Custom true nonce in conjunction with WP nonce in PWA
Custom true nonce in conjunction with WP nonce in PWA
security
Hook before DB connection is made
The problem with having a “hook” is that the add_action() function would not be defined that early so WordPress would have to be recoded so that the function is available much earlier. Also to use an action hook you would need to add your code inside a theme or a plugin. WordPress must make database … Read more
How can I find out exactly what Google is finding ‘Deceptive’ about my WordPress site?
If you were in the process of making any changes when the bot came by, it may have picked up something bogus from the site. You can request a review in search console, I think they should either green-light it or tell you more specifics on what the problem is.
Which WP-CLI commands can be safely run with –allow-root flag?
No commands are safe when ran as root. Even the help screens aren’t safe as root. The reason the –allow-root flag is considered dangerous is not because of what the CLI commands themselves do, but because your entire sites code is loaded when WP CLI runs, but now as root. This would mean any hidden … Read more
Running WordPress multisite login from a subdomain
Running WordPress multisite login from a subdomain
wp-salt.php and wp-cli.yml File present in public_html folder
These are safe. Normally the contents of wp-salt.php is in the wp-config.php. The reason you site became inaccessible is due to the change in wp-config.php to include wp-salt.php. I.e. include(‘wp-salt.php’); You can delete wp-salt.php, but be sure to copy the defines into the wp-config.php were the “include(‘wp-salt.php’);” line is and remove the “include(‘wp-salt.php’);” line. The … Read more
Content Security Policy blocking images from installed plugins’ popup info window, as they are from external domains – global fix?
The answer, as mentioned in a comment by @JacobPeattie, was to add the domains to my .htaccess file where I am setting the CSP Headers, (turns out most plugins’ “View Details” link loads images from ps.w.org, which I just learned). A few other plugins loaded images from other domains, so I also added each of … Read more
Successful password resets and suspicious scripts on my WordPress instance
This is a bug in the POST SMTP plugin. It has been reported here, and also the plugin support forum is full of reports of the same issue. The issue has been fixed in version 2.8.8 of POST SMTP.
Fix CVE-2017-5487 vulnerability
When WordPress enabled the REST API in Core in version 4.7 it enabled the endpoint /wp-json/wp/v2/users/ to list all users that have posted something to the site. Therefore that endpoint can be used by an attacker to find some or all of the administrator account usernames to target for password cracking which is a potential … Read more
How to add a nonce check correctly to this specific code?
The first thing is to inline the nonce so that you can use it in the script that calls the ajax action. // plugin or theme php file wp_enqueue_script( ‘your-script-handle’, ‘url/to/your/script.js’, array( ‘jquery’ ), null, true ); wp_add_inline_script( ‘your-script-handle’, ‘const YourAjaxConfig = ‘ . json_encode( array( ‘ajax’ => array( ‘url’ => admin_url( ‘admin-ajax.php’ ), ‘action’ … Read more