Headers Content-Security-Policy CSP Major Issue
Is there any risk setting WordPress file permissions and FS method to ‘direct’ on localhost?
Try something like this instead:
<If "%{THE_REQUEST} !~ m#\s/wp-admin#">
    Header add Content-Security-Policy "default-src 'self';"
    Header add Content-Security-Policy "script-src 'self';"
</If>
This should set the two headers only when the requested URL does not start with /wp-admin. The check is against THE_REQUEST (as opposed to REQUEST_URI) since REQUEST_URI changes when the URL is rewritten by the …
Try visiting the list of users, and re-change your role to administrator. WP may have messed up the permissions array during the upgrade.
Kit, I’d say that if you make extensive use of Exec-PHP what you really need is a developer that can make stuff happen without it. In reality, that plugin is a crutch that is easily replaced with proper widgets, plugins and template code. So, the best advice I can give you about securing that plugin …
The "Could not create directory. /public_html" error message can be related to multiple issues. Most of them are related to your file system. This includes the type of filesystem (e.g. NTFS under Windows-based servers) and the access settings for those. You have not named any in your question, so I assume some Linux-based host …
It might not be a very light solution, but it might be a much more straightforward approach to load WP core and use current_user_can() and related stuff for determining user permissions.
You have to do a lot by yourself. But you also have to check the core code by yourself to see if the current function you’re using is validating it and in which way.
A symlink will not give you extra security, since a symlink just links to the directory you want. So if you want to move wp-admin then there will not be much security there, since when a user visits wp-admin it will still load the files.
I do this on every WP site I set up, and while it’s no panacea for SQL issues moving forward as it’s more obscurity than security, it does make me feel all warm and fuzzy inside. 🙂 I have never had issues with it since I started the practice two years ago. A key to …