Interpreting a PHPCS report
PHP_CodeSniffer (PHPCS) scans that are run against WordPress application code return a report of any identified errors and warnings, categorized by severity.
By default, all WordPress multisite environments on the VIP Platform are configured with a subdirectory structure. The SUBDOMAIN_INSTALL constant is defined at platform level in wp-config.php with a default value of false. This value cannot be overridden, even by defining the constant differently in vip-config.php or with any other methods.
Data sync config files are necessary for running a data sync from a WordPress multisite production environment to a non-production environment. The values added to a data sync config file determine the search and replace operations that occur for the domain values of each network site in the synced database.
Custom code added to client-sunrise.php can enable a network site to be accessible from more than one URL, or for a domain to serve a specific part of a site.
When developing for a WordPress multisite, it is often necessary to load some custom code very early in the WordPress application’s loading sequence, for example custom domain mapping functionality.
When writing theme and plugin code, it is important to be mindful of how data coming into WordPress is handled and how it is presented to the end user. This is commonly needed when building a settings page for a theme, creating and manipulating shortcodes, or saving and rendering extra data associated with a post. There is a distinction between how input and output are managed.
By default, two-factor authentication is required for all administrators and custom roles with the manage_options capability on WordPress sites on the WPVIP Platform. All other users, no matter what role is assigned to them, are strongly encouraged to enable two-factor authentication for their WordPress accounts. Under no circumstances should a password-less authentication solution be implemented on a site (e.g., an IP address check, or a one-click login by email).
The primary vulnerability of note in JavaScript is Cross Site Scripting (XSS). In WordPress with PHP, best practice is to use escaping functions to avoid that, e.g. esc_html(), esc_attr(), esc_url(), etc.
Two-factor authentication (also known as multi-factor authentication and 2FA) is a method for securing user accounts. This method requires a user to know something (e.g. a password), and requires a user to possess something (e.g. their mobile device). Requiring multiple forms of verification is a basic way to protect sites against common account breaches due to leaked or guessed passwords. Two-factor authentication options are integrated with all WordPress sites on the VIP Platform.
Single Sign-On (SSO) for logging in to a WordPress site can be enabled using any identity provider (IdP) that supports Security Assertion Markup Language (SAML). Most IdPs can support SAML.