Secure WordPress

Add a Good Security Point With 3 Hooks


After WordCamp Paris 2014, I'm back to share a tip based on a simple fact: a few WordPress options are worth forcing to fixed values, because left editable they can be turned against you:

Force the admin email address

Force this value to a hardcoded one and you can be sure to always receive the important emails WordPress sends to the site administrator, whatever is stored in the database.

Force registration to stay closed

Same idea: if I leave the "Anyone can register" option unchecked, it is because my website does not and will not accept members, so the option should not be able to become checked behind my back.

Force the default new user role

Honestly, between us, who will ever use "Administrator" as the default role for new users? I don't even understand why this choice is possible. So I set it to "Subscriber", and if I want one of my members to become an Administrator, I'll do it manually.

For all of that, a simple piece of code with 3 hooks:

Copy/paste this code into a PHP file of yours, then put it in the "/wp-content/mu-plugins" folder (create it if it doesn't exist). Files in that folder are loaded automatically and cannot be deactivated from the admin screens, which is exactly what we want here. Do not forget to change the default URL in the plugin.

(Code embedded from GitHub Gist 8499149, in PHP.)
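As an added example (my own code, not the author's gist), here is a minimal mu-plugin that pins the three options using the `pre_option_{$option}` filter. WordPress evaluates that filter inside `get_option()` before it touches the database: when the filter returns anything other than `false`, that value is used and the stored row is ignored. The plugin name, the `fco_` prefix and the three values are assumptions; replace them with your own. The last block goes one step beyond the post's 3 hooks by also neutralising writes with `pre_update_option_{$option}`, so the database row is not silently rewritten either.

```php
<?php
/**
 * Plugin Name: Force Critical Options (example)
 * Description: Pins admin_email, users_can_register and default_role to hardcoded values.
 *
 * Drop this file into wp-content/mu-plugins/. Hypothetical values below:
 * change them before deploying.
 */

// Option name => value that get_option() must always return.
$fco_forced_options = array(
    'admin_email'        => 'admin@example.com', // assumption: your real address here
    'users_can_register' => 0,                   // 0 = "Anyone can register" unchecked
    'default_role'       => 'subscriber',        // never "administrator"
);

foreach ( $fco_forced_options as $fco_option => $fco_value ) {

    // get_option() runs this filter first; a non-false return short-circuits
    // the database read, so a tampered row is never seen by WordPress.
    // Note: 0 is returned as an integer, and WordPress compares with
    // "false !== $pre", so 0 still counts as an override.
    add_filter(
        "pre_option_{$fco_option}",
        function () use ( $fco_value ) {
            return $fco_value;
        }
    );

    // Beyond the post's 3 hooks: make update_option() store the old value
    // instead of the attacker's one, so the row itself stays unchanged.
    // Arguments are ( $new_value, $old_value ); returning $old_value keeps it.
    add_filter(
        "pre_update_option_{$fco_option}",
        function ( $new_value, $old_value ) {
            return $old_value;
        },
        10,
        2
    );
}
```

To check it is active, run `wp option get admin_email` (or `wp option get users_can_register`) with WP-CLI from the site root: it goes through `get_option()` and must print your hardcoded value, not what is in the `wp_options` table. Keep in mind that the Settings screens will now show the forced values and any change made there has no effect, which is the intended behaviour.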

Malicious, how?

What if, for example, you or your clients have a theme that contains a security flaw, one that boils down to "whatever the option, I can update it"? (I have already seen this.) The flaw lets a plain user modify any WP option! The attacker can then change the options as he needs, such as the 3 above: redirect the admin emails (password resets included) to his own address, open registration, and give every new account the Administrator role.

I count on you to put this tip in place!