In a perfect world, you don’t need sanitize your querys because the WordPress ORM avoids sql injections going to the database, but is extremely recommended to clean your input data, particularly if is input data provided by a visitor. For example, you can use something like this: $name = sanitize_text_field( $_POST[‘name’] ); // WP_Query arguments … Read more
Normal cookies, as used by WordPress to keep you logged in for a certain period, are the way to check whether a user is logged in. Even if you close your computer they will be there when you switch it on again. Session tokens are something different. They are meant to transfer information between several … Read more
WordPress FTW! It actually works this way out of the box. If you use the same password on multiple pages, it only has to be entered once.
TLDR: No. It’s all about trust. So there are some very basic checks on wp.org but generally this can happen (and probably also does happen from time to time). Of course if something like this happens and people notice it wp.org can block updates or replace them with something safe. Also have a look at … Read more
is_email() will take the provided string( a email address) and run checks on it to ensure that it is indeed an email address and that the string has no illegal characters in it. It would simply not change anything in the string you provided but return either true if the string passes all the function … Read more
PHPMailer is not part of the plugin, it is shipped with WordPress. So it is up to WordPress to keep it up to date. There is a patch already in ticket #37210. In the mean time, you can create a mu-plugin, include the newer version of PHPMailer here, create an instance and assign it to … Read more
Found it while digging around in multisite network admin settings: there is a setting called “Upload file types” (in the database it’s the row with meta_key = “upload_filetypes” in the wp_sitemeta table) which contains a list of allowed filetypes. Adding “ppt” to the list allows them to be uploaded.
In WordPress, nonces are specific to the user, the action being performed, and the time. With regards to time, a nonce is valid for 24 hours, and changes every 12 hours. This is considered an acceptable trade-off, since using a real number-used-once would involve adding a tracking system and having storage of the used nonces. … Read more
Is wp_generate_password() as safe as the salts generated by the recommended https://api.wordpress.org/secret-key/1.1/salt/? Those details can’t be answered as for obvious reasons, the internals are unknown by the public. If we could answer that, then details would be known that allow for reverse engineering the process. This could lead to a decrease of security. Note, that … Read more
Tell your client to read up on cybersecurity, because his premise is nonsense. Security through obscurity has been discredited since 1851 (yes, that’s one and a half century ago). The opposite is also untrue. Open source software is not more secure than proprietary software. The crucial thing in code security is not whether it’s open … Read more