vs WordPress Security

In the articles case, $title is an arbitrary value, as such it should be escaped via html, but, if it was gotten from a WordPress core function it is probably safe, but you should check anyway For example, get_the_title() can contain html markup and is not escaped by default. Eitherway post and page titles should … Read more

Moving wp-config.php up 2 levels

Yes, there is a great example of how to accomplish this in the top answer for the question: Is moving wp-config outside the web root really beneficial? The section titled “How to move wp-config.php to any location on your server” provides the following solution: But what if you’ve moved [wp-config.php] somewhere else? Easy. Create a … Read more

How does the “authentication unique keys and salts” feature work?

Basically, they’re hashing salts. They’re used to make the results of hashing much less predictable. See https://en.wikipedia.org/wiki/Salt_(cryptography) for info on salts. AUTH is used for the /wp-admin authentication cookie, SECURE_AUTH is for the same when using SSL, LOGGED_IN is used for identification to the “front-end” of the site. NONCE is used for the nonces that … Read more

wp-config.php modified?

Once hacked there is no real (at least not easy) way to verify that you have removed all traces of the malware. Good malware will leave an hard to detect backdoor, and there is always the question of whether you have actually removed the attack vector. Therefor the only 100% working way to remove a … Read more

Relative security of different releases of WordPress

are the updated newer major-versions significantly more secure than updated older ones? This is quite ambiguous. How significant or insignificant security changes might be, it is totally irrelevant. There might or might not be significant security enhancements between minor and major versions or even major versions as such. To really know how significant changes are … Read more