The point of that code is to prevent any PHP inside the file from being executed if the file is accessed directly outside a WordPress context. ABSPATH is defined by WordPress, so if it’s missing when the file is accessed you can tell that it’s not running in a WordPress context. So the only place … Read more
By default WordPress sends an HTTP header to prevent iframe embedding on /wp_admin/ and /wp-login.php: X-Frame-Options: SAMEORIGIN That’s a security feature. If you want to remove this header remove the filters: remove_action( ‘login_init’, ‘send_frame_options_header’ ); remove_action( ‘admin_init’, ‘send_frame_options_header’ ); But you should really use the multisite feature as Tom J Nowell suggested.
No, it is not. Use esc_html__( ‘string’, ‘text_domain’ ) instead (two underscores). Translated strings are unknown input. Unknown input is per default malicious. You don’t know where the language file comes from. It doesn’t even have to be the one you provided, because the path can be filtered or changed with a symlink. Even if … Read more
Since version 3.4 (or earlier?) WordPress sends a special HTTP header (not in HTML) on login and admin pages: X-Frame-Options: SAMEORIGIN So your browser will show you some text built into the browser, not sent from WordPress. From wp-includes/default-filters.php: add_action( ‘login_init’, ‘send_frame_options_header’, 10, 0 ); add_action( ‘admin_init’, ‘send_frame_options_header’, 10, 0 ); You could create a … Read more
Links: http://codex.wordpress.org/Hardening_WordPress http://perishablepress.com/press/tag/security/ (lots of great articles) http://www.wpsecure.net/secure-wordpress/
There are several options/plugins to do that but nothing can provide you with 100% security. Following good practices, daily/weekly backups and using themes/plugins that follow good code practices will usually help you to stay away of troubles. But again nothing will give you 100% security. As for plugins you can try several that will give … Read more
ca-bundle.crt File It is an SSL Certificate file which WordPress uses as default for secure connections (https) when WordPress make request using HTTP API This file is used in /wp-includes/class-http.php file. It is a WordPress default file (never remove anything from WP core!) so removing it will cause problem for the class to work properly.
In a general sense, any well maintained platform can be used to to create a website with good security. It has to be noted that you will never build a website which is completely secured against hacking and spamming, no matter which platform you use and no matter what genius or pro you are. Hackers … Read more
There is no definite answer as each plugin, whether available in a repo or not, should be handled on its own merit. Also, who says that that plugin caused your site to get hacked, it might have being a loophole in another plugin or even your theme. Just in general, one should avoid using plugins … Read more
esc_html() and esc_textarea() are, appropriate to their names, escaping functions and really meant for display rather than sanitizing or validating. I would use wp_kses() or wp_kses_post() (which is just wp_kses() with the global $allowedposttags) to sanitize input from a wp_editor() field before saving.