wp_verify_nonce vs check_admin_referer

I thought that check_admin_referer checked the nonce (it does call wp_verify_nonce) and the referring URL. After digging into the core code I realised that it did not do this. Thinking it was a bug I reported it, and Ryan Boren replied with the following: Actually, if the nonce is valid the referrer should not be … Read more

Best way to eliminate xmlrpc.php?

Since WordPress 3.5 this option (XML-RPC) is enabled by default, and the ability to turn it off from the WordPress dashboard is gone. Add this code snippet for use in functions.php:
// Disable use of XML-RPC
add_filter( 'xmlrpc_enabled', '__return_false' );
// Remove the X-Pingback header
add_filter( 'wp_headers', 'disable_x_pingback' );
function disable_x_pingback( $headers ) { unset( $headers['X-Pingback'] ); … Read more

Can I Prevent Enumeration of Usernames?

A simple solution I use in a .htaccess:
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ - [L,R=403]
It is similar to @jptsetme's answer, but it works even when the query string is /?dummy&author=5, and the search pattern for RewriteRule is very fast: You often see a capture ([0-9]*) in regular expressions for this. … Read more

WordPress 4.7.1 REST API still exposing users

This code snippet will hide the users, posts, and comments endpoint results and give 404 as the result, while the rest of the API calls keep running as they were. ::UPDATE::
// The filter callback receives the registered endpoints; it must accept $endpoints to modify them
add_filter( 'rest_endpoints', function( $endpoints ) {
    $toRemove = [ 'users', 'posts', 'comments' ];
    foreach ( $toRemove as $val ) {
        if ( isset( $endpoints['/wp/v2/' . $val] ) ) { unset( $endpoints['/wp/v2/' . $val] ); }
        if ( isset( $endpoints['/wp/v2/' . $val . '/(?P<id>[\d]+)'] ) ) { unset( $endpoints['/wp/v2/' . $val . '/(?P<id>[\d]+)'] ); }
    }
    return $endpoints;
} ); … Read more

Getting a List of Currently Available Roles on a WordPress Site?

Roles are stored in the global variable $wp_roles. The ideal function is get_editable_roles() from /wp-admin/includes/user.php:
function get_editable_roles() { global $wp_roles; $all_roles = $wp_roles->roles; $editable_roles = apply_filters( 'editable_roles', $all_roles ); return $editable_roles; }
The "editable" part is because it offers other plugins a chance to filter the list in case someone other than admin has 'edit_users' privilege (and … Read more

Can I rename the wp-admin folder?

Unfortunately it’s not currently possible nor does there appear to be will to consider it as a modification as you can see by this recent thread on the wp-hackers list and this ticket on trac. If you’d really like to see this be revisited I’d suggest: Present your case on wp-hackers but be forewarned your … Read more