
WordPress security for the casual blogger or small business with limited resources

The resources you have available to spend on WordPress security for your website vary vastly depending on whether you’re an international corporation or just a hobbyist blogger. But since most attacks are automated by bots looking for vulnerabilities, a lot of the threats are the same. Here are some WordPress security measures that bloggers and small businesses with limited resources can easily take.

August 10, 2017 · 8 min · Bjørn Johansen

Use mu-plugins for adding custom functionality to your WordPress site

If you google “functions.php” you get about 7 million results. I bet most of them contain bad advice: “How to add functionality to your WordPress site”. Some of them continue even worse: “[…] without using a plugin”. For your own good, don’t edit functions.php to add custom functionality to your WordPress site. You can use mu-plugins to do that.

August 9, 2017 · 3 min · Bjørn Johansen

A reference of all outgoing WordPress emails

As you may know, WordPress sends out email notifications from time to time. Actually, as of WordPress 4.8.1, there are 24 different occasions when WordPress will send an email message. Don’t you think it would be useful to have a reference of all outgoing WordPress emails?

August 3, 2017 · 1 min · Bjørn Johansen

The bus factor in the WordPress project

During WordCamp Europe 2017 in Paris, there was a Q&A session with Matt Mullenweg. I wanted to ask him a question, but due to high demand and restricted time, I never got to ask him. I guess Matt is a busy person, so I don’t expect him to actually answer this question himself. But maybe someone in the WordPress community has answers, insights or ideas? A person is the CEO of one of the most important WordPress-related companies....

June 18, 2017 · 3 min · Bjørn Johansen

Proper RFC 4122 UUIDs as GUIDs in WordPress

A UUID (Universally Unique IDentifier), also known as a GUID (Globally Unique IDentifier), is a string that identifies a piece of information in computer systems. WordPress uses GUIDs to identify each individual post, but uses URLs (kind of) for GUIDs, and thus does not follow the standard definition (RFC 4122) of a UUID (or GUID).

June 10, 2017 · 7 min · Bjørn Johansen

Six reasons why I love WordCamps

This weekend I was at WordCamp Berlin, met a lot of great people, and watched a lot of interesting presentations. WordCamps are actually quite informal by themselves, but at the afterparties, people are really letting their shoulders down and it often seems like people are long-time personal friends. If you open up to it, it won’t take long until people will give you feedback on whatever you have released in public.

May 15, 2017 · 2 min · Bjørn Johansen

How to perform and mitigate a WordPress session donation attack

WordPress doesn’t use a nonce for the login form, which makes a WordPress session donation attack possible.

March 22, 2017 · 7 min · Bjørn Johansen

Immutable assets with unique URLs in WordPress for enqueued JS and CSS files

If you’re utilizing the browser cache correctly, you’ll gain huge performance benefits for your users, as well as save bandwidth and server capacity, which equals saving money. To do this right, you must create unique URLs for all versions of your resources, and tell browsers never to ask for the content again by declaring the assets immutable resources.

March 21, 2017 · 6 min · Bjørn Johansen

Giving users a helping hand when authorizing them in WordPress

Inspired by how Facebook assists their users when they log in, I decided to implement something similar for WordPress.

January 24, 2017 · 4 min · Bjørn Johansen

Move your WordPress site from non-www to www domain

So, you’ve launched your WordPress site on a non-www domain, like example.com, but have since found out that running it on www, like www.example.com, is better, and want to move? You’re in luck, because it is really easy.

January 23, 2017 · 3 min · Bjørn Johansen