Running WordPress multisite login from a subdomain
These are safe. Normally the contents of wp-salt.php are in the wp-config.php. The reason your site became inaccessible is due to the change in wp-config.php to include wp-salt.php, i.e. include('wp-salt.php'); You can delete wp-salt.php, but be sure to copy the defines into the wp-config.php where the "include('wp-salt.php');" line is and remove the "include('wp-salt.php');" line. The … Read more
I guess you are not familiar with the WordPress API. WordPress uses nonces to keep track of logged-in users and authorized requests. A relatively new feature is also App authentication, which is basic authentication under the hood. However, while WordPress IS secure (nonces are sent in headers and have an expiry time), the specific plugin you are using … Read more
The answer, as mentioned in a comment by @JacobPeattie, was to add the domains to my .htaccess file where I am setting the CSP Headers, (turns out most plugins’ “View Details” link loads images from ps.w.org, which I just learned). A few other plugins loaded images from other domains, so I also added each of … Read more
It could be that you have the Post SMTP plugin installed. There is an exploit in this plugin: https://patchstack.com/database/vulnerability/post-smtp The issue has been fixed in version 2.8.8 and above.
This is a bug in the POST SMTP plugin. It has been reported here, and also the plugin support forum is full of reports of the same issue. The issue has been fixed in version 2.8.8 of POST SMTP.
When WordPress enabled the REST API in Core in version 4.7 it enabled the endpoint /wp-json/wp/v2/users/ to list all users that have posted something to the site. Therefore that endpoint can be used by an attacker to find some or all of the administrator account usernames to target for password cracking which is a potential … Read more
The first thing is to inline the nonce so that you can use it in the script that calls the ajax action.
    // plugin or theme php file
    wp_enqueue_script( 'your-script-handle', 'url/to/your/script.js', array( 'jquery' ), null, true );
    wp_add_inline_script( 'your-script-handle', 'const YourAjaxConfig = ' . json_encode( array( 'ajax' => array( 'url' => admin_url( 'admin-ajax.php' ), 'action' … Read more
You can use the rest_dispatch_request filter to catch the /wp/v2/users routes before they deliver their data to the user.
    add_filter( 'rest_dispatch_request', 'wpse425815_authenticate_user_route', 10, 4 );
    /**
     * Forces authentication on the wp/v2/user route(s).
     *
     * @param mixed $result The current result.
     * @param WP_Request $request The REST request.
     * @param string $route The requested route. … Read more
If you downloaded the latest version then your download URL would have been: https://wordpress.org/wordpress-6.5.3.zip You can find the md5 hash for this file by adding .md5 to the end of that URL, like this: https://wordpress.org/wordpress-6.5.3.zip.md5 The md5 hash for this file is: ad3b0a21dec368341d64906e86db49f7 So, theoretically, you should be able to get the md5 hash of … Read more