DEV Community: Md.ismail

What I Learned About Enterprise WordPress Security

Md.ismail — Wed, 11 Mar 2026 04:44:16 +0000

Security in WordPress Is Mostly About the Ecosystem

One of the most important realizations is that WordPress core itself is rarely the problem.

Most real-world compromises come from:

vulnerable plugins
poorly written themes
outdated dependencies
insecure configuration

The platform itself has a strong security process, but the plugin ecosystem dramatically increases the attack surface.

For anyone building plugins or reviewing code, this is an important perspective.

Understanding the Attacker Mindset

A lot of WordPress security issues map directly to common web vulnerabilities.

Some of the most relevant ones include:

Cross-Site Scripting (XSS)
SQL Injection
Broken Access Control
Security Misconfiguration
Vulnerable and outdated components

Learning these patterns helps you recognize vulnerabilities faster when reviewing code.

XSS Is Still One of the Most Common Issues

Cross-Site Scripting appears frequently in WordPress plugins.

It typically happens when user input is displayed without proper escaping.

Example of a risky pattern:

echo $_GET['name'];

If this value is not escaped, an attacker could inject JavaScript.

WordPress provides helper functions specifically to prevent this:

esc_html()
esc_attr()
sanitize_text_field()
wp_kses()

A simple rule that helps a lot:

Sanitize input and escape output.

SQL Injection Is Preventable With Proper APIs

Another common vulnerability is SQL injection.

This usually happens when raw user input is placed inside SQL queries.

Example of unsafe code:

$query = "SELECT * FROM users WHERE id=$id";

WordPress provides a safe alternative using prepared statements:

$wpdb->prepare()

Using the built-in database APIs significantly reduces this risk.

Access Control Is Easy to Get Wrong

Many vulnerabilities are not technical bugs but logic problems.

For example:

users accessing actions they shouldn't
contributors performing admin actions
privilege escalation

WordPress solves this using roles and capabilities, but developers must check permissions correctly.

A useful concept here is the principle of least privilege.

Users should only have the permissions that they actually need.

Configuration Is Part of Security

Even well-written code can become vulnerable if the environment is misconfigured.

Some common areas that need attention include:

protecting wp-config.php
using secure file permissions
disabling unnecessary features
enforcing HTTPS
restricting server access

Security is not just about code — it also depends heavily on infrastructure and deployment practices.

Outdated Components Are a Major Risk

A large number of compromises happen simply because software is outdated.

Plugins and themes introduce additional code and dependencies, which means more potential vulnerabilities.

Good practices include:

removing unused plugins
updating dependencies regularly
monitoring vulnerability disclosures
reviewing third-party code before using it

Keeping the environment clean and updated reduces a large part of the attack surface.

Server-Side Request Forgery (SSRF) Is Often Overlooked

Another interesting vulnerability is Server-Side Request Forgery.

This occurs when an application allows users to control URLs that the server fetches.

Example pattern:

site.com/fetch?url=http://example.com

If not validated properly, attackers might be able to:

access internal services
interact with cloud metadata endpoints
retrieve sensitive data

Validating URLs and restricting outbound requests can help prevent this.

Monitoring and Logging Are Essential

Security does not end after deployment.

Monitoring activity is critical for detecting issues early.

Useful things to log include:

login attempts
admin actions
API requests
server events

Logs are often the only way to understand what happened during a security incident.

Security Is Also About Recovery

Another important takeaway is that incidents will eventually happen.

The goal is not only prevention but also fast recovery.

Some practices that help:

regular backups
incident response plans
recovery testing
clear monitoring alerts

Preparation makes a big difference when something goes wrong.

Key Takeaways

Some of the most important lessons:

Most WordPress vulnerabilities come from plugins and configuration issues.
Secure coding practices prevent many common attacks.
Proper permission checks are critical.
Keeping software updated reduces risk significantly.
Monitoring and logging help detect problems early.
Recovery planning is just as important as prevention.

Security in WordPress is not just about a single tool or plugin.

It is about combining good coding practices, proper configuration, continuous monitoring, and careful dependency management.

# Uptime Kuma: The Ultimate Self-Hosted Uptime Monitoring Tool

Md.ismail — Sun, 18 May 2025 03:47:54 +0000

Uptime Kuma: The Ultimate Self-Hosted Uptime Monitoring Tool

Uptime Kuma is a powerful, open-source, self-hosted uptime monitoring tool. With its modern UI, extensive feature set, and the ability to run on your own server, it's a great alternative to SaaS tools like UptimeRobot, Better Uptime, and Pingdom.

🚀 What is Uptime Kuma?

