security - Read For Learn

Force SSL on a single page which is used as iFrame

You are getting redirected because of the automatic redirection to the canonical address of the page which is http://…. You will need to use the redirect_canonical filter https://developer.wordpress.org/reference/hooks/redirect_canonical/ to tell wordpress to not redirect for that page.

Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?

In short: YES, is a big time threat. Explained: Little time has passed since I asked this question but now I have found that the safer and most useful file permissions for wordpress are the following: Directories: 755 Owner can: Read, write and execute. Group and public can: Read and execute. Read-only files:644 Owner can: … Read more

PHP Code Sniffer – WordPress VIP Coding Standards

You can use filter_input to sanitize your $_POST array. $nonce = filter_input( INPUT_POST, ‘revv_meta_box_nonce’, FILTER_SANITIZE_STRING ) use empty() to check $nonce has a value or not. You can use the same for second issue $foo = filter_input( INPUT_POST, ‘foo’, FILTER_SANITIZE_STRING ) change 3rd parameter based on your expected data in $_POST[‘foo’]. check this doc for … Read more

What is more secure checking capabilities of user or checking role of user in WordPress plugin development

I would always go for the role “check”. As in your case: if ( current_user_can( ‘vendor’ ) ) { // do stuff } Or of course the distributor role as created by you. This way you can be sure that one is not interfering with the other and you can assign each role to its … Read more

Filter and validate user role in registration

You can use wp_dropdown_roles()

Can I rename the wp-admin folder?

Unfortunately it’s not currently possible nor does there appear to be will to consider it as a modification as you can see by this recent thread on the wp-hackers list and this ticket on trac. If you’d really like to see this be revisited I’d suggest: Present your case on wp-hackers but be forewarned your … Read more

Require confirmation of current user’s email before updating database and before send_email_change_email

I found an answer here i will give this a try.. Confirmation required on email change

Is it possible to only have the admin interface bind to the local loopback?

What is the best practice for restricting a section to logged in users?

I think the answer is “it depends” — on how flexible and/or “slick” you want the solution to be. The quickest/easiest thing to do would be to create a custom post type (there are tried/true plugins out there that can help establish this) — and then in your theme functions.php (or in a very simple … Read more

My site thinks it’s secure when it is fact not

wp_config was set up to force SSL by overwriting $_SERVER[‘HTTPS’], I respolved the issue. I assume someone was trying to make SSL work behind the proxy at one point. It would actually be a much better solution ( specifically for asset links ) to use the double slash //

+ More