Preventing Clickjacking on WordPress Sites

WordPress already sends the X-FRAME-OPTIONS header for wp-login.php and the Admin Panels in order to prevent clickjacking, but it doesn’t send it on the front end because that could interfere with remote services that legitimately frame parts of a site. That’s only relevant for a small number of pages, though, so I’ve added a snippet to my functionality plugin skeleton […]

Continue reading...

WordPress.tv Developer Presentation Roundup

I’m one of the mentors for WordPress’ SupportPress project in this year’s Google Summer of Code, and I wanted to put together a list of WordPress.tv videos to help introduce Varun to the WordPress community and some development best practices. I figured it’d be good to save it for future reference, so I’m also posting […]

Continue reading...

PayPal Security Sucks; or, Why Two Factor Authentication is Worthless Without Strong Account Recovery Policies

Even though two-factor authentication isn’t the silver bullet many make it out to be, I’m still a big fan of it and think that it should be offered by any web service that wants to be taken seriously. It’s completely pointless, though, if the service doesn’t also have strong account recovery policies, or if their customer support […]

Continue reading...