First of all, report whoever is doing it. You obviously could block anything with a query-string that contains screw-you, but that’ll only help in this case. Maybe Drop any requests with HTTP/1.0 (browser don’t use it, and “good” bots like google don’t either, but if you need to provide access to special tools, you might … Read more
It isn’t normal for extra files/folders to appear in WP core folder. The only location that is considered writable is under wp-content and easily writable is uploads, or whatever they are customized to. If it appears malicious, behaves malicious, and security tool thinks its malicious — it’s a safe guess that it is. It also … Read more
You could use call kses_remove_filters() before saving and call kses_init_filters() afterwards, but pay attention it will also remove filtering from title, excerpt and comments, So what you should do is just unset the content filters. // Post filtering remove_filter(‘content_save_pre’, ‘wp_filter_post_kses’); remove_filter(‘content_filtered_save_pre’, ‘wp_filter_post_kses’); and after the post is saved // Post filtering add_filter(‘content_save_pre’, ‘wp_filter_post_kses’); add_filter(‘content_filtered_save_pre’, ‘wp_filter_post_kses’);
sanitizing have nothing to do with escaping, and escaping is not a cure to everything. The role of escaping is to convert a string to a proper HTML. What is a proper HTML representation of a string might depend upon the context and that is the reason you have several escaping functions esc_html,esc_url and esc_attr. … Read more
If you have access to the PHPMyAdmin login and access: The wp_users table from the list of tables. Then locate your username under the user_login column and click edit. The user_pass is a long list of numbers and letters which is the MD5 hash encrypted version of your password. Select and delete the hash and … Read more
How do I authenticate WP users from a chrome extension?
Nope, you don’t need to escape hard-coded URLs.
The log-in credentials are processed in wp_signon(), and if they are valid wp_set_auth_cookie() will send a cookie in the HTTP response body. The name of that cookie is set in a constant named SECURE_AUTH_COOKIE or AUTH_COOKIE. Both names start with wordpress_. But they don’t have to. You can define these constants in your wp-config.php and … Read more
Wordfence should be adequate to protect your wordpress back-end from being bruteforced. However, I guess the answer to this would depend on how it got hacked in the first place. It could be related to plugins/wordpress not up to date, badly coded plugins, insecure code, bad server configuration, etc. I’d find the root cause of … Read more
When WordPress logs you in, it creates a cookie on your system to keep you logged in if you want. However, being logged in from another location doesn’t have much meaning in this context. When you go back to your WP site, WordPress will check for the existence of this authentication cookie on your system. … Read more