After upvoting @pieter’s answer…. In recent time I came to the realization that it is much better to handle “bad” data gracefully when it is used (usually it means escaping, but also validation) than at input time. Data corruption can happen not only because of some rouge process “shitting” over your data, but also when … Read more
Just to add to the answer by @birgire, check this post on how to hide the fact that you are using WordPress. I also think that no post basically covers this, but it really help nothing following and applying everything to hide the fact you are using WordPress and to secure WordPress, and your code … Read more
Correct me if I’m wrong, but far as I know, You don’t access directly to any of the files, the apache user does. Meaning, the user browser talks to the server’s httpd process which will get the file from the filesystem. So, i think that if you get a 404 on the browser when directly … Read more
Here is a little snipit of code that I used for my site while it was under construction <?php /* ROUGH METHOD OF DENY ACCESS */ $underconstruct = array(121, 46, 124, 97); if(!is_user_logged_in() && !in_array(get_the_ID(), $underconstruct)) { wp_redirect(get_permalink(121)); exit(); } ?> I put this at the top of my header.php. the $underconstruct array is the … Read more
Though I am no expert in XSS, I do know some of the ways someone can abuse these techniques. For example, I was once pointed to the fact that visitors were able to execute javascript via the search field of a website, because the input of the search field didn’t get stripped of it’s html … Read more
Securing a multi-user permission structure
hSite has no css on mobile [closed]
How to allow internal links using wp_kses filtration
I’m currently working on a plugin to do this on a large scale, since I have multiple sites that I want to sync; but I don’t mind sharing the info with you. I understood [from what you said] that the user’s credentials have already been verified on site2 – so there’s no need to use … Read more
@birgire has a right answer And they can use WPScan for example, with a brute force attack on wp-login.php I recommand to rename your login page, you can do it manually or with a plugin.