Session Cookie security questions

The functions that generate, validate and clear auth cookies are all pluggable (meaning you can write your own versions of them). Just note that some of them may need to return something specific (like the user ID). wp_generate_auth_cookie() (generates your cookies) wp_set_auth_cookie() (actually sets the cookies) wp_validate_auth_cookie() (validates your cookies) wp_parse_auth_cookie() (parses an auth cookie, …

How can I force a specific password?

You can use this code in your functions.php to restrict users below admin level from changing their passwords: if ( is_admin() ) { add_action( 'init', 'disable_password_fields', 10 ); } function disable_password_fields() { if ( ! current_user_can( 'activate_plugins' ) ) { $show_password_fields = add_filter( 'show_password_fields', '__return_false' ); } } The admin should probably register each user …

.htaccess password protection bypassed

What web server do you use? If you use nginx, you can try this to secure your wp-admin: location ~ ^/(wp-login\.php$) { root /var/www/wordpress/; allow 127.0.0.1; allow Your-ip-address; allow Your-second-ip-address; deny all; Another way to secure your wp-admin from brute force attacks is to add these lines to your nginx.conf: Limit Request limit_req_status 403; limit_req_zone …

Use Google authentication for pages within a website [closed]

If you can use Google authentication to connect as admin, then accessing published site pages is no different from connecting as a different user role. Make a new user role (say subscriber) and make your pages accessible only to users with that particular role. Make sure they don't have access to anything other than these …

fail2ban to prevent Brute Force Attacks on WordPress?

[pedantic mode] fail2ban obviously does not prevent attacks. The only way to prevent attacks is by sending the people that originate them to jail or giving them some other incentive to stop. More to the point, fail2ban suffers from having only a single point of reference while attackers control many sources. To have an effective …

Will there be security updates for WordPress 4.9.9

According to the Codex: The only current officially supported version is WordPress 5.0.3. Previous major releases before this may or may not get security updates as serious exploits are discovered. So, as you can see, the official position is that only the newest version is supported and only that version guarantees that you'll get security updates. …

Does meta-data need to be sanitized?

Yes, it's a good practice to sanitize input and escape output. It's important to use the correct function, though, so that you don't inadvertently mess up your data. Since it's for a URL, use esc_url_raw() (it is specifically for db usage). (Note: it may seem odd using a function with the "esc_" stem for sanitizing, …

How safe is current_user_can()?

current_user_can() checks whether the current user has a specific capability. And only that… It won't protect you from CSRF attacks, so it would be a good idea to check some nonces too; this way you can be certain that the user wants to perform the given action. Let's say there's a link to delete a post. …

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)