security - Read For Learn

How to expire all wordpress user passwords instantly?

Some underlying functionality borrowed from http://wordpress.org/extend/plugins/auto-expire-passwords/ , and tweaked. Untested, but along the lines of what you are looking for, so YMMV. function custom_forced_password_reset( $user ) { update_user_meta( $user->ID, ‘password_was_force_reset’, true ); } add_action( ‘password_reset’, ‘custom_forced_password_reset’ ); // Ensure all new register users have the flag set function custom_forced_password_user_register($user_id){ update_user_meta( $user_id, ‘password_was_force_reset’, true ); } … Read more

What is the most secure way to set up the MySQL user in WPMU?

I am setting up Subdomain based MU on my domain. Just remember, what used to be called “WordPress MU” is now “WordPress Multisite.” It’s not a separate application, just a configuration setting you use within WordPress. Will I be better off setting the MySQL user’s domain as localhost, 127.0.0.1 or with a wildcard %.mydomain.com? Which … Read more

About WordPress site security

Akismet comes pre-installed with WordPress. You will, however, need to activate it from the ‘Plugins’ menu and sign up for an API key (free plans are available). And no, captchas are not needed (Akismet catches almost everything), but you can find a plugin to add one if you wish. If you’re concerned about sercurity, I … Read more

wordfence scan warning on W3 Total Cache [closed]

That security hole in W3 Total Cache was associated with data leaking through an exploit, and not explicitly with hackers changing code (that could happen afterwards, of course, but what you show isn’t this). The exploit has been fixed so just make sure your plugin is up to date. If unsure, disable / delete the … Read more

Using esc_html with HTML purifier and CSSTidy: Overkill?

If you worry only about the admin panel then esc_html will be enough as it will convert every “<” into < eliminating the possibility of having a valid HTML tags inserted. But if you add the CSS to the generated HTML you might need to strip any HTML tag it may contain by using the … Read more

Why Better WP security plugin returns 418 I’m a Teapot “error”?

That is the response it gives when it you have the “Intrusion Detection” or the “Login Limits” features enabled, and the plugin has intentionally blocked you. It can block you by either username or by IP address. The plugin can be configured to email somebody when a lockout occurs with the reason for that lockout. … Read more

Why are xmlrpc.php and wp-cron.php being called so often?

We experienced this just last night. xmlrpc.php Lots of traffic to xml-rpc.php is a classic sign of a WordPress pingback attack. By default, pingbacks are turned on in WP. A non-malicious user/website uses this mechanism to notify you that your website has been linked-to by them, or vice versa. A malicious user can exploit this. … Read more

Strange Search Queries in Apache Status

I’m sure you’ve googled ‘khabarnaak’ – it’s a Pakistani talk show. It’s more likely to be an automated scraper trying to find content rather than an attack. The request does not look like it has been crafted for a WordPress site. Two ways to stop it are: Block the IPs making the request. Add ‘Deny … Read more

Is it safe to enqueue a font style without putting http or https?

Yes this is fine and is a good practice, especially if your site may switch between HTTPS/HTTP (like for a shopping cart etc) that way you are not loading mixed content. As long as the CDN you are pulling from offers both HTTPS and HTTP you’re fine, which they do.

Downloading File from Outside Web Root

What you have there is production ready. However, there is room for some minor improvements, so I will point those out for you. Also see my notes below regarding X-Sendfile and X-Accel-Redirect. Replace these lines: ob_clean(); flush(); with the following: while (@ob_end_clean()); The point is, if there is something already in the output buffer, you … Read more

+ More