If you install the following plugin and leave that one running for a while… you can see who logged in since using that plugin: http://wordpress.org/extend/plugins/wp-last-login/ That seems to do what you need. As far as I quickly can see it runs on $this->hook( ‘wp_login’ ) and does: $user = get_user_by( ‘login’, $user_login ); update_user_meta( $user->ID, … Read more
Search the Trac for these kinds of core changes: trac ticket #23291 and trac ticket #23291.2.diff
I agree with Wyck’s comment. If I can upload files, game over. If I couldn’t upload to mu-plugins chances are that I could upload, and overwrite, the theme’s functions.php or Core files instead. Any of those options work as well or better than a mu-plugin file would. The “also modify the database” part is irrelevant … Read more
That is most likely a false positive : https://en.wikipedia.org/wiki/Type_I_and_type_II_errors base64_decode is not bad in of itself : https://en.wikipedia.org/wiki/Base64 The plugin is not smart enough to know a legitimate reason to use base64_decode of which there are many.
It doesn’t matter what function you use to generate the form markup, if you write the code by hand, or if it’s in a modal or not. For it to be secure, you absolutely need an SSL certificate.
I would use the filter_var() function. It has some predefined filters that you can use depending on what kind of data you are expecting such as string, number, etc. So to sanitize for a number: $sanitizedNum = filter_var($yourVar, FILTER_SANITIZE_NUMBER_INT); For a string you would just change “_NUM_INT” to “_STRING”. Wrap those in a custom function … Read more
Duplicate the post.php in your theme folder. Rename that file as any_name.php Enter the following code at the top of that file. < ?php /* Template Name: Any Name */ ?> Add your php codes to that file. Go to admin panel — > Create a new page — > Select your template and publish … Read more
Yes, of course. If the PHP code in a file works when that file called separately, and if there is a vulnerability, it can be exploited. There are two basic rules. They apply not only to WordPress, but to every web site: Use only code that you understand completely. Do not put unused code onto … Read more
Well if your concern is about the theme and data stored in the database, I suggest you also start with a “new install” of the theme. And as far as the DB goes, I’ve had a similar experience where I took the hacked DB and installed it on my localhost, then exported the wp_users, wp_usermeta, … Read more
No overriding benefit, other than collision avoidance and safeguard against unintended modification. Not sure if it makes you feel any better but WP core itself has many dependencies on global variables. I’m not saying that’s a good thing; just a fact. Also remember you have a database and functions to handle storing and retrieving options, … Read more