Protecting direct access to PDF and ZIP unless user logged in (without plugin)

RewriteCond %{REQUEST_FILENAME} -s
RewriteRule ^wp-content/uploads/([^/]*\.(pdf|zip))$ filecheck.php?file=$1 [QSA,L]

This actually looks OK, except if you have additional subdirectories within the /uploads directory? An alternative is to include an additional condition on the original rule that only rewrites the request if the request ends in .pdf or .zip. For example:

RewriteCond %{REQUEST_URI} \.(pdf|zip)$ [NC]
RewriteCond %{REQUEST_FILENAME} -s
… Read more

Subscribe to email for security fixes?

There is a plug-in that will send you an email whenever an update becomes available (security updates and otherwise). This will be one of the easiest ways to get notified via email: Update Notifier Alternatively, there are usually emails on the WP-Testers email list immediately following an update. You can always subscribe to that to … Read more

Tips for finding SPAM links injected into the_content

I won’t repeat any of the good advice in Squish’s answer. You should also read this article on WordPress security. I’m just going to cover the specifics of what I learned from my episode. My attack is a kind of black hat SEO known as “hideMeYa”: http://siteolytics.com/black-hat-seo-technique-demystified/ Basically, the attacker slips a bunch of hidden … Read more

How do WordPress Nonces Work?

If you read WordPress Nonces in Codex, they have explained it pretty fairly. Some of the key points are: always assume Nonces can be compromised. Nonces are a hash made up of numbers and letters. WordPress verifies any https request with both nonces and user cookies. I believe point #3 is, in short, how … Read more

Can someone explain the use cases of esc_html?

esc_html() does two things: Checks for invalid UTF8 in a string. Converts a number of special characters into their HTML entities, specifically deals with: &, <, >, “, and ‘. Using it instead of __(), _e and other i18n functions protects your website from possible errors that can occur with unaware translators who may use … Read more

Which KSES should be used and when?

From the codex: wp_filter_kses should generally be preferred over wp_kses_data because wp_magic_quotes escapes $_GET, $_POST, $_COOKIE, $_SERVER, and $_REQUEST fairly early in the hook system, shortly after ‘plugins_loaded’ but earlier than ‘init’ or ‘wp_loaded’. The first set is then preferred. More of a question of, “is stripping slashes more secure than not?” They both use … Read more
