But if you protect wp-login.php, how would a hacker even get into the dashboard anyways? An attacker could try to hijack or forge a valid authentication cookie. Recently there was a possibly vulnerability which made it »easier« to forge such a cookie: CVE-2014-0166 It was fixed with Version 3.7.3/3.8.3 How does “Code A” compare to … Read more
Just to continue few important things on the excellent answer @MarkKaplun provided that should be accepted. disable-functions is PHP world. Here is the more broad list: exec, passthru, shell_exec, system, proc_open, popen, show_source, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_getpwuid, posix_uname, pclose, dl, disk_free_space, diskfreespace, disk_total_space, pcntl_exec, proc_close, proc_get_status, proc_nice, … Read more
It’s not completely clear how your provider is handling the the resource overage, but the situation described in the question can be reproduced by setting up wp-config.php to connect to an empty database. From the looks of it, someone would be able to proceed with the WordPress installation. This solution will prevent WordPress from being … Read more
Use bcrypt. http://codahale.com/how-to-safely-store-a-password/
Does WordPress core has this function defined somewhere? While I haven’t used it, you are probably looking for wp_salt or wp_generate_password. wp_salt is located in wp-includes/pluggable.php. can these salts be generated randomly Yes, of course. are there any specific rules for creating them There is no specific rule. The generic rule is to create long, … Read more
Replacing just the URL is not enough. You have to tell WordPress what to do with the new URL. Sample code, creates a log-out URL like example.com/logout=1 and redirects to front page or custom URL after logging the user out: add_filter( ‘logout_url’, ‘t5_custom_logout_url’, 10, 2 ); add_action( ‘wp_loaded’, ‘t5_custom_logout_action’ ); /** * Replace default log-out … Read more
.doc files can contain executable scripts, and there is no way to make sure they are safe. The same applies to SVG and some other file types. If WordPress would accept .doc files from any user with the capability upload_files, these files could be used to send malicious code to visitors.
You should be able to filter out some tests by using the filter site_status_tests Quoting the WordPress documentation: Usage: add_filter(‘site_status_tests’, function (array $test_type) { unset($test_type[‘direct’][‘theme_version’]); // remove warning about Twenty* themes unset($test_type[‘async’][‘background_updates’]); // remove warning about Automatic background updates return $test_type; }, 10, 1); You can get the list of tests from the WP_Site_Health->get_tests() method … Read more
Hi @Syom: Often hackers get access because you use the name “admin” for your administrator and you have an easy to hack password. Or because you don’t update your software and they leverage some of the security holes that have been found and patched. Here’s a set of slides that go indepth to explaining how … Read more
There’s an app plugin for that, Limit Login Attempts. Some more info available in this wp beginner post: http://www.wpbeginner.com/plugins/how-and-why-you-should-limit-login-attempts-in-your-wordpress/