Nonces are unique to each logged-in user. You can’t scrape a logged-in user’s nonces unless you have their cookies. But if you have a user’s cookies, you’ve already stolen their identity and can do whatever you want. Nonces are meant to protect against users being tricked into doing something they didn’t mean to do, by … Read more
There is no absolutely safe way to store such information permanently. You have two options to increase security a little bit: Use the options table and encrypt the data Use a strong encryption method, and bind it to either: your password when you want to use the API call only when you are logged in, … Read more
We have to look a bit deeper here to get an answer to your question. So, bloginfo is a simple wrapper around get_bloginfo. <?php function bloginfo( $show=” ) { echo get_bloginfo( $show, ‘display’ ); } Notice the second argument display. Let’s see what that does. <?php function get_bloginfo( $show = ”, $filter=”raw” ) { // … Read more
esc_html() is more or less lossless — it just turns HTML markup into encoded visible text, so that it’s not rendered as markup by browser. Semantically it’s escape, so it’s meant to be used to make output to page safe. sanitize_text_field() however actually removes all HTML markup, as well as extra whitespace. It leaves nothing … Read more
Essentially, WordPress needs to connect back to the server where it is actually running on. There are several possible ways WordPress can use to write files and thus “overwrite” itself during an upgrade. From a security perspective, the important part of this process is that the new files must have the same ownership as the … Read more
You don’t have to do anything. On WP load: ‘init’ hook -> kses_init() -> kses_init_filters() Later: wp_insert_post() -> sanitize_post() -> sanitize_post_field() -> ‘content_save_pre’ -> wp_filter_post_kses() Similarly for post titles, comment text etc. Conclusion: wp_insert_post() is very sanitized. 🙂
You don’t really need to remove these files. It’s much easier to just block access to them. If you are using pretty URL’s you already have an .htaccess file. Using .htaccess to block the files is secure and you only have to add a directive once. Blocking files is done by adding a directive to … Read more
No, there is no security risk. Both files do sanity checks before anything happens. If WordPress is already installed: install-helper.php returns just a blank page. install.php says WordPress is installed and you should log in: You can forbid access to both files with a simple rule in your .htaccess above the permalink rules: RedirectMatch Permanent … Read more
If you check the documentation on Data Validation it has following to say about the function: Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Rejects URLs that do not have one of the provided whitelisted protocols […], eliminates invalid characters, and removes dangerous characters. There you have it — … Read more
Escaping depends entirely on the context in which you are using the functions. What is safe for displaying inside <h1> tags, is not necessarily safe to display for the value attribute of an input field, and even that wouldn’t necessarily be safe as a href attribute value…. In short – perform the sanitisation yourself as … Read more