I think you are referring to two different things.. 1) Verifying the request. You should be using WP Nonces to verify the request and protect it against XSS. That should be a practice for all your forms. you could also add additional layer of security by integrating a reCAPTCHA. 2) Data Encryption when you attempt … Read more
Trust me, don’t DIY this. Cryptography is not for the faint of heart. Use the Google Authenticator plugin. It’s awesome.
Whether or not you lock down a staging site really depends on how much you mind the public accidentally seeing a site that’s a “work in progress”. I’d usually consider it more of a branding decision than a security decision. (This of course wouldn’t apply if you’re in the middle of developing a secure application … Read more
Make a backup of everything you have left, especially your database and wp-content folder. Some hosts simply delete hacked websites and you don’t want to lose your entire work to this. Talk to your hosting company. Good quality providers have staff at hand who know their way around the hosting environment and might be able … Read more
Basic Security Steps Since WordPress is so popular there are a lot of drive by hacks knocking around taking advantage of flaws in basic security. All WordPress users should take the following basic and easy steps to protect themselves:- Do not use wp_ as the database table prefix, use any string of random characters that … Read more
The .htaccess file is read by the Apache server software before it even hands over to WordPress to generate a page. It is by far the best place to have your security headers. That said, WordPress does have a class to modify the headers before they are send to the browser. This class contains a … Read more
On nginx, to block access to the xmlrpc.php file, add this location block to the server block of your configuration file: location ~ ^/(xmlrpc\.php) { deny all; }
I’m not a security expert, but the code you include in your question roughly does this: Check if the request is not for a static page (it can’t insert anything in that) Check if the request is not from scraper bots Ahrefsbot and MJ12bot. If both checks are passed make a connection with the server … Read more
If you give the provider full admin, they can technically do anything to your server that PHP would be able to do (by using the editor part of a given theme to add whatever commands they like). PHP is capable of running command line scripts, just to name one scary permission they would inherit. Depending … Read more
»The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.« (Gene Spafford) The lost password feature might potentially be a risk, but if you are keeping it or not is just … Read more