YOu need to deeply look throughout your site for the ‘infection’/malware code. This would include the following steps: update everything (WP, themes, plugins) change credentials on everything (hosting, FTP, admin-level users) create a new admin user, log in as it, then delete the user called ‘admin’ (or demote to ‘subscriber’) look at all folders for … Read more
Start in the Codex: https://codex.wordpress.org/Hardening_WordPress . Basically, strong passwords on all accounts (hosting, FTP, email, WP users), and ensuring updates on WP/Theme/Plugins are done regularly. Also, carefulness with themes and plugins you use. Look at the support areas of both for other’s issues. Consider avoiding themes/plugins that have not been updated lately, or don’t have … Read more
In my opinion, no: using two plugins that cover the same features is a bad idea. Why? It is very likely that both plugins use the same hooks and filters and so on and will result in conflicts (e.g. .htaccess etc.). JetPack is too overloaded with useless stuff, though it is a high temptation to … Read more
SVG files contain code in the XML markup language which is similar to HTML. Your browser or SVG editing software parses the XML markup language to display the output on the screen. However, this opens up your website to possible XML vulnerabilities. It can be used to gain unauthorized access to user data, trigger brute force … Read more
The comment by ‘warm_tape’ is correct. Use home_url(), then put a die() after the wp_redirect to ensure that the accessed page will ‘die’ and not interfere with your main page.
No, there is nothing you can do if you are unable to modify the HTTP server behavior. The reason is that the HTTP server receives and processes the initial request and then hands it off to PHP. PHP then processes the request and hands the response back to the HTTP server, which then sends it … Read more
If you need to pass username and password for Basic Auth you need to send that in headers e.g. $headers = array(‘Authorization’ => ‘Basic ‘ . base64_encode( YOUR_USERNAME . ‘:’ . YOUR_PASSWORD ); $response = wp_remote_post( $url, array( ‘method’ => ‘POST’, ‘timeout’ => 45, ‘headers’ => $headers ) ); If you need to pass username … Read more
It’s probable that your site was hacked. And that will take some manual (‘by-hand’) investigation. Lots of googles on how to clean a hacked site. But, in general change all site/hosting credentials to strong passwords: hosting, ftp, database, WP users look for WP admin level users that shouldn’t be there look at every file for … Read more
The malware stores an array of PHP fragments to execute at the bottom of its own file, delimited and encoded using the MD5 hash of the filename. It has a specific GUID to control it; on start up it checks all POST and cookie values for properly-encoded commands: PHP serialized arrays, XORed with both the … Read more
If calling, sanitize_text_field(), it actually call an internal function _sanitize_text_fields() and add a filter for override. So First look at _sanitize_text_fields(), which actually do Checks for invalid UTF-8, Converts single < characters to entities Strips all tags <——— including wp_strip_all_tags() here Removes line breaks, tabs, and extra whitespace Strips octets That’s mean if calling sanitize_text_field(), … Read more