How to chill out WordPress ajax requests? (Rate limiting)
That wordpress.org page was probably written by someone who does not get security. Escaping is done to make sure that your output, when it is part of an HTML page, is displayed to the user as you intend it to be, which means converting things like “<” to the appropriate HTML entity. Yes, if you do …
How to implement nonces so that undoing a trashed custom post type doesn’t cause an error?
Should the HTML attribute ‘tabindex’ be escaped?
“406 Not Acceptable” appearing in SEMrush index audit for WordPress site — how do I identify and fix the cause?
How to assess whether a WP core (or other) function is escaped already or not?
TLDR: No parameters need to be escaped. The below assumes no third-party code hooked into any filters run by the wp_get_attachment_image() function or sub-function calls: $attachment_id (parameter 1) This is used to get the attachment post and reference it in other functions. This parameter is not used in direct output and thus does not need to …
Theme Check is a tool published by the WP.org Themes team to scan your theme against the wp.org security standards. There’s also one for plugins. Any default functionality like comment forms will already be escaped/sanitized.
It’s probably the issue mentioned in the changelog for 6.3.8 here. The developers were unable to release the patch on dot org themselves because Mullenweg had unilaterally revoked their access to the plugin repository because the plugin is owned by WP Engine. The issue has been patched in the version available directly from the developer, …
Can I overwrite WP’s ca-bundle.crt? No. This file and any other files in the wp-includes folder should never be updated, modified or edited unless it’s to replace them with a newer version of WordPress. If you decide to ignore that and manually update the file anyway there are several consequences: on managed hosts this won’t …