One plugin-free layer of protection you could implement is to route your traffic through a site like CloudFlare that has built in brute force protection. The free version is a great layer of protection with paid tiers if you need the added features. I have used this for several of my sites. I am with … Read more
You can easily check what this PHP code is doing by replacing the eval with an echo and running it. It’s safer to run this not on your production website, I’ve run it here on repl.it: https://repl.it/repls/IrresponsibleBelovedKernel which results in the below being printed: @ini_set(‘error_log’, NULL); @ini_set(‘log_errors’, 0); @ini_set(‘max_execution_time’, 0); @set_time_limit(0); $approvals = False; foreach … Read more
I wonder if there is a way to hide a WordPress Plugin’s source code from users. I know wordpress is open source but i dont want the users be able to access and see my plugins source code if possible. No. In order to load the plugin it has to be runnable, and if it … Read more
how real is this security problem? You shouldn’t be concerned by this unless you’re retrieving user agents and making raw SQL queries. I recommend you avoid both of those, but for unrelated reasons. If you are piping raw user agents into raw SQL queries, and you would know if you were doing this as it’s … Read more
No, you don’t need to escape hardcoded values. As I understand it, if the URL doesn’t have an input via admin, it should be okay. Not necessarily. There’s many more potential sources of potentially malicious (or just accidentally broken) output that need to be accounted for, such as: Translations. Query strings ($_GET) Cookies. WordPress filters. … Read more
If I choose to leave this up to WP, what should I actually put in wp-config.php? Sounds like something you can easily find out. My guess: if you don’t have the define(‘AUTH_KEY’, ..) etc. statements, the system will not work. Some sources (this SO answer, for example) appear to state that putting the keys and … Read more
In fact to be super pedantic, I think the correct code is actually: echo ‘<option value=”‘ . esc_attr( $folder ) . ‘”>’ . esc_html( $folder ) . ‘</option>’; Since the first variable is an attribute, and the second is encased in html, although I wold bet that the code you have would pass review, and … Read more
Sanitization and escaping is always heavily context-dependent and I’m not an expert in this field, anyway I did some ‘research’ myself recently so I’ll try to supply you with some general guidelines until someone with more insight will come and offer the ultimate in-depth answer (which I’ll be eager to read too.) Codex article on … Read more
Hm, core WP files are usually die properly if opened directly. It probably slipped developers to include check in this one or something. The simple ways to fix this (and not really WP-specific) would be to: configure PHP on server to not display errors by default; restrict access to file with .htaccess or other means.
It really doesn’t do much in that scenario. If you’re going to leave that message as a string constant instead of something that is system or user generated, you’re fine using one of the other translation functions: __() or _x(). esc_html__() is a little overkill for that particular line of code. Edit: The main reason … Read more