multi page password protection
WordPress FTW! It actually works this way out of the box. If you use the same password on multiple pages, it only has to be entered once.
WordPress FTW! It actually works this way out of the box. If you use the same password on multiple pages, it only has to be entered once.
TLDR: No. It’s all about trust. So there are some very basic checks on wp.org but generally this can happen (and probably also does happen from time to time). Of course if something like this happens and people notice it wp.org can block updates or replace them with something safe. Also have a look at … Read more
is_email() will take the provided string( a email address) and run checks on it to ensure that it is indeed an email address and that the string has no illegal characters in it. It would simply not change anything in the string you provided but return either true if the string passes all the function … Read more
PHPMailer is not part of the plugin, it is shipped with WordPress. So it is up to WordPress to keep it up to date. There is a patch already in ticket #37210. In the mean time, you can create a mu-plugin, include the newer version of PHPMailer here, create an instance and assign it to … Read more
Found it while digging around in multisite network admin settings: there is a setting called “Upload file types” (in the database it’s the row with meta_key = “upload_filetypes” in the wp_sitemeta table) which contains a list of allowed filetypes. Adding “ppt” to the list allows them to be uploaded.
In WordPress, nonces are specific to the user, the action being performed, and the time. With regards to time, a nonce is valid for 24 hours, and changes every 12 hours. This is considered an acceptable trade-off, since using a real number-used-once would involve adding a tracking system and having storage of the used nonces. … Read more
Is wp_generate_password() as safe as the salts generated by the recommended https://api.wordpress.org/secret-key/1.1/salt/? Those details can’t be answered as for obvious reasons, the internals are unknown by the public. If we could answer that, then details would be known that allow for reverse engineering the process. This could lead to a decrease of security. Note, that … Read more
Tell your client to read up on cybersecurity, because his premise is nonsense. Security through obscurity has been discredited since 1851 (yes, that’s one and a half century ago). The opposite is also untrue. Open source software is not more secure than proprietary software. The crucial thing in code security is not whether it’s open … Read more
There are a few things you can do to make more secure: First the Ajax call it self should be made with a WordPress nonce like you said: <script type=”text/javascript” > jQuery(document).ready(function($) { var data = { action: ‘ACTION_NAME’, Whatever_data: 1234, _ajax_nonce: <?php echo wp_create_nonce( ‘my_ajax_nonce’ ); ?> }; $.post(ajaxurl, data, function(response) { alert(‘Got this … Read more
It appears to prevent any POST requests to wp-login.php that aren’t made from a page on my-domain.com. When the browser sends a POST request, say after submitting a form, it will include a HTTP Referrer header telling the server where the request came from. This theoretically prevents bots submitting POST requests directly to wp-login.php as … Read more