Uptime Kuma is a self-hosted monitoring tool that lets you:

Track website and service uptime/downtime
Receive instant alerts through 78+ notification integrations
Share public status pages
Monitor internal and external services
Retain full control over your data (no third-party involvement)

🔧 Key Features

✅ Monitoring Types

HTTP(s) (with keyword or JSON response checks)
TCP Ports
Ping (ICMP)
DNS Records
Push Monitoring (via unique URLs)
Steam Game Servers
Docker Container Health Checks

📊 Dashboards and UI

Live status overview
Uptime percentages
Historical response time charts
SSL info & expiration warnings
Multi-language support
Two-Factor Authentication (2FA)

🔔 Notifications & Alerts

Supports over 78 services via Apprise, including:

Email (SMTP)
Telegram
Slack
Discord
Gotify
Microsoft Teams
AWS SNS
Webhooks

📢 Public Status Pages

Share status with clients or stakeholders
Multiple pages with custom domains
Password-protection optional

📈 Metrics & API

Prometheus-compatible /metrics endpoint
WebSocket/GraphQL API (unofficial)
Environment variable configuration
Cloudflare Tunnel (secure remote access)

🔐 Security & Customization

Local user accounts
2FA support
Proxy support
Frame embedding support (optional)

🧰 Use Cases

👨‍💻 Developers

Monitor staging and production environments
Catch deployment issues with push monitors
Integrate with CI/CD tools

🧑‍🔬 System Administrators

Monitor internal services (NAS, DB, mail servers)
Get alerts before issues affect users
Use Docker or bare-metal deployments

🏠 Home Lab Enthusiasts

Monitor self-hosted services and smart devices
Track SSL cert expirations
Run on Raspberry Pi or low-resource VPS

🏢 Small Businesses

Monitor public websites and apps affordably
Share public status pages
Avoid vendor lock-in

🏢 Enterprises

Monitor services not exposed to public internet
Integrate with existing internal tools
Use Prometheus/Grafana for central metrics

⚙️ Self-Hosting & Deployment

Docker (Recommended)

docker run -d --restart=always \\
  -p 3001:3001 \\
  -v uptime-kuma:/app/data \\
  --name uptime-kuma louislam/uptime-kuma:1

Manual (Node.js + npm)

git clone https://github.com/louislam/uptime-kuma.git
cd uptime-kuma
npm run setup
node server/server.js

Backup & Persistence

Use volume mounts or set DATA_DIR
Backup kuma.db (SQLite file)
Optionally use Litestream to sync to S3

Reverse Proxy & SSL

Run behind NGINX or Traefik
Use Let's Encrypt for SSL
Configure SSL_CERT and SSL_KEY env variables

🔍 Feature Comparison

Feature	Uptime Kuma	UptimeRobot (Free)	Better Uptime (Free)	Pingdom (Paid)	StatusCake (Free)
Hosting	Self-hosted	SaaS	SaaS	SaaS	SaaS
Monitors	Unlimited	50 @ 5 min	10 @ 3 min	Unlimited	10 @ 5 min
Min Check Interval	20 sec	5 min	30 sec (Paid)	1 min	1 min (Paid)
Alert Channels	78+ (Apprise)	Email, SMS, Slack	Email, Call, Slack	Email, Webhook	Email, Slack
Public Status Pages	Yes	Yes	Yes	Yes	Yes
Global Checks	No	Yes	Yes	Yes	Yes
SSL Monitoring	Yes	Yes	Yes	Yes	Yes
Transaction Checks	No	Limited	Yes	Yes	No

💡 Tips for Production Use

Set up SSL & 2FA for security
Backup kuma.db or use Litestream for auto backups
Use Docker + --restart=always for reliability
Restrict access to the dashboard (e.g. VPN, IP allowlist)

📦 Useful Links

GitHub: https://github.com/louislam/uptime-kuma
DockerHub: https://hub.docker.com/r/louislam/uptime-kuma
Apprise Notification Library: https://github.com/caronc/apprise

🙌 Final Thoughts

Uptime Kuma is a powerful, customizable, and cost-effective alternative to commercial uptime monitoring tools. Whether you’re an individual developer, small business, or enterprise team, its extensive features and self-hosting model make it a go-to solution for reliable monitoring.

Try it today, and take back control of your monitoring!

Written by a tech enthusiast who loves self-hosted tools. If you found this useful, consider sharing or leaving feedback!

🚀 Getting Started with WordPress Plugin Development: Custom Plugin Folder, Action Hooks, Menus And Views

Md.ismail — Thu, 03 Oct 2024 09:03:49 +0000

WordPress plugins are a great way to extend your site's functionality, and keeping your code organized makes future maintenance easier. In this guide, we'll go through creating a custom WordPress plugin with menus and submenus that render views from separate files in a clean, organized way.

1. Setting Up Your Custom Plugin Folder and Files

First, you'll need to set up the file structure. Navigate to your WordPress installation's wp-content/plugins/ directory and create a folder for your plugin, such as my-custom-plugin.

