It’s really, really, really hard. It requires a very complete audit. If you’re very sure the old person left something behind that’ll go boom, or require their re-hire because they’re the only one who can put a fire out, then it’s time to assume you’ve been rooted by a hostile party. Treat it like a … Read more
First, DON’T capitulate. He is not only an idiot but DANGEROUSLY wrong. In fact, releasing this information would violate the PCI standard (which is what I’m assuming the audit is for since it’s a payment processor) along with every other standard out there and just plain common sense. It would also expose your company to … Read more
YOu need to deeply look throughout your site for the ‘infection’/malware code. This would include the following steps: update everything (WP, themes, plugins) change credentials on everything (hosting, FTP, admin-level users) create a new admin user, log in as it, then delete the user called ‘admin’ (or demote to ‘subscriber’) look at all folders for … Read more
SVG files contain code in the XML markup language which is similar to HTML. Your browser or SVG editing software parses the XML markup language to display the output on the screen. However, this opens up your website to possible XML vulnerabilities. It can be used to gain unauthorized access to user data, trigger brute force … Read more
It’s probable that your site was hacked. And that will take some manual (‘by-hand’) investigation. Lots of googles on how to clean a hacked site. But, in general change all site/hosting credentials to strong passwords: hosting, ftp, database, WP users look for WP admin level users that shouldn’t be there look at every file for … Read more
What you’re seeing are probably calls from Pingbacks. If you don’t want them you can either disable them globally in the settings or just for a specific post in the “Discussion” metabox in the sidebar of that post.
Thanks to Jacob’s hint I got the solution. This one is working. Header set Content-Security-Policy “base-uri ‘self’; default-src ‘self’; font-src ‘self’ data: https://fonts.gstatic.com; frame-src https://www.google.com https://www.youtube.com; img-src data: ‘self’ https://secure.gravatar.com; script-src ‘self’ ‘unsafe-inline’ ; style-src ‘self’ ‘unsafe-inline’ https://fonts.googleapis.com; object-src ‘self’; form-action ‘self’; frame-ancestors ‘self’;” The difference is the data: in the ìmg-src section.
No, you don’t have to escape values that cannot be changed by someone else. You should escape output that might be changed by some other source, for example if there is a filter running on the values. Let’s say you are using wp_upload_dir() to find the upload directory – and you absolutely should, because the … Read more
It has nothing to do with WordPress. Your server is configured to refuse access from other domains. All you need to enable CORS Origin. This will allow request from other domains. But it will decrease security. You might want to change the * (allow all) to your sub domain. Just put it in your .htaccess … Read more
There are no known security vulnerabilities in 2.9.2 If any new vulnerabilities are discovered the fix will be packported. (This has not happened but if it did we would get a version 2.9.3) WordPress does not have a backport policy that goes further than the previous major release so it is unknown when the 2.9 … Read more