»The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.« (Gene Spafford) The lost password feature might potentially be a risk, but if you are keeping it or not is just … Read more
You cannot be 100% sure you are safe. Check this Security reading from WordPress. That been said, there are some things you can do. Keeping WordPress Updated Keeping theme and plugins Updated Use Strong Passwords You can use a Security Plugin, although it’s arguable. When a client request it I use Sucuri. Change the Default … Read more
The plugin has a filter drh_allow_rest_api which determines whether the current user has full access and can skip the whitelist check. By default this is just is_user_logged_in(): /** * Allow carte blanche access for logged-in users (or allow override via filter) * * @return bool */ private function allow_rest_api() { return (bool) apply_filters( ‘dra_allow_rest_api’, is_user_logged_in() … Read more
Check to see if a person is logged in: <IfModule mod_rewrite.c> RewriteCond %{REQUEST_FILENAME} (.*) RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_([a-zA-Z0-9_]*) [NC] RewriteRule .* – [F,L] </IfModule> The same applies as it did 10 years ago. This code in .htaccess doesn’t have anything to do with how WordPress might be setting cookies. And this does not “check to see … Read more
I would definitely not advise you to enforce this policy. For example, I can enumerate through your list of authors by simply entering yoursite.com/?author=1, yoursite.com/?author=2, etc into my browser. This will take me to your author pages. If your users were savvy enough, they might have set their public display name in Users/Your Profile to … Read more
This isn’t a question of quantity. You have to understand what each plugin does to say whether it is necessary or not. Let’s say we have three “security” plugins: One enforces strong passwords. One blocks aggressive log-in attempts. One sends you an email when your PHP version is behind the latest security release. Having these … Read more
I know that when i disable the WordPress updates its mainly to allow me to first test the updates and then go and update in my clients sites instead of them just clicking links around and usually messing things up.
First of all, report whoever is doing it. You obviously could block anything with a query-string that contains screw-you, but that’ll only help in this case. Maybe Drop any requests with HTTP/1.0 (browser don’t use it, and “good” bots like google don’t either, but if you need to provide access to special tools, you might … Read more
It isn’t normal for extra files/folders to appear in WP core folder. The only location that is considered writable is under wp-content and easily writable is uploads, or whatever they are customized to. If it appears malicious, behaves malicious, and security tool thinks its malicious — it’s a safe guess that it is. It also … Read more
You could use call kses_remove_filters() before saving and call kses_init_filters() afterwards, but pay attention it will also remove filtering from title, excerpt and comments, So what you should do is just unset the content filters. // Post filtering remove_filter(‘content_save_pre’, ‘wp_filter_post_kses’); remove_filter(‘content_filtered_save_pre’, ‘wp_filter_post_kses’); and after the post is saved // Post filtering add_filter(‘content_save_pre’, ‘wp_filter_post_kses’); add_filter(‘content_filtered_save_pre’, ‘wp_filter_post_kses’);