Inside this folder, create your main plugin file, for example, my-custom-plugin.php.

2. Recognizing the Plugin with Header Comments

At the top of your my-custom-plugin.php file, add the plugin's metadata. This is how WordPress recognizes your plugin:

<?php
/**
 * Plugin Name: My Custom Plugin
 * Plugin URI: https://example.com/
 * Description: A custom plugin to demonstrate how to render views from separate files.
 * Version: 1.0
 * Author: Your Name
 * Author URI: https://yourwebsite.com/
 */

3. Adding Menus and Submenus with Action Hooks

Next, we’ll add custom menus to the WordPress dashboard using action hooks.

Adding a Menu:

add_action('admin_menu', 'my_custom_plugin_menu');

function my_custom_plugin_menu() {
    add_menu_page(
        'My Custom Plugin',       // Page title
        'Custom Plugin',          // Menu title
        'manage_options',         // Capability
        'my-custom-plugin',       // Menu slug
        'my_custom_plugin_page',  // Callback function
        '',                       // Icon URL
        6                         // Position
    );
}

Adding a Submenu:

add_action('admin_menu', 'my_custom_plugin_submenu');

function my_custom_plugin_submenu() {
    add_submenu_page(
        'my-custom-plugin',        // Parent slug
        'Submenu Title',           // Page title
        'Submenu',                 // Menu title
        'manage_options',          // Capability
        'my-custom-plugin-submenu',// Menu slug
        'my_custom_submenu_page'   // Callback function
    );
}

4. Creating Views in Separate Files

To keep things clean, we'll store the content of each menu and submenu in separate PHP files in a views folder.

Step 1: Create the views Folder
In the my-custom-plugin directory, create a folder called views. Inside that folder, create two files:

main-menu-view.php
submenu-view.php
Step 2: Add Content to the View Files
In views/main-menu-view.php, add the content you want to display on the main plugin page:

<h1>Welcome to My Custom Plugin</h1>
<p>This is the main page of your plugin, loaded from the views folder.</p>
In views/submenu-view.php, add content for the submenu page:

php
Copy code
<div class="wrap">
    <h2>Submenu Page</h2>
    <form method="post" action="options.php">
        <?php
            settings_fields('my_custom_plugin_options_group');
            do_settings_sections('my_custom_plugin');
            submit_button();
        ?>
    </form>
</div>

Step 3: Load the View Files in Callback Functions
In your my-custom-plugin.php file, modify the callback functions to include these view files when rendering the content:

function my_custom_plugin_page() {
    include plugin_dir_path(__FILE__) . 'views/main-menu-view.php';
}

function my_custom_submenu_page() {
    include plugin_dir_path(__FILE__) . 'views/submenu-view.php';
}

Step 4: How This Works
plugin_dir_path(__FILE__): This function returns the path to your plugin directory, making it easy to include files from anywhere within your plugin.
include: This is used to pull in the content from your views folder into the menu and submenu pages.
Now, when you access the custom menu or submenu in the WordPress admin dashboard, it will render the content from the views folder.

5. Summary

By keeping the views for your plugin's menus and submenus in separate files, you maintain a cleaner and more organized codebase. This approach not only helps with readability but also makes your plugin easier to maintain as it grows.

Give this method a try next time you develop a custom WordPress plugin—it will save you a lot of headaches down the line!

🚀 Selenium IDE: Remembering Our Automation Origins!

Md.ismail — Tue, 01 Oct 2024 05:58:07 +0000

🚀 Selenium IDE: Remembering Our Automation Origins!

If you’re looking for a quick way to automate browser tasks without writing code, Selenium IDE is the tool for you. It’s a browser extension that lets you record, edit, and run tests—perfect for quick validation or simple repetitive tasks.

A Brief History of Selenium IDE 📜

Originally developed in 2006 as a part of the Selenium project, Selenium IDE allowed users to automate browser tasks through simple record-and-playback functionality. It was instrumental in popularizing web testing, making automation accessible to testers and developers alike. Over the years, while its functionality has been somewhat eclipsed by the more versatile Selenium WebDriver, Selenium IDE remains a valuable tool for rapid test creation.

What Are People Using Now? 🤔

Today, many automation testers have shifted to Selenium WebDriver for its robust capabilities, allowing for more complex interactions and better integration with programming languages like Java, Python, and JavaScript. This shift is largely due to the need for flexibility, control, and scalability in automated testing, which WebDriver offers over the simpler IDE.

What Is Selenium IDE? 🤔

Selenium IDE is a Chrome and Firefox extension that allows you to:

Record your actions while browsing.
Replay those actions to automate repetitive tasks or tests.
Export tests into code if you want to extend them later (supports languages like Java, Python, and JavaScript).

How to Install Selenium IDE

Install it as a browser extension:
- Selenium IDE for Chrome
- Selenium IDE for Firefox
Click on the Selenium IDE icon in your toolbar to start using it.

