If you have a non-static request like: example.tld/some-slug/ then you will need to run WordPress to see if that slug is available. The webserver (nginx/apache) doesn’t know that, because WordPress will have to inform us about that through the 404 response header. If your site has only few pages, then you could tell the webserver … Read more
Ok, seems I was on the right track… I still haven’t found a WordPress function that achieves what I need, but the closest I have found is to use the get_allowed_mime_types function. I created the following function which checks if the file is within the get_allowed_mime_types array and if so returns true (file processed using … Read more
Additionally to using htaccess, you can disable the XML-RPC function by adding the following to your child theme’s functions.php: # Set XML-RPC features to false add_filter( ‘xmlrpc_enabled’, ‘__return_false’ ); add_filter( ‘pre_option_enable_xmlrpc’, ‘__return_zero’ );
Specific to nonce there is nothing to worry about as there is a third private parameter which is kept in secret (one of the keys added in your wp_config.php file). In general, there is no such thing as “closed source”, and all code can be read and interpreted by anyone that is willing to dedicate … Read more
A.) By default WordPress allows short passwords but “Confirm use of weak password” must be checked. B.) Disable security plugins or change their settings if possible as they can and do override whatever WordPress implements by default. C.) The latest consensus about passwords suggests the strongest passwords are extra long easy to remember phrases like: … Read more
I’ve noticed this once myself (can’t remember if it was the same plugin). The captcha sat there, but just submitting the form didn’t trigger an error and worked perfectly, logging me in. My #1 advise: use a plugin to rename wp-login.php to something else. It will effectively stop these bots (and delay an attacker that … Read more
Generally speaking, if you don’t want WordPress to update itself or any plugins, don’t give the web server write permissions to any of the WordPress files outside of folders like wp-content/uploads. You’ll need to be careful with this and test thoroughly, though, as some plugins, like WordFence, have folders they need to write to for … Read more
As long as a plugin is blocking excess login attempts, then I am not sure that additional protection is needed. The plugin should be protecting against the attempts at credential guessing. There will always be login attempts on sites, even if they aren’t WP sites. You could look at your access logs (filtering by a … Read more
http://www.example.com/ar/shop-listing/health-beauty~@/#$&&&%%$%3Cscript%3E/ In this particular URL, everything after the # (hash) is the fragment identifier and is not sent to the server by the browser, so cannot be blocked server-side in .htaccess. The server only sees: /ar/shop-listing/health-beauty~@/ If the # was to be removed from this URL then this would be a wholly invalid URL (because … Read more
After thinking about this a little bit, I guess that the proper way to ensure that your comments are properly escaped, is by doing something like this: $the_comment = get_comment_text(); echo ‘<p>’ . esc_html($the_comment) . ‘</p>’; Instead of simply using the function like this: comment_text(); Why even have these handy functions in the first place, … Read more