WordPress salts set in config and database

From the WordPress Codex: The secret key is located in two places: the database in case the secret key isn’t defined in the second place, which is in the wp-config.php file. If you are going to set the secret key, then you must do so in the wp-config.php file. The secret key in the database … Read more

Is /wp-login.php?redirect_to[] exploitable?

I think this is nothing to worry about. The redirect target is sanitized and validated a lot. To be honest I think I haven’t seen any part of the WordPress code where so many checks happen for the most obscure attack vectors. Finally when you cast an array to a string Array is returned which … Read more

Encrypt emails?

Your best bet would be a plugin called WP Mail SMTP, though it’s only marked as being compatible as of WP 3.2.1 (but it should reasonably work with WP 3.3.1). Just to define the process … Visitor enters site and fills out form on your page. User submits the form, which is transmitted to your … Read more

how can i embed wordpress backend in iframe

By default WordPress sends an HTTP header to prevent iframe embedding on /wp_admin/ and /wp-login.php: X-Frame-Options: SAMEORIGIN That’s a security feature. If you want to remove this header remove the filters: remove_action( ‘login_init’, ‘send_frame_options_header’ ); remove_action( ‘admin_init’, ‘send_frame_options_header’ ); But you should really use the multisite feature as Tom J Nowell suggested.