Protect HTML in Comment
Add this to your functions.php. I'm not sure if this does any pre-processing though. `add_filter('comment_text', 'wp_filter_nohtml_kses');`
The WP-Security plugin is pretty good for this, and a few other WordPress security related things. It is my solution to lock down the basics of security for every WordPress install I do.
I figured I'd just look in the Android application's source code to see how it communicates. You can quickly see XML-RPC in the source. So another way to access the blog is using WordPress XML-RPC support. It was improved and enabled by default in version 3.5 very recently. I don't understand why they brought it …
This is a false alarm. Many "Security Programs" do that. That's called FUD. WordPress does not check the Referer header, because it is often empty, and real spammers send the site URL as Referer anyway. But all comment fields are sanitized, so no harmful code will be injected. Install an anti-spam plugin, and everything is …
I figured it out. Turns out that using the field name `name` was the culprit. It appears that `name` and other field names like `attachment`, `attachment_id`, etc. will cause WordPress to produce a 404 error. There's a whole list of reserved terms in the Codex.
The only way to base access on the URL users come from is to rely on `$_SERVER['HTTP_REFERER']`, but as the official PHP docs say: "Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted." One chance is to use a secret key and …
If you are printing the URL out, say to the front end (that is, it is to be displayed as a normal URL to a visitor, etc.), then: `esc_url()`. If you are going to use the URL in, say, a WordPress redirect (or anything else that sends the HTTP header `Location`), then you will need: `esc_url_raw()` …
Login pages are not made of wood, and continuous attacks do not weaken them. The whole point of having strong passwords is that however many attacks are performed against the user, the probability of a successful guess in your lifetime is zero. The best way to protect your user accounts is by having strong passwords. If you …
First, both of these things (updates and sane file permissions) are neither an "OR" choice nor optional. That is what you just do, because if you don't, sooner or later (even if significantly later) you are going to have problems because of it. Relatively, I would say updates are more important, because faulty file permissions tend …
Your plugin users will need to register their site at https://www.google.com/recaptcha/admin to use the reCAPTCHA API. Once registered, users will need to provide you with their Site Key and Secret Key. The Site Key allows you to display the reCAPTCHA on your Registration form. The Secret Key is used to confirm the reCAPTCHA field input.