Tips for finding SPAM links injected into the_content

I won’t repeat any of the good advice in Squish’s answer. You should also read this article on WordPress security. I’m just going to cover the specifics of what I learned from my episode. My attack is a kind of black hat SEO known as “hideMeYa”: http://siteolytics.com/black-hat-seo-technique-demystified/ Basically, the attacker slips a bunch of hidden … Read more

How do WordPress Nonces Work?

If you read WordPress Nonces in the Codex, they have explained it pretty fairly. Some of the key points are: always assume Nonces can be compromised. Nonces are a hash made up of numbers and letters. WordPress verifies any HTTPS request with both nonces and user cookies. I believe point #3 is, in short, how … Read more

Can someone explain the use cases of esc_html?

esc_html() does two things: Checks for invalid UTF8 in a string. Converts a number of special characters into their HTML entities, specifically deals with: &, <, >, “, and ‘. Using it instead of __(), _e and other i18n functions protects your website from possible errors that can occur with unaware translators who may use … Read more

Which KSES should be used and when?

From the codex: wp_filter_kses should generally be preferred over wp_kses_data because wp_magic_quotes escapes $_GET, $_POST, $_COOKIE, $_SERVER, and $_REQUEST fairly early in the hook system, shortly after ‘plugins_loaded’ but earlier than ‘init’ or ‘wp_loaded’. The first set is then preferred. More of a question of, “is stripping slashes more secure than not?” They both use … Read more

is_email() VS sanitize_email()

is_email() will take the provided string (an email address) and run checks on it to ensure that it is indeed an email address and that the string has no illegal characters in it. It would simply not change anything in the string you provided but return either true if the string passes all the function … Read more

Are the default salts secure?

Is wp_generate_password() as safe as the salts generated by the recommended https://api.wordpress.org/secret-key/1.1/salt/? Those details can’t be answered because, for obvious reasons, the internals are unknown to the public. If we could answer that, then details would be known that allow for reverse engineering the process. This could lead to a decrease of security. Note that … Read more

How do I technically prove that WordPress is secure?

Tell your client to read up on cybersecurity, because his premise is nonsense. Security through obscurity has been discredited since 1851 (yes, that’s one and a half centuries ago). The opposite is also untrue. Open source software is not more secure than proprietary software. The crucial thing in code security is not whether it’s open … Read more

How to set up fail2ban with WordFence?

This question really deserves some attention. WordFence looks like one of the most popular plugins for security nowadays. Compared with iThemes Security it is like 2.6:3.2, where iThemes Security (formerly Better WP Security) won. Of course these were thousands of 5-star ratings. The author of WordFence wrote this section: My WordPress site is … Read more
