Nonces are one time use limited life unique numbers. You can clone them but the problem you’ll see is that once sent back to the server and validated, the other clones will become invalid. You have a few ways to handle this. Generate all your boxes on the server and discard the Javascript. Use Ajax … Read more
It is a good practice to include index.php, with and without a wordpress context. Appach 2.4+ IIRC will add a log message about a missing file if someone access the directory itself, which makes reading the error log more annoying. As for the reason you quote, obviously this do not have any security related impact, … Read more
I have setup WP instance with 2 different database, one for read only and other for admin purpose. But once the admin make the changes, then the ADMIN-DB should be copied and added to SLAVE-DB server. // check if url contains wp-login or wp-admin and then create DB configuration for Master DB else Slave DB. … Read more
The .htaccess file is read by the Apache server software before it even hands over to WordPress to generate a page. It is by far the best place to have your security headers. That said, WordPress does have a class to modify the headers before they are send to the browser. This class contains a … Read more
On nginx, to block access to the xmlrpc.php file, add this location block to the server block of your configuration file: location ~ ^/(xmlrpc\.php) { deny all; }
By default WordPress doesn’t allow to embed the admin pages into a frame. From wp-includes/default-filters.php: add_action( ‘admin_init’, ‘send_frame_options_header’, 10, 0 ); To enable embedding, remove the action in a plugin: remove_action( ‘admin_init’, ‘send_frame_options_header’ ); Be aware of the security implications. I wouldn’t do that.
Question 1. so where it is defined before Answer: It is defined in WordPress core. Here a quick online reference or for a local reference take a look at the following file in the root of WordPress: wp-settings.php. In that file (around line 18) following code is shown: define( ‘WPINC’, ‘wp-includes’ ); Question 2. and … Read more
I’m not a security expert, but the code you include in your question roughly does this: Check if the request is not for a static page (it can’t insert anything in that) Check if the request is not from scraper bots Ahrefsbot and MJ12bot. If both checks are passed make a connection with the server … Read more
If you give the provider full admin, they can technically do anything to your server that PHP would be able to do (by using the editor part of a given theme to add whatever commands they like). PHP is capable of running command line scripts, just to name one scary permission they would inherit. Depending … Read more
I had to also change the owner of the root web directory. chown apache:apache . # or chown apache:apache /var/www/html Edit by Otto: Chloe, as you asked for more information than I could reasonably put into a comment, I’m appending this on to your answer. I hope that is okay. If not, feel free to … Read more