You can’t. Any secrets you put into your pages or JavaScript can be read out of the downloaded files by the client. Instead, you probably want to either: Move the secrets into your server-side code and have your server code make requests to external APIs using the secrets, and use WordPress nonces and login cookies … Read more
You need to use strlen() to determine the length of a variable, so your second if condition is invalid. As it is, this question is not really related to WordPress, so likely off-topic.
A detailed why or how is not going to be possible with the limited information you’ve provided. For a detailed forensic investigation we would need more than just an IP and arbitrary Username, in fact we would need everything… DB, access logs, changelogs, codebase – quite literally everything you’ve got and even then it’s not … Read more
so you need to make sure you are using the hook “admin_enqueue_scripts”. this only loads the script on the admin side. admin_enqueue_scripts is the proper hook to use when enqueuing scripts and styles that are meant to be used in the administration panel. Despite the name, it is used for enqueuing both scripts and styles. … Read more
On a multisite install, go to the Network Admin area and add the webm file extension to the allowed extensions list. On a single-site install, add this to your wp-config.php file: define(‘ALLOW_UNFILTERED_UPLOADS’,true); That will allow administrator level users to upload files without the file type restrictions. The underlying problem is that webm hasn’t been added … Read more
Make sure to protect your file directories, don’t make them writable by you only! Red up: http://codex.wordpress.org/Hardening_WordPress And download: http://wordpress.org/extend/plugins/wp-security-scan/
For a fully-working solution, you will need to modify certain hard-coded urls in core files, which is not fun to have to do each time WP is upgraded. One easier option is to protect the wp-admin folder with an .htaccess file. You could basically deny all IP addresses and whitelist the few IP’s that you … Read more
Take a look here: http://ma.tt/2011/08/the-timthumb-saga/ I assume you know who Matt is. Also, Matt mentioned this guy in that link, and he’s got some updates on the issue posted to his site http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/ The short is, there’s now TimThumb 2.0 which is fixed. It’s available here http://code.google.com/p/timthumb/
You could try hooking into template_include and showing the user a completely different page containing the login form (without changing the URL) if the post is password protected. Combine that WordPress’ built in post password functionality and you have something really close to what you want (blocking an entire page). You could also use {{insert … Read more
At first, read something about WordPress Ajax API and about Roles and Capabilities – capability to “edit_posts” has even Contributor. I would suggest to check for ‘delete_others_posts’ to prove the user is at least Editor. Or use capability of ‘manage_options’ (has Administrator, not Editor). Further, there is a check ajax referer function for you to … Read more