What to use instead of wp_kses() in user output

Let's go and see what would core do. In default-filters.php here is what content output passes through:
    add_filter( 'the_content', 'wptexturize' );
    add_filter( 'the_content', 'convert_smilies' );
    add_filter( 'the_content', 'convert_chars' );
    add_filter( 'the_content', 'wpautop' );
    add_filter( 'the_content', 'shortcode_unautop' );
    add_filter( 'the_content', 'prepend_attachment' );
None of these are dedicated security/escaping functions really. It is similar for comments, which … Read more

Full path disclosure on rss-functions.php

PHP files in the wp-includes directory should not be accessible from the outside; they should only be included by WordPress code. Therefore an easy fix to this is to use .htaccess rules to block access to *.php files that are under the wp-includes directory.
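The .htaccess rule set the answer refers to, as an added example (it is not part of the answer and follows the pattern WordPress documents in its hardening guide). It assumes Apache httpd with mod_rewrite enabled and AllowOverride permitting rewrite directives, and that the file sits in the WordPress root above the "# BEGIN WordPress" block, so these rules are evaluated before the permalink rewrites:

```apache
# Added example, not the original answer's text: refuse direct requests for
# include-only PHP files. Server-side include() is unaffected, because the
# rewrite engine only sees HTTP requests, not file inclusion.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # wp-admin/includes/ is include-only as well.
    RewriteRule ^wp-admin/includes/ - [F,L]
    # Anything outside wp-includes/ skips the next three rules.
    RewriteRule !^wp-includes/ - [S=3]
    # Top-level wp-includes/*.php (rss-functions.php, version.php, ...): 403.
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    # Two subdirectories whose PHP files are likewise never requested by a browser.
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

The first wp-includes rule deliberately matches only the top level rather than every depth, because some nested files (for example the TinyMCE loader in older releases) are legitimately fetched by the browser. Check the result with `curl -sI https://example.com/wp-includes/rss-functions.php`, which should now answer 403 instead of 200 plus a PHP notice containing the server path. Two caveats: on Multisite the top-level rule also blocks wp-includes/ms-files.php, which older network installs use to serve uploads, and on nginx the same policy needs a `location ~* ^/wp-includes/[^/]+\.php$ { deny all; }` block instead, since .htaccess is not read.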

What’s the difference between esc_* functions?

esc_html and esc_attr are near-identical, the only difference is that output gets passed through differently named filters (esc_html and attribute_escape respectively). esc_url is more complex and specific, it deals with characters that can't be in URLs and allowed protocols (list of which can be passed as second argument). It will also prepend input with … Read more
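An added example (not from either answer above) that puts the two points together: the the_content filter stack from default-filters.php reformats but does not escape, while wp_kses_post and the esc_* functions each serve one output context. It assumes a WordPress install and is meant to be run through WP-CLI as `wp eval-file escape-demo.php`, so that core's filters and escaping functions are loaded; the hostile input string is constructed for the demonstration.

```php
<?php
/**
 * Added example, not the answers' own code. Run with: wp eval-file escape-demo.php
 * Shows what each WordPress output path does with one hostile, constructed string.
 */

// Constructed sample: what a compromised author account might store in post_content.
$hostile = '<a href="javascript:alert(1)" onclick="x()">link</a><script>alert(1)</script>';

// 1. The the_content stack (wptexturize, convert_chars, wpautop, ...): formatting only.
//    The <script> element and the onclick attribute come out intact.
$content = apply_filters( 'the_content', $hostile );

// 2. wp_kses_post: allowlist of tags/attributes permitted in post content.
//    Drops <script>, the event handler and the javascript: URL but keeps the <a>.
$kses = wp_kses_post( $hostile );

// 3. esc_html: for text between tags. Everything becomes inert character references.
$html_ctx = '<p>' . esc_html( $hostile ) . '</p>';

// 4. esc_attr: for attribute values. Same encoding as esc_html; only the filter differs.
$attr_ctx = '<input type="text" value="' . esc_attr( $hostile ) . '">';

// 5. esc_url: for href/src. Characters that cannot appear in a URL are stripped,
//    a URL whose scheme is not in the allowed list is rejected (empty string),
//    and a bare host/path with no scheme gets one prepended.
$url_ok         = esc_url( 'https://example.com/?q=<x>' );        // angle brackets removed
$url_bad        = esc_url( 'javascript:alert(1)' );                // scheme not allowed
$url_only_https = esc_url( 'ftp://example.com/f', array( 'https' ) ); // second arg narrows the list
$url_bare       = esc_url( 'example.com/path' );                    // scheme gets prepended

// 6. The filter difference the answer mentions: hook 'attribute_escape' and watch
//    which function's output passes through it.
$marker = function ( $safe, $raw ) {
    return $safe . '[via attribute_escape]';
};
add_filter( 'attribute_escape', $marker, 10, 2 );
$via_attr = esc_attr( 'x' );   // carries the marker
$via_html = esc_html( 'x' );   // does not: esc_html runs the 'esc_html' filter instead
remove_filter( 'attribute_escape', $marker, 10 );

$results = compact(
    'content', 'kses', 'html_ctx', 'attr_ctx',
    'url_ok', 'url_bad', 'url_only_https', 'url_bare',
    'via_attr', 'via_html'
);
foreach ( $results as $name => $value ) {
    printf( "%-15s %s\n", $name . ':', $value );
}
```

Read the output top to bottom: line 1 is why post content must only ever come from trusted authors, line 2 is the tool when HTML from a less trusted source has to be rendered, and lines 3 to 5 are the per-context escapes for your own output. The choice between esc_html and esc_attr is about where the string lands in the markup, not about which one is "stronger".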

Will there be security updates for 3.1 once 3.2 is released?

WordPress backports security updates usually 1-3 versions back but they don't promise anything. The WordPress LTS philosophy is that LTS = "Long Term Suckage". The Long Term Suckage theory is: While I like the theory of LTS, what happens in practice is it covers up the incompetence of IT or developers because they put off … Read more

What is the ideal setup to address security concerns?

If you have FTP access to your server, the most secure setup is not having your themes or plugins directory writable by your webserver and instead having WordPress update files using FTP. When you go to update a plugin, WordPress will prompt you for your FTP details. The FTP method is a lot slower than … Read more
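The wp-config.php side of that setup, as an added example rather than text from the answer. It assumes an FTP(S) account whose login can reach the WordPress root; the hostname, paths and account name are placeholders. The weak setting is shown commented out above the hardened one:

```php
<?php
// Added example, not the answer's own code: force WordPress to perform
// updates over FTP instead of writing files as the web server user.

// Weak setting. This is what WordPress picks automatically when the PHP
// process can write to wp-content: any code running as the web server
// can then install plugins or overwrite theme files.
// define( 'FS_METHOD', 'direct' );

// Hardened setting: always use the PHP FTP extension, even if a directory
// happens to be writable, so file writes need the separate FTP credential.
define( 'FS_METHOD', 'ftpext' );

// Paths as seen by the FTP account (placeholders; match your server layout).
define( 'FTP_BASE', '/var/www/example/' );
define( 'FTP_CONTENT_DIR', '/var/www/example/wp-content/' );
define( 'FTP_PLUGIN_DIR', '/var/www/example/wp-content/plugins/' );

define( 'FTP_HOST', 'ftp.example.com:21' );
define( 'FTP_SSL', true );        // FTPS; plain FTP sends the password in the clear
define( 'FTP_USER', 'wp-deploy' ); // placeholder account owning the WordPress files

// No FTP_PASS on purpose: WordPress prompts for it at update time, so the
// credential that can change code never sits on disk next to DB_PASSWORD.
```

For the "not writable by your webserver" half, the files must be owned by a user other than the PHP process (here the same account the FTP login maps to), with wp-content/uploads as the one directory the web server still needs write access to.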

Why does WordPress have more than one salt?

I posted the question on the WordPress Slack and the answer I got (https://wordpress.slack.com/archives/core/p1447905339001506) is that the difference is semantic and not practical and there is no reason to prefer the usage of one over the others (except for semantics of course).

Why escape if the_content isn't?

If I were a hacker with access to the database, wouldn’t I just add my code to a post’s content? If you’ve got access to the database, chances are that you’ve got enough access that escaping isn’t going to stop you. Escaping is not going to help you if you’ve been hacked. It’s not supposed … Read more

Are Nonces Useless?

Nonces are unique to each logged-in user. You can’t scrape a logged-in user’s nonces unless you have their cookies. But if you have a user’s cookies, you’ve already stolen their identity and can do whatever you want. Nonces are meant to protect against users being tricked into doing something they didn’t mean to do, by … Read more
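An added example (not from the answer) of what a nonce does and does not do: a small plugin with a form, an admin-post handler that checks the nonce and, separately, the capability, and a helper that shows the same action string produces a different nonce for each user. The "wpse_" prefix, the action slug, the option name and the plugin header are assumptions for illustration; drop the file into wp-content/plugins/ to run it.

```php
<?php
/**
 * Plugin Name: WPSE nonce demo (added example, not the answer's code)
 */

// 1. The form. Its only hidden value is the nonce, which wp_nonce_field() derives
//    from the action string, the current user ID and the user's session token.
function wpse_nonce_demo_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpse_clear_cache">
        <?php wp_nonce_field( 'wpse_clear_cache', 'wpse_nonce' ); ?>
        <button type="submit">Clear cache</button>
    </form>
    <?php
}

// 2. The handler. The nonce proves the request came from a page this user loaded,
//    which is what stops a third-party site from submitting the form on their behalf.
//    It is not an authorization check, so the capability check stays.
function wpse_clear_cache_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() dies with a 403 when the nonce is missing, past its
    // lifetime (24 hours by default, checked in two ticks) or minted for another user.
    check_admin_referer( 'wpse_clear_cache', 'wpse_nonce' );

    delete_option( 'wpse_demo_cache' ); // assumed option name for the demo
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_wpse_clear_cache', 'wpse_clear_cache_handler' );

// 3. Why a nonce scraped from someone else's page is useless: same action, different
//    user, different token, and verification is done against the *current* user.
function wpse_nonce_differs_per_user( $user_a, $user_b ) {
    wp_set_current_user( $user_a );
    $nonce_a = wp_create_nonce( 'wpse_clear_cache' );

    wp_set_current_user( $user_b );
    $nonce_b = wp_create_nonce( 'wpse_clear_cache' );

    // User A's nonce checked while user B is current: wp_verify_nonce() returns false.
    $cross_check = wp_verify_nonce( $nonce_a, 'wpse_clear_cache' );

    return $nonce_a !== $nonce_b && false === $cross_check;
}
```

The helper in step 3 can be called from WP-CLI with two existing user IDs (for example `wp eval 'var_dump( wpse_nonce_differs_per_user( 1, 2 ) );'`). The attacker model the answer describes is built into the check: someone who already holds the victim's cookies is the victim as far as wp_verify_nonce() is concerned, and the nonce was never meant to defend against that.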
