Yes, it appears so. In my experience the best thing to do is re-upload a fresh WordPress core to ensure that all traces have been squashed. It happens… If you aren’t already using security plugins I’d recommend Wordfence and BruteProtect to help keep brute force attacks out as well as checking your core WordPress files … Read more
I think this is nothing to worry about. The redirect target is sanitized and validated a lot. To be honest I think I haven’t seen any part of the WordPress code where so many checks happen for the most obscure attack vectors. Finally when you cast an array to a string Array is returned which … Read more
Escaping is used to produce valid HTML or other formats, and it depends on context. Escaping a url in something like <a href=”https://wordpress.stackexchange.com/questions/215822/<?php echo $url?>”…. is needed in order to replace any “&” characters with & (although browsers will most likely fix it for you if you don’t do it). Escaping a url in an … Read more
Sometimes people who run these bots or do this manual are paid for the amount of accounts they create. So the more accounts they create the more rewards they get. Only after such a run the list goes to the original client who then uses the list of accounts to perform (comment) spam runs or … Read more
Example code in add_meta_box() documentation uses save_post hook (at the very end of wp_insert_post() function) to add custom fields data from metabox. You must be using something like that already in your metaboxes, is it not appropriate place to validate your data?..
Yes, there is a risk! I can put up a check on date to change your password, create a new user and what not. Don’t give access to someone you don’t trust. Hire a professional to do the job. Edit: Okay! Upon request, I have explained two cases in a blog post – http://blog.ashfame.com/?p=903
Your best bet would be a plugin called WP Mail SMTP, though it’s only marked as being compatible as of WP 3.2.1 (but it should reasonably work with WP 3.3.1). Just to define the process … Visitor enters site and fills out form on your page. User submits the form, which is transmitted to your … Read more
WordPress is very clearly engineered for being placed into web-accessible folder. While attempt to move it from web folder could be made, it would be very challenging, especially for admin area which uses direct non-routed URLs to PHP files.
The security risk here is not about the plain text but about translation. You should note that esc_html_e is not only a function for escaping HTML but also for localization (l10n). I.e. other people can translate this String but you don’t know what the translation would be. It is possible that somebody translates the String … Read more
I fixed this by running this command: cd /var/www/html/ sudo chown -Rv www-data:www-data * Changed ownership back to www-data instead of root. This article helped me: http://johnqunknown.me/fixing-wordpress-a-mini-tutorial/