security - Read For Learn

Content-Security-Policy blocks WordPress check boxes from being activated

Thanks to Jacob’s hint I got the solution. This one is working. Header set Content-Security-Policy “base-uri ‘self’; default-src ‘self’; font-src ‘self’ data: https://fonts.gstatic.com; frame-src https://www.google.com https://www.youtube.com; img-src data: ‘self’ https://secure.gravatar.com; script-src ‘self’ ‘unsafe-inline’ ; style-src ‘self’ ‘unsafe-inline’ https://fonts.googleapis.com; object-src ‘self’; form-action ‘self’; frame-ancestors ‘self’;” The difference is the data: in the ìmg-src section.

should I escape a literal url added in functions.php

No, you don’t have to escape values that cannot be changed by someone else. You should escape output that might be changed by some other source, for example if there is a filter running on the values. Let’s say you are using wp_upload_dir() to find the upload directory – and you absolutely should, because the … Read more

Is it safe to upload JSON files to upload folder?

JSON files are really data files: they are not a security threat per se, it’s simply that WordPress doesn’t include them in its whitelist. It really depends on who can upload the data and what you do with the data. After all, an Excel file with macros can be a security risk, and yet WordPress … Read more

Website show Google Ads when we have no Google Ads linked to our website

probably your website is hacked. The first thing to do is: if you still have access to your website and can log in, try to put it in maintenance mode (you can use any free plugin). change your password and delete any unknown user. if your hosting has a Malware Removal Service, use it to … Read more

404/500 error on content images if Referer header is from another domain [closed]

It has nothing to do with WordPress. Your server is configured to refuse access from other domains. All you need to enable CORS Origin. This will allow request from other domains. But it will decrease security. You might want to change the * (allow all) to your sub domain. Just put it in your .htaccess … Read more

reCaptcha doesnt appear in comment (manual or plugin)

As I see you are using reCaptcha v3 as the examples you try and it will not appear until the user score is under the minimum you added into the configuration but it is still working and checking the user score before he submits your form. anyway if you configured the plugin correctly you may … Read more

How can i ensure that SQL statements are not displayed if an enduser types the wrong variable name in the URL

There’s two separate problems here: You have code that causes an error. That error is exposing information to end users that you don’t want to expose. The problem that’s causing #2 is that you have error printing enabled in a production environment, which is against best practice. Error reporting is controlled by a PHP configuration … Read more

Privilege escalation bugs in 2.9?

There are no known security vulnerabilities in 2.9.2 If any new vulnerabilities are discovered the fix will be packported. (This has not happened but if it did we would get a version 2.9.3) WordPress does not have a backport policy that goes further than the previous major release so it is unknown when the 2.9 … Read more

Spam injected in w3 total cache page cache [closed]

It is prolly injected in your files. Look at the plugin files, search for eval or base64.

How can I password protect a WordPress site without requiring users to log in?

You could add a statement to the end that require them to answer a question if they dont have a cookie set and sets a cookie when they do, allowing them access to the site. I’m on my phone but something like this. <?php if($_POST[‘q’] == ‘answer’) { // set cookie } elseif($_COOKIE[‘q’] != ‘cookie’) … Read more

+ More