Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?

Currently we have the following typecasting in the WP_Query class (see here):

    $q['posts_per_page'] = (int) $q['posts_per_page'];
    if ( $q['posts_per_page'] < -1 )
        $q['posts_per_page'] = abs($q['posts_per_page']);
    elseif ( $q['posts_per_page'] == 0 )
        $q['posts_per_page'] = 1;

and here:

    if ( isset($q['page']) ) {
        $q['page'] = trim($q['page'], '/');
        $q['page'] = absint($q['page']);
    }

Instead of running the query for … Read more
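Added example (not code from the question or from WordPress core): the casts above stop non-numeric input from reaching SQL, but they still let a request ask for posts_per_page=-1 (every post) or an arbitrarily large page size or page number. The function below mirrors the core casts and then clamps the values; the limits MAX_PER_PAGE and MAX_PAGE and the sample requests are assumptions made up for this example.

```php
<?php
// Added example, not WordPress core code: clamp user-supplied pagination
// values before handing them to WP_Query. The (int)/absint() casts in core
// already stop non-numeric input reaching SQL, but they still let a request
// ask for posts_per_page=-1 (every post) or a huge page size / page number.
// The limits below are assumptions for this example.

const MAX_PER_PAGE = 50;
const MAX_PAGE     = 1000;

/**
 * Return sanitized ['posts_per_page' => int, 'paged' => int] from raw input.
 * $input stands in for $_POST so the function can be exercised offline.
 */
function sanitize_pagination( array $input, int $default_per_page = 10 ): array {
    // Same (int) cast as core, then clamp to a positive, bounded range.
    $per_page = isset( $input['posts_per_page'] ) ? (int) $input['posts_per_page'] : $default_per_page;
    if ( $per_page < 1 ) {            // rejects -1 ("all posts") and 0
        $per_page = $default_per_page;
    }
    $per_page = min( $per_page, MAX_PER_PAGE );

    // absint() in core is abs( (int) $x ); do the same and bound the page number.
    $paged = isset( $input['paged'] ) ? abs( (int) $input['paged'] ) : 1;
    if ( $paged < 1 ) {
        $paged = 1;
    }
    $paged = min( $paged, MAX_PAGE );

    return array( 'posts_per_page' => $per_page, 'paged' => $paged );
}

// Constructed sample requests showing the cases the core casts alone let through.
$samples = array(
    array( 'posts_per_page' => '-1',       'paged' => '3' ),  // "all posts"
    array( 'posts_per_page' => '999999',   'paged' => '0' ),  // huge page size
    array( 'posts_per_page' => "10' OR 1", 'paged' => '2' ),  // non-numeric: (int) yields 10
);
foreach ( $samples as $raw ) {
    $args = sanitize_pagination( $raw );
    printf( "in=%s  out=%s\n", json_encode( $raw ), json_encode( $args ) );
}
// Inside WordPress the clamped array is what you pass on:
// $query = new WP_Query( $args + array( 'post_type' => 'post' ) );
```

The point of the clamp is resource exhaustion rather than injection: the integer cast already makes the value safe for the SQL LIMIT clause, but without an upper bound any visitor can make the server select and render every post on each request.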

Does this code indicate an exploit?

The _wp_http_referer field is generated by the wp_referer_field() function. I’m not familiar with the hidden send field – however, I’d wager it’s a nonce field. In all likelihood this pair of hidden inputs was generated by a call to the wp_nonce_field() function with ‘send’ as the $name argument and the $referer argument set to true. … Read more
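Added example, not the original poster's form or the answerer's code: a form that emits the same pair of hidden inputs the answer describes (a nonce field named send plus _wp_http_referer), and the POST handler that checks them. It runs inside WordPress; the action name send_message and the function names are assumptions for this example.

```php
<?php
// Added example (not from the question or answer). The action name
// 'send_message' and the function names are assumptions.

// 1. Rendering the form: wp_nonce_field( $action, $name, $referer, $display ).
//    With $name = 'send' and $referer = true it prints
//      <input type="hidden" name="send" value="...">            (the nonce)
//      <input type="hidden" name="_wp_http_referer" value="..."> (current URL)
//    The second input is what wp_referer_field() emits on its own.
function render_send_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="send_message">
        <?php wp_nonce_field( 'send_message', 'send', true ); ?>
        <textarea name="message"></textarea>
        <button type="submit">Send</button>
    </form>
    <?php
}

// 2. Handling the POST. The nonce is the CSRF check; the referer field is only
//    a convenience for redirecting back and proves nothing about the sender.
function handle_send_message() {
    $nonce = isset( $_POST['send'] ) ? (string) $_POST['send'] : '';
    if ( ! wp_verify_nonce( $nonce, 'send_message' ) ) {
        wp_die( 'Invalid or expired nonce', 'Forbidden', array( 'response' => 403 ) );
    }
    // A nonce is not an authorization check; still verify the capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }

    $message = isset( $_POST['message'] ) ? sanitize_textarea_field( wp_unslash( $_POST['message'] ) ) : '';
    // ... do something with $message ...

    // _wp_http_referer is what wp_get_referer() reads to send the user back.
    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : admin_url() );
    exit;
}
add_action( 'admin_post_send_message', 'handle_send_message' );
```

check_admin_referer( 'send_message', 'send' ) would replace the wp_verify_nonce() call and die on failure by itself; the explicit form above just makes the outcome visible. Either way the hidden send field is expected and harmless, and its presence alone is not evidence of an exploit.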

Replace domain in database

I agree that the Better Search and Replace plugin is great for search/replace of the WP database. But be aware that there are many other things you need to do to recover a hacked site. There are many places to get that info, but when I do it, I change all credentials/passwords: database, FTP, hosting, … Read more

How to obfuscate wp-config.php or code

I am not sure why you would like to obfuscate your wp-config.php file. It is not accessible from the outside world and WordPress needs to be able to read the file. If you are going to obfuscate it, it's quite easy to get it de-obfuscated. Since you need to alter the WordPress core (not recommended) to … Read more

Prevent editor from adding script or form

By default, editors and admins in a single site installation have the unfiltered_html capability, which means they can insert any JavaScript and forms. If you want to disallow that, you can remove that capability from the editor role as described in Why is javascript allowed in my post content? or using a plugin like Members. … Read more
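Added example, not code from the answer or from the Members plugin: two ways to take unfiltered_html away from editors in a single-site install. It runs as a small plugin or from a theme's functions.php; the function names are assumptions for this example.

```php
<?php
// Added example (not from the original answer). Function names are assumptions.

// Option A: strip the capability from the Editor role. Roles are persisted in
// the database, so run this once (on activation) rather than on every request.
function example_remove_editor_unfiltered_html() {
    $role = get_role( 'editor' );
    if ( $role && $role->has_cap( 'unfiltered_html' ) ) {
        $role->remove_cap( 'unfiltered_html' );
    }
}
register_activation_hook( __FILE__, 'example_remove_editor_unfiltered_html' );

// Option B: leave roles untouched and deny the capability at check time for
// everyone who is not an administrator (this also covers custom roles).
function example_deny_unfiltered_html( $allcaps, $caps, $args, $user ) {
    if ( in_array( 'unfiltered_html', $caps, true )
         && ! in_array( 'administrator', (array) $user->roles, true ) ) {
        $allcaps['unfiltered_html'] = false;
    }
    return $allcaps;
}
add_filter( 'user_has_cap', 'example_deny_unfiltered_html', 10, 4 );

// Once a user lacks unfiltered_html, the content they save is run through
// wp_kses_post(), which removes tags outside the allowed list (script, form,
// iframe, inline event handlers) while keeping ordinary post markup.
```

If you want nobody, administrators included, to have the capability, the simplest route is `define( 'DISALLOW_UNFILTERED_HTML', true );` in wp-config.php, which needs no code at all. Whichever option you pick, check it by logging in as an editor and saving a post containing a script tag: the tag should be gone after save.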

Switching between security plugins is a risk?

First thing is: a good plugin should always remove its traces when uninstalled completely. Any change, whether installing a plugin, enabling a new feature, etc., should not be done on a live server. We developers always do tests on a local server. And a good one for anybody could be Local by Flywheel. If you are desperate to … Read more

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)