What are the common security flaws I need to look for? [closed]

Here is a modified checklist, based on my current (work-in-progress) settings/data security checklist used for reviewing Themes (the principles should be no different for Plugins than they are for Themes): Plugins should prefix all options, custom functions, custom variables, and custom constants with plugin-slug. Plugins should implement Plugin Options and Plugin Settings pages deliberately, rather … Read more

In Which Contexts are Plugins Responsible for Data Validation/Sanitization?

There are two concepts here: validation – making sure data is valid, i.e. an integer is an integer, a date is a date (in the right format etc). This should be done just before saving the data. sanitisation – making the data safe for its use in the current context (e.g. escaping SQL queries, or … Read more

Should I escape wordpress functions like the_title, the_excerpt, the_content

Escaping depends entirely on the context in which you are using the functions. What is safe for displaying inside <h1> tags, is not necessarily safe to display for the value attribute of an input field, and even that wouldn’t necessarily be safe as a href attribute value…. In short – perform the sanitisation yourself as … Read more
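The split the two answers above describe (validate once, just before saving; escape at output time, choosing the escaper by the context the value lands in) as an added PHP example. This is not code from either answer or from WordPress core; the option names, the `myslug_` prefix and the hostile input are constructed for the demo. It assumes a WordPress runtime for `esc_html()`, `esc_attr()`, `esc_url()`, `absint()` and `sanitize_text_field()`; the stand-ins defined at the top are only there so the file also runs with plain `php` on the command line, and they are deliberately simpler than the core functions.

```php
<?php
// Added example (not from the original answers): validate on save, escape on output,
// picking the escaping function by the context the value is rendered into.
// Minimal stand-ins for the WordPress helpers, used only when run outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function esc_url($s)  { $s = trim((string) $s); return preg_match('#^https?://#i', $s) ? $s : ''; }
    function absint($n)   { return abs((int) $n); }
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}

// 1. Validation, just before saving: the stored value must be what the option means.
function myslug_validate_settings(array $input): array {
    $clean = [];
    $clean['items_per_page'] = absint($input['items_per_page'] ?? 0);
    if ($clean['items_per_page'] < 1 || $clean['items_per_page'] > 100) {
        $clean['items_per_page'] = 10;                 // out of range: fall back to the default
    }
    $clean['tagline'] = sanitize_text_field($input['tagline'] ?? '');
    $link = trim((string) ($input['link'] ?? ''));
    // Only absolute http(s) URLs are acceptable; javascript:, data: etc. are dropped here.
    $clean['link'] = (filter_var($link, FILTER_VALIDATE_URL) && preg_match('#^https?://#i', $link)) ? $link : '';
    return $clean;
}

// 2. Escaping, at output time, once per context. The same tagline needs a different
//    escaper as a text node, as an attribute value and as a URL.
function myslug_render(array $s): string {
    $out  = '<h1>' . esc_html($s['tagline']) . '</h1>';                                   // text node
    $out .= '<input type="text" value="' . esc_attr($s['tagline']) . '">';                 // attribute value
    $out .= '<a href="' . esc_url($s['link']) . '">' . esc_html($s['link']) . '</a>';      // URL attr + text
    $out .= '<script>var myslugPerPage = ' . (int) $s['items_per_page'] . ';</script>';   // JS number: cast, do not quote-escape
    return $out;
}

// Constructed hostile input for the demo: an attribute breakout, an out-of-range number
// and a javascript: URL. None of it survives validation plus context-aware escaping.
$raw = [
    'items_per_page' => '9999',
    'tagline'        => '"><img src=x onerror=alert(1)>',
    'link'           => 'javascript:alert(1)',
];
echo myslug_render(myslug_validate_settings($raw)), PHP_EOL;
```

Note that `the_title()` and friends echo the value straight out; the escaping step belongs to whoever places the value into a particular context, which is the point the second answer makes.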

If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?

< and > are encoded as +ADw- and +AD4- in UTF-7. Now imagine the following: Someone sends +ADw-script+AD4-alert(+ACI-Hello+ACI-)+ADw-/script+AD4- as comment text. It will pass all sanitization unescaped. The database expects and treats all incoming data as UTF-8. Since all UTF-7 streams are valid UTF-8 too, this will never result in a SQL error, and mysql_real_escape … Read more
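The mechanism the answer describes, as an added example that is not part of the original answer: the comment text is pure ASCII with none of the characters an HTML escaper looks for, so escaping leaves it untouched, while a browser told the page is UTF-7 decodes it into a live script tag. The payload is the one quoted in the answer; the `myslug_charset_is_safe()` allow-list check is my own addition and assumes the site should only ever serve UTF-8. Requires the mbstring extension.

```php
<?php
// Added example (not from the original answer): escaping cannot save a page whose
// declared charset is attacker-controlled.

// Constructed comment text, as quoted in the answer above.
$comment = '+ADw-script+AD4-alert(+ACI-Hello+ACI-)+ADw-/script+AD4-';

// The string contains no <, >, " or ', so the escaper has nothing to do...
$escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
var_dump($escaped === $comment);                                   // bool(true)

// ...and it is also valid UTF-8, so a UTF-8 column stores it verbatim.
var_dump(mb_check_encoding($comment, 'UTF-8'));                    // bool(true)

// But a browser that believes the page is UTF-7 decodes it before building the DOM:
echo mb_convert_encoding($comment, 'UTF-8', 'UTF-7'), PHP_EOL;     // <script>alert("Hello")</script>

// Defence: never let the advertised charset be anything but UTF-8. A plugin or a
// monitoring check can compare the blog_charset option against a strict allow-list.
function myslug_charset_is_safe(string $charset): bool {
    // Normalise "utf8", "UTF-8", " utf-8 " to one spelling before comparing.
    $norm = strtoupper(str_replace('-', '', trim($charset)));
    return $norm === 'UTF8';
}

var_dump(myslug_charset_is_safe('UTF-8'));   // bool(true)
var_dump(myslug_charset_is_safe('utf8'));    // bool(true)
var_dump(myslug_charset_is_safe('UTF-7'));   // bool(false)
```

In WordPress the value of `blog_charset` ends up in the `Content-Type` header and the `<meta charset>` tag, so a change to that option changes how every stored comment is interpreted; that is why the option deserves the same protection as an administrator password, and why a failed `myslug_charset_is_safe()` check is worth alerting on.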

Are WordPress Plugins essential?

Plugin Necessity

What the necessity of plugins really boils down to is the question, “Am I satisfied that WordPress’s core functionality is all that I need?“ If all you want is a simple blog with some categories and a number of static pages you’re set. But if you want to start integrating interactive maps, calendars … Read more

How to store username and password to API in wordpress option DB?

While I agree with the previous answers, to answer the question you actually asked, what comes to mind is to use one of these constants for wp-config.php: define('AUTH_KEY', 'redacted'); define('SECURE_AUTH_KEY', 'redacted'); define('LOGGED_IN_KEY', 'redacted'); define('NONCE_KEY', 'redacted'); They are meant to be unique across wordpress installations – and are about the only options for pre-existing keys to … Read more
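One way to act on that suggestion, as an added example rather than code from the answer: derive a purpose-specific AES key from `AUTH_KEY` and store the API username and password in the options table as an authenticated ciphertext. The option name, the `myslug_` prefix, the HKDF info string and the demo credentials are constructed; `hash_hkdf()`, `openssl_encrypt()`/`openssl_decrypt()` and `random_bytes()` are standard PHP. It assumes WordPress supplies `AUTH_KEY`, `get_option()` and `update_option()`; the fallbacks at the top exist only so the file runs stand-alone with plain `php`.

```php
<?php
// Added example (not from the original answer): encrypt API credentials under a key
// derived from AUTH_KEY before putting them in wp_options.

// Stand-alone fallbacks. Inside WordPress these come from wp-config.php and core.
if (!defined('AUTH_KEY')) {
    define('AUTH_KEY', 'demo-only-value; WordPress defines this in wp-config.php');
}
if (!function_exists('get_option')) {
    $GLOBALS['myslug_fake_options'] = [];
    function update_option(string $k, $v): bool { $GLOBALS['myslug_fake_options'][$k] = $v; return true; }
    function get_option(string $k, $default = false) { return $GLOBALS['myslug_fake_options'][$k] ?? $default; }
}

const MYSLUG_OPTION = 'myslug_api_credentials';
const MYSLUG_CIPHER = 'aes-256-gcm';   // authenticated: tampering with the stored blob is detected

// Derive a 256-bit key bound to this purpose, so the raw salt is never used as a cipher key
// and a different info string for another feature yields an unrelated key.
function myslug_key(): string {
    return hash_hkdf('sha256', AUTH_KEY, 32, 'myslug api credentials v1');
}

function myslug_store_credentials(string $user, string $pass): void {
    $plain = json_encode(['user' => $user, 'pass' => $pass], JSON_THROW_ON_ERROR);
    $iv    = random_bytes(12);            // fresh 96-bit nonce for every encryption
    $tag   = '';                          // filled in by openssl_encrypt (16 bytes)
    $ct    = openssl_encrypt($plain, MYSLUG_CIPHER, myslug_key(), OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    update_option(MYSLUG_OPTION, base64_encode($iv . $tag . $ct));
}

function myslug_load_credentials(): ?array {
    $blob = get_option(MYSLUG_OPTION);
    if (!is_string($blob)) {
        return null;
    }
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;                      // not a blob we wrote
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $plain = openssl_decrypt($ct, MYSLUG_CIPHER, myslug_key(), OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        return null;                      // wrong key (rotated AUTH_KEY) or tampered blob
    }
    return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

// Demo with constructed values.
myslug_store_credentials('api-user', 'hunter2');
var_dump(myslug_load_credentials());      // ['user' => 'api-user', 'pass' => 'hunter2']
var_dump(get_option(MYSLUG_OPTION));      // opaque base64, not the password
```

Two caveats a reviewer would want stated: the key lives in wp-config.php, so anyone who can read that file or execute PHP on the host can decrypt the blob; this protects only against reading the options table through a database dump, backup or SQL injection. And rotating `AUTH_KEY` (which the answer notes is meant to be unique per installation) makes `myslug_load_credentials()` return `null`, so the credentials must be re-entered after a salt rotation rather than silently failing.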

What Are Security Best Practices for WordPress Plugins and Themes? [closed]

Use Nonces (when not using Settings API)

Plugins and Themes should explicitly provide Settings-page nonce checking, if not using the Settings API:
WordPress Nonces (Codex)
WordPress Nonces (Mark Jaquith)
Improving security in WordPress plugins using Nonces (Vladimir Prelovac)
5 tips for using AJAX in WordPress > 3. Use nonces and check for permission (Gary Cao)
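A settings page that does not use the Settings API and therefore supplies its own nonce and capability checks, plus an AJAX handler that does the same, as an added example that is not code from the answer above, from the checklist at the top of the page, or from WordPress core. It also follows the prefixing rule from the first answer (every function, option, hook and nonce action carries the `myslug_` plugin slug). It assumes it is loaded as a WordPress plugin; the hooks and helpers it calls (`add_action`, `add_options_page`, `wp_nonce_field`, `check_admin_referer`, `current_user_can`, `check_ajax_referer`, `wp_send_json_success`/`wp_send_json_error`, `wp_localize_script`, `wp_create_nonce`, `esc_url_raw`, `wp_unslash`) are core WordPress, while the page slug, option name, script handle and nonce action strings are constructed for the example.

```php
<?php
// Added example (not from the original answers): explicit nonce + capability checks on a
// hand-rolled settings page and on an admin-ajax.php endpoint.

add_action('admin_menu', 'myslug_register_menu');
function myslug_register_menu(): void {
    add_options_page('MySlug Settings', 'MySlug', 'manage_options', 'myslug-settings', 'myslug_render_settings_page');
}

function myslug_render_settings_page(): void {
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.', 'myslug'));
    }
    $value = get_option('myslug_api_endpoint', '');
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="myslug_save_settings">
        <?php wp_nonce_field('myslug_save_settings', 'myslug_nonce'); // emits the nonce + referer fields ?>
        <label>API endpoint
            <input type="url" name="myslug_api_endpoint" value="<?php echo esc_attr($value); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// admin-post.php routes the POST here. Verify the nonce AND the capability: a nonce proves
// the request came from a form this user loaded, not that the user may change settings.
add_action('admin_post_myslug_save_settings', 'myslug_handle_save');
function myslug_handle_save(): void {
    check_admin_referer('myslug_save_settings', 'myslug_nonce');      // dies on a missing or invalid nonce
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.', 'myslug'), '', ['response' => 403]);
    }
    $endpoint = esc_url_raw(wp_unslash($_POST['myslug_api_endpoint'] ?? ''));   // validate before saving
    update_option('myslug_api_endpoint', $endpoint);
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=myslug-settings')));
    exit;
}

// AJAX: hand the nonce to the page script, then verify it on every request.
add_action('admin_enqueue_scripts', 'myslug_enqueue');
function myslug_enqueue(string $hook): void {
    if ($hook !== 'settings_page_myslug-settings') {
        return;                                                       // only on our own page
    }
    wp_enqueue_script('myslug-admin', plugins_url('admin.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('myslug-admin', 'myslugAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('myslug_ajax'),
    ]);
}

// Registered on wp_ajax_ only (no wp_ajax_nopriv_), so anonymous requests never reach it.
add_action('wp_ajax_myslug_test_endpoint', 'myslug_ajax_test_endpoint');
function myslug_ajax_test_endpoint(): void {
    check_ajax_referer('myslug_ajax', 'nonce');                       // responds -1 and exits on failure
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    $endpoint = esc_url_raw(wp_unslash($_POST['endpoint'] ?? ''));
    wp_send_json_success([
        'endpoint'  => $endpoint,
        'well_formed' => (bool) wp_http_validate_url($endpoint),
    ]);
}
```

The page script would send `{ action: 'myslug_test_endpoint', nonce: myslugAjax.nonce, endpoint: ... }` to `myslugAjax.url`. The capability check is repeated in the handler on purpose: nonces expire and are tied to the user, but they are not an authorization mechanism, which is the point of Gary Cao's "use nonces and check for permission" tip cited above.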