I would suggest to not use WP REST API for this purpose, since it’s being used on homepage and not any remote app/service. The REST API is supposed to grant access to any already publicly available data to a remote developer. Since you’re not providing any public data but registering users from homepage, Ajax might … Read more
Nice Question! Poking around it a little bit, this seems to be working (further tests and a more qualified look are much welcome:). Tested only in a localhost development install with subdomains. No domain mapping. Change the following .htaccess rewrite rule: # uploaded files # RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L] RewriteRule ^files/(.+) dl-files.php?file=$1 [L] Make a … Read more
What you’re doing at the moment is okay, but there are far far better ways to do it. The problem of man in the middle attacks here is that to insert yourself between wordpress.org and a server at a data centre is no easy task, so this scenario is very unlikely. However If you abandon … Read more
You can not set cookies form site A that will be applicable on site B, therefor your “login by proxy” scheme will not work, and can not be made to work. In addition storing passwords in plain text is just a big no-no.
The API handles the nonce for the form part because you’re using the settings_fields call, which outputs the *-options nonce, and you’re passing the data to the options.php file for saving, which checks that nonce for you before saving the settings. This part the Settings API does indeed do for you. However, your tab code … Read more
Many evil things can be done by including an image. The question is how well WordPress filters them. To give you an idea: File names should be checked properly. The actual image data can contain javascript. Also, EXIF data could contain javascript.
See my question and answer again, you linked it already in your question: simple solution for restricting access to (some) uploads/downloads The solution isn’t that hairy the only necessity – besides configuring the plugin correct – is to create a .htaccess, which you could do programmatically. For that you have to automate the creation of … Read more
This maybe just a personal distinction but I consider: data validation to mean is the data ‘correct’? Is it what we expect? data sanitisation to mean is the data *safe to use * Though there can be some blurring, typically data validation will only occur when a user-input is taken, or some data is obtained … Read more
No, but you can just run stripslashes on it.
Those function are used to produce a valid HTML and not to sanitize input. You should use them anytime you are not 100% sure that what you want to output is a valid HTML for that context. Should you escape everything? I guess the _s theme people decided that it is better to be safe … Read more