Any insecure http:// URLs left in WordPress?

Searching for non-SSL references in the code base is a smart idea and you should probably report any you find on hackerone.com (the place to disclose WordPress vulnerabilities). I also suggest you review the WordPress Security page on wordpress.org. To answer your question, I would say WordPress has been audited extensively for various security vulnerabilities …

System setting changed by system user

A detailed why or how is not going to be possible with the limited information you’ve provided. For a detailed forensic investigation we would need more than just an IP and an arbitrary username; in fact we would need everything… DB, access logs, changelogs, codebase – quite literally everything you’ve got and even then it’s not …

Uploading .webm format on WordPress results in security guideline breach and fail

On a multisite install, go to the Network Admin area and add the webm file extension to the allowed extensions list. On a single-site install, add this to your wp-config.php file: define('ALLOW_UNFILTERED_UPLOADS', true); That will allow administrator level users to upload files without the file type restrictions. The underlying problem is that webm hasn’t been added …

Basic password protection without using users and roles

You could try hooking into template_include and showing the user a completely different page containing the login form (without changing the URL) if the post is password protected. Combine that with WordPress’ built-in post password functionality and you have something really close to what you want (blocking an entire page). You could also use {{insert …

Use global variables or function that returns said variables for site-wide private-ish WP settings?

No overriding benefit, other than collision avoidance and safeguard against unintended modification. Not sure if it makes you feel any better but WP core itself has many dependencies on global variables. I’m not saying that’s a good thing; just a fact. Also remember you have a database and functions to handle storing and retrieving options, …

How can I open a back door for myself?

Of course, someone can edit plugin code via the editor and build a shell or something like that, but I don’t think they would be able to hack your database. Simply put, you can give the developer a specific user role. But I think the best way is using an isolated local install for developing the plugin: XAMPP, etc…

Security concerns with external links

Since WordPress 5.1 (see #43187) it ships with the wp_targeted_link_rel() function, that adds noreferrer and noopener relation values to all anchor elements that have a target. This function is used to filter through the various input data just before saving it, e.g. post title, post content, post excerpt, comment content, term description, link description, link …

How to find exploited wordpress plugin [closed]

As mentioned, updates are vitally important, as are good password practices. I manage many WP sites, and I check (and install) updates every day. I also have some security things that I do by default to reduce the ‘footprint’. Among them are to not have a user called ‘admin’, disable xmlrpc, strong passwords everywhere (host, …

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)