wrote something long and decided to delete because the Tl;Dr is use a good password and stop pretending to have a knowledge in how to secure sites, you are more likely to bring down the performance of the site (your reverse DNS code) or lock yourself out then actually preventing an attack. Security is about … Read more
Security – Ajax and Nonce use [closed]
File Upload Permissions
No. This is a security risk. Not only morality question. I checked some of these plugins and found most of all of these are infected. For instance, they will use base64encode functions and evaluate in the end to send info from your web site to URLs in Panama, Iran or like. They may write to … Read more
From the code it seems like your warning comes from doing the redirect too late. redirects should be done, as a rule of thumb, not later then the init action. And after the redirect you should die() (I don’t think the wp_redirect does it for you) As for security, it is not enough to check … Read more
WordPress is also an XML-RPC server. So I guess these bots tried to gain access through the XML-RPC protocol via the xmlrpc.php file in your WordPress root directory. It’s possible to login and most likely your security plugin is picking up failed login attempts when wp_authenticate() is called and the wp_login_failed hook is activated. Here’s … Read more
XMLRPC is as secure as the rest of WordPress. All of the requests need to be authenticated with username and password credentials that exist on your site already. That means, if someone has a login for your site, they can use the XMLRPC interface (if it’s turned on). But anonymous users can’t get in. The … Read more
After studying carefully 🤓 the WordPress REST API Handbook concerning Home / REST API Handbook / Extending the REST API / Routes and Endpoints Home / REST API Handbook / Extending the REST API / Adding Custom Endpoints I realized I made a couple of mistakes. Therefore, I wanted to share with you my findings. … Read more
Hopefully the code will be sufficient to describe the key points, but please do comment if you have any further questions: <?php class WPSE_Submit_From_Front { const NONCE_VALUE = ‘front_end_new_post’; const NONCE_FIELD = ‘fenp_nonce’; protected $pluginPath; protected $pluginUrl; protected $errors = array(); protected $data = array(); function __construct() { $this->pluginPath = plugin_dir_path( __file__ ); $this->pluginUrl = … Read more
I would convert the site to a subsite on a multi-site instance, you can then have an approved list of plugins and themes. This answer might help more. You could also create a new user type that does not have access to the plugins/themes areas and only publish those details.