Verifying that I have fully removed a WordPress hack?
My for-fun WordPress blog at http://fakeplasticrock.com (running WordPress 3.1.1) got hacked — it was showing an <iframe> on every page like so:
Is it possible to rename the wp-admin folder?
I’ve run across the following snippet in themes from time to time:
I have a website for which we are trying to be discreet about the fact that we are using WordPress. What steps can we take to make it less obvious?
One of the most common security best practices these days seems to be moving wp-config.php one directory higher than the vhost’s document root. I’ve never really found a good explanation for that, but I’m assuming it’s to minimize the risk of a malicious or infected script within the webroot from reading the database password.
I use WordPress for a private site where users upload files.
I use the “Private WordPress” to prevent access to the site if the user is not logged in.
I want to filter any HTTP request URI done through the HTTP API.
Any way to change the wp-login.php URL? It seems insecure that everyone that’s ever used WordPress could easily see if your site is using it, and get right to the login page.
I’m looking to adapt an existing forum-like plugin which has no facility for attaching media.
Can I prevent enumeration of usernames on my WordPress site? I can see users at the moment using the WPScan tool.