Security Archives - Tweaks WP

Sanitize input vs escape output WordPress XSS prevention split layout

How to Prevent XSS in WordPress: Sanitization and Escaping Functions Guide

Maps every WordPress esc_*, wp_kses_*, and sanitize_* function to its exact context, with the 'sanitize on input, escape on output' rule that eliminates XSS.

Varun Dubey · May 23, 2026 · 10 min read

WordPress SSL TLS 1.3 handshake timeline with OCSP stapling and HTTP/2

Performance

WordPress SSL/TLS Performance: OCSP Stapling, TLS 1.3, and HTTP/2 Setup

WordPress SSL/TLS performance guide covering OCSP stapling, TLS 1.3 cipher config, session resumption, HTTP/2 setup, FORCE_SSL_ADMIN, mixed content fixes, and Cloudflare Full Strict mode.

Varun Dubey · May 23, 2026 · 10 min read

WordPress htaccess optimization config snippet with Gzip and browser caching

Performance

WordPress .htaccess Optimization: Gzip, Browser Caching, and Security Rules

WordPress .htaccess optimization covering Gzip compression with mod_deflate, browser caching via mod_expires, ETag removal, security rules, hotlink protection, and XML-RPC blocking.

Varun Dubey · May 23, 2026 · 10 min read

WordPress malware cleanup recovery checklist in terminal style

How To

WordPress Malware Cleanup: Developer’s Step-by-Step Recovery Checklist

Step-by-step WordPress malware cleanup checklist covering core file verification, database injection scans, hidden admin detection, cron backdoors, and post-cleanup hardening.

Varun Dubey · May 23, 2026 · 10 min read

WordPress SQL injection prevention with wpdb prepare placeholder code example

How To

WordPress SQL Injection Prevention: $wpdb->prepare() Deep Dive

Every WordPress database query that concatenates user input without $wpdb->prepare() is a ticking time bomb. This guide covers every prepare() pattern in production code.

Varun Dubey · May 23, 2026 · 10 min read

WordPress passkeys and session management feature image

Security

Beyond Passwords: Setting Up Passkeys and Session Management for Multi-User WordPress Sites

Learn how to set up passkeys and session management for multi-user WordPress sites, reduce password risk, and improve account security with practical controls.

Shashank Dubey · May 11, 2026 · 10 min read

Security

Implementing Content Security Policy (CSP) to Stop XSS and Data Exfiltration in WordPress

Learn how to implement Content Security Policy in WordPress step by step to reduce XSS risk, lock down script sources, and limit browser-side data exfiltration.

Shashank Dubey · May 11, 2026 · 10 min read

Security

AI-Driven Bots WordPress: Automated Security Responses

Learn how to defend WordPress against AI-driven bots with automated security responses, rate limiting, bot scoring, challenges, and layered blocking strategies.

Shashank Dubey · May 11, 2026 · 10 min read

WordPress file permissions chmod guide showing correct values: 400 for wp-config.php, 755 for directories, 644 for files, 444 for .htaccess

How To

Correct File Permissions for WordPress: chmod Guide for Every File and Folder

Set correct chmod values for wp-config.php, directories, files, uploads, and .htaccess. Includes one-liner fix commands and wp-config.php constants.

Varun Dubey · April 30, 2026 · 10 min read

Dark developer-themed featured image showing PHP code for disabling XML-RPC and blocking REST API user enumeration in WordPress

Backup and Security

How to Disable XML-RPC and Block REST API User Enumeration in WordPress

Disable XML-RPC, block REST API user enumeration, and stop ?author= redirects with exact PHP hooks, Apache/.htaccess, and Nginx config examples.

Varun Dubey · April 30, 2026 · 10 min read

WordPress login security hardening: rate limiting with transients, custom login URL via rewrite rules, and brute force protection code diagram on dark developer background

Backup and Security

WordPress Login Security: Rate Limiting, Custom URL, and Brute Force Protection

Harden WordPress login with PHP rate limiting via transients, a custom login URL using rewrite rules, Application Password controls, and TOTP 2FA. No plugins required.

Varun Dubey · April 30, 2026 · 10 min read

Banner for Wordfence April 2026 Perfmatters Ninja Forms MW WP Form CVE

Security

Wordfence Weekly: 450K WordPress Sites at Risk (Perfmatters, Ninja Forms, MW WP Form)

Three major WordPress plugin vulnerabilities disclosed in early April 2026, Perfmatters (200K sites), Ninja Forms File Upload (50K sites), and MW WP Form (200K sites). What each vulnerability does, whether your site is affected, and the patched version numbers.

Varun Dubey · April 14, 2026 · 10 min read

Category: Security

How to Prevent XSS in WordPress: Sanitization and Escaping Functions Guide

WordPress SSL/TLS Performance: OCSP Stapling, TLS 1.3, and HTTP/2 Setup

WordPress .htaccess Optimization: Gzip, Browser Caching, and Security Rules

WordPress Malware Cleanup: Developer’s Step-by-Step Recovery Checklist

WordPress SQL Injection Prevention: $wpdb->prepare() Deep Dive

Beyond Passwords: Setting Up Passkeys and Session Management for Multi-User WordPress Sites

Implementing Content Security Policy (CSP) to Stop XSS and Data Exfiltration in WordPress

AI-Driven Bots WordPress: Automated Security Responses

Correct File Permissions for WordPress: chmod Guide for Every File and Folder

How to Disable XML-RPC and Block REST API User Enumeration in WordPress

WordPress Login Security: Rate Limiting, Custom URL, and Brute Force Protection

Wordfence Weekly: 450K WordPress Sites at Risk (Perfmatters, Ninja Forms, MW WP Form)