That security hole in W3 Total Cache was associated with data leaking through an exploit, and not explicitly with hackers changing code (that could happen afterwards, of course, but what you show isn’t this). The exploit has been fixed so just make sure your plugin is up to date. If unsure, disable / delete the … Read more
If you worry only about the admin panel then esc_html will be enough as it will convert every “<” into < eliminating the possibility of having a valid HTML tags inserted. But if you add the CSS to the generated HTML you might need to strip any HTML tag it may contain by using the … Read more
We experienced this just last night. xmlrpc.php Lots of traffic to xml-rpc.php is a classic sign of a WordPress pingback attack. By default, pingbacks are turned on in WP. A non-malicious user/website uses this mechanism to notify you that your website has been linked-to by them, or vice versa. A malicious user can exploit this. … Read more
What you have there is production ready. However, there is room for some minor improvements, so I will point those out for you. Also see my notes below regarding X-Sendfile and X-Accel-Redirect. Replace these lines: ob_clean(); flush(); with the following: while (@ob_end_clean()); The point is, if there is something already in the output buffer, you … Read more
Ok, seems I was on the right track… I still haven’t found a WordPress function that achieves what I need, but the closest I have found is to use the get_allowed_mime_types function. I created the following function which checks if the file is within the get_allowed_mime_types array and if so returns true (file processed using … Read more
A.) By default WordPress allows short passwords but “Confirm use of weak password” must be checked. B.) Disable security plugins or change their settings if possible as they can and do override whatever WordPress implements by default. C.) The latest consensus about passwords suggests the strongest passwords are extra long easy to remember phrases like: … Read more
Generally speaking, if you don’t want WordPress to update itself or any plugins, don’t give the web server write permissions to any of the WordPress files outside of folders like wp-content/uploads. You’ll need to be careful with this and test thoroughly, though, as some plugins, like WordFence, have folders they need to write to for … Read more
The easiest way is to use if ( current_user_can( ‘capability’ ) ) // do stuff. You’ll find more about capabilities in the codex. You can also inspect the data some user has attached with normal var_dump() and else. I also got a pretty old plugin for that. But I’m not sure if it still works … Read more
Why would you want to protect them all? Not all of them need protecting, in my humble opinion. In any event, these are good to have in your .htaccess file: 1: restrict access to wp-config.php <Files wp-config.php> order allow, deny deny from all </Files> 2: restrict access to .htaccess itself <Files .htaccess> order allow,deny deny … Read more
You can add this to .htaccess file, it will redirect all author requests looking for a number ( Author ID ) to the homepage: #Disable Author Pages <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{REQUEST_URI} ^/$ RewriteCond %{QUERY_STRING} ^/?author=([0-9]*) [NC] RewriteRule ^(.*)$ http://%{HTTP_HOST}/? [L,R=301,NC] </IfModule> The PHP / WordPress way, you could use Template Redirect: … Read more