WordPress DOES take care of SQL injection and for you. See the Security section on this page. The wp_insert_post() function runs through sanitize_post(). Be aware that malicious or unintended code can still be inserted: “You may wish, however, to remove HTML, JavaScript, and PHP tags from the post_title and any other fields. Surprisingly, WordPress does … Read more
how real is this security problem? You shouldn’t be concerned by this unless you’re retrieving user agents and making raw SQL queries. I recommend you avoid both of those, but for unrelated reasons. If you are piping raw user agents into raw SQL queries, and you would know if you were doing this as it’s … Read more
If I choose to leave this up to WP, what should I actually put in wp-config.php? Sounds like something you can easily find out. My guess: if you don’t have the define(‘AUTH_KEY’, ..) etc. statements, the system will not work. Some sources (this SO answer, for example) appear to state that putting the keys and … Read more
Sanitization and escaping is always heavily context-dependent and I’m not an expert in this field, anyway I did some ‘research’ myself recently so I’ll try to supply you with some general guidelines until someone with more insight will come and offer the ultimate in-depth answer (which I’ll be eager to read too.) Codex article on … Read more
Hm, core WP files are usually die properly if opened directly. It probably slipped developers to include check in this one or something. The simple ways to fix this (and not really WP-specific) would be to: configure PHP on server to not display errors by default; restrict access to file with .htaccess or other means.
It really doesn’t do much in that scenario. If you’re going to leave that message as a string constant instead of something that is system or user generated, you’re fine using one of the other translation functions: __() or _x(). esc_html__() is a little overkill for that particular line of code. Edit: The main reason … Read more
In the articles case, $title is an arbitrary value, as such it should be escaped via html, but, if it was gotten from a WordPress core function it is probably safe, but you should check anyway For example, get_the_title() can contain html markup and is not escaped by default. Eitherway post and page titles should … Read more
Yes, there is a great example of how to accomplish this in the top answer for the question: Is moving wp-config outside the web root really beneficial? The section titled “How to move wp-config.php to any location on your server” provides the following solution: But what if you’ve moved [wp-config.php] somewhere else? Easy. Create a … Read more
Basically, they’re hashing salts. They’re used to make the results of hashing much less predictable. See https://en.wikipedia.org/wiki/Salt_(cryptography) for info on salts. AUTH is used for the /wp-admin authentication cookie, SECURE_AUTH is for the same when using SSL, LOGGED_IN is used for identification to the “front-end” of the site. NONCE is used for the nonces that … Read more
Once hacked there is no real (at least not easy) way to verify that you have removed all traces of the malware. Good malware will leave an hard to detect backdoor, and there is always the question of whether you have actually removed the attack vector. Therefor the only 100% working way to remove a … Read more