< and > are encoded as +ADw- and +AD4- in UTF-7. Now imagine the following: Someone sends +ADw-script+AD4-alert(+ACI-Hello+ACI-)+ADw-/script+AD4- as comment text. It will pass all sanitation unescaped. The database expects and treats all incoming data as UTF-8. Since all UTF-7 streams are valid UTF-8 too, this will never result in a SQL error, and mysql_real_escape … Read more
By default, the “Remember Me” checkbox makes you get remembered for 14 days. This is filterable though. This code will change that value: add_filter( ‘auth_cookie_expiration’, ‘keep_me_logged_in_for_1_year’ ); function keep_me_logged_in_for_1_year( $expirein ) { return 31556926; // 1 year in seconds }
Since WordPress 3.5 this option (XML-RPC) is enabled by default, and the ability to turn it off from WordPress dashboard is gone. Add this code snippet for use in functions.php: // Disable use XML-RPC add_filter( ‘xmlrpc_enabled’, ‘__return_false’ ); // Disable X-Pingback to header add_filter( ‘wp_headers’, ‘disable_x_pingback’ ); function disable_x_pingback( $headers ) { unset( $headers[‘X-Pingback’] ); … Read more
A simple solution I use in a .htaccess: RewriteCond %{REQUEST_URI} !^/wp-admin [NC] RewriteCond %{QUERY_STRING} author=\d RewriteRule ^ – [L,R=403] It is similar to @jptsetme’s answer, but it works even when the query string is /?dummy&author=5, and the search pattern for RewriteRule is very fast: You often see a capture ([0-9]*) in regular expressions for this. … Read more
This code snippet will hide the users, posts, and comments endpoint results and give 404 as the result, while the rest of the API calls keep running as they were. ::UPDATE:: add_filter(‘rest_endpoints’, function(){ $toRemove = [‘users’, ‘posts’, ‘comments’]; foreach($toRemove as $val) { if (isset($endpoints[‘/wp/v2/’.$val])) { unset($endpoints[‘/wp/v2/’.$val]); } if(isset($endpoints[‘/wp/v2/’.$val.’/(?P<id>[\d]+)’])) { unset($endpoints[‘/wp/v2/’.$val.’/(?P<id>[\d]+)’]); } } return $endpoints; }); … Read more
Roles are stored in the global variable $wp_roles. The ideal function is get_editable_roles() from /wp-admin/includes/user.php function get_editable_roles() { global $wp_roles; $all_roles = $wp_roles->roles; $editable_roles = apply_filters(‘editable_roles’, $all_roles); return $editable_roles; } The “editable” part is because it offers other plugins a chance to filter the list in case someone other than admin has ‘edit_users’ privilege (and … Read more
If you have a good full backup of your website, restore your site from it (recommended). Install and set up WordFence plugin (as in case of no backup). If you don’t have good backup: Immediately delete all files from this list. Get a clean copy of your version of WordPress, and clean copy of your … Read more
Have you identified the exploit vector? If not, you may be leaving yourself open to future exploit. Other things to consider: Change WordPress admin user passwords – done Change Hosting account user password Change FTP passwords Change MySQL db user password – done Change the db table prefix Update your wp-config nonces/salt Check your directory/file … Read more
The biggest WordPress giveaways are between the <head> </head> tags. Example WordPress head content output by The Twentyten Theme and how to remove: <link rel=”profile” href=”http://gmpg.org/xfn/11″ /> Remove directly from header.php <link rel=”stylesheet” type=”text/css” media=”all” href=”http://example.com/wp-content/themes/twentyten/style.css” /> Hide WordPress by calling your stylesheet from another location and change the wp-content directory. WordPress requires your theme … Read more
Short answer: yes The answer to this question is yes and to say otherwise is probably irresponsible. Long answer: a real-world example Allow me to provide a very real example, from my very real server, where moving wp-config.php outside the web root specifically prevented its contents from being captured. The bug: Take a look at … Read more