You could create a dummy user (with no rights) and log in every visitor using this dummy user. This could be done pretty easily: wp_set_auth_cookie($uid, true); wp_set_current_user($uid); But in my opinion that’s a rather flawy workaround. Your main problem is that all pages for not-logged-in users come from the page-cache. That also means that all … Read more
As pointed out in the comments by @kaiser, your question is very similar to this question. In fact, the question itself holds the answer. To disable all feeds add the following code… function itsme_disable_feed() { wp_die( __( ‘No feed available, please visit the <a href=”‘. esc_url( home_url( “https://wordpress.stackexchange.com/” ) ) .'”>homepage</a>!’ ) ); } add_action(‘do_feed’, … Read more
Option 1 – Process some data on your system I wouldn’t place all of the plug-in’s processing on your own server, but pick one or two vital functions and keep them hosted on your system. Then require an API key for each site that uses the plug-in so that they can communicate with your server. … Read more
About changing the login url, i already did by mysel. It help me protect my site and prevent brute force You can change it in htaccess. But you also need to add the filter to replace old login url in wordpress. Example to my website: File .htaccess: RewriteRule ^signin(.*) wp-login.php?%{QUERY_STRING} In your theme or custom … Read more
You can safely move it as far as I know…. but what do you mean folder? Up one level would already be a folder…. if your site is in html, or public_html or whatever, you place the wp-config file in whatever folder holds your html or public_html folder like if your path is /home/content/u/s/e/user/html/ And … Read more
Short answer: No. You can use normal strings for actions, md5’ing them doesn’t change anything. The nonce is built from three main pieces of information: Time: The current time() divided by 43200 is worked into the nonce. This is what lets the nonce be changed every 12 hours (43200 seconds in 12 hours). The action … Read more
The password strength meter in the latest versions of WordPress uses a library called “zxcvbn”, made by Dropbox in 2012. The library is available for free on Github: https://github.com/dropbox/zxcvbn An explanation of the library is here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/ But the short version is that it analyzes patterns in the password instead of being a simple “does … Read more
You should pass the special wp_rest nonce as part of the request. Without it, the global $current_user object will not be available in your REST class. You can pass this from several ways, from $_GET to $_POST to headers. The action nonce is optional. If you add it, you can’t use the REST endpoint from … Read more
If you know the sub-net of your VPN you could restrict access to /wp-admin via .htaccess using standard Apache rules. <Directory /var/www/wp-admin/> Order deny,allow Allow from 192.168.1.0/24 Allow from 127 </Directory> Obviously you’d need to adjust the directory and IP address subnet to suit your needs. To restrict access to a specific file: <Files _FILE_.php> … Read more
This article has a bunch of great answers to your questions. I highly recommend checking it out to learn more about the scale of this issue, but I can give a quick rundown. SVG, since it’s XML based, makes it really hard to decipher what is and what isn’t malicious. At one end, it opens … Read more