WordPress Security Fixes
<?php
/**
 * Hardening helpers for a WordPress site.
 *
 * Strips version and author disclosure from responses, disables the
 * remote-publishing endpoints (XML-RPC, pingbacks, RSD/WLW discovery),
 * and limits anonymous use of the REST API. Meant to be loaded by
 * WordPress itself, never requested as a standalone URL.
 */

// ABSPATH is only defined once the WordPress bootstrap has run, so a
// direct HTTP request for this file stops here instead of executing.
if ( ! defined( 'ABSPATH' ) ) {
    die( 'No direct script access allowed' );
}
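/*
 * All hardening is registered on `init`: by then the authentication layer is
 * usable (is_user_logged_in()) and no output has been emitted yet, which
 * header_remove() requires.
 *
 * Fixes relative to the earlier revision:
 *  - `' wp_head'` (leading space) never matched the real hook, so the
 *    adjacent-posts rel links were still printed.
 *  - `remove_author_from_oembed` is not a core WordPress hook; the oEmbed
 *    response is filtered through `oembed_response_data`.
 *  - `?author[]=1` reached preg_match() with an array, which is a TypeError
 *    on PHP 8; non-string values are now refused instead of crashing.
 *  - `xmlrpc_enabled` only covers methods that require authentication, so the
 *    unauthenticated `pingback.ping` method is removed explicitly as well.
 */
add_action( 'init', function ( ) {
    // Drop the headers PHP itself adds. A `Server` header set by the web
    // server is outside PHP's control and is NOT removed by this call; that
    // one has to be configured in nginx/Apache.
    header_remove( 'x-powered-by' );
    header_remove( 'server' );

    // Refuse incoming pingbacks/trackbacks on every post.
    add_filter( 'pings_open', '__return_false' );

    // Disable XML-RPC. The `xmlrpc_enabled` filter only gates methods that
    // need authentication, so also strip the pingback methods, which are
    // reachable without credentials.
    add_filter( 'xmlrpc_enabled', '__return_false' );
    add_filter( 'xmlrpc_methods', function ( $methods ) {
        unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
        return $methods;
    } );

    // Silence the e-mails sent after automatic plugin/theme updates.
    add_filter( 'auto_plugin_update_send_email', '__return_false' );
    add_filter( 'auto_theme_update_send_email', '__return_false' );

    // Blank login error text: the default wording differs for "unknown user"
    // and "wrong password", which lets an attacker confirm usernames.
    add_filter( 'login_errors', '__return_empty_string' );

    // Disable every feed endpoint. Priority 1 so the handler runs before the
    // core feed renderers on the same hooks.
    $feeds = array(
        'do_feed',
        'do_feed_rdf',
        'do_feed_rss',
        'do_feed_rss2',
        'do_feed_atom',
        'do_feed_rss2_comments',
        'do_feed_atom_comments',
    );
    foreach ( $feeds as $feed ) {
        add_action( $feed, function ( ) {
            wp_die( 'Feed has been disabled.' );
        }, 1 );
    }

    // Discovery / disclosure output in <head>. remove_action() is a no-op
    // for callbacks a given WordPress version no longer registers, so the
    // older entries in this list are harmless on current releases.
    remove_action( 'wp_head', 'feed_links', 2 );                    // post & comment feed links
    remove_action( 'wp_head', 'feed_links_extra', 3 );              // category/tag feed links
    remove_action( 'wp_head', 'rsd_link' );                         // Really Simple Discovery
    remove_action( 'wp_head', 'wlwmanifest_link' );                 // Windows Live Writer manifest
    remove_action( 'wp_head', 'wp_generator' );                     // WordPress version meta tag
    remove_action( 'wp_head', 'start_post_rel_link' );
    remove_action( 'wp_head', 'index_rel_link' );
    remove_action( 'wp_head', 'parent_post_rel_link', 10 );
    remove_action( 'wp_head', 'adjacent_posts_rel_link_wp_head', 10 );
    remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );    // oEmbed discovery
    remove_action( 'wp_head', 'rest_output_link_wp_head' );         // REST API <link>
    remove_action( 'template_redirect', 'rest_output_link_header', 11 ); // REST API Link: header
    remove_action( 'template_redirect', 'wp_shortlink_header', 11 );     // shortlink Link: header

    // Emoji support script/styles (only safe to drop if emojis are unused).
    remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
    remove_action( 'wp_print_styles', 'print_emoji_styles' );

    // Require a logged-in user for every REST request. This also closes the
    // anonymous /wp/v2/users listing. Any front-end feature that calls the
    // REST API without credentials (e.g. some form plugins) will stop working.
    add_filter( 'rest_authentication_errors', function ( $errors ) {
        // An earlier authentication error wins; do not mask it.
        if ( is_wp_error( $errors ) ) {
            return $errors;
        }
        if ( is_user_logged_in( ) ) {
            return $errors;
        }
        return new WP_Error(
            'rest_not_logged_in',
            'You are not currently logged in.',
            array( 'status' => 401 )
        );
    } );

    // Block author-ID enumeration (`?author=1` probing) for anonymous
    // visitors. Any digit in the value is rejected; so is any non-string
    // value, since preg_match() throws a TypeError on arrays under PHP 8.
    if ( isset( $_REQUEST['author'] ) && ! is_user_logged_in( ) ) {
        $author = $_REQUEST['author'];
        if ( ! is_string( $author ) || preg_match( '/\d/', $author ) ) {
            $shown = is_string( $author ) ? esc_html( $author ) : '[non-string value]';
            wp_die(
                'forbidden - number in author name not allowed = ' . $shown,
                'Forbidden',
                array( 'response' => 403 )
            );
        }
    }

    // Keep users out of the XML sitemaps (another enumeration source).
    add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
        if ( 'users' === $name ) {
            return false;
        }
        return $provider;
    }, 10, 2 );

    // Strip author details from oEmbed responses. `oembed_response_data` is
    // the core filter applied to the response array.
    add_filter( 'oembed_response_data', function ( $data ) {
        unset( $data['author_url'], $data['author_name'] );
        return $data;
    } );

    // Author archives answer 404 for everyone (including logged-in users).
    add_action( 'template_redirect', function ( ) {
        if ( is_author( ) || isset( $_GET['author'] ) ) {
            global $wp_query;
            $wp_query->set_404( );
            status_header( 404 );
            nocache_headers( );
        }
    } );

    // Themes get the plain display name instead of a link to the (now 404)
    // author archive. Escaped on output because get_the_author() returns the
    // raw display name, whereas the original link markup was already escaped.
    add_filter( 'the_author_posts_link', function ( $link ) {
        if ( ! is_admin( ) ) {
            return esc_html( get_the_author( ) );
        }
        return $link;
    } );
} );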