is_email() VS sanitize_email()

is_email() will take the provided string( a email address) and run checks on it to ensure that it is indeed an email address and that the string has no illegal characters in it. It would simply not change anything in the string you provided but return either true if the string passes all the function … Read more

Are the default salts secure?

Is wp_generate_password() as safe as the salts generated by the recommended https://api.wordpress.org/secret-key/1.1/salt/? Those details can’t be answered as for obvious reasons, the internals are unknown by the public. If we could answer that, then details would be known that allow for reverse engineering the process. This could lead to a decrease of security. Note, that … Read more

How do I technically prove that WordPress is secure?

Tell your client to read up on cybersecurity, because his premise is nonsense. Security through obscurity has been discredited since 1851 (yes, that’s one and a half century ago). The opposite is also untrue. Open source software is not more secure than proprietary software. The crucial thing in code security is not whether it’s open … Read more

WordPress Ajax Data Security

There are a few things you can do to make more secure: First the Ajax call it self should be made with a WordPress nonce like you said: <script type=”text/javascript” > jQuery(document).ready(function($) { var data = { action: ‘ACTION_NAME’, Whatever_data: 1234, _ajax_nonce: <?php echo wp_create_nonce( ‘my_ajax_nonce’ ); ?> }; $.post(ajaxurl, data, function(response) { alert(‘Got this … Read more

Does this .htaccess security setting really work?

It appears to prevent any POST requests to wp-login.php that aren’t made from a page on my-domain.com. When the browser sends a POST request, say after submitting a form, it will include a HTTP Referrer header telling the server where the request came from. This theoretically prevents bots submitting POST requests directly to wp-login.php as … Read more