Will there be security updates for 3.1 once 3.2 is released?

WordPress backports security updates usually 1-3 versions back but they don’t promise anything. The WordPress LTS philosophy is that LTS = “Long Term Suckage“ The Long Term Suckage theory is: While I like the theory of LTS, what happens in practice is it covers up the incompetence of IT or developers because they put off … Read more

What is the ideal setup to address security concerns?

If you have FTP access to your server, the most secure setup is not having your themes or plugins directory writable by your webserver and instead having WordPress update files using FTP. When you go to update a plugin, WordPress will prompt you for your FTP details. The FTP method is a lot slower than … Read more

Why does WordPress have more than one salt?

I posted the question on the wordpress slack and the answer I got https://wordpress.slack.com/archives/core/p1447905339001506 is that the difference is semantic and not practical and there is no reason to prefer the usage of one over the others (except for semantics of course)

Improve wordpress security by hiding non public resources

Using remove_action() can be remove unnecessary links for example: remove_action(‘wp_head’, ‘rsd_link’); //removes EditURI/RSD (Really Simple Discovery) link. remove_action(‘wp_head’, ‘wlwmanifest_link’); //removes wlwmanifest (Windows Live Writer) link. remove_action(‘wp_head’, ‘wp_generator’); //removes meta name generator. remove_action(‘wp_head’, ‘wp_shortlink_wp_head’); //removes shortlink. remove_action( ‘wp_head’, ‘feed_links’, 2 ); //removes feed links. remove_action(‘wp_head’, ‘feed_links_extra’, 3 ); //removes comments feed.

comment_post_ID 0 (cannot remove from dashboard)

I’m sorry can’t comment here but i’ll try to help. wp_handle_comment_submission function handing comments posting contains exact check for post_id: $post = get_post( $comment_post_ID ); if ( empty( $post->comment_status ) ) { … return error_happened; } i.e. (1) it passes through , or (2) comment was added other than default way of posting comments. For … Read more

Securing Admin Accounts – Username Discovery

If you have pretty permalinks enabled WordPress will redirect all calls to /?author=1 to the author archive with the user name, eg.: /author/bob/. And then the visitor will know the author name. Use Login Lockdown, that plugin does not reset accounts, it will block IP addresses.

Why escape if the_content isnt?

If I were a hacker with access to the database, wouldn’t I just add my code to a post’s content? If you’ve got access to the database, chances are that you’ve got enough access that escaping isn’t going to stop you. Escaping is not going to help you if you’ve been hacked. It’s not supposed … Read more