To prevent brute force attacks, there are some security measures you need to implement on your site Prevent the discovery of usernames Limit login attempts Change the default login page URL Implement two-factor authentication Implement HTTP authentication Use a firewall Implement Geoblocking If you use a username and password that’s long and unique, it will … Read more
There are many ways to infect a site – and many ways to hide that infection from the ‘popular’ security plugins. One way to detect malicious code is via a file-hash-compare function. You may need to write your own though (I did, but it’s not perfect). That function would compare each file’s hash with a … Read more
that looks good in my eyes. but i just had the same issue, that’s why i stumbled over your question. i fixed it in my case with if (!wp_verify_nonce($_POST[‘nonce’], ‘nonce’)) { die(__(‘Security Check failed’, ‘textdomain’)); } at the very beginning of my ajax action. no idea, where the 403 issue came from, since it worked … Read more
At our company we use a good handful of plugins, most notably WooCommerce. The way that we have things integrated, and the systems built around that, mean that doing wholesale updates are usually going to involve a lot of fixes and debugging. But, in eCommerce, staying up to date with security fixes is a MUST. … Read more
wp-login.php should not require additional effort from you to secure. However, I don’t think that’s what you client is asking for. My question therefore is does WordPress require further development to stop SQL injections etc on login forms? And do I need to apply input sanitation to the login fields? To wp-login.php, no, you don’t. … Read more
One approach (avoiding PHP timeouts) for a local Linux Cron Job (for exact timing) is creating a WP-CLI command (does not run in the browser), like: <?php /* Plugin Name: WP-CLI Foo */ function foo_command( $args ) { // Adjust to your needs … WP_CLI::success( $args[0] ); } WP_CLI::add_command( ‘foo’, ‘foo_command’ ); and the corresponding … Read more
Is there a way to globallly apply esc_html( … ) to all inputs and anchors to filter out XSS markup? No, by the time you have output it’s too late, any damage has already been done. Even if you could do this, you wouldn’t want to, escaping is highly contextual. Escaping is about enforcing assumptions, … Read more
To achieve this we can prevent admins from being authenticated into the site even with correct login and password unless they are using the WordPress default form instead of the WooCommerce login page. First, we need to distinguish between one form and the other when processing the login request, to do so we need to … Read more
What you’re seeing are probably calls from Pingbacks. If you don’t want them you can either disable them globally in the settings or just for a specific post in the “Discussion” metabox in the sidebar of that post.
You probably wouldn’t. If you did it would be to make sure it was in place already if in future you decided to make the variable dynamic or filterable. In this case I would suggest it for similar reasons to #1. You may know where $class is coming from now, but this may change in … Read more