Of course,someone can editing code plugins via the editor and build the shell or somethings like that but I don’t they can able to hack your database. Just simple, you can permit developer with specific user role. But I think the best way is using an isolated local install for developing the plugin: xampp,etc…
WordPress already disallows the use of JavaScript in the editor for users without the unfiltered_html capability. By default, only the Administrator and Editor roles have this capability. If necessary, you could remove this capability from Editor users as well. (It doesn’t make sense to remove it from Administrators, because they will still have the ability … Read more
The short answer is “yes”, the longer answer is “it depends”. Why do you need to validate? because if you have code, which if used with wrong parameters will delete wordpress (very bad example I know), you should made double sure that it is not triggered by some DB corruption, or more likely, misbehaving filter. … Read more
Responsible Note: As always please don’t take my response as anything more than thoughts based on the information provided. Do Your Own Research Beyond This Question! Core auto-updates: If I was running a “small hosting company with a few hundred sites hosted on cPanel” I would turn auto update WP core on, make it very … Read more
Since WordPress 5.1 (see #43187) it ships with the wp_targeted_link_rel() function, that adds noreferrer and noopener relation values to all anchor elements that have a target. This function is used to filter through the various input data just before saving it, e.g. post title, post content, post excerpt, comment content, term description, link description, link … Read more
There are few scenarios you have to consider. 1. Obtaining your password from database This is almost impossible to do. WordPress stores all passwords as hashes. When you log in, the password you’ve entered in form is hashed and compared with the hash stored in DB. This way you can check if the password is … Read more
With the user-name-based nonces, i think you are trying to protect yourself from CSRF attacks, this should work to some extent (hard to tell without the full source code), that being said the nonces should be assigned to a specific action (not only an action), so, for example, you do not assign it to a … Read more
As mentioned, updates are vitally important, as are good password practices. I manage many WP sites, and I check (and install) updates every day. I also have some security things that I do by default to reduce the ‘footprint’. Among them are to not have a user called ‘admin’, disable xmlrpc, strong passwrods everywhere (host, … Read more
First steps: Take the server offline, if you can access it directly. – The chance of your server being part of a larger scheme at this point is pretty high. If you can’t take it offline, check your authorized_keys files in ~/.ssh/authorized_keys and remove entries that don’t belong to you. (Repeat this step for every … Read more
but I would like to hide all the other information as much as possible since I feel like the more information those hackers know, the less security my site is. 99.999999% of attacks you get will be fully automated bots. Actual humans trying to break in are very rare, and when they do they’ll either … Read more