I have created a plugin wherein I have a custom post type. I am using post_content for some simple text. I do not need to offer any fancy editing or insertion of data for this field, so I looked for a way to remove the buttons from the TinyMCE editor. I never found a very good solution, so I removed the editor from the custom post type supports in the register function. 'supports' => array('title','revisions','thumbnail'), Then to create an area …
I use a .htaccess basic auth on my WC site to help prevent hackers accessing wp-login, which works well... except with WooCommerce if a logged-in customer wants to log out from their account: upon clicking the logout link, they are greeted by the Basic Auth popup asking them to "authorise" (generated by our .htaccess). On the WooCommerce dashboard: Hello MrTest (not MrTest ? Log out) << clicking on "Log out" brings up the Basic Auth login box... how can …
The WordPress site is suddenly having a problem where on some (not all) of the pages, when you click preview page or update changes it gives an error message: "The requested URL was rejected. If you think this is an error, please contact the webmaster. Your support ID is: 9641638102880218190" This can be circumvented by entering the preview URL directly into the browser or clicking "open in new tab" when you click the preview button. However, you cannot right click …
I am in need of a function that automatically generates and returns salts for the WordPress wp-config.php (don't link me to their API, I'm looking for an offline solution). Does WordPress core have this function defined somewhere? If it doesn't, can these salts be generated randomly, or are there any specific rules for creating them? Edit: This is what I ended up with: $keys = array('AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY', 'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'); $salts = ''; foreach ($keys as $key) { $salt …
First of all, I do not have a lot of experience with WordPress plugins, but I am developing a plugin which has to connect and send data to a remote database (which it is already doing). But at this point in time my connection is not secure at all, because all the database info is shown to the admin of the site. This is my code at the moment; it works and all, but how can I make …
I'm trying to fix up my code to meet the WordPress VIP Coding Standards. I'm getting a couple of issues that I'd like to see go away, but I'm not sure what the best strategy is. The first issue is when I'm verifying a nonce while saving metabox data: $nonce = isset( $_POST['revv_meta_box_nonce'] ) ? $_POST['revv_meta_box_nonce'] : ''; The error I'm getting here is 'Processing data without nonce verification', which is pretty silly since I'm just storing the nonce in …
I know there are a thousand questions about this all over the place, and trust me, I've been trying every possible solution for years [not an overstatement] and each and every one is either missing a crucial piece or simply doesn't work [in my experience]. I'm looking for a solid, complete, and open-minded solution for the WordPress directory user/group ownership and permissions on Linux. The requirements are the ones that I think everyone should be looking for: …
Not very familiar with WordPress, so I'm not sure what's causing this. Essentially, we have a few image assets stored under wp-content. When we access some assets (i.e. cmssubdomain.apex.com/wp-content/image.png) we are getting some peculiar behavior around the Referer request header: it works if accessed without the Referer header; it works if accessed with the Referer header as long as the value matches the CMS subdomain; it fails once the Referer header is set to a value different from the subdomain …
When writing WordPress plugins there is often a need to set up options for which roles on the site have access to certain functionality or content. To do this, a plugin dev needs to fetch the list of roles that exist on the site to use in the option. Because custom roles can be created, we cannot assume the default roles are the only ones available. What is the best way to fetch the list?
I've been trying to submit a plugin for review and I keep having problems with the echo line. The last version I sent was like this. <option value=""> <?php _e( '- Default', MF_TEXT_DOMAIN ); ?> </option> <?php foreach ( $folders as $folder ) { $folder = trim( $folder ); $folder = esc_attr( $folder ); echo "<option value=\"{$folder}\">{$folder}</option>"; } ?> And the WordPress response was: This is not escaped: echo "<option value=\"{$folder}\">{$folder}</option>"; $folder MUST be escaped when it's echo'd. Now I'm …
In WordPress they recommend that I should escape any part of the code of my plugin that shows data to the user. I have made most of the corrections, but in this specific case I don't know how to escape that echo. Please help. <option value=""> <?php _e( '- Default', MF_TEXT_DOMAIN ); ?> </option> <?php foreach ( $folders as $folder ) { $folder = trim( $folder ); echo "<option value=\"{$folder}\">{$folder}</option>"; } ?>
Today we noticed that one of our websites has started showing random Google Ads when we have not added any Google Ads to our website. I would appreciate it if someone can help in case they have faced such a scenario. I am not sure at this point if the website is hacked or the shared hosting server is compromised. Any points or steps I should follow to get rid of these ads on the website?
This might not be the right place, as it's a question about a function snippet that relates also to the server and log files. I have been trying to block access to my site from bad query attempts which show up in my server logs attempting to access pages that don't exist. I found a snippet online with claims that it may stop these kinds of requests, but with very little explanation as to what it exactly does. So can …
Probably a dumb question... the hardening doc suggests setting up your web server so that it prevents access to wp-config.php. If you do this, and a client tries to access the file, Apache returns 403 Forbidden, as expected. If you don't do this, Apache returns 200 OK with an empty file. This is also as expected, because none of the PHP code in this file produces any output. So what's the point? Surely this would only be an issue if …
I'm using wp_upload_bits to upload JSON files to my WP's upload folder. I get the error "Sorry, this file type is not permitted for security reasons". Is it safe to upload JSON files anyway?
I'm auto-generating WordPress (5.9.3) sites on a VPS. I could, as part of the generation script, create random strings for the various keys and salts in wp-config.php. However, there doesn't appear to be any unequivocal statement in the docs that this is actually necessary, and various sources appear to state that WP will generate the keys and salts anyway if there are none in wp-config.php. Two questions: If I choose to leave this up to WP, what should I actually …
I've read many WordPress Security blog articles where the Security Experts are recommending some special steps to take care when somebody is concerned about their WordPress site's security. One of them is: WordPress Security Tips: Remove unnecessary plugins, that are not in use. A plugin that has security holes, whether by code, structure or db connections, can be fatal for a site even if it's activated on a site. On the other hand, a well structured, well coded, and securely …
I am working on a simple blog in the marketing niche. However, a few others have shown interest and are willing to join as authors. We know the importance in WordPress of keeping the login URL unguessable. The login URL is still wp-admin, which redirects to wp-login. I haven't changed it yet as I'm testing the theme. So, I was wondering if there's any way to create a separate login page where authors can log in and publish articles on their own without …
I have created a web site. I want to activate minor updates (for security) on it and disable major updates (to avoid problems with themes or plugins or my functions.php, which could become incompatible with the major new release). Is it safe to do so? Will updates against system vulnerabilities be done on the old major version by the WordPress team, even if there is a new major version? Thanks
I moved it back and the website started working again. I tried moving wp-config to secure my WordPress site; here is what I did: created another file config.php; downloaded wp-config and copied all the code in it to config.php; cleaned all the code in wp-config.php and wrote this: <?php include('domains/mydomain.com/conf/config.php'); (I wrote my real domain name instead of mydomain.com); uploaded config.php to /domains/mydomain.com/conf; uploaded wp-config.php to /domains/mydomain.com/public_html. Before moving wp-config.php, I modified .htaccess to forbid public access to wp-config.php. What …