WordPress

Write-up: Initial Access Pot

“We sell hundreds of DeceptiPots to the world every month, but we don’t even use them in our network. Show me the value of our product, test it well, and schedule the demo. Deadline – next Monday!”

This is the task Emily Ross received from the company CEO. As a newly hired junior IT personnel at DeceptiTech, Emily didn’t really know what to do but still decided to prepare for the demo: Configure DeceptiPot to replicate a corporate WordPress blog, deploy the machine in the corporate DMZ, expose it to the Internet, and see what it captures over the weekend. Little did she know, threat actors around the globe enjoyed testing the DeceptiPot, too! Can you find out how the attack on DeceptiTech started?

How to Emulate a Request in WP CLI Shell

This post explains how to emulate a real request in a WP CLI shell so that all global variables are populated correctly — the same way as if you requested that URL in the browser.

How to Conditionally Disable Object Cache Drop-in

A site has one primary domain name and several secondary names. It also uses an object cache drop-in. Site administrators use only the primary domain for posting. All the administrative operations trigger cache updates only for the primary domain; the mirrors on the secondary domains show stale data. Site owners somehow needed to disable the object cache for all domains except the primary one.

This post shows a way to selectively disable the object cache drop-in.

How to Add a Content-Hash Suffix to Uploaded Files in WordPress

This post shows how to modify the name of the uploaded file while WordPress processes the upload. Renaming may be helpful if you need to implement cache-busting or, say, change the file’s name so that it matches the slug of the parent post.

How to Implement Revisions for Non-Standard Custom Post Types in WordPress

Post revisions do not work out of the box for custom post types which do not support the “title” and “editor” features. This post provides the necessary steps and code samples to make post revisions work for such post types.

Ryte Indexability Check and Cloudflare’s Bot Fight Mode

Ryte indexability check and Cloudflare’s Bot Fight Mode are not compatible. You have to disable either the Bot fight mode or Ryte integration.

How to Improve Performance of Sitemap Generation in WordPress

This article provides a simple trick to reduce the load on the server when generating a sitemap. We do this by disabling all widget-related code if the current request targets the sitemap or its stylesheet. The trick is compatible with many existing plugins.

How to Increase per_page Limit in WordPress REST API

Because large queries can hurt site performance, WordPress caps `per_page` REST parameter at 100 records. However, there are situations when you need to override this value. Luckily, this is easy to do, and this post explains how to do that.

WordPress: How to Disable BrowseHappy

When you go to the Dashboard of your WordPress site, WordPress checks whether your browser is up-to-date, and displays a notice if it is not. However, the browser check is performed by an external site. WP sends such data as: visitor’s user agent string, WordPress version, and the URL of the blog (and, implicitly, its IP address). Unfortunately, there is no way to opt out of that in the Dashboard. Luckily, there is a solution.

How to Restrict Access to User REST API in WordPress

By default, WordPress allows an unauthenticated user to view the list of the registered users with the help of the REST API. But, for example, to view the list of the users in the Dashboard, the user needs to have `list_users` capability (that is, be an Administrator). While the REST API does not expose sensitive information (such as emails) to unauthenticated users, it may be desirable to restrict `users` endpoint form unauthenticated users.

« Previous