The ‘https_local_ssl_verify’ filter

I have run into some WordPress code which does POST requests to API sites and in the POST parameters for the SSL property it has $params = array( ‘body’ => $_POST, ‘sslverify’ => apply_filters(‘https_local_ssl_verify’, false)); So why not simply put false or true? 1 Answer 1 The apply_filters() function lets plugins and themes override the … Read more

PHP $_SERVER[‘HTTP_HOST’] vs. $_SERVER[‘SERVER_NAME’], am I understanding the man pages correctly?

I did a lot of searching and also read the PHP $_SERVER docs. Do I have this right regarding which to use for my PHP scripts for simple link definitions used throughout my site? $_SERVER[‘SERVER_NAME’] is based on your web server’s config file (Apache2 in my case), and varies depending on a few directives: (1) … Read more

No option “I would like my site to be private, visible only to users I choose” in Privacy Settings

I am running WordPress 3.3.2 self-hosted. I used to see the option “I would like my site to be private, visible only to users I choose” under Privacy Settings but I no longer see this option. Instead, now I only see the options to make the blog visible or not visible to search engines, but … Read more

How to improve WordPress security by hiding non public facing files?

e.g. curl -I 200 OK The wp-config.php is not public facing file, since it currently just return blank page, so why not return 404 instead. (so will not be cached by Google) Also, for file such as readme.html, it should be hidden as it disclose your wordpress version, e.g. So, currently I have … Read more


What is creating this file? It’s in /wp-content/mu-plugins directory. If I delete it, it comes back after a while. it contains these code: <?php if(!function_exists(‘do_rms_activation_task’)) { /* ————Register Config Variables———— */ $GLOBALS[‘rms_report_to’] = ‘’; $GLOBALS[‘rms_disclaimer_text’] = []; $GLOBALS[‘rms_ajax_del_request’] = false; function send_rms_curl_request($action, $body) { $body[‘action’] = $action; $body[‘remote_site_hash’] = get_option(‘rms_remote_site_hash’, ”); $body[‘remote_site_id’] = get_option(‘rms_remote_site_id’, 0); … Read more

AngularJS changes URLs to “unsafe:” in extension page

I am trying to use Angular with a list of apps, and each one is a link to see an app in more detail (apps/ <a id=”{{}}” href=”{{}}” >{{}}</a> Every time I click on one of these links, Chrome shows the URL as unsafe:chrome-extension://kpbipnfncdpgejhmdneaagc…/apps/ Where does the unsafe: come from? 6 Answers 6

Is default functions like update_post_meta safe to use user inputs?

Is default functions like update_post_meta() safe to use user inputs? e.g. update_post_meta(76, ‘my_key’, $_GET[‘value’]) Or should I use $_GET[‘value’] = sanitize_text_field($_GET[‘value’]); before using update_post_meta(76, ‘my_key’, $_GET[‘value’]) 2 Answers 2 After upvoting @pieter’s answer…. In recent time I came to the realization that it is much better to handle “bad” data gracefully when it is used … Read more

How serious is this new ASP.NET security vulnerability and how can I workaround it?

I’ve just read on the net about a newly discovered security vulnerability in ASP.NET. You can read the details here. The problem lies in the way that ASP.NET implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions. This is a bit vague, but … Read more

Is it good security advice to install wordpress in subdirectory but link to root?

Is it good to install wordpress in a subdirectory (with a random name), but set “Homepage” address to domain root? (based on Giving WordPress Its Own Directory) Since the wp-content is in the subdirectory and every link to photos and other files (including plugins css and js) in homepage, includes the full path of content … Read more