Extra themes – ok or bad?

Any extra code on your server is a theoretical security risk. Instead of checking whether each plugin and theme is a security risk even when it is not active, it is much easier to just delete them. This of course should not prevent you from backing them up first in case you will decide that you … Read more

When is it useful to use wp_verify_nonce

Yes, nonces should always be used when an authenticated user is triggering an action via a GET/POST request. One of the main purposes of the nonce is to ensure that the current user actually intended to trigger this request. It prevents the security vulnerability known as Cross-Site Request Forgery (CSRF), where an attacker can trick … Read more

Block access to wp-admin

Placing the htaccess file in the wp-admin directory did not work for me so I went a different route and it seems to be working very well. Below is what I have in my main htaccess file: <files wp-login.php> # set up rule order order deny,allow # default deny deny from all allow from x.x.x.x … Read more

How Restrict access to admin dashboard by specific static ip?

By the time admin_init rolls around you should know if you're doing AJAX or not. If you're not, then check the IP. Keep in mind that anyone can fake that number. add_action('admin_init', function() { if(defined('DOING_AJAX') && DOING_AJAX) { return; // ignore ajax }; $ip = $_SERVER[ 'REMOTE_ADDR' ]; if($ip !== '10.0.0.0') { wp_die(__('You are not … Read more

Is revealing just the AUTH_KEY a security issue?

Well, AUTH_KEY and its brothers were introduced in WordPress 2.6 to improve safety for logged in users. They are used to encrypt and validate the information in your backend login cookie. While revealing the AUTH_KEY alone might not be a real security issue, you should nevertheless not output/use this anywhere to give less surface for … Read more

Staging Site: Made Public – Security Questions

Whether or not you lock down a staging site really depends on how much you mind the public accidentally seeing a site that’s a “work in progress”. I’d usually consider it more of a branding decision than a security decision. (This of course wouldn’t apply if you’re in the middle of developing a secure application … Read more

How to remove javascript malware in wordpress site [closed]

Make a backup of everything you have left, especially your database and wp-content folder. Some hosts simply delete hacked websites and you don’t want to lose your entire work to this. Talk to your hosting company. Good quality providers have staff at hand who know their way around the hosting environment and might be able … Read more

WordPress Malware Problem help! [duplicate]

Basic Security Steps: Since WordPress is so popular, there are a lot of drive-by hacks knocking around taking advantage of flaws in basic security. All WordPress users should take the following basic and easy steps to protect themselves: Do not use wp_ as the database table prefix, use any string of random characters that … Read more
