File Type Is Not Permitted – Cronjob

Defining ALLOW_UNFILTERED_UPLOADS isn’t enough anymore: it doesn’t grant the capability, it just permits non-admin users who have the unfiltered_uploads capability to upload any file (except on a multisite). You also need to grant yourself the capability, e.g. from Sebastian’s answer here # # For this, see: wp-includes/capabilities.php > map_meta_cap() # function wpse_6533_map_unrestricted_upload_filter($caps, $cap) { if … Read more

Suspicious Files

When someone sends a POST request with a variable named php and a base64-encoded value that is PHP code after decoding it, that PHP code will run with the permissions of all your own PHP files. The attacker can read all database content, create new users, upload files … The second code does the … Read more

wp_insert_comment and security

wp_insert_comment() is a low-level function; it only saves the passed data without concern for what it contains. If you are looking to replicate the sanitizing WP does on comment data (totally good idea 🙂) you are probably looking for the higher-level wp_new_comment().

How do I properly update the WordPress database password?

This is technically challenging. WordPress must have access to your DB password in plain text. Having access to the wp-config.php contents is already a breach of security in progress. There are alternate approaches to configuration, such as loading credentials via environment variables, but in practice they are used exceedingly rarely because PHP’s configuration file is … Read more

Should I Worry About SQL Injection When Using wp_insert_post?

WordPress DOES take care of SQL injection for you. See the Security section on this page. The wp_insert_post() function runs through sanitize_post(). Be aware that malicious or unintended code can still be inserted: “You may wish, however, to remove HTML, JavaScript, and PHP tags from the post_title and any other fields. Surprisingly, WordPress does … Read more

WordPress security issue to output data from user input from theme option form

Security issues arise when you write code that opens up possibilities for outsiders to access your database or otherwise compromise your installation. The above code just reads options and content from the database and translates this into static HTML that will be sent to the browser of the page’s visitor. There’s no code (like a … Read more

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)