get security. Escaping is done to make sure that your output, when is part of an HTML page, is displayed to the user as you intend it to be which means converting thing like “<” to the appropriate HTML entity. Yes, if you do … Read more
TLDR: No parameters need to escaped. The below assumes no third-party code hooked into any filters run by the wp_get_attachment_image() function or sub-function calls: $attachment_id (parameter 1) This is used to get the attachment post and reference it in other functions. This parameter is not used in direct output and thus does not need to … Read more
Theme Check is a tool published by the WP.org Themes team to scan your theme against the wp.org security standards. There’s also one for plugins. Any default functionality like comment forms will already be escaped/sanitized.
It’s probably the issue mentioned in the changelog for 6.3.8 here. The developers were unable to release the patch on dot org themselves because Mullenweg had unilaterally revoked their access to the plugin repository because the plugin is owned by WP Engine. The issue has been patched in the version available directly from the developer, … Read more
Can I overwrite WP’s ca-bundle.crt? No. This file and any other files in the wp-includes folder should never be updated modified or edited unless it’s to replace them with a newer version of WordPress. If you decide to ignore that and manually update the file anyway there are several consequences: on managed hosts this won’t … Read more
The JSON API will allow for the enumeration of authors (and usernames) for a WordPress site. You can’t turn that off. To protect yourself you should: Use strong passwords (you’re already doing that) Leverage two-factor authentication (either with the community-developed Two-Factor or using WordFence’s own support) Leverage a plugin like Jetpack that also supports brute … Read more
is partly wrong in every WordPress .Htaccess hardening article I’ve seen. Unfortunately it is very common for Apache config/regex code snippets to be blindly copy/pasted and errors do propagate. Unless there is some obscure vulnerability we are not aware of then I would bet that that is what has happened here. (Although matching “too much” … Read more
If you look at the source of admin-ajax.php, the answer becomes clearer: $action = $_REQUEST[‘action’]; if ( is_user_logged_in() ) { // If no action is registered, return a Bad Request response. if ( ! has_action( “wp_ajax_{$action}” ) ) { wp_die( ‘0’, 400 ); } /** * Fires authenticated Ajax actions for logged-in users. * * … Read more
The problem with having a “hook” is that the add_action() function would not be defined that early so WordPress would have to be recoded so that the function is available much earlier. Also to use an action hook you would need to add your code inside a theme or a plugin. WordPress must make database … Read more
If you were in the process of making any changes when the bot came by, it may have picked up something bogus from the site. You can request a review in search console, I think they should either green-light it or tell you more specifics on what the problem is.