Category Archives: Web Security

How to Lock down xmlrpc.php in WordPress

This article explains how you can lockdown xmlrpc.php using .htaccess. The WordPress xmlrpc.php endpoint can be misused as an endpoint for brute force attacks. If you do not use xmlrpc.php for any integrations, you might as well disable it completely. Adding these lines to your .htaccess file will disallow access to the endpoint for everyone. Edit your public/.htaccess file and add Note: xmlrpc.php is required by some plugins,…

Read More

How to prevent XSS

In this section, we’ll describe some general principles for preventing cross-site scripting vulnerabilities and ways of using various common technologies for protecting against XSS attacks. Cross-site scripting prevention can generally be achieved via two layers of defense: Encode data on output Validate input on arrival Encode data on output Encoding should be applied directly before user-controllable data is written…

Read More

Dangling markup injection

In this section, we’ll explain dangling markup injection, how a typical exploit works, and how to prevent dangling markup attacks. What is a dangling markup injection? Dangling markup injection is a technique for capturing data cross-domain in situations where a full cross-site scripting attack isn’t possible. Suppose an application embeds attacker-controllable data into its responses…

Read More