Hide wp-login.php but not the widget
Nonces are used to verify that a request is allowed from the sender. For public data, all GET requests are allowed, if they match existing public content. So no, do not use a nonce for that. You have nothing to do if the nonce validation fails. That’s always a good indicator for unnecessary information.
WordPress exploited theme is causing high io load on server
Can I make an ajax response cross-domain?
My security solutions so far: WordPress Make all new posts private (in WordPress) Don’t use any modules, the more third party software I add the less secure the repo becomes Two-factor authentication (this would break the no third party module rule above) Apache Force https (in .htaccess) Protect web repository using .htpasswd (in …
wp-config.php file and code injection
Maybe it is just a stupid bot. I have daily 404s from different IP addresses trying to access URLs like http://www.example.com/http://facebook.com/ or http://www.example.com/sms:+43123456789. The user agent of the bot I always see is something like Java/… This bot tries to follow all links, href, src, etc. he can find. Check if you maybe have the …
SWF in wordpress post
Yes, you can use a htaccess. In fact, I often recommend htaccess based protections over plugins because they do not depend upon PHP code or WordPress. They use a completely independent system – Apache. The more important question is: Do your htaccess rules protect against the threats you wish to mitigate? Some protections may require …
No, you don’t need to validate/clean/escape because of security flaws in WordPress. WordPress uses prepared statements by default. However, you can validate by yourself that the content is what you are expecting. For example if you only want numbers you can use is_numeric() or is_float(). Or match the input value to an array of predefined strings.