vs WordPress Security

In the article's case, $title is an arbitrary value; as such, it should be escaped for HTML. If it was obtained from a WordPress core function it is probably safe, but you should check anyway. For example, get_the_title() can contain HTML markup and is not escaped by default. Either way, post and page titles should … Read more

Moving wp-config.php up 2 levels

Yes, there is a great example of how to accomplish this in the top answer for the question: Is moving wp-config outside the web root really beneficial? The section titled “How to move wp-config.php to any location on your server” provides the following solution: But what if you’ve moved [wp-config.php] somewhere else? Easy. Create a … Read more

Disabling outbound connectivity on web servers [closed]

WordPress uses an HTTP class to make outbound requests. These requests are mainly for plugin, theme and core updates; pulling news/RSS content; and making third-party API requests. There may be many different reasons for disabling outbound requests; security is the primary one. A WP instance with disabled outbound requests is more secure. Many institutions … Read more

How does the “authentication unique keys and salts” feature work?

Basically, they’re hashing salts. They’re used to make the results of hashing much less predictable. See https://en.wikipedia.org/wiki/Salt_(cryptography) for info on salts. AUTH is used for the /wp-admin authentication cookie, SECURE_AUTH is for the same when using SSL, LOGGED_IN is used for identification to the “front-end” of the site. NONCE is used for the nonces that … Read more

Security issues with WP sites

The WordPress configuration file is located in the root. In the event that PHP stops functioning on the web server for any reason, we run the risk of this file being displayed in plaintext, which will give our password and database information to visitors. You can safely move wp-config up a directory, out of the root directory. This will stop it from being accidentally served. … Read more

wp-config.php modified?

Once hacked, there is no real (at least not easy) way to verify that you have removed all traces of the malware. Good malware will leave a hard-to-detect backdoor, and there is always the question of whether you have actually removed the attack vector. Therefore the only 100% working way to remove a … Read more
