WordPress filter that hook after each action/filter hook
Check also if it was added by JavaScript. To list all the functions hooked wp_footer, this might help: global $wp_filter; var_dump( $wp_filter[‘wp_footer’] );
security
not logged in users can’t submit form
Problem solved. There was a conflict with the Ninja Popups Plugin because it tries to capture any form submit. The Contributer of the Mailchimp for WordPress Plugin helped me here: https://wordpress.org/support/topic/buddypress-and-mailchimp-form-doesnt-work-together/#post-9397642
When is wp_set_password() called or how to capture a password
No, I would expect wp_user_update to have been what gets used, but I find your motives dubious, and cannot think of a reasonable use for what you want to do But if you really want to go down this path, use the pre_user_pass filter. I would also note that there is a reason why passwords … Read more
How to combat flooding admin-ajax.php?
You can use .htaccess to ban IP’s that you don’t want to access your website. If you are attacked from the same IP over the prolonged period of time, and with great frequency, banning the IP is the best solution. Simples way to ban IP in .htaccess is (replace 123.123.123.123 with IP you want to … Read more
Security threat with `home_url`?
The codex states: Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Rejects URLs that do not have one of the provided whitelisted protocols (defaulting to http, https, ftp, ftps, mailto, news, irc, gopher, nntp, feed, and telnet), eliminates invalid characters, and removes dangerous characters. Replaces clean_url() which was deprecated … Read more
WordPress not seeing .htaccess rules
apache “AllowOverride” was set “None” but changing it to “All” made no effect : I changed the “AllowOverride” in the “apache2.conf” file. It’s still not clear where exactly you are setting AllowOverride. This directive can only be used in a directory context. ie. Inside a <Directory> container in your main server or VirtualHost config. You … Read more
wp-admin folder, brute force, and password protection
Protecting only wp-admin won’t help a lot, at least it won’t protect your from brute-force attacks. A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses … Read more
WordPress custom login form using Ajax
A few issues I can see but no guarantee it’ll entirely fix the problem(s) – can you ensure WP_DEBUG and WP_DEBUG_LOG are defined as true in your wp-config.php – any errors during runtime should then appear in wp-content/debug.log. You have ! isset( $_POST ) as a conditional to check the request, but this will always … Read more
How do I test to ensure that my wp-config file is protected?
The old method works for me, and any requests result in a 403 status response instead of execution of the php script. I’ve not checked your 2nd method, but if it works it will similarly respond with 403 denied/forbidden. To test you simply have to insert the URL of your “wp-config.php” in the address bar … Read more
WP Admin AJAX Security – using POST to include a relative URL
If you use nonces properly, it won’t be possible to make the site to process fake request… So this part should be secure, but… There is still one security flaw in your approach… What if I can make you to run my JS script in your browser, while you’re logged in as admin? It is … Read more