Is this meant to be used on sites in production? Yes. Many sites have been already using it. Is there a security risk to allowing endpoints to be viewed by anyone, such as /wp-json/wp/v2/users/ which shows all users registered to the site? No. Server responses have nothing to do with security, nothing you can do … Read more
Yes, it does. See Ticket #16778 wordpress is leaking user/blog information during wp_version_check(). All the details are in /wp-includes/update.php: if ( is_multisite( ) ) { $user_count = get_user_count( ); $num_blogs = get_blog_count( ); $wp_install = network_site_url( ); $multisite_enabled = 1; } else { $user_count = count_users( ); $user_count = $user_count[‘total_users’]; $multisite_enabled = 0; $num_blogs = … Read more
This really wouldn’t have anything to do with WordPress intrinsically. It would be related to some plugin or code that passes values based on post data or anything that can request back-end HTTP to another application. The problem is you are open for XSS and SQL injection. Do you have user input fields i.e. POST … Read more
Authorization is the primary header used by clients to authenticate against peers in HTTP as foreseen in RFC 7235. It is often linked to the Basic authentication scheme as per RFC 7617, but that is not a given. The Basic scheme allows clients to provide a username-password-pair separated by a colon (:) coded in Base64. It cannot be stressed enough that this is a transport … Read more
Header names are not case sensitive. From RFC 2616 – “Hypertext Transfer Protocol — HTTP/1.1”, Section 4.2, “Message Headers”: Each header field consists of a name followed by a colon (“:”) and the field value. Field names are case-insensitive. The updating RFC 7230 does not list any changes from RFC 2616 at this part.
I am getting this strange thing on my Ubuntu 12.04 64-bit machine when I do a wget I have encountered this problem earlier when I got it for any web pages (and not http), which required me to add my nameserver to /etc/resolv.conf. However, here that doesn’t seem to be the problem, instead it is … Read more
I found this blog post which cleared up a few things. To quote the most relevant bit: Mixed Active Content is now blocked by default in Firefox 23! What is Mixed Content?When a user visits a page served over HTTP, their connection is open for eavesdropping and man-in-the-middle (MITM) attacks. When a user visits a … Read more
The values are sent in the request body, in the format that the content type specifies. Usually the content type is application/x-www-form-urlencoded, so the request body uses the same format as the query string: When you use a file upload in the form, you use the multipart/form-data encoding instead, which has a different format. It’s more complicated, but … Read more
See documentation: http://www.php.net/manual/en/function.curl-setopt.php CURLOPT_CONNECTTIMEOUT – The number of seconds to wait while trying to connect. Use 0 to wait indefinitely.CURLOPT_TIMEOUT – The maximum number of seconds to allow cURL functions to execute. also don’t forget to enlarge time execution of php script self:
One solution to this was posted in the PHP documentation comments: http://www.php.net/manual/en/function.curl-exec.php#80442 Code example: Warning: As noted in the comments below, this may not be reliable when used with proxy servers or when handling certain types of redirects. @Geoffrey’s answer may handle these more reliably.