It loads a block of markup containing spam (I thought about posting a bit of the source but I don’t want to advertise the content in any way) from a domain that is a close misspelling of the domain– http://jquery.com/— used by jQuery, a reputable and popular Javascript library and one that WordPress includes in … Read more
There are two concepts here: validation – making sure data is valid, i.e. an integer is an integer, a date is a date (in the right format etc). This should be done just before saving the data. sanitisation – making the date safe for its use in the current context (e.g. escaping SQL queries, or … Read more
Escaping depends entirely on the context in which you are using the functions. What is safe for displaying inside <h1> tags, is not necessarily safe to display for the value attribute of an input field, and even that wouldn’t necessarily be safe as a href attribute value…. In short – perform the sanitisation yourself as … Read more
< and > are encoded as +ADw- and +AD4- in UTF-7. Now imagine the following: Someone sends +ADw-script+AD4-alert(+ACI-Hello+ACI-)+ADw-/script+AD4- as comment text. It will pass all sanitation unescaped. The database expects and treats all incoming data as UTF-8. Since all UTF-7 streams are valid UTF-8 too, this will never result in a SQL error, and mysql_real_escape … Read more
##Plugin Necessity## What the necessity of plugins really boils down to is the question, “Am I satisfied that WordPress’s core functionality is all that I need?“ If all you want is a simple blog with some categories and a number of static pages you’re set. But if you want to start integrating interactive maps, calenders … Read more
While I agree with the previous answers, to answer the question you actually asked, what comes to mind is to use one of these constants for wp-config.php: define(‘AUTH_KEY’, ‘redacted’); define(‘SECURE_AUTH_KEY’, ‘redacted’); define(‘LOGGED_IN_KEY’, ‘redacted’); define(‘NONCE_KEY’, ‘redacted’); They are meant to be unique across wordpress installations – and are about the only options for pre-existing keys to … Read more
There is currently a botnet active, attacking WordPress and Joomla sites. And probably more. You should see more blocked logins. If you don’t, there is probably something wrong. But be aware, blocking IP addresses doesn’t help against a bot net with more than 90,000 IP addresses. And if you do that per plugin avoid Limit … Read more
Use Nonces (when not using Settings API) Plugins and Themes should explicitly provide Settings-page nonce checking, if not using the Settings API: WordPress Nonces (Codex) WordPress Nonces (Mark Jaquith) Improving security in WordPress plugins using Nonces (Vladimir Prelovac) 5 tips for using AJAX in WordPress > 3. Use nonces and check for permission (Gary Cao)
I thought that check_admin_referer checked the nonce (it does call wp_verify_nonce, and the referring url. After digging into the core code I realised that it did not do this. Thinking it was a bug I reported it, and Ryan Boren replied with the following: Actually, if the nonce is valid the referrer should not be … Read more
If you are doing this for your own site then using .htaccess might be the easiest way although it could get tricky if you want to make it work for a plugin as there would be lots of different subtle configuration differences to support. Here are some articles that could help; not all are directly … Read more