esc_attr() right way and use

No, you don’t need the esc_attr() function to print fixed static text. You only need it to print dynamic or generated text, so that if the attribute values contain any special characters that might break your HTML, esc_attr() escapes them properly. In your particular case, you can just write: echo '<label><input type="checkbox" id="custom_header" name="custom_header" … Read more
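As an added illustration, not part of the answer above, here is the static-versus-dynamic distinction with a value an attacker could control. It assumes it runs inside WordPress (so esc_attr() exists); the option name and the injected string are constructed for the example.

```php
<?php
// Added example, not from the original answer. Requires WordPress (esc_attr()).
// The option name 'custom_header_label' is hypothetical; the value below is a
// constructed attacker-controlled string that would normally come from
// get_option( 'custom_header_label' ).
$label = '" onmouseover="alert(1)';

// Static markup needs no escaping: nothing in it is under anyone else's control.
echo '<label for="custom_header">Custom header</label>';

// Unsafe: the dynamic value closes the title attribute and injects an event handler.
// Renders: <input type="checkbox" id="custom_header" name="custom_header" title="" onmouseover="alert(1)">
echo '<input type="checkbox" id="custom_header" name="custom_header" title="' . $label . '">';

// Safe: esc_attr() encodes the quote, so the value stays inside the attribute.
// Renders: <input type="checkbox" id="custom_header" name="custom_header" title="&quot; onmouseover=&quot;alert(1)">
echo '<input type="checkbox" id="custom_header" name="custom_header" title="' . esc_attr( $label ) . '">';
```

esc_attr() only helps when the attribute value is actually quoted; an unquoted attribute such as `title=` . esc_attr( $label ) can still be broken out of with a space. Also use it at output time, not when the value is saved, so the stored data stays unmodified.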

Security and .htaccess

UPDATE: When I first posted my answer I missed the crux of the question; my answer was about .htaccess security in general and is now listed below the double line (look down if it interests you.) Unfortunately I don’t have specific experience with securing /wp-admin/ using .htaccess so I’ll simply list the two resources I … Read more

Will there be security updates for 3.1 once 3.2 is released?

WordPress backports security updates usually 1-3 versions back but they don’t promise anything. The WordPress LTS philosophy is that LTS = “Long Term Suckage”. The Long Term Suckage theory is: While I like the theory of LTS, what happens in practice is it covers up the incompetence of IT or developers because they put off … Read more

What is the ideal setup to address security concerns?

If you have FTP access to your server, the most secure setup is not having your themes or plugins directory writable by your webserver and instead having WordPress update files using FTP. When you go to update a plugin, WordPress will prompt you for your FTP details. The FTP method is a lot slower than … Read more
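As an added example, not part of the answer above, this is the wp-config.php fragment that pairs with that setup: the WordPress files are owned by a deploy account that is not the web server user, so PHP cannot write to the plugin or theme directories, and updates go through FTP instead. The host and account names are placeholders.

```php
<?php
// Added example, not from the original answer. Goes in wp-config.php.
// Assumes the WordPress tree is owned by a separate deploy account (here 'wpdeploy',
// a placeholder) and is not writable by the web server user.

// Weak setting: 'direct' lets PHP (and therefore any compromised plugin) write
// straight into wp-content/plugins and wp-content/themes.
// define( 'FS_METHOD', 'direct' );

// Corrected setting: force the FTP extension, so updates are written as the
// deploy account, not as the web server.
define( 'FS_METHOD', 'ftpext' );
define( 'FTP_HOST', 'ftp.example.com' );   // placeholder host
define( 'FTP_USER', 'wpdeploy' );          // placeholder account that owns the files

// FTP_PASS is deliberately left undefined: WordPress then prompts for it on each
// update instead of keeping the password in a file the web server can read.
```

Plain FTP sends the password in cleartext, so on a host with the PHP ssh2 extension 'ssh2' is the better value for FS_METHOD; the ownership model is the same either way.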

Why does WordPress have more than one salt?

I posted the question on the WordPress Slack, and the answer I got (https://wordpress.slack.com/archives/core/p1447905339001506) is that the difference is semantic and not practical, and there is no reason to prefer the usage of one over the others (except for semantics, of course).

Improve wordpress security by hiding non public resources

Using remove_action() you can remove unnecessary links, for example:

    remove_action( 'wp_head', 'rsd_link' );              // removes the EditURI/RSD (Really Simple Discovery) link
    remove_action( 'wp_head', 'wlwmanifest_link' );      // removes the wlwmanifest (Windows Live Writer) link
    remove_action( 'wp_head', 'wp_generator' );          // removes the meta name="generator" tag
    remove_action( 'wp_head', 'wp_shortlink_wp_head' );  // removes the shortlink
    remove_action( 'wp_head', 'feed_links', 2 );         // removes feed links
    remove_action( 'wp_head', 'feed_links_extra', 3 );   // removes the comments feed

comment_post_ID 0 (cannot remove from dashboard)

I’m sorry I can’t comment here, but I’ll try to help. The wp_handle_comment_submission function, which handles comment posting, contains an exact check for post_id:

    $post = get_post( $comment_post_ID );
    if ( empty( $post->comment_status ) ) {
        …
        return error_happened;
    }

i.e. (1) it passes through, or (2) the comment was added in some way other than the default way of posting comments. For … Read more

Securing Admin Accounts – Username Discovery

If you have pretty permalinks enabled, WordPress will redirect all calls to /?author=1 to the author archive with the user name, e.g. /author/bob/, and then the visitor will know the author name. Use Login Lockdown; that plugin does not reset accounts, it blocks IP addresses.
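As an added example, not part of the answer above, this is one way to stop the ?author=N enumeration it describes, and it goes one step beyond the answer by also hiding the REST users route, which leaks the same login names. It assumes it is loaded inside WordPress (a theme's functions.php or an mu-plugin).

```php
<?php
// Added example, not from the original answer. Requires WordPress.
// Assumption: only anonymous visitors need to be blocked; logged-in users keep
// normal behaviour so the admin screens that link to author archives still work.

// 1. Block author-ID probes before redirect_canonical (priority 10 on
//    template_redirect) turns /?author=1 into /author/username/.
add_action( 'template_redirect', function () {
    // A raw numeric author= parameter is the enumeration probe; pretty
    // /author/bob/ permalinks do not set $_GET['author'], so real archives still work.
    if ( isset( $_GET['author'] ) && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 2. Remove the public user listing from the REST API for anonymous visitors.
//    /wp-json/wp/v2/users otherwise returns the slug (login name) of every author.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
```

Usernames still leak through other channels (the author-... body class on archives, comment author links, oEmbed author_url), so treat this as reducing noise rather than as the control; the lockout plugin the answer recommends, strong passwords and two-factor authentication are what actually protect the admin accounts.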

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)