Closed. This question needs to be more focused. It is not currently accepting answers. Closed 5 years ago. The community reviewed whether to reopen this question 5 months ago and left it closed: Original close reason(s) were not resolved This question’s answers are a community effort. Edit existing answers to improve this post. It is … Read more
What is the difference, which one should I use? I know that wp_verify_nonce checks the time limit, and check_admin_referer I think calls wp_verify_nonce as well as checking for an admin url segment, but I’m a bit confused on which one I should use and when. Thanks for the clarity. 2 I thought that check_admin_referer checked … Read more
Any way to change the wp-login.php url? It seems insecure that everyone that’s ever used WordPress could easily see if your site is using it, and get right to the login page. There used to be a plugin called “Stealth login,” but it wasn’t updated. (And hence our reluctance to rely on plugins). 4 If … Read more
After a certain amount of time WP logs out all users and forces them to log back in again. For development environments on my local machine this is obnoxious and absolutely unnecessary. Is there an API-driven way of disabling the auto-logout indefinitely? Ideally I’d like something I can add to wp-config.php along with other dev-setup-related … Read more
What is a best way to eliminate xmlrpc.php file from WordPress when you don’t need it? 8 Since WordPress 3.5 this option (XML-RPC) is enabled by default, and the ability to turn it off from WordPress dashboard is gone. Add this code snippet for use in functions.php: // Disable use XML-RPC add_filter( ‘xmlrpc_enabled’, ‘__return_false’ ); … Read more
Can I prevent enumeration of usernames on my wordpress site? I can see users at the moment using the WPScan tool. 9 A simple solution I use in a .htaccess: RewriteCond %{REQUEST_URI} !^/wp-admin [NC] RewriteCond %{QUERY_STRING} author=\d RewriteRule ^ – [L,R=403] It is similar to @jptsetme’s answer, but it works even when the query string … Read more
I’ve run across the following snippet in themes from time to time: if ( ! defined(‘ABSPATH’)) exit(‘restricted access’); It’s at the beginning of some (all?) PHP files in a theme and it’s supposed to prevent direct access of the file by nefarious sources. I see that this isn’t included in Twenty Ten or Eleven and … Read more
I have upgraded my WordPress to 4.7.1, and after that I’ve tried to enumerate users through REST API, which should be fixed, but I was able to retrieve users. https://mywebsite.com/wp-json/wp/v2/users Output: [{“id”:1,”name”:”admin”,”url”:””,”description”:””,”link”:”https:\/\/mywebsite\/author\/admin\/”,”slug”:”admin”,”avatar_urls”:{“24”: … Changelog from latest version: The REST API exposed user data for all users who had authored a post of a public post … Read more
When writing WordPress plugins there is often a need to set up options for which roles on the site have access to certain functionality or content. To do this a plugin dev needs to fetch the list of roles that exist on the site to use in the option. Because custom roles can be created … Read more
Does your cacerts.pem file hold a single certificate? Since it is a PEM, have a look at it (with a text editor), it should start with —–BEGIN CERTIFICATE—– and end with —–END CERTIFICATE—– Finally, to check it is not corrupted, get hold of openssl and print its details using openssl x509 -in cacerts.pem -text
