Scan multiple websites for malware that are in same webhost root?

The only way that I have found (and used) to get rid of ‘unauthorized’ code is to manually check everything. This includes changing access credentials for hosting, FTP, databases, admin-level users. Strong passwords, of course. Reinstalling everything (themes, plugins, custom code) from known good sources via a manual FTP process. Also, reinstalling WP from the … Read more

Spam Registrations

I suspect that there are malware files on your system that are allowing those user registrations. There are lots of googles/bings/ducks on how to clean a hacked system. (I use my own procedure here.) What I would do is these things: change all credentials everywhere (hosting, FTP, admin etc.); create a new admin user with … Read more

WordPress Security tools

There are many precautions you can (and should) follow. Select good hosting/server. Set strong passwords for your hosting and FTP accounts. Don’t use servers that allow remote connections to the DB. If you want to host multiple sites on one server, make sure they’re separated (so one site can’t access files from other sites – … Read more

Should I worry about SQL injection when using REST API?

Yes. This is not secure at all. You’re putting user input directly into a database query. You need to use $wpdb->prepare() if you’re inserting user input into SQL:

    // Read the user-supplied slug from the REST request.
    $post_slug = $request->get_param( 'slug' );
    // Bind it through the %s placeholder instead of concatenating it into the SQL.
    $query = $wpdb->prepare( "select * from wp_posts where post_name=%s and post_status='publish' limit 1;", $post_slug );
    $results = $wpdb->get_results( $query );

Verifying that I have fully removed a WordPress hack?

Have you identified the exploit vector? If not, you may be leaving yourself open to future exploit. Other things to consider: Change WordPress admin user passwords – done; Change Hosting account user password; Change FTP passwords; Change MySQL db user password – done; Change the db table prefix; Update your wp-config nonces/salt; Check your directory/file … Read more

Block JSON access over the net

You have two ways to proceed: 1) Use the .htaccess file to exclude the folder from being listed; 2) Exclude the JSON files from crawlers' scans by adding them inside the robots.txt file.

WordPress Database Re-installed (Hacked)

It looks like one of your plugins/themes is vulnerable and allows anyone to modify your database. For example, ThemeGrill themes have had such a vulnerability lately. Another possibility is that your site got hacked and there’s some backdoor placed on it. In both cases you should: check all your site, clean it, update it, secure it.
