WordPress Ajax Data Security

There are a few things you can do to make it more secure: First, the Ajax call itself should be made with a WordPress nonce like you said: <script type="text/javascript"> jQuery(document).ready(function($) { var data = { action: 'ACTION_NAME', Whatever_data: 1234, _ajax_nonce: '<?php echo wp_create_nonce( 'my_ajax_nonce' ); ?>' }; $.post(ajaxurl, data, function(response) { alert('Got this … Read more

Does this .htaccess security setting really work?

It appears to prevent any POST requests to wp-login.php that aren't made from a page on my-domain.com. When the browser sends a POST request, say after submitting a form, it will include an HTTP Referrer header telling the server where the request came from. This theoretically prevents bots submitting POST requests directly to wp-login.php as … Read more

How to set up fail2ban with WordFence?

This question really deserves some attention. WordFence looks like one of the most popular plugins for security nowadays. Compared with iThemes Security it is like 2.6:3.2, where iThemes Security (formerly Better WP Security) won. Of course these were thousands of 5 stars. The author of WordFence wrote this section: My WordPress site is … Read more

Enforcing password complexity

Well, ended up fixing this after hours of banging my head against one's keyboard. Fixed by making the first parameter of my hooked function a value instead of a reference; curious, when nearly all hooks in WordPress pass the error object by reference! function validatePasswordReset( &$errors, $userData ) { return validateComplexPassword( $errors ); } … Read more

What to use instead of wp_kses() in user output

Let's go and see what core would do. In default-filters.php, here is what content output passes through: add_filter( 'the_content', 'wptexturize' ); add_filter( 'the_content', 'convert_smilies' ); add_filter( 'the_content', 'convert_chars' ); add_filter( 'the_content', 'wpautop' ); add_filter( 'the_content', 'shortcode_unautop' ); add_filter( 'the_content', 'prepend_attachment' ); None of these are really dedicated security/escaping functions. It is similar for comments, which … Read more

Full path disclosure on rss-functions.php

PHP files in the wp-includes directory should not be accessible from the outside; they should only be included by WordPress code. Therefore an easy fix to this is to use .htaccess rules to block access to *.php files that are under the wp-includes directory.

What’s the difference between esc_* functions?

esc_html and esc_attr are near-identical; the only difference is that output gets passed through differently named filters (esc_html and attribute_escape respectively). esc_url is more complex and specific: it deals with characters that can't be in URLs and allowed protocols (a list of which can be passed as the second argument). It will also prepend input with … Read more

Should `get_template_directory_uri()` be escaped?

In that function we find a hook: return apply_filters( 'template_directory_uri', $template_dir_uri, $template, $theme_root_uri ); So, yes, the URI can be changed by plugins, and you should escape its returned value. The same principle applies to all WordPress URI functions, like get_home_url(), get_site_url() and so on. Keep in mind that there are not only good plugin … Read more

How to properly validate data from $_GET or $_REQUEST using WordPress functions?

WordPress doesn't provide any specific data validation functions for superglobals. I use the PHP filter_input function, then escape it as I would any untrusted variable. $url = filter_input( INPUT_GET, 'some_query_string', FILTER_VALIDATE_URL ); echo '<a href="' . esc_url( $url ) . '">Click Me</a>'; The PHP filter input accepts: Validate filters, Sanitize filters, Other filters, Additional filter flags.