What could a hacker do with my wp-config.php

localhost refers to the machine it’s running on. For example on my own site tomjn.com localhost is 127.0.0.1 as it always is. This doesn’t mean the hacker doesn’t know where to connect, it means the hacker replaces localhost with tomjn.com. Of course if I have a proxy sitting in front this won’t work, but keep … Read more

Are Nonces Useless?

Nonces are unique to each logged-in user. You can’t scrape a logged-in user’s nonces unless you have their cookies. But if you have a user’s cookies, you’ve already stolen their identity and can do whatever you want. Nonces are meant to protect against users being tricked into doing something they didn’t mean to do, by … Read more

Filter any HTTP request URI?

Less than an answer, but just a list of things straight from my experience with it – maybe you’ve overlooked something. Debugging the request & its results Without diggin’ too deep into the update process, but the WP HTTP API uses the WP_HTTP class. It also offers a nice thing: A debug hook. do_action( ‘http_api_debug’, … Read more

Why does WordPress need my private ssh key to update?

Essentially, WordPress needs to connect back to the server where it is actually running on. There are several possible ways WordPress can use to write files and thus “overwrite” itself during an upgrade. From a security perspective, the important part of this process is that the new files must have the same ownership as the … Read more