What are nulled themes?

Nulled themes basically mean cracked/hacked. The distributors of such themes often hide popups/ads inside to earn money, which you can’t see until a user complains about it or you check the website on Google speed test, for example, where you see the image of the website. They aren’t secure at all, and it is not … Read more

WordPress and Security

I’d tackle this problem on three layers: plugins, core and filesystem. Most security problems arise via 3rd party plugins and themes, so as Ambitious Amoeba notes the best thing you can do is choose those wisely. You should also be sure to update to the latest version of WordPress, because they always patch the big … Read more

Can I rename the wp-admin folder?

Unfortunately it’s not currently possible nor does there appear to be will to consider it as a modification as you can see by this recent thread on the wp-hackers list and this ticket on trac. If you’d really like to see this be revisited I’d suggest: Present your case on wp-hackers but be forewarned your … Read more

wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability

This is the most specific solution I could find as it disables only the single function being attacked. functions.php:
    // Remove only the wp.getUsersBlogs method from the XML-RPC method list
    function Remove_Unneeded_XMLRPC( $methods ) {
        unset( $methods['wp.getUsersBlogs'] );
        return $methods;
    }
    add_filter( 'xmlrpc_methods', 'Remove_Unneeded_XMLRPC' );
Found this at: http://www.cryptobells.com/more-wordpress-xmlrpc-brute-force-attacks/ For a broader solution there is a WordPress plugin called “Disable XML-RPC” which does precisely that, disables … Read more

Basic auth WordPress REST API dilemma

Basic auth is a very common username/password authentication method and it’s as strong as the username-password combination and the encryption of the protocol you’re using. The weakness of basic auth is that if you use it with plain HTTP instead of HTTPS then the username and password are susceptible to a man-in-the-middle attack. You can … Read more

WordPress Capabilities: edit_user vs edit_users

I found a few references to edit_user as a capability, one of which is this:
    // Allow user to edit itself
    if ( 'edit_user' == $cap && isset( $args[0] ) && $user_id == $args[0] )
        break;
http://core.trac.wordpress.org/browser/tags/3.5.2/wp-includes/capabilities.php#L1005 I believe the comment in that block of code answers this question. Per @PatJ, it looks like map_meta_cap … Read more

Run WordPress frontend and backend in different domains

There’s no need to do it the way you mean. There are ways to host multiple SSL websites on a single domain both with Apache and Nginx, and it’s much easier to implement than your idea. Check out these tutorials: https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04 https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-nginx-on-ubuntu-12-04
