Which Versions of WordPress Ship with the Patched TimThumb?
TimThumb has never been bundled with WordPress; it is/was entirely a third-party theme/plugin issue.
The answer is in your question. I tried this when logged in as admin and editor. The roles have the unfiltered_html capability that allows them to put whatever HTML they choose, including <script> tags, wherever they choose. Is it a security risk? Only if you give folks you don’t trust admin and/or editor roles. Or … Read more
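As an added example (not code from the answer above), the following must-use plugin takes unfiltered_html away from every role except administrator, so that editors' content passes through wp_kses like any other author's. It assumes the file is placed in wp-content/mu-plugins/ on a single-site install; on multisite, unfiltered_html is already reserved for super admins, and the DISALLOW_UNFILTERED_HTML constant is the core switch if you want to remove it from administrators too.

```php
<?php
/**
 * Plugin Name: Restrict unfiltered_html to administrators
 *
 * Added example, not part of the original answer.
 * Assumption: loaded from wp-content/mu-plugins/ so it runs before themes and
 * plugins and cannot be deactivated from the dashboard.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * WP_User::has_cap() passes every capability through map_meta_cap(), and
 * the 'map_meta_cap' filter sees the resulting primitive caps. Returning
 * 'do_not_allow' makes current_user_can( 'unfiltered_html' ) false, so
 * wp_filter_post_kses() strips <script> and friends on save for that user.
 */
add_filter(
	'map_meta_cap',
	function ( array $caps, string $cap, int $user_id ) {
		if ( 'unfiltered_html' !== $cap ) {
			return $caps;
		}

		// Look at the role directly instead of calling user_can(), which
		// would re-enter this filter.
		$user = get_userdata( $user_id );
		if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
			return $caps;
		}

		return array( 'do_not_allow' );
	},
	10,
	3
);
```

To check it, log in as an editor, save a post containing a `<script>` tag, and confirm the tag is gone from the stored post_content; an administrator saving the same markup keeps it.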
In my opinion, the only way to do this (within the context of WordPress) is: if ( ! defined( 'ABSPATH' ) ) // Or some other WordPress constant exit; The second technique is vague and does give the same level of checking (it only checks that the filename of the main PHP file matches itself, … Read more
If the “attack” is distributed, the only thing you can do is to change the url of the login endpoint. This should be easy to do with web server config (block /login and friends, map some other “slug” to wp-login.php). This will also break the automatic redirect from /wp-admin to /login which is a good … Read more
First of all, this is intentional behaviour, as relayed in a Slack discussion described in this ticket (this has likely been discussed in other places, but that’s the first I found): tl;dr: CORS is built for CSRF protection, but WordPress already has a system for that (nonces), so we “disable” CORS as it gets in … Read more
Is WordPress MultiSite secure & how much can it scale? WordPress.com — single best example of WordPress Multisite at a large scale. Period. As for the expertise to be able to maintain and manage the cluster — which you should question yourself — it’s a different story. By creating admins for each subdomain, what security … Read more
I believe the correct solution here is to just update the $capability component of the admin_menu items rather than just remove them from the menu structure. Try this: /** Set 'administrator' cap for particular menu items **/ function update_admin_menu() { global $menu, $submenu; $menu[10][1] = 'administrator'; // Media foreach( $submenu['upload.php'] as &$item ) { $item[1] … Read more
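A complete version of the approach described in that answer, written here as an added example rather than the answer's own (truncated) code. It looks entries up by slug instead of by hard-coded position, which is what the `$menu[10]` index assumes, and raises the capability on both the top-level entry and its submenu. The slugs and the 'manage_options' capability are illustrative choices; the late priority is an assumption so that the change runs after plugins have registered their own entries.

```php
<?php
/**
 * Plugin Name: Raise capability on selected admin menus
 *
 * Added example, not the original answer's code.
 * Assumption: installed as a normal or must-use plugin; slugs below are core
 * WordPress admin pages.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

add_action(
	'admin_menu',
	function () {
		global $menu, $submenu;

		// Core menu slugs to restrict. $menu[<position>] is an array whose
		// index 1 is the required capability and index 2 is the slug.
		$restricted   = array( 'upload.php', 'edit-comments.php', 'tools.php' );
		$required_cap = 'manage_options';

		foreach ( (array) $menu as $position => $item ) {
			if ( isset( $item[2] ) && in_array( $item[2], $restricted, true ) ) {
				$menu[ $position ][1] = $required_cap;
			}
		}

		// Submenu entries use the same layout: index 1 is the capability.
		foreach ( $restricted as $parent ) {
			if ( empty( $submenu[ $parent ] ) ) {
				continue;
			}
			foreach ( array_keys( $submenu[ $parent ] ) as $index ) {
				$submenu[ $parent ][ $index ][1] = $required_cap;
			}
		}
	},
	999 // Assumption: late enough to run after other plugins' admin_menu hooks.
);
```

One check worth doing after installing this: log in as an editor and request wp-admin/upload.php directly rather than through the menu. WordPress's menu processing (wp-admin/includes/menu.php) records entries the user lacks the capability for and uses that record to deny direct access to the page, so the request should return a "Sorry, you are not allowed to access this page" error; if it does not on your version, the capability change is only hiding the link and you need a separate check on the page itself.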
I’d recommend setting up an API, and also ensuring the sites are HTTPS (have an SSL certificate) to encrypt communication between the servers. If you don’t have one already, there are free certifiers such as https://letsencrypt.org/
I wouldn’t say security concern – since you’re using this plugin within the admin (I presume after the user has been authenticated, i.e. after admin_init), then already you’ve got protection against any John Doe posting a form to your script. What it does provide is an additional layer of authentication. All it really boils down … Read more
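The two answers above about CORS/nonces and about admin form handlers both come down to the same pattern: authentication tells you who the user is, and the nonce tells you the request was made from a page WordPress rendered for that user rather than from a third-party site. The following is an added example (not code from either answer) of an admin-side form using that pattern via the admin-post.php endpoint; the plugin name, option name, action name and nonce field name are all hypothetical.

```php
<?php
/**
 * Plugin Name: Nonce-protected admin form (example)
 *
 * Added example, not from the original answers. All identifiers
 * (myplugin_*, the option name, the settings page) are hypothetical.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Settings page that renders the form.
add_action(
	'admin_menu',
	function () {
		add_options_page( 'My Plugin', 'My Plugin', 'manage_options', 'myplugin', 'myplugin_render_page' );
	}
);

function myplugin_render_page() {
	$value = get_option( 'myplugin_value', '' );
	?>
	<div class="wrap">
		<h1>My Plugin</h1>
		<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
			<?php
			// Emits the hidden _myplugin_nonce field tied to this user and action.
			wp_nonce_field( 'myplugin_save', '_myplugin_nonce' );
			?>
			<input type="hidden" name="action" value="myplugin_save">
			<input type="text" name="myplugin_value" value="<?php echo esc_attr( $value ); ?>">
			<?php submit_button( 'Save' ); ?>
		</form>
	</div>
	<?php
}

// admin_post_{action} only fires for logged-in users; admin_post_nopriv_{action}
// would be the anonymous variant and is deliberately not registered here.
add_action(
	'admin_post_myplugin_save',
	function () {
		// 1. Authentication + authorization: who is asking, and may they?
		if ( ! current_user_can( 'manage_options' ) ) {
			wp_die( 'Insufficient permissions.', 403 );
		}

		// 2. CSRF: was this form rendered by WordPress for this user?
		// check_admin_referer() dies with a 403 if the nonce is missing or stale.
		check_admin_referer( 'myplugin_save', '_myplugin_nonce' );

		// 3. Input handling: unslash, then sanitize before storing.
		$value = sanitize_text_field( wp_unslash( $_POST['myplugin_value'] ?? '' ) );
		update_option( 'myplugin_value', $value );

		wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
		exit;
	}
);
```

The order matters: the capability check runs first so an unprivileged user never reaches the nonce check, and the nonce check runs before any state changes. To see the CSRF protection work, save the rendered form's HTML to a file on another origin and submit it while logged in; the nonce is still present in the copied HTML, but it expires (24 hours by default, in two 12-hour ticks), so a replay after that window fails even though the session cookie is still valid.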
There’s much more than just those three functions. As it would be too much to write 5 blog posts (or even a whole book) about it, I’m just going to give you some reads as starting points: One of the rare good articles on WP Tuts+ 1) QueryPosts.com is the way to read source code, … Read more