The TLDR No, it is not, for various reasons, but fundamentally it’s a security via obfuscation, a misleading/bad concept Breaking it Down Question by Question I have downloaded a theme from WordPress theme directory (abc) and i renamed it to (xyz). Great, .org plugins have a review process and get taken down or adjusted if … Read more
You do cite experience with WP going back farther than that of mine… Yet I do not see these issues as that major. What scale of sites are we talking about? It’s fairly slow I feel this is bit too much of generalization. Slow can be put in context of specific hardware, tasks and level … Read more
As suggested by @Jeff Mattson, hours of research and testing suggest that this is probably due to mod_security. I also investigated the likelihood of it being due to Suhosin, but I don’t think it’s to blame. Here’s the deal. It doesn’t really help if we verify that the problem is due to mod_security. We don’t … Read more
Yes, you can do this and it does not matter if plugins are different for the two sites, as you are not not using the same tables or anything. Still, if you use plugins that are badly written and build resource urls on top the home url, these will have issues (404 errors mostly).
That is basically the way WordPress does it and pretty much the only way to do it, simply have your receiving PHP function create a new nonce add send it back with your response, then just update the value on your JS before the next round.
Searching this Stack, I can see two possible solutions for this question (not tested). One The answer is not fully developed, but can provide some insight. Restricting access to files within a specific folder Two How to Protect Uploads, if User is not Logged In? Frank Bueltge’s answer seems interesting but the code is quite … Read more
As already suggested in a comment above of mine, technically a (cookie based) session is limited to one IP at a time by using the Safer Cookies (WordPress Plugin). This does not prevent another login with the same username and password because it is a feature of WordPress to allow you to login multiple times … Read more
First: Remove those 777 permissions. You need this only in cases with conflicting ownership. Try to run PHP as FastCGI – for example per .htaccess: AddHandler php-cgi .php # or AddHandler php-fastcgi .php Set up a notification mail for every 404 request. You will be surprised how many attacks the average blog gets each day. … Read more
The PHP files in the wp-includes directory will do nothing when accessed directly. They are designed to be include()‘d in an existing PHP script, such as on the front-end or in the dashboard. Your Options -Indexes entry in the .htaccess file simply prevents a list of the files in a directory when no index.php is … Read more
1, the nonce lifetime is about 24 hours by default actually. take a look at wp_verify_nonce function. To be more accurate, the lifetime is controlled by filter apply_filters( ‘nonce_life’, DAY_IN_SECONDS ); 2, if the lifetime value makes you doubt if it is “an implementation side-effect”, you may want to add_filter(‘nonce_life’,create_function(‘$v’, ‘return 60*5;’)); to shorten the … Read more