that wordpress.org page was probably written by someone that do not get security. Escaping is done to make sure that your output, when is part of an HTML page, is displayed to the user as you intend it to be which means converting thing like “<” to the appropriate HTML entity. Yes, if you do … Read more
“406 Not Acceptable” appearing in SEMrush index audit for WordPress site — how do I identify and fix the cause?
Can I overwrite WP’s ca-bundle.crt? No. This file and any other files in the wp-includes folder should never be updated modified or edited unless it’s to replace them with a newer version of WordPress. If you decide to ignore that and manually update the file anyway there are several consequences: on managed hosts this won’t … Read more
The JSON API will allow for the enumeration of authors (and usernames) for a WordPress site. You can’t turn that off. To protect yourself you should: Use strong passwords (you’re already doing that) Leverage two-factor authentication (either with the community-developed Two-Factor or using WordFence’s own support) Leverage a plugin like Jetpack that also supports brute … Read more
Custom true nonce in conjunction with WP nonce in PWA
The problem with having a “hook” is that the add_action() function would not be defined that early so WordPress would have to be recoded so that the function is available much earlier. Also to use an action hook you would need to add your code inside a theme or a plugin. WordPress must make database … Read more
If you were in the process of making any changes when the bot came by, it may have picked up something bogus from the site. You can request a review in search console, I think they should either green-light it or tell you more specifics on what the problem is.
No commands are safe when ran as root. Even the help screens aren’t safe as root. The reason the –allow-root flag is considered dangerous is not because of what the CLI commands themselves do, but because your entire sites code is loaded when WP CLI runs, but now as root. This would mean any hidden … Read more
Running WordPress multisite login from a subdomain
These are safe. Normally the contents of wp-salt.php is in the wp-config.php. The reason you site became inaccessible is due to the change in wp-config.php to include wp-salt.php. I.e. include(‘wp-salt.php’); You can delete wp-salt.php, but be sure to copy the defines into the wp-config.php were the “include(‘wp-salt.php’);” line is and remove the “include(‘wp-salt.php’);” line. The … Read more