security - Read For Learn

Which WP-CLI commands can be safely run with –allow-root flag?

No commands are safe when ran as root. Even the help screens aren’t safe as root. The reason the –allow-root flag is considered dangerous is not because of what the CLI commands themselves do, but because your entire sites code is loaded when WP CLI runs, but now as root. This would mean any hidden … Read more

How to stop a nonce from being cached in an inline script, or alternatives to regenerate it if expired?

Secure way to add JS Script to WordPress filesystem

Thank you @Tom J Nowell letting me think about this. I had to think about it the last day, and this is the safe way to do this. function lwb_jquery() { $message=””; // Multisite Support if( is_multisite()) { $uri = get_stylesheet_directory() . ‘/sites/’ . get_current_blog_id(). ‘/assets/js/lwb-script.js’; $file_path=”[AKTIVES THEME]/sites/” . get_current_blog_id() . ‘/assets/js/lwb-script.js’; if( !file_exists( $uri … Read more

CF7 for radio buttons only, ok?

WordPress.Security.NonceVerification.Recommended

Can a user submit requests to wp-admin/admin.php without logging in?

No, this is a red herring that has nothing to do with the problem, likely from a misunderstanding of what WP user login sessions are tracking. The TLDR: It’s probably because they logged out. The problem is that the user that it was done under hasn’t been logged into in about a year according to … Read more

wp-salt.php and wp-cli.yml File present in public_html folder

These are safe. Normally the contents of wp-salt.php is in the wp-config.php. The reason you site became inaccessible is due to the change in wp-config.php to include wp-salt.php. I.e. include(‘wp-salt.php’); You can delete wp-salt.php, but be sure to copy the defines into the wp-config.php were the “include(‘wp-salt.php’);” line is and remove the “include(‘wp-salt.php’);” line. The … Read more

(How) does WordPress protect direct access of user data?

I guess you are not familiar with WordPress API. WordPress uses nonces to keep track of logged in users and authorized requests. Relatively new feature is also App authentication, which is under the hood basic authentication. However, while WordPress IS secure (nonces are sent in headers and have expiry time), specific plugin you are using … Read more

Content Security Policy blocking images from installed plugins’ popup info window, as they are from external domains – global fix?

The answer, as mentioned in a comment by @JacobPeattie, was to add the domains to my .htaccess file where I am setting the CSP Headers, (turns out most plugins’ “View Details” link loads images from ps.w.org, which I just learned). A few other plugins loaded images from other domains, so I also added each of … Read more

+ More