security - Read For Learn

How to delete Passwrd Protected posts cookies when a user logged out from the site

The post password cookie is set with: setcookie( ‘wp-postpass_’ . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST[‘post_password’] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure ); in the wp-login.php file. We can then use the clear_auth_cookie hook, in the wp_clear_auth_cookie() function, to clear it on logout: /** * Clear the Post Password Cookie on logout. * * @link http://wordpress.stackexchange.com/a/198890/26350 */ … Read more

Using esc_url with a hard coded url

I you think you need it. For example, you are using the title in a URL and you are getting the title dinamically; so you never know exactly if the title is valid to be used in URL or not. So, it is better to use it. Just one example: it is very common that … Read more

Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?

You need to have a super great reason to disable CORS, as no real reason was given here the answer should be “do not do it, it is not secure”. You assume that no one can craft a feed link which will give him a write access. This might be true, but you should not … Read more

Verify if user is wordpress logged in from another app since wordpress 4.0

Ok i’ve found the solution. In fact, as i haven’t noticed, there is always the hashed mdp, but for now, the logged_in cookie is structured like this : %login%|%timeout%|%sessionId%|%passhached% instead of : %login%|%timeout%|%passhached% This is like this since wordpress 4.0, and the wp_session_cookie integration, the auth method is the same that before but there is … Read more

ajax nonce verification failing

To verify nonces in Ajax requests, check_ajax_referrer() should be used instead of wp_verify_nonce(): Crete the nonce: $nonce = wp_create_nonce( ‘vote-nonce-‘ . get_the_ID() ); Include it in JavaScript: jQuery(document).ready(function(){ jQuery(“.post-voting”).click(function(){ vote_nonce = <?php echo $nonce; ?> vote_id = jQuery(this).data(‘vote-id’); jQuery.post( vote_ajax.url, { action: ‘submit_vote’, vote_id: vote_id, vote_nonce: vote_nonce }, function( data ) { alert( jQuery.parseJSON(data) ); … Read more

Sniffing wordpress user’s credentials

The login process itself is not as important, it is a one time thing that with the right settings you can do once a year. What is important is the authentication cookies that are being sent. As long as they are not encrypted it doesn’t matter at all how much defense you put on the … Read more

XML-RPC errors they know my username?

user names in wordpress in general are not considered as being a secret and there are all kinds of ways to get or guess them. Passwords are a secret, always use a strong one

Definitive wordpress directory ownership and permissions on linux

If your aim is security, the only directory writable by the web server should be uploads. Yes, it means no easy updates, but in a secure environment the web server should not be able to write to directories in which there is executable code. If you have so many updates that SFTP becomes too much … Read more

SELinux security vs WordPress updates

No. First there is the practical problem of enabling your OS being influenced by the web server, something that should never be possible. (a plugin will trigger an update and make you open to all attacks) Second, on a more philosophical level, what is the point of hardening your security if in the end you … Read more

Woocommerce reviews xss issue [closed]

Go ahead and disable WooCommerce and comment on a post; you can do the same thing because you’re logged in as admin. Admin users are able to post unfiltered content. If you repeat the test logged out, you’ll notice you’re not able to exploit anything. See this trac ticket from WordPress https://core.trac.wordpress.org/ticket/33402 And this article … Read more

+ More