Security snippets

disable theme / plugin text editor

I never use the built-in text editor to edit theme or plugin files in WP-admin, nor do I want my clients to. It's also a security risk: anyone who hijacks an account with access to it can modify the site's PHP and JavaScript files. Standard code snippet for my sites, courtesy of wpfunction.me (it goes in wp-config.php).

// Disable the theme / plugin text editor in Admin (place in wp-config.php)
define('DISALLOW_FILE_EDIT', true);

remove wp version

Telling hackers which version of WP you are running gives them an easy way to look up which known vulnerabilities it contains. Better to hide it and keep them in the dark.

// Remove WP version (the <meta name="generator"> tag in the page head)
function wpbeginner_remove_version() {
    return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');
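The generator tag is only one place the version shows up: core also appends ?ver=<WP version> to every script and stylesheet it enqueues, and that survives the filter above. The following is an added example, not code from the original post or from wpbeginner; the function name is my own, the filters and helpers are standard WordPress API. It strips the ver argument only when it equals the running core version, so plugin and theme assets keep their own version strings for cache busting.

```php
<?php
// Added example: remove the core version number from enqueued script/style URLs.
// Assumption: only a ver= that equals the running WordPress version is stripped;
// assets that carry their own version (plugins, themes) are left alone.
function example_strip_core_version_from_assets( $src ) {
    $core_version = get_bloginfo( 'version' );
    if ( strpos( $src, 'ver=' . $core_version ) !== false ) {
        $src = remove_query_arg( 'ver', $src ); // core helper, drops the query argument cleanly
    }
    return $src;
}
// Late priority so the filter runs after anything else that rewrites asset URLs.
add_filter( 'style_loader_src',  'example_strip_core_version_from_assets', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version_from_assets', 9999 );

// Self-check from a WP-CLI shell (`wp shell`), using a constructed URL:
// echo example_strip_core_version_from_assets( includes_url( 'js/jquery/jquery.js?ver=' . get_bloginfo( 'version' ) ) );
// prints the jquery.js URL without the ver= argument
```

Even with both filters in place, readme.html and the RSS feed still reveal the version, so treat hiding it as a nuisance for scanners, not as a substitute for updating.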

hide email address from the markup on your site

Bots with dubious intentions are always scouring the web for email addresses. With this nifty function from wp-mix.com, wrapping the email address in the [email] shortcode writes it to the page source as HTML character entities: the browser renders and links it normally, but a naive scraper looking for plain text addresses will miss it.

// Hide email address from the markup on your site.
// Usage in post content: [email]dude@example.com[/email]
// Output: <a class="encoded-email" href="mailto:&#100;&#117;&#100;&#101;...">&#100;&#117;&#100;&#101;...</a>
function encode_email_shortcode($atts, $content = null) {
    $encodedmail = ''; // initialise, otherwise PHP raises an undefined-variable notice
    for ($i = 0; $i < strlen($content); $i++) {
        $encodedmail .= '&#' . ord($content[$i]) . ';'; // one numeric HTML entity per character
    }
    return '<a class="encoded-email" href="mailto:' . $encodedmail . '">' . $encodedmail . '</a>';
}
add_shortcode('email', 'encode_email_shortcode');
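The same idea with two additions a practitioner would want, as an added example of mine rather than the wp-mix.com snippet: the shortcode refuses anything that is not a single email address (so the shortcode can't be used to put arbitrary text inside an href), and it alternates decimal and hexadecimal entities so the output does not match the plain &#NNN; pattern many scrapers already decode. The function name and the optional label attribute are my own choices; is_email(), shortcode_atts() and esc_html() are core WordPress functions.

```php
<?php
// Added example: validated, mixed-entity version of the email shortcode.
function example_encode_email_shortcode( $atts, $content = null ) {
    $atts  = shortcode_atts( array( 'label' => '' ), $atts ); // normalises $atts, which may be '' when no attributes are given
    $email = trim( (string) $content );
    if ( ! is_email( $email ) ) {
        return ''; // not an address: emit nothing rather than unvalidated input
    }
    $encoded = '';
    $len     = strlen( $email );
    for ( $i = 0; $i < $len; $i++ ) {
        $code     = ord( $email[ $i ] );
        // even positions as decimal entities, odd positions as hexadecimal ones
        $encoded .= ( $i % 2 === 0 ) ? '&#' . $code . ';' : '&#x' . dechex( $code ) . ';';
    }
    // optional [email label="Write to us"]dude@example.com[/email]; the label is escaped, the address is entity-encoded
    $label = ( $atts['label'] !== '' ) ? esc_html( $atts['label'] ) : $encoded;
    return '<a class="encoded-email" href="mailto:' . $encoded . '">' . $label . '</a>';
}
add_shortcode( 'email', 'example_encode_email_shortcode' );

// What this does and does not buy you: a browser decodes the entities before rendering or
// following the link, and so does any scraper that bothers to call html_entity_decode().
// Round trip on a constructed sample: "dude" encodes to &#100;&#x75;&#100;&#x65; and
// html_entity_decode( '&#100;&#x75;&#100;&#x65;' ) === 'dude'
```

This is obfuscation against low-effort harvesting, not encryption; anything that has to stay private belongs in a contact form, not in the markup.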

remove default user roles

To keep things clean and minimize security risks, you can disable each default user role that remains unused. Another snippet from wpsnipp.com

// Remove default user roles (from wpsnipp.com)
function wps_remove_role() {
//    remove_role( 'editor' );
    remove_role( 'author' );
    remove_role( 'contributor' );
    remove_role( 'subscriber' );
}
add_action( 'init', 'wps_remove_role' );

add user role and capabilities

By the same token, you can add roles and capabilities.

// Add user role & capabilities
function wps_add_role() {
    // capabilities are keyed by name => true (a plain list would register caps named 0, 1, 2)
    add_role( 'manager', 'Manager',
        array(
            'read'         => true,
            'edit_posts'   => true,
            'delete_posts' => true,
        )
    );
}
add_action( 'init', 'wps_add_role' );
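Two things the wpsnipp.com snippets above don't do: they run on every page load even though role changes are stored in the database, and remove_role() on a role that users still hold leaves those users with no capabilities at all. The following is an added example of mine, not from wpsnipp.com, that applies the same changes once and checks for users first. The option key example_roles_v1, the function name and the choice of capabilities dropped from the manager role are my own; count_users(), get_role() and the option functions are core WordPress API.

```php
<?php
// Added example: apply role changes once, skipping roles that still have users.
function example_configure_roles() {
    if ( get_option( 'example_roles_v1' ) ) {
        return; // already applied; roles persist in wp_options, so don't repeat this on every init
    }
    $unused = array( 'author', 'contributor', 'subscriber' );
    $counts = count_users(); // core: array with 'total_users' and 'avail_roles' => ( role => count )
    foreach ( $unused as $role ) {
        $holders = isset( $counts['avail_roles'][ $role ] ) ? (int) $counts['avail_roles'][ $role ] : 0;
        if ( $holders === 0 ) {
            remove_role( $role );
        } else {
            // leave the role in place and make the reason visible in the PHP error log
            error_log( "example_configure_roles: keeping role '$role', still held by $holders user(s)" );
        }
    }
    // Build 'manager' from the editor's capabilities minus the ones that reach other users' content
    $editor = get_role( 'editor' );
    if ( $editor && ! get_role( 'manager' ) ) {
        $caps = $editor->capabilities; // associative array cap => true
        unset( $caps['edit_others_posts'], $caps['delete_others_posts'], $caps['unfiltered_html'] );
        add_role( 'manager', 'Manager', $caps );
    }
    update_option( 'example_roles_v1', 1 );
}
add_action( 'init', 'example_configure_roles' );
```

To re-run after changing the list, delete the option (wp option delete example_roles_v1 from WP-CLI) or bump the key; users who lost a removed role would have to be reassigned by hand, which is exactly why the count check is there.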

lead failed login away from wp login page

Send a failed login back to the page it was submitted from rather than to wp-login.php (or whatever your login page is; I recommend moving it away from the default location with the WPS Hide Login plugin, as I have not found a well-working function for that purpose).

// Make sure a failed login does not lead the visitor to the WP-login page
if ( ! function_exists( 'custom_login_fail' ) ) {
    function custom_login_fail( $username ) {
        $referrer = wp_get_referer(); // where did the post submission come from? (false if there is no referrer)
        // if there's a valid referrer, and it's not the default log-in screen
        if ( $referrer && ! strstr( $referrer, 'wp-login' ) && ! strstr( $referrer, 'wp-admin' ) ) {
            if ( ! strstr( $referrer, 'login=failed' ) ) { // make sure we don't append twice
                // append some information (login=failed) to the URL for the theme to use
                $referrer = add_query_arg( 'login', 'failed', $referrer );
            }
            wp_safe_redirect( $referrer ); // the referrer is browser-supplied, so only allow redirects to this site
            exit;
        }
    }
}
add_action( 'wp_login_failed', 'custom_login_fail' ); // hook failed login

// Same treatment when the form is submitted with an empty username or password.
// 'authenticate' is a filter, so the callback must receive and return $user.
if ( ! function_exists( 'custom_login_empty' ) ) {
    function custom_login_empty( $user, $username, $password ) {
        $referrer = wp_get_referer();
        // only for submissions from a front-end page of this site, not from wp-login.php
        if ( $referrer && strstr( $referrer, get_home_url() ) && ! strstr( $referrer, 'wp-login' )
             && ( empty( $username ) || empty( $password ) ) ) {
            if ( ! strstr( $referrer, 'login=empty' ) ) { // prevent appending twice
                $referrer = add_query_arg( 'login', 'empty', $referrer );
            }
            wp_safe_redirect( $referrer );
            exit;
        }
        return $user; // hand the unchanged result on to the next authenticate callback
    }
}
add_filter( 'authenticate', 'custom_login_empty', 30, 3 ); // priority 30: after core's own checks
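The snippet above only sets a login= flag "for the theme to use"; here is the other half, as an added example of mine rather than code from the post. The theme reads the flag and shows one generic message (the same text for a wrong username and a wrong password, so the form doesn't confirm which accounts exist), and each failure is written to the PHP error log with the client address so repeated attempts show up in whatever watches that log. The function names, message texts and log format are my own choices; sanitize_key(), esc_html() and wp_get_referer() are core WordPress functions.

```php
<?php
// Added example: theme-side message for the login= flag, plus failed-login logging.

// 1) Call this from the template that renders the front-end login form.
function example_login_notice() {
    $state    = isset( $_GET['login'] ) ? sanitize_key( $_GET['login'] ) : ''; // only [a-z0-9_-] survives
    $messages = array(
        'failed' => 'Login failed. Please check your username and password.', // one text for both causes
        'empty'  => 'Please fill in both username and password.',
    );
    if ( isset( $messages[ $state ] ) ) {
        echo '<p class="login-notice">' . esc_html( $messages[ $state ] ) . '</p>';
    }
}

// 2) Record every failure on the same wp_login_failed hook custom_login_fail uses.
function example_log_failed_login( $username ) {
    // Assumption: the site is not behind a reverse proxy; if it is, REMOTE_ADDR is the proxy
    // and the real client address has to be taken from the header your proxy sets.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    // the username is user-controlled input: keep only printable ASCII and cap the length before logging
    $user = substr( preg_replace( '/[^\x20-\x7E]/', '', (string) $username ), 0, 60 );
    $ref  = wp_get_referer();
    error_log( sprintf( 'wp_login_failed ip=%s user="%s" referer=%s', $ip, $user, $ref ? $ref : '-' ) );
}
add_action( 'wp_login_failed', 'example_log_failed_login' );

// Constructed sample of what lands in the log for a failed attempt from the front-end form:
// wp_login_failed ip=203.0.113.7 user="dude" referer=https://example.com/members/
```

A line per failure is enough to feed a log watcher or to eyeball a burst of attempts against one account; the snippet deliberately does not block anything itself, that belongs in a dedicated plugin or at the web server.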

redirect users to previous page upon login

Instead of redirecting all visitors to the homepage upon login, redirect them to the page they were on before logging in.

// Redirect users to previous page upon login
// (not on logout, and only when a login request is actually being handled)
if ( ( isset( $_GET['action'] ) && $_GET['action'] != 'logout' ) || ( isset( $_POST['login_location'] ) && ! empty( $_POST['login_location'] ) ) ) {
    add_filter( 'login_redirect', 'my_login_redirect', 10, 3 );
    // login_redirect is a filter: return the destination instead of redirecting from inside the callback
    function my_login_redirect( $redirect_to, $requested_redirect_to, $user ) {
        $location = wp_get_referer(); // page the login form was submitted from (false if unknown)
        if ( $location && ! strstr( $location, 'wp-login' ) ) {
            return $location; // wp-login.php passes this through wp_safe_redirect(), which rejects off-site hosts
        }
        return $redirect_to; // fall back to the default destination
    }
}
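The referrer is a header the browser supplies, and it is often missing (privacy settings, HTTPS to HTTP, typed URLs). The usual way to get the same result is to tell WordPress where to go when the form is rendered: wp_login_form() writes the value into the hidden redirect_to field, and wp-login.php runs it through wp_safe_redirect(), which refuses off-site hosts. The following is an added example of mine, not from the post; the function names are my own, and it assumes the form sits on a singular page so get_permalink() gives the page to return to. If you use it, drop the referrer-based my_login_redirect filter above, since two login_redirect filters would fight over the destination.

```php
<?php
// Added example: set the return page at form-render time and validate it at login time.

// In the template that shows the front-end login form.
function example_front_end_login_form() {
    // Assumption: rendered on a singular page/post; elsewhere fall back to the home page
    $back_here = is_singular() ? get_permalink() : home_url( '/' );
    wp_login_form( array(
        'redirect'     => $back_here,               // becomes the hidden redirect_to field
        'form_id'      => 'example-front-login',
        'label_log_in' => 'Log in',
        'remember'     => true,
    ) );
}

// Defence in depth: accept redirect_to, then the referrer, but only if it points at this site
// and not at wp-login.php; otherwise keep the default destination.
function example_login_redirect( $redirect_to, $requested_redirect_to, $user ) {
    $candidates = array( $requested_redirect_to, wp_get_referer() );
    foreach ( $candidates as $url ) {
        if ( empty( $url ) || strstr( $url, 'wp-login' ) ) {
            continue;
        }
        // core: returns $url only when its host is this site (or in allowed_redirect_hosts), else the default ''
        $safe = wp_validate_redirect( $url, '' );
        if ( $safe !== '' ) {
            return $safe;
        }
    }
    return $redirect_to;
}
add_filter( 'login_redirect', 'example_login_redirect', 10, 3 );

// Behaviour on constructed inputs (site at https://example.com):
//   redirect_to = https://example.com/members/   -> returned as is
//   redirect_to = https://evil.example.net/       -> rejected, falls through to the referrer or default
//   redirect_to = https://example.com/wp-login.php -> skipped, same fallback
```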

redirect to homepage after logout

Speaks for itself.

// redirect to homepage after logout (named closure: the original used create_function(), which PHP 8 removed)
add_action( 'wp_logout', function () { wp_safe_redirect( home_url() ); exit; } );
