Nonce actions and names available via open source

I am using a plugin which makes its code publicly available. Therefore, anyone can see the $action and $name parameters used to generate the nonces. Does this make my site more vulnerable since this reduces the added security provided by these parameters? Should I thus replace these parameters with my own values for them? Thanks. …

wp_verify_nonce always returns false when logged in as admin

I’ve implemented some AJAX functionality for my plugin and it works fine as long as I’m not logged in as admin – then wp_verify_nonce fails. It works for unauthorized users and authorized regular users too. Here’s my PHP class (I removed everything that is not relevant to the issue): class My_Ajax { function __construct() { …

ssh remote host identification has changed

I’ve reinstalled my server and I am getting these messages: [user@hostname ~]$ ssh root@pong @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. …

How does nonce verification work?

I can see that wp_nonce_field generates a value in the hidden field. <input type="hidden" id="message-send" name="message-send" value="cabfd9e42d" /> But wp_verify_nonce isn’t using that value as far as I can tell, but I may be wrong. It looks like it’s using a session token for verification. $expected = substr( wp_hash( $i . '|' . $action . …