First: Remove those 777 permissions. You need this only in cases with conflicting ownership. Try to run PHP as FastCGI – for example per .htaccess: AddHandler php-cgi .php # or AddHandler php-fastcgi .php Set up a notification mail for every 404 request. You will be surprised how many attacks the average blog gets each day. … Read more
As pointed out in the comments by @kaiser, your question is very similar to this question. In fact, the question itself holds the answer. To disable all feeds add the following code… function itsme_disable_feed() { wp_die( __( ‘No feed available, please visit the <a href=”‘. esc_url( home_url( “https://wordpress.stackexchange.com/” ) ) .'”>homepage</a>!’ ) ); } add_action(‘do_feed’, … Read more
You can safely move it as far as I know…. but what do you mean folder? Up one level would already be a folder…. if your site is in html, or public_html or whatever, you place the wp-config file in whatever folder holds your html or public_html folder like if your path is /home/content/u/s/e/user/html/ And … Read more
The password strength meter in the latest versions of WordPress uses a library called “zxcvbn”, made by Dropbox in 2012. The library is available for free on Github: https://github.com/dropbox/zxcvbn An explanation of the library is here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/ But the short version is that it analyzes patterns in the password instead of being a simple “does … Read more
This article has a bunch of great answers to your questions. I highly recommend checking it out to learn more about the scale of this issue, but I can give a quick rundown. SVG, since it’s XML based, makes it really hard to decipher what is and what isn’t malicious. At one end, it opens … Read more
Have you tried updating the permissions for your WordPress files to 755 or 777? UPDATE 1 Thanks to @anu in the comments (~/Sites assumes you put websites are in the Mac’s default website directory): cd ~/Sites sudo chmod -R 777 * I just checked my httpd.conf file, which has the path /Applications/XAMPP/etc/httpd.conf and here is … Read more
What you (and probably 99% of the theme authors) are trying to do is just wrong. Users should not be expected to know CSS to customize a theme, and if they do need to go into such a low level, the right thing for them to do is to create a child theme and insert … Read more
According to the WP_Session_Tokens class documentation, this token is used to validate the user’s session. It does this by checking the provided token against the existing session tokens stored in the user meta table for that user. Session tokens are generated using the wp_generate_password function, and are 43 characters long. So no, it should not … Read more
If I follow the description right the vulnerability refers to PHP applications which read, trust, and use HTTP_PROXY environment value (which might be compromised). From quick search through WordPress core source code I found no instances of that value being accessed. Since WP ships its own HTTP client implementation its also not affected by upstream … Read more
Why not just disable comments and registration? This comes to mind also: (Redirect all requests to login page or admin pages to homepage. A little irreversible.) $currentURL = $_SERVER[“HTTP_HOST”] . $_SERVER[“REQUEST_URI”]; if (strpos($currentURL, ‘wp-admin’ ) or strpos($currentURL, ‘wp-login’ )) { header( ‘Location: ‘.site_url() ); } Caution: this stops you from logging in also. Edit: And … Read more