Overview — Why partially block xmlrpc.php and how this helps WordPress exposes an XML-RPC endpoint at /xmlrpc.php that implements a set of remote methods (wp., pingback., blogger., system. and others). That endpoint is useful for legitimate clients (the official mobile apps historically, some remote publishing tools, some plugins such as Jetpack in older modes) but […]
Introduction This is a comprehensive, implementation-ready tutorial for hardening HTTP security headers for WordPress sites using PHP. It covers HSTS (Strict-Transport-Security) and CSP (Content-Security-Policy) end-to-end: concepts, risks, best practices, rollout strategy, WordPress-specific implementation patterns, nonce-based CSP for inline scripts, reporting, server-level notes, testing and operational caveats. All code examples are ready to drop in functions.php […]
Introduction This article explains in depth how to avoid Cross-Site Request Forgery (CSRF) when registering and handling actions via WordPresss admin-post.php endpoint. It covers the threat model, how admin-post.php works, proven protection patterns for both authenticated and unauthenticated users, examples (complete code), common mistakes, and additional hardening measures. Why CSRF matters for admin-post.php admin-post.php is […]
Overview: why nonces and capabilities matter for WordPress forms WordPress nonces and capability checks protect your application from common web attacks and privilege escalation: Nonces (number used once) mitigate Cross-Site Request Forgery (CSRF) by ensuring a request originates from a trusted user and page. Capabilities (current_user_can, user_can) ensure the current user has the right privileges […]
Introduction — Why shortcodes and metaboxes are XSS targets Shortcodes and metaboxes are common extension points in WordPress that accept user-provided input and later render that input inside the admin or public HTML. That combination (user input HTML output) makes them frequent vectors for cross-site scripting (XSS). Preventing XSS here requires consistent application of three […]
Why escaping matters in WordPress Escaping output is the last and critical line of defense against cross-site scripting (XSS) and other injection attacks. Any time you print user-supplied data, data from the database, or values that may contain untrusted content into HTML, attributes or URLs, you must escape them for the exact context in which […]
Introduction This article explains in detail how to properly sanitize and validate inputs in WordPress using sanitize_text_field and related functions. It covers the difference between sanitization and escaping, lists the most important WordPress sanitization and validation helpers, and provides multiple practical examples (form processing, settings API, meta boxes, REST API, AJAX, uploads, and arrays). Every […]
Introduction This tutorial explains, in complete detail, how to implement a server-side proxy endpoint in WordPress to access external APIs from browser-based clients and avoid CORS issues. It covers why a proxy is useful, security and performance considerations, concrete plugin code you can drop into your WordPress site, caching and rate-limiting strategies, how to forward […]
Introduction Consuming external APIs from WordPress is a common need: you might pull weather data, remote posts, currency rates, or any third-party JSON/XML. Making live HTTP requests on every page load is slow and fragile. WordPress provides a built-in HTTP API (wp_remote_get, wp_remote_post, etc.) and a simple caching mechanism (transients) which together let you fetch […]
Overview This article explains safe, practical approaches for detecting in JavaScript whether a visitor is logged into a WordPress site. It covers multiple methods (inline data, localized script data, REST API), shows secure example code for both PHP and JavaScript, explains security and caching pitfalls, and gives recommendations for production usage. Principles and constraints Do […]
