Filter any HTTP request URI?

Less than an answer, but just a list of things straight from my experience with it – maybe you’ve overlooked something. Debugging the request & its results: Without diggin’ too deep into the update process, but the WP HTTP API uses the WP_HTTP class. It also offers a nice thing: A debug hook. do_action( 'http_api_debug', …

Why does WordPress need my private ssh key to update?

Essentially, WordPress needs to connect back to the server where it is actually running on. There are several possible ways WordPress can use to write files and thus “overwrite” itself during an upgrade. From a security perspective, the important part of this process is that the new files must have the same ownership as the …

How safe / sanitized is wp_insert_posts()?

You don’t have to do anything. On WP load: 'init' hook -> kses_init() -> kses_init_filters(). Later: wp_insert_post() -> sanitize_post() -> sanitize_post_field() -> 'content_save_pre' -> wp_filter_post_kses(). Similarly for post titles, comment text etc. Conclusion: wp_insert_post() is very sanitized. 🙂

For what security reasons are svgs blocked in the media uploader?

SVG can contain JavaScript. JavaScript can be used to hijack cookies or do other questionable actions. It can even be “hidden” in namespaces: <html xmlns:ø="http://www.w3.org/1999/xhtml"> <ø:script src="https://0x.lv/" /> </html> (source). It is very hard to filter that out during the upload, so it is just not allowed by default.

Should I remove install.php and install-helper.php?

No, there is no security risk. Both files do sanity checks before anything happens. If WordPress is already installed: install-helper.php returns just a blank page; install.php says WordPress is installed and you should log in. You can forbid access to both files with a simple rule in your .htaccess above the permalink rules: RedirectMatch Permanent …

Why should I use the esc_url?

If you check the documentation on Data Validation it has the following to say about the function: Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Rejects URLs that do not have one of the provided whitelisted protocols […], eliminates invalid characters, and removes dangerous characters. There you have it — …

What are the common security flaws I need to look for? [closed]

Here is a modified checklist, based on my current (work-in-progress) settings/data security checklist used for reviewing Themes (the principles should be no different for Plugins than they are for Themes): Plugins should prefix all options, custom functions, custom variables, and custom constants with plugin-slug. Plugins should implement Plugin Options and Plugin Settings pages deliberately, rather …

How does admin-ajax.php work?

admin-ajax.php is part of the WordPress AJAX API, and yes, it does handle requests from both backend and front. Try not to worry about the fact that it is in wp-admin. I think that is a strange place for it too, but it is not a security problem in itself. How this relates to “enumerate …
