The parent directory (which I don’t have access to) uses htpasswd, but I can override this for my directory only by adding Satisfy Any to .htaccess. This fixes the issues I was having. I’m ok with disabling the authentication temporarily to run a scan and turning it back on afterwards. More info on disabling htpasswd … Read more
Yes, this seems to be appropriate use of insert() method, which does call prepare() method on data internally. Note that %s is considered to be default for it and can simply be omitted, if no other data and formats are involved.
My process for cleaning a hacked site includes changing all credentials (user/pass) on hosting, FTP, WP (don’t use an admin-level user called ‘admin’) updating everything- from the repository – WP, themes, plugins. Remove old/unused plugins and themes use FTP of file manager to check every folder for files that look out of place (look at … Read more
If you have SSH access and WP-CLI is installed you can try running wp core verify-checksums to see if any Core files have been modified.
The web installer writes configuration data into that file. It needs write access for that. I don’t think this was your backdoor. There was probably a plugin or an old theme with timthumb that had a vulnerability.
Check permissions on all WP folders. Check the htaccess file. Delete any unknown files throughout your hosting area. (Carefully.) Change all of your hosting passwords (including FTP accounts; delete any you don’t know). Strong passwords! Reinstall WP (from your admin – Dashboard, Updates). Reinstall all themes (deactivate, uninstall, reinstall, reactivate). Same for plugins (although header.php … Read more
There is no “WordPress Firewall”. A firewall acts either on the network or on the host, never on a later stage such as a specific software running on a server. Everything that claims to be a firewall specific for WordPress is a scam. See the linked Wikipedia article for the details.
I recommend these basic things: Never touch core files! Always update core and plugins Use strong passwords Don’t use abondoned plugins or themes Use a well maintained security plugin (like wordfence?) Of course you can use more security tools and settings for server e.g., but this should be the basic.Maybe there are more things to … Read more
Figured this out after finding this page: http://www.0to5blog.com/tips/protecting-wordpress-media-uploads-unless-user-is-logged-in/ That page contains the instructions I was looking for, exactly! I tweaked the dl-file.php code slightly to meet my needs: if ( !current_user_can( ‘read_private_posts’ ) || !is_user_logged_in() ) {
WordpPress “out of the box” is not GDPR complaint. Even putting aside the integration with non complaint services like akismet and gravatar, just storing comments will probably require to give users the ability to delete them, but there is no real way to identify which users created which comment as comment authors are never verified. … Read more