☆ Not an expert. Probably wrong.
The resources you have available to spend on WordPress security for your website usually vary vastly whether you’re an international corporation or just a hobbyist blogger. But since most attacks are automated by bots looking for vulnerabilities, a lot of the threats are the same. Here are some WordPress security measures that bloggers and small business with limited resources easily can take.
If you google “functions.php” you get about 7 million results. I bet most of them contain bad advice: “How to add functionality to your WordPress site”. Some of them continue even worse: “[…] without using a plugin”. For your own good, don’t edit functions.php to add custom functionality to your WordPress site. You can use mu-plugins to do that.
Continue reading “Use mu-plugins for adding custom functionality to your WordPress site”
Since I translate a lot of WordPress themes and plugins, I sometimes come across plugins who try to be clever with their translations. This tends to not work so well in reality.
Continue reading “Don’t be “clever” with the translatable strings in your WordPress plugin or theme”
As you may know, WordPress sends out email notifications from time to time. Actually, as of WordPress 4.8.1, there are 24 different occasions when WordPress will send an email message. Don’t you think it would be useful to have a reference of all outgoing WordPress emails?
Continue reading “A reference of all outgoing WordPress emails”
During WordCamp Europe 2017 in Paris, there was a Q&A session with Matt Mullenweg. I wanted to ask him a question, but due to high demand and restricted time, I never got to ask him. I guess Matt is a busy person, so I don’t expect him to actually answer this question himself. But maybe someone in the WordPress community has answers, insights or ideas?
A person is the CEO of one of the most important WordPress-related companies. WordPress would probably not have been such a success without this company: They are constantly contributing with a huge amount of hours spent on development, community support, marketing and probably on more areas than what I am aware of. Even their CEO has been the release lead for multiple WordPress releases; most recently WordPress 4.8 which was released this month.
I belive the same person is the leader of the WordPress Foundation, which holds the WordPress trademark. They organize and take care of a lot of all things WordPress.
The wordpress.org websites, and all the infrastructure there, are privately owned by the same single person. This is where you find WordPress itself, themes, plugins, documentation, discussions, the issue tracker, and pretty much everything of the infrastructure that WordPressers rely on.
It looks like The WordPress project and community relies heavily on this single person.
In this world nothing can be said to be certain, except death and taxes.
– Benjamin Franklin
I don’t know, or want to know, anything about Matt Mullenweg’s taxes. But what happens when he will be prevented from running all of this? Is there a contingency plan?
Automattic is, as far as I know, a very profitable corporation and does probably have a contingency plan. They are also very far from the only contributor to WordPress. If, in a worst-case scenario, Automattic stops contributing to WordPress, they will be missed, but we will overcome.
There seems to be very little information on the Foundation available online. How is the organization governed? Does it have a contingency plan? Will it become some sort of democracy instead of a benevolent dictatorship? Will it dissolve into nothing?
And what about the entire technical infrastructure that WordPress so heavily rely on? Who will own it? Who will run it? Who will pay all the bills for it – which I can only assume is quite a bill? Do we have a contingency plan for it?
Do we have a contingency plan for WordPress?
Note: Please do not consider any statement in this post as a fact. My question is based on my understanding of how things are being run. I might be wrong.
UUIDs (Universally Unique IDentifier), also known as GUIDs (Globally Unique IDentifier), is a string that identifies a piece of information in computer systems. WordPress use GUIDs to identify each individual post, but use URLs (kind of) for GUIDs, and thus does not follow the standard definition (RFC 4122) of a UUID (or GUID).
Continue reading “Proper RFC 4122 UUIDs as GUIDs in WordPress”
WordPress doesn’t use a nonce for the login form, which opens up for you to perform a WordPress session donation attack.
Continue reading “How to perform and mitigate a WordPress session donation attack”
If you’re utilizing the browser cache correctly, you’ll gain huge performance benefits for your users, as well as save bandwidth and server capacity which equals to saving money. To do this right, you must create unique URLs for all versions of your resources, and tell them to never ask for the content again by telling the browsers that the assets are immutable resources.
Continue reading “Immutable assets with unique URLs in WordPress for enqueued JS and CSS files”
Inspired by how Facebook assists their users when they log in, I decided to implement something like the same for WordPress.
Continue reading “Giving users a helping hand when authorizing them in WordPress”
So, you’ve launched your WordPress site on a non-www domain, like example.com, but since then found out that running it on on www, like www.example.com, is better and want to move? You’re in luck, because it is really easy.
Continue reading “Move your WordPress site from non-www to www domain”
