Tag: tech-ref

When writing theme and plugin code, it is important to be mindful of how data coming into WordPress is handled and how it is presented to the end user. This is commonly needed when building a settings page for a theme, creating and manipulating shortcodes, or saving and rendering extra data associated with a post. There is a distinction between how input and output are managed.

By default, two-factor authentication is required for all administrators and custom roles with the manage_options capability on WordPress sites on the WPVIP Platform. All other users, no matter what role is assigned to them, are strongly encouraged to enable two-factor authentication for their WordPress accounts. Under no circumstances should a password-less authentication solution be implemented on a site (e.g., an IP address check, or a one-click login by email).

The primary vulnerability of note in JavaScript is Cross Site Scripting (XSS). In WordPress with PHP, best practice is to use escaping functions to avoid that, e.g. esc_html(), esc_attr(), esc_url(), etc.

Two-factor authentication (also known as multi-factor authentication and 2FA) is a method for securing user accounts. This method requires a user to know something (e.g. a password), and requires a user to possess something (e.g. their mobile device). Requiring multiple forms of verification is a basic way to protect sites against common account breaches due to leaked or guessed passwords. Two-factor authentication options are integrated with all WordPress sites on the VIP Platform.

Single Sign-On (SSO) for logging in to a WordPress site can be enabled using any identity provider (IdP) that supports Security Assertion Markup Language (SAML). Most IdPs can support SAML.