You can create a file called custom_logout.php and place it in the root wordpress directory. This contains <?php require_once(“wp-load.php”); //load wordpress wp_logout(); //logout exit(); //end page ?> Then in your subdomain site open the url with an anchor tag <a href=”http://youwebsite.com/custom_logout.php”>Logout</a> You can’t create a whitelist easily because it would involve checking where the user … Read more
The only way to do this would be to whitelist the allowed arguments, being very careful to limit them so as not to introduce an DOS attack vector. Having said that, this is not how most infinite scroll implementations are built, and you may have better results relying on the WP API rest api instead … Read more
I went for the solution as suggested by @Rup in the comments. Replacing the two nonce functions, wp_create_nonce() and wp_verify_nonce() to prefix a nonce with a 1 or a 0 for logged-in and logged-out users respectively. The logged out nonces work by IP rather than User ID and session Token. Thus, allowing for nonces to … Read more
From the WordPress Codex: The secret key is located in two places: the database in case the secret key isn’t defined in the second place, which is in the wp-config.php file. If you are going to set the secret key, then you must do so in the wp-config.php file. The secret key in the database … Read more
Yes, it appears so. In my experience the best thing to do is re-upload a fresh WordPress core to ensure that all traces have been squashed. It happens… If you aren’t already using security plugins I’d recommend Wordfence and BruteProtect to help keep brute force attacks out as well as checking your core WordPress files … Read more
I think this is nothing to worry about. The redirect target is sanitized and validated a lot. To be honest I think I haven’t seen any part of the WordPress code where so many checks happen for the most obscure attack vectors. Finally when you cast an array to a string Array is returned which … Read more
Yes, there is a risk! I can put up a check on date to change your password, create a new user and what not. Don’t give access to someone you don’t trust. Hire a professional to do the job. Edit: Okay! Upon request, I have explained two cases in a blog post – http://blog.ashfame.com/?p=903
Your best bet would be a plugin called WP Mail SMTP, though it’s only marked as being compatible as of WP 3.2.1 (but it should reasonably work with WP 3.3.1). Just to define the process … Visitor enters site and fills out form on your page. User submits the form, which is transmitted to your … Read more
WordPress is very clearly engineered for being placed into web-accessible folder. While attempt to move it from web folder could be made, it would be very challenging, especially for admin area which uses direct non-routed URLs to PHP files.
The security risk here is not about the plain text but about translation. You should note that esc_html_e is not only a function for escaping HTML but also for localization (l10n). I.e. other people can translate this String but you don’t know what the translation would be. It is possible that somebody translates the String … Read more