Tips for finding SPAM links injected into the_content

I won’t repeat any of the good advice in Squish’s answer. You should also read this article on WordPress security. I’m just going to cover the specifics of what I learned from my episode. My attack is a kind of black hat SEO known as “hideMeYa”: http://siteolytics.com/black-hat-seo-technique-demystified/ Basically, the attacker slips a bunch of hidden … Read more

How do WordPress Nonces Work?

If you read WordPress Nonces in Codex, they have explained it pretty fairly. some of the key points are: always assume Nonces can be compromised. Nonces are a hash made up of numbers and letters. WordPress Verifies any https request with both nonces and user cookies. I believe point #3 is, in short, is how … Read more

Can someone explain the use cases of esc_html?

esc_html() does two things: Checks for invalid UTF8 in a string. Converts a number of special characters into their HTML entities, specifically deals with: &, <, >, “, and ‘. Using it instead of __(), _e and other i18n functions protects your website from possible errors that can occur with unaware translators who may use … Read more

Which KSES should be used and when?

From the codex: wp_filter_kses should generally be preferred over wp_kses_data because wp_magic_quotes escapes $_GET, $_POST, $_COOKIE, $_SERVER, and $_REQUEST fairly early in the hook system, shortly after ‘plugins_loaded’ but earlier then ‘init’ or ‘wp_loaded’. The first set is then preferred. More of a question of, “is stripping slashes more secure than not?” They both use … Read more