If your aim is security, the only directory writable by the web server should be uploads. Yes, it means no easy updates, but in a secure environment the web server should not be able to write to directories in which there is executable code. If you have so many updates that SFTP becomes too much … Read more
No, I would expect wp_user_update to have been what gets used, but I find your motives dubious, and cannot think of a reasonable use for what you want to do But if you really want to go down this path, use the pre_user_pass filter. I would also note that there is a reason why passwords … Read more
You can use .htaccess to ban IP’s that you don’t want to access your website. If you are attacked from the same IP over the prolonged period of time, and with great frequency, banning the IP is the best solution. Simples way to ban IP in .htaccess is (replace 123.123.123.123 with IP you want to … Read more
The codex states: Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Rejects URLs that do not have one of the provided whitelisted protocols (defaulting to http, https, ftp, ftps, mailto, news, irc, gopher, nntp, feed, and telnet), eliminates invalid characters, and removes dangerous characters. Replaces clean_url() which was deprecated … Read more
I would do the following things – 1) Check if any malicious content lives on the site. You can use free tools like – https://sitecheck.sucuri.net/ 2) Change folder permission of your WordPress installation to 755 if it’s not set to that already. Also change the wp-config.php file permission to 755 to be on the safe … Read more
I don’t think that’s possible using .htaccess alone. Even if it were, what would be the usefulness of keeping a secret which would be displayed in plain text in the URL bar?
The WP-Security plugin is pretty good for this, and a few other wordpress security related things, it is my solution to lock down basics on security for every wordpress install I do.
If you are printing the URL out, say to the front end… that is, it is to be displayed as a normal URL to a visitor etc. then: esc_url() If you are going to use the URL in, say, a WordPress redirect (or anything else that sends http header ‘location’, then you will need: esc_url_raw() … Read more
Your plugin users will need to register their site at https://www.google.com/recaptcha/admin to use the reCAPTCHA API. Once registered, users will need to provide you with their Site Key and Secret Key. The Site Key allows you to display the reCAPTCHA on your Registration form. The Secret Key is used to confirm the reCAPTCHA field input.
Nothing (you will ruin some web stats that look at it, but you probably son’t care about that) Nothing No. Evil people don’t care what is the value otherwise the easiest security measure would have been to change it instead of actually upgrading anything.