# Block XML-RPC completely (Apache 2.2 directives; on Apache 2.4 they need mod_access_compat)
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
# Allow the login page only from the administrator's address (Apache 2.4 directive);
# 255.255.255.255 is a placeholder, replace it with your own IP
<Files "wp-login.php">
Require ip 255.255.255.255
</Files>
Notes about WordPress Gutenberg themes development.
Hardening WordPress
- replace the wp_ database table prefix
- rename folders: wp-content, uploads, plugins, wp-admin, wp-includes

define( 'UPLOADS', 'media' );                                    // uploads was renamed to "media" and moved up one level
define( 'WP_CONTENT_DIR', '/path/to/wordpress/dir/content' );    // no host name, no trailing slash
define( 'WP_CONTENT_URL', 'http://example.com/content' );
define( 'WP_PLUGIN_DIR', '/path/to/wordpress/dir/content/mod' ); // no host name, no trailing slash
define( 'WP_PLUGIN_URL', 'http://example.com/content/mod' );
- change the cookie names

define( 'USER_COOKIE', 'my_user_cookie' );
define( 'PASS_COOKIE', 'my_pass_cookie' );
define( 'AUTH_COOKIE', 'my_auth_cookie' );
define( 'SECURE_AUTH_COOKIE', 'my_sec_cookie' );
define( 'LOGGED_IN_COOKIE', 'my_logged_cookie' );
define( 'TEST_COOKIE', 'my_test_cookie' );
Sources:
- https://wpcerber.com/turn-wordpress-into-fort-knox/
- https://developer.wordpress.org/advanced-administration/security/hardening/
-
File permissions

# before setup
chown www-data:www-data -R *          # let Apache be the owner
find . -type d -exec chmod 755 {} \;  # rwxr-xr-x
find . -type f -exec chmod 644 {} \;  # rw-r--r--

# after setup
chown <username>:<username> -R *
chown www-data:www-data wp-content
Sources:
- https://wordpress.org/documentation/article/hardening-wordpress/#file-permissions
- https://stackoverflow.com/questions/18352682/correct-file-permissions-for-wordpress
- https://wordpress.org/documentation/article/changing-file-permissions/
- https://httpd.apache.org/docs/2.2/misc/security_tips.html
-
Input / output
Never trust user input, even when it comes from an administrator or from the database.
Validation checks an input against a list of requirements.

in_array( mixed $needle, array $haystack, bool $strict = false ): bool
ctype_alnum( mixed $text ): bool
strlen( string $string ): int
...
https://developer.wordpress.org/apis/security/data-validation/
Sanitizing cleans an input, removing or transforming every unwanted piece of data.

// For text inputs:
sanitize_text_field( string $str ): string
// Use a type-specific sanitizing function where one exists, e.g.:
sanitize_email( string $email ): string
https://developer.wordpress.org/apis/security/sanitizing/
Escaping output is the process of securing output data by stripping out unwanted data. It is best to escape as late as possible, ideally at the moment the data is printed.

esc_html( string $text ): string // encodes HTML special characters, so tags are displayed as text instead of being rendered
esc_url( string $url, string[] $protocols = null, string $_context = 'display' ): string
esc_attr( string $text ): string
esc_js( string $text ): string
// escaping with localization
esc_html_e( 'Hello World', 'text_domain' );
// is equivalent to
echo esc_html( __( 'Hello World', 'text_domain' ) );
https://developer.wordpress.org/apis/security/escaping/
Source: https://developer.wordpress.org/apis/security/common-vulnerabilities/
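Putting the three steps together, as an added example that is not part of these notes: a hypothetical theme form handler (the mytheme_* function, field and meta key names are assumed; every function called is WordPress core or PHP) that validates a choice against a whitelist, sanitizes text and e-mail on the way in, and escapes each value for its context on the way out.

```php
<?php
// Added example, not from the original notes. Function, field and meta key
// names (mytheme_*) are hypothetical; every called function is WordPress core or PHP.
const MYTHEME_ALLOWED_LAYOUTS = array( 'grid', 'list' ); // validation whitelist

// Input side: validate and sanitize, then store. Runs on admin-post.php?action=mytheme_prefs
function mytheme_handle_prefs_form() {
    // Refuse the request before reading any field if the nonce or capability check fails.
    if ( ! isset( $_POST['mytheme_nonce'] )
        || ! wp_verify_nonce( $_POST['mytheme_nonce'], 'mytheme_prefs' )
        || ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    // Validation: the layout must be one of the known values (strict comparison).
    $layout = isset( $_POST['layout'] ) ? (string) $_POST['layout'] : '';
    if ( ! in_array( $layout, MYTHEME_ALLOWED_LAYOUTS, true ) ) {
        $layout = 'grid'; // safe default instead of storing an unknown value
    }
    // Sanitization: type-specific cleaners; sanitize_email() returns '' for an invalid address.
    $nickname = sanitize_text_field( wp_unslash( $_POST['nickname'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( strlen( $nickname ) > 40 ) {
        $nickname = ''; // validation after sanitization: enforce a length limit
    }
    update_user_meta( get_current_user_id(), 'mytheme_prefs',
        array( 'layout' => $layout, 'nickname' => $nickname, 'email' => $email ) );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_mytheme_prefs', 'mytheme_handle_prefs_form' );

// Output side: escape every value at the moment it is printed, with the escaper
// that matches its context (attribute value, text node, URL). Stored meta is never trusted.
function mytheme_render_prefs_form() {
    $defaults = array( 'layout' => 'grid', 'nickname' => '', 'email' => '' );
    $prefs    = wp_parse_args( (array) get_user_meta( get_current_user_id(), 'mytheme_prefs', true ), $defaults );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'mytheme_prefs', 'mytheme_nonce' );
    echo '<input type="hidden" name="action" value="mytheme_prefs">';
    echo '<input name="nickname" value="' . esc_attr( $prefs['nickname'] ) . '">';
    echo '<input name="email" type="email" value="' . esc_attr( $prefs['email'] ) . '">';
    foreach ( MYTHEME_ALLOWED_LAYOUTS as $opt ) {
        printf( '<label><input type="radio" name="layout" value="%s"%s> %s</label>',
            esc_attr( $opt ), checked( $prefs['layout'], $opt, false ), esc_html( $opt ) );
    }
    echo '<button>' . esc_html__( 'Save', 'mytheme' ) . '</button></form>';
}
```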
-
Force SSL admin connection
define( 'FORCE_SSL_ADMIN', true );
-
Disallow file editing
define( 'DISALLOW_FILE_EDIT', true );
-
REST API /users/
User accounts can be enumerated with:
curl -L http://$1/wp-json/wp/v2/users
To prevent this:

add_filter( 'rest_endpoints', function( $endpoints ) {
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );