Articles of security

Block access to wp-admin

I’m attempting to use a .htaccess file to block access to the wp-admin folder. I’ve read through the Brute Force Attacks doc (https://codex.wordpress.org/Brute_Force_Attacks) and I’ve added the block below, using my IP addresses, to the .htaccess file and placed it in the wp-admin folder: # Block access to wp-admin. ErrorDocument 401 default order deny,allow allow […]

Changing Table Prefix for an Existing WordPress Site

Hoping someone can assist with WordPress table prefix for an already established site. What is the best approach in changing the existing table prefix within both DB and wp-config file to reflect new table prefix. Actually, it’s more the backend DB changes required. Is there a decent plugin or can someone pls point me to […]

<meta name="generator" content="WordPress 4.4.2" /> necessary?

Hello fellow WordPressers. Today, I realized that most WordPress sites have this small footprint saying: <meta name="generator" content="WordPress 4.4.2" /> where it indicates what “system” has made the current page. Now three questions popped into my mind: If I remove this line, what are the disadvantages? If I leave this line alone, what is the […]

Restricting user login by IP address

I have a website that requires login in order for users to view the website. I have set up one user for all internal members to use to view the website; however, I want to limit just that user to our specific IP address. I can see you can limit access site-wide to an […]

How to safely allow user upload on CPTs?

I have a form with WP Media to allow user uploads for a custom post type on the front end. Every time I try to upload as a user I get the message “You don’t have permission to attach files to this post.” Investigating it further, I get a denied action in the file ajax-actions.php […]

Security issues with WP sites

I have just had to deal with a few of my WordPress websites being hacked. The first time, they put an index.html file in the cPanel of each site and replenished my admin user. Once I felt I had cleaned this up, it happened once again, but this time it changed my title tag to “Hacked by Bala Sniper” and […]

Is it safe to manually sign a user in using AJAX?

I’m adding a modal login to my theme. The most direct route is to create a template and include wp_login_form(); in it. This will load the core login form, which can be customized a bit later using CSS or jQuery. However, it requires the page to reload to verify the credentials. My thought was to send […]

How to properly sanitize/secure a WP Query coming from the front end

I have an element in my front end that looks like this: <div class="infinite-scroll" data-query-args='{"post_type":"post","tax_query":[{"taxonomy":"category","field":"term_id","terms":62}]}'></div> It’s a container for triggering an infinite scroll that I made. Since I want it to work with multiple queries and multiple front end situations, the simplest way to make it work was to put the JSON encoded WP query […]

How to prevent a wp-login brute force attack from thousands of different IPs?

This question already has an answer here: Prevent Brute Force Attack (5 answers)

Embed WordPress Admin in an iframe

I am trying to embed the admin “new post” WordPress page into an iframe: <iframe height="500px" frameborder="0" width="740px" src="my_wordpress_domain/wp-admin/post-new.php"/> For some reason the iframe loads a blank page. The link itself works in a separate tab and so does the WordPress home page. Is this a security issue, and if so, how can I circumvent it?