Securing my WordPress Files and Directories

Why would you want to protect them all? Not all of them need protecting, in my humble opinion. In any event, these are good to have in your .htaccess file: 1: restrict access to wp-config.php <Files wp-config.php> order allow,deny deny from all </Files> 2: restrict access to .htaccess itself <Files .htaccess> order allow,deny deny …

Which WordPress scripts need to be executable for a fresh installation?

Due to the WP admin architecture this would be a really inconvenient list to compile and maintain reliably. My best educated guess is that many (but possibly not all and not just) of these files would need to require the admin bootstrap (wp-admin/admin.php) to function. I ran a quick search on the respective directive with the following results: C:\server\www\dev\wordpress\src>ack --files-with-matches …

Completely remove the author url

You can add this to your .htaccess file; it will redirect all author requests looking for a number (author ID) to the homepage: #Disable Author Pages <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{REQUEST_URI} ^/$ RewriteCond %{QUERY_STRING} ^/?author=([0-9]*) [NC] RewriteRule ^(.*)$ http://%{HTTP_HOST}/? [L,R=301,NC] </IfModule> The PHP / WordPress way, you could use Template Redirect: …

Sanitize get_query_var() url parameters

There’s a slight disconnect between your question title and the actual question. It sounds like you’re using a plugin (or developing a plugin?) that allows for some front-end sorting. If it’s a plugin you’re using and the query string parameter is not sanitized, you need to notify that plugin’s developer, because that’s a security issue. …

What’s the safest way to output custom JavaScript and CSS code entered by the admin in the Theme Settings?

Allowing a user to control code is an explicitly unsafe operation. As you note, the purpose of sanitization is pretty much to not let the user slip in anything executable and/or with malicious intent. To “sanitize” executable code you would need a programmatic understanding of it (a code parser) and a criteria engine to distinguish what is safe and what is …

Frontend Password change

I think you are referring to two different things: 1) Verifying the request. You should be using WP Nonces to verify the request and protect it against XSS. That should be a practice for all your forms. You could also add an additional layer of security by integrating a reCAPTCHA. 2) Data Encryption when you attempt …

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)