No, I would expect wp_user_update to have been what gets used, but I find your motives dubious, and cannot think of a reasonable use for what you want to do But if you really want to go down this path, use the pre_user_pass filter. I would also note that there is a reason why passwords … Read more
You can use .htaccess to ban IP’s that you don’t want to access your website. If you are attacked from the same IP over the prolonged period of time, and with great frequency, banning the IP is the best solution. Simples way to ban IP in .htaccess is (replace 123.123.123.123 with IP you want to … Read more
The codex states: Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Rejects URLs that do not have one of the provided whitelisted protocols (defaulting to http, https, ftp, ftps, mailto, news, irc, gopher, nntp, feed, and telnet), eliminates invalid characters, and removes dangerous characters. Replaces clean_url() which was deprecated … Read more
I would do the following things – 1) Check if any malicious content lives on the site. You can use free tools like – https://sitecheck.sucuri.net/ 2) Change folder permission of your WordPress installation to 755 if it’s not set to that already. Also change the wp-config.php file permission to 755 to be on the safe … Read more
I don’t think that’s possible using .htaccess alone. Even if it were, what would be the usefulness of keeping a secret which would be displayed in plain text in the URL bar?
The WP-Security plugin is pretty good for this, and a few other wordpress security related things, it is my solution to lock down basics on security for every wordpress install I do.
If you are printing the URL out, say to the front end… that is, it is to be displayed as a normal URL to a visitor etc. then: esc_url() If you are going to use the URL in, say, a WordPress redirect (or anything else that sends http header ‘location’, then you will need: esc_url_raw() … Read more
Your plugin users will need to register their site at https://www.google.com/recaptcha/admin to use the reCAPTCHA API. Once registered, users will need to provide you with their Site Key and Secret Key. The Site Key allows you to display the reCAPTCHA on your Registration form. The Secret Key is used to confirm the reCAPTCHA field input.
Nothing (you will ruin some web stats that look at it, but you probably son’t care about that) Nothing No. Evil people don’t care what is the value otherwise the easiest security measure would have been to change it instead of actually upgrading anything.
Sadly it’s not uncommon to receive many rogue login attempts. If you have a strong password policy this actually shouldn’t worry you too much. If there is a limited amount of people with logins and they work from fixed addresses, you can block acces to that page by writing a rule in your .htaccess that … Read more