/wp-json/ is the base part of the WordPress REST API https://developer.wordpress.org/rest-api/ An authors ID isn’t a big deal. I would imagine on your theme, every time the post authors name shows, within the HTML showing the name, there’d be element classes containing the authors ID. It’s normal to have shown in publicly viewable source code, … Read more
This depends on what is it that you are developing. If it is a plugin, you have to store such settings in options as the last thing site owner should be asked to do is to modify their config file. If it is your own site, just make it a constant that is declared in … Read more
Users are means of authentication and authorization. This should not be confused in any way with whatever information is displayed on the front end. By default wordpress core is guilty of not understanding the distinction, but in some contexts like comments it should be easy to add a “name” field to the comment form for … Read more
You can use wp_login_failed action for that purpose… It’s called at the end of wp_authenticate, if user credentials were incorrect. function my_log_brute_force( $username ) { $ip_address = $_SERVER[‘REMOTE_ADDR’]; // store that info somewhere file_put_contents( ‘bf-log.txt’, date(‘c’) . “\t{$ip_address}\t{$username}\n”, FILE_APPEND ); } add_action( ‘wp_login_failed’, ‘my_log_brute_force’ ); Also this article may be helpful: Getting real IP address … Read more
Here’s an easy way to enumerate user names (using standard WP install): just use a URL like this: https://www.example.com/?user=1 . (Added Note: you might need to use an actual page/post URL, as in https://www.example.com/a-real-page?user=1 .) You’ll get back info about that user account (the first user account, which will be the admin-level user), and then … Read more
“Not Secure” warning refers to the lack of security for the connection to the page that you are visiting. It suggests that the information sent and received with that page can be exploited by the hackers. Have you done the follow things? Getting an SSL certificate Installing your certificate through your web host Changing your … Read more
Can they for example simply copy the cookie and “be” logged in as the user who was the original cookie owner? Yes! with the cookie they basically have your login session. You do not want 3rd parties to get the cookie. Keep in mind there is more than 1 cookie, for frontend and for backend. … Read more
Well I typed up an answer yesterday then deleted it, hoping that someone more confident in their answer would come along. But I will at least share my understanding. …which is, that all content being put into the page should be sanitized, and as lately as possible. This means you want to use those functions … Read more
iframes get stripped out for security reasons, you shouldn’t be trying to put embed codes directly into post content, there are other methods, such as oembed or shortcodes. If you have the unfiltered_html capability, you can add them via the classic editor, but this capability is extremely dangerous. It also means any users who don’t … Read more
The directives in .htaccess (on your application server) would seem to be working as expected. Yet I keep getting requests on that file. Blocking the request in .htaccess doesn’t stop the request reaching your server (and being logged). As you can see from the log entry, it is being “blocked” and your server is responding … Read more