GoSecure wrote up a new PHP exploitation technique using the default OPcache engine from PHP 7. Using this attack vector, it’s possible to bypass certain hardening techniques that disallow file write access in the web directory.
To regularly optimize my WordPress database tables, I created a small plugin that utilizes the WordPress Cron feature. This comes in handy to perform database optimization for WordPress on a regular basis, without forgetting about it. Just activate and enjoy. And here is the plugin code.
Webapps occasionally need to create tokens that are hard to guess, for example session tokens, CSRF tokens, or the token mailed to you by forgot-password functionality to reset your password. These tokens should be cryptographically secure, but are often made by calling rand() multiple times and transforming the output to a string. This post will explore how hard it is to predict a token made with rand().
The WordPress WP-Super-Cache cache plugin doesn’t minify HTML cache files, which I find a …
In my WordPress multisite, I use one theme for three sites and a tracking …
This plugin adds a three second delay when logging into WordPress. This slows down brute-force attacks on your website. However, it is not recommended to use sleep(), because a heavy brute-force attack will let all those POST requests sleep for the given amount of time.
An important note for everyone who’s upgrading from PHP 5.4 and PHP 5.5 to PHP 5.6: the PHP default_charset in php.ini changed from “empty” to UTF-8, often breaking sites after upgrading from PHP 5.4 and PHP 5.5 to PHP 5.6. UTF-8 encoding also breaks when upgrading PHP 5.6 to PHP 7.0. Fix it in PHP with ini_set( 'default_charset', '' ); or in your php.ini with default_charset = "".
When the WordPress comment option is abused by spammers, it becomes a real pain in the “@ss”. With thousands of spam reactions, disabling -and removing- WordPress comments is the only way to go. Here is how to disable WordPress comments in both the WordPress Dashboard interface and in your MySQL database. As a bonus, I show you how to re-enable comments too!
Joomla websites using the Googlemaps plugin for Joomla are actively abused as an open proxy for launching Denial-of-Service (DoS) attacks. The problem with the Joomla Googlemaps plugin lies in the fact that anyone can make it execute cURL HTTP requests to remote websites.
Sometimes you may want to display commas in tag names, for example if you have a business directory listing and want to create one single taxonomy term (tag name) “cafe, restaurant, bar”. This post shows you how to create a filter in your functions.php file to display WordPress tags with a comma, enjoy!
Remote Code Execution (RCE) in PHP mail(): if you are able to control the 5th parameter of the mail() function ($options), you have the opportunity to execute arbitrary commands.
Since a week or so, I have noticed a huge increase in SQL injection attacks on various websites. Anyone else seeing the same SQL injection attacks lately? This increased SQL injection activity – on various websites and databases – has the following characteristics
How to configure TLS for SMTP email in WordPress. I was surprised WordPress is …