Is it necessary to use a security plugin for WordPress? [closed]

This highly depends on your capabilities as a developer, and you are addressing multiple questions in one go: your servers need to be secured and might benefit from DDoS mitigation systems like a CDN or those large hosters offer (AWS, GCE, etc.). Your users' input, both frontend and backend, should be validated, sanitized and escaped before … Read more

Security – Shortcode injection attack

In general, like with any other theme or plugin on your system, there is nothing built in that can prevent all attack vectors. Shortcodes are a kind of macro for generating HTML. Shortcodes that don't do more than that should generally be safe. The biggest problem with shortcodes is that their insertion and "execution" do not … Read more

wp-json and what data does it give away?

/wp-json/ is the base part of the WordPress REST API: https://developer.wordpress.org/rest-api/ An author's ID isn't a big deal. I would imagine that in your theme, every time the post author's name shows, the HTML showing the name would have element classes containing the author's ID. It's normal for it to be shown in publicly viewable source code, … Read more

Is there a way for a user to have an alias?

Users are a means of authentication and authorization. This should not be confused in any way with whatever information is displayed on the front end. By default WordPress core is guilty of not understanding the distinction, but in some contexts like comments it should be easy to add a "name" field to the comment form for … Read more

Auth cookie value security risk?

Can they, for example, simply copy the cookie and "be" logged in as the user who was the original cookie owner? Yes! With the cookie they basically have your login session. You do not want third parties to get the cookie. Keep in mind there is more than one cookie: one for the frontend and one for the backend. … Read more

How to save iframe tag into a post?

iframes get stripped out for security reasons; you shouldn't be trying to put embed codes directly into post content, there are other methods, such as oEmbed or shortcodes. If you have the unfiltered_html capability, you can add them via the classic editor, but this capability is extremely dangerous. It also means any users who don't … Read more
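The two answers above (shortcodes as HTML-generating macros that are safe as long as they only generate HTML, and using a shortcode instead of handing out unfiltered_html to embed an iframe) can be served by one piece of code. The following is an added example and is not code from either answer or from WordPress core: a shortcode that lets editors without unfiltered_html embed an iframe, but only over https from an allowlisted host, with every attribute escaped for its context. The shortcode name, the function name and the allowlisted hosts are assumptions made for the example; add_shortcode, shortcode_atts, wp_parse_url, esc_url and absint are WordPress core functions.

```php
<?php
// Added example, not from the original answers: a shortcode that embeds an
// iframe without requiring the unfiltered_html capability.
// Assumes WordPress is loaded (put this in a small plugin file).
// Shortcode name, function name and the allowlist are assumptions.

add_shortcode( 'safe_embed', 'se_safe_embed_shortcode' );

function se_safe_embed_shortcode( $atts ) {
    // Only these hosts may be framed. Assumption: the site embeds nothing else.
    $allowed_hosts = array( 'www.youtube.com', 'player.vimeo.com' );

    // Unknown attributes are dropped; missing ones get safe defaults.
    $atts = shortcode_atts( array(
        'src'    => '',
        'width'  => 560,
        'height' => 315,
    ), $atts, 'safe_embed' );

    $src    = $atts['src'];
    $scheme = wp_parse_url( $src, PHP_URL_SCHEME );
    $host   = wp_parse_url( $src, PHP_URL_HOST );

    // Validate: https only, and only to an allowlisted host. An editor cannot
    // point the frame at an arbitrary origin or use a javascript: URL.
    if ( 'https' !== $scheme || ! in_array( $host, $allowed_hosts, true ) ) {
        return '';
    }

    // Escape: every interpolated value is escaped for the context it lands in
    // (URL attribute, integer attributes). Nothing from $atts reaches the
    // output unescaped, so the shortcode never does more than generate HTML.
    return sprintf(
        '<iframe src="%s" width="%d" height="%d" frameborder="0" allowfullscreen referrerpolicy="no-referrer"></iframe>',
        esc_url( $src ),
        absint( $atts['width'] ),
        absint( $atts['height'] )
    );
}
```

Usage in post content is `[safe_embed src="https://www.youtube.com/embed/VIDEO_ID" width="640" height="360"]` (VIDEO_ID is a placeholder). Because the markup is produced at render time from validated attributes, the post author never needs the right to store raw `<iframe>` tags, and the stored content stays plain shortcode text that survives kses filtering.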

Suspicious Files

When someone sends a POST request with a variable named php whose value is base64-encoded PHP code, that PHP code will run after decoding with the permissions of all your own PHP files. The attacker can read all database content, create new users, upload files … The second code does the … Read more
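The backdoor pattern described above (a request variable that is base64-decoded and passed to eval) is easy to hunt for once you know its shape. The following is an added example, not code from the answer: a CLI scanner that flags code-execution sinks fed by a decoder or a request superglobal, and long base64 literals that decode to PHP. The "infected" sample file it scans first is constructed for illustration; the sink and source lists are the author's assumptions about what is worth flagging.

```php
<?php
// Added example, not from the original answer: scan PHP files for the
// eval(base64_decode($_POST[...])) style of backdoor.
//   php scan-backdoors.php /path/to/wordpress
// Without an argument it only scans the constructed sample below.

// Constructed sample: what a dropped backdoor typically looks like.
$sample_backdoor = <<<'PHP'
<?php
// constructed sample file, never executed by this scanner
if (isset($_POST['php'])) { eval(base64_decode($_POST['php'])); }
PHP;

// Functions that execute code or commands, and sources of attacker input.
// Both lists are assumptions for the example; extend them for your site.
$sinks   = 'eval|assert|create_function|system|shell_exec|passthru|exec|popen|proc_open';
$sources = '\$_(POST|GET|REQUEST|COOKIE|SERVER)|php:\/\/input';

function scan_source( $code, $label, $sinks, $sources ) {
    $hits  = array();
    $lines = preg_split( '/\r\n|\r|\n/', $code );

    // 1) a sink whose first argument is a decoder or a request superglobal
    $sink_pattern = '/\b(' . $sinks . ')\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|' . $sources . ')/i';

    // 2) a long base64 literal; decode it and look for PHP inside
    $b64_pattern  = '/[\'"]([A-Za-z0-9+\/]{80,}={0,2})[\'"]/';

    foreach ( $lines as $n => $line ) {
        if ( preg_match( $sink_pattern, $line ) ) {
            $hits[] = sprintf( '%s:%d: sink fed by decoder/request: %s', $label, $n + 1, trim( $line ) );
        }
        if ( preg_match( $b64_pattern, $line, $m ) ) {
            $decoded = base64_decode( $m[1], true );
            if ( $decoded !== false && preg_match( '/<\?php|\beval\b|\$_(POST|GET|REQUEST)/', $decoded ) ) {
                $hits[] = sprintf( '%s:%d: base64 literal decodes to PHP', $label, $n + 1 );
            }
        }
    }
    return $hits;
}

// Scan the constructed sample...
foreach ( scan_source( $sample_backdoor, 'sample.php', $sinks, $sources ) as $hit ) {
    echo $hit, PHP_EOL;
}

// ...then, if a directory was given, every .php file under it.
if ( isset( $argv[1] ) && is_dir( $argv[1] ) ) {
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $argv[1], FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( strtolower( $file->getExtension() ) !== 'php' ) {
            continue;
        }
        $path = $file->getPathname();
        foreach ( scan_source( file_get_contents( $path ), $path, $sinks, $sources ) as $hit ) {
            echo $hit, PHP_EOL;
        }
    }
}
```

Treat a hit as a lead, not a verdict: a few legitimate plugins call `base64_decode` on their own data, but none should pass `$_POST` or `$_REQUEST` straight into `eval`. Also compare the hit list against file modification times and against a clean copy of the same plugin version, since a backdoor is usually appended to an otherwise genuine file.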

Should I Worry About SQL Injection When Using wp_insert_post?

WordPress DOES take care of SQL injection for you. See the Security section on this page. The wp_insert_post() function runs through sanitize_post(). Be aware that malicious or unintended code can still be inserted: "You may wish, however, to remove HTML, JavaScript, and PHP tags from the post_title and any other fields. Surprisingly, WordPress does … Read more
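The distinction the answer draws, that wp_insert_post() protects the SQL layer but HTML and JavaScript can still land in the title and other fields, is shown below in an added example that is not code from the answer or from WordPress core: a front-end submission handler that leaves SQL escaping to wp_insert_post() (which inserts through $wpdb with prepared statements) and strips markup itself before calling it. The action name submit_story and the form field names my_title and my_body are assumptions for the example; wp_verify_nonce, wp_unslash, sanitize_text_field, wp_kses_post and wp_insert_post are core functions.

```php
<?php
// Added example, not from the original answer: accept a post from an
// untrusted form and store it with wp_insert_post().
// Assumes WordPress is loaded. Action and field names are assumptions.

add_action( 'admin_post_nopriv_submit_story', 'ex_handle_submission' );
add_action( 'admin_post_submit_story', 'ex_handle_submission' );

function ex_handle_submission() {
    // Reject requests that did not originate from our own form.
    $nonce = isset( $_POST['_wpnonce'] ) ? wp_unslash( $_POST['_wpnonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'submit_story' ) ) {
        wp_die( 'Invalid request.' );
    }

    // WordPress adds slashes to request data; remove them before sanitizing.
    $raw_title = isset( $_POST['my_title'] ) ? wp_unslash( $_POST['my_title'] ) : '';
    $raw_body  = isset( $_POST['my_body'] )  ? wp_unslash( $_POST['my_body'] )  : '';

    // SQL injection: not our job here. wp_insert_post() hands the array to
    // $wpdb->insert(), which builds a prepared statement.
    // Markup: our job. Strip it explicitly instead of relying on whichever
    // kses filters happen to be hooked for the current user.
    $title = sanitize_text_field( $raw_title ); // no tags, no control chars
    $body  = wp_kses_post( $raw_body );         // only the HTML a post may hold

    $post_id = wp_insert_post( array(
        'post_title'   => $title,
        'post_content' => $body,
        'post_status'  => 'pending',  // untrusted input is never auto-published
        'post_type'    => 'post',
    ), true );                        // return WP_Error instead of 0 on failure

    if ( is_wp_error( $post_id ) ) {
        wp_die( esc_html( $post_id->get_error_message() ) );
    }

    wp_safe_redirect( add_query_arg( 'submitted', '1', wp_get_referer() ) );
    exit;
}
```

Two things to notice: the sanitizing is done once, on the way into the database, and with a function chosen per field (a title is plain text, a body is limited HTML); and the post is created as pending, so a stored script that slipped past the filters would still need a reviewer to publish it before reaching visitors. Output escaping on display (esc_html, esc_attr) is still required in the theme; storage-time sanitizing does not replace it.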

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)