You can… Learn about file permission (on wordpress) Install WordPress Firewall plugin (version 2 for 3+ versions) (this dissalow access to any folder or file indirectly) Hide Your WordPress Version Try to update plugins & Wp install Login Lockdown Plugin (this stops any brute force attemts) Verify that your theme doesnt show “publish by $username” … Read more
Actually, there’s not too much you can do. If an intruder has direct access to your site – where they can run get_option() or perform direct SQL queries – then you’ve already run into a problem. The safest bet here is to exercise your best judgement when installing new plugins. In other words, the best … Read more
My understanding: They are going to disallow *.php access from external HTTP requests. It should not cause a problem. It’s a common security measure to disallow extension access, and if you are using custom permalink structures, you can get around most of the needs to do so. Since quite a bit of your interactions with … Read more
You should use a nonce to protect yourself from CSRF attacks. Even though you’re not sending anything to the database, I’d suggest using some of the built in data validation functions (there is even a is_email function for you to use!) to strip out any HTML from your email. esc_html( striptags( $your_email_content ) ), for … Read more
Since WP 3.1.3 has come out, we’ve released: 3.1.4 – security update 3.2 3.2.1 – security update 3.3 3.3.1 – security update 3.3.2 – security update On a scale of 1-10, skipping a single security update is about a 3 (bad, but not catastrophic). Skipping 4 security updates, though, would be closer to an 8-9 … Read more
I use http://wordpress.org/extend/plugins/limit-login-attempts/ which blocks IPs when login attempts exceed set limit you set. Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible. If you’re on a host where you can install and run root code, look at … Read more
First … I assume you have a backup of your SQL to restore from? It seems odd that you have lost only one table – why not all the tables in the database? Not Hacked htaccess rules corrupt / wp supercache / permalinks?? When you say you can’t login .. is there an error? can … Read more
Read about “Nonces”. Create one and append it to your URL: $url=”example.php?filename=whatever&nonce=” . wp_create_nonce(‘my_sensitive_action’); When your request is fulfilled check for it: // here verify if the nonce was used before if(wp_verify_nonce($_GET[‘nonce’], ‘my_sensitive_action’)){ // it’s ok, it wasn’t used before } Also the validity of these nonces has a time limit, like one day or … Read more
You can force all visitors to log in before they are allowed to see the pages. This will not work for attachments. But … if that already is a problem for your site – why did you install WordPress in a publicly accessible directory? You should plan visibility first, then run the installation. Consider HTTP … Read more
Maybe it is too late to hook on init. Try set_current_user or some earlier hook. List is here: https://codex.wordpress.org/Plugin_API/Action_Reference