Quick Example

Record a Test:
- Click "Record a new test", then visit a website and interact with it.
Stop & Run the Test:
- After recording, click "Stop" and "Play" to watch the automation run.

That’s it! You’ve just automated your first browser task.

Why Use Selenium IDE?

No coding needed: Great for non-developers.
Fast feedback: Useful for quick tests or prototyping.
Cross-browser support: Works on Chrome and Firefox.

Limitations

It’s best for simple tasks. For more complex scenarios, consider using Selenium WebDriver with a programming language.

Final Thoughts

Selenium IDE is a fantastic tool to get started with browser automation without much setup. It’s fast, easy, and perfect for basic tasks or quick testing. While it may not be the future of automation, it reminds us of how far we've come in making testing accessible to everyone.

PHP Data Types

Md.ismail — Thu, 26 Sep 2024 09:25:07 +0000

Integers

Integers represent whole numbers, both positive and negative, without any decimal points. PHP supports decimal, hexadecimal, octal, and binary integers.

Example:

$num1 = 42;    // Decimal
$num2 = 0x1A;  // Hexadecimal
$num3 = 0123;  // Octal
$num4 = 0b101; // Binary

PHP offers various operations for manipulating integers, like addition, subtraction, multiplication, and division. It also provides bitwise operations for binary integers.

Booleans

A Boolean represents a logical true or false value. It’s often used in conditions and control flow.

True evaluates to a value of 1, and False evaluates to an empty string or 0.
Example:

$isValid = true;
$isEmpty = false;

Booleans are often used with comparison operators (like ==, !=, ===) and logical operators (&&, ||, !).

Null

The null data type signifies the absence of a value. Any variable set to null has no value assigned.

Example:

$value = null;

Casting to null using unset() has been deprecated in PHP 7.2 and removed in PHP 8.0, meaning this practice should be avoided.

Float

Floating point numbers (floats) in PHP are used to represent real numbers, including numbers with decimals or in scientific notation.

Syntax:

$a = 1.234;     // Simple decimal
$b = 1.2e3;     // Scientific notation
$c = 7E-10;     // Small float in scientific notation
$d = 1_234.567; // Using underscores for readability (PHP 7.4+)

PHP’s floating point numbers are platform-dependent, but typically they follow the 64-bit IEEE format. This allows for a maximum value of approximately 1.8e308 with a precision of about 14 decimal digits.

Floating Point Precision Issues:
Floats have limited precision, For example:

floor((0.1 + 0.7) * 10); // Outputs 7 instead of 8
This occurs because numbers like 0.1 and 0.7 can't be precisely represented in binary, leading to small inaccuracies. Never rely on exact comparisons of floating point numbers; instead, use an epsilon value for comparison:

$a = 1.23456789;
$b = 1.23456780;
$epsilon = 0.00001;
if(abs($a - $b) < $epsilon) {
    echo "true";
}

Strings
A string is a sequence of characters used to store and manipulate text in PHP. Strings can be defined in several ways using single quotes (') or double quotes (").

Syntax:

$str1 = 'Hello, World!';  // Single-quoted string
$str2 = "Hello, $name!";  // Double-quoted string with variable interpolation

PHP supports heredoc and nowdoc for multiline strings.

Heredoc example:

$text = <<<EOD
This is a string
that spans multiple lines.
EOD;

Nowdoc example:

$text = <<<'EOD'
This is a nowdoc example.
EOD;

Common Operations:
Concatenation: . operator is used to concatenate two strings.

$fullName = $firstName . " " . $lastName;
String functions: strlen(), strpos(), substr(), etc.

Arrays

Arrays in PHP can store multiple values in a single variable and are one of the most versatile data types. PHP arrays can be indexed or associative.

Syntax:

// Indexed array
$arr = [1, 2, 3, 4];

// Associative array
$arrAssoc = ["name" => "John", "age" => 25];

Common Operations:
Adding elements:

$arr[] = 5; // Adds an element to the end of the array

Accessing elements:

echo $arr[0];          // Outputs: 1
echo $arrAssoc['name']; // Outputs: John

Array functions: count(), array_merge(), in_array(), array_pop(), etc.

Objects

Objects in PHP represent instances of user-defined classes. A class is a blueprint for creating objects with properties and methods.

Syntax:

class Person {
    public $name;
    public $age;

    public function __construct($name, $age) {
        $this->name = $name;
        $this->age = $age;
    }

    public function greet() {
        return "Hello, my name is " . $this->name;
    }
}

$person = new Person("John", 30);
echo $person->greet(); // Outputs: Hello, my name is John

Key Concepts:
Properties: Variables inside classes.
Methods: Functions inside classes.
$this: Refers to the current object instance.

Callable

A callable in PHP refers to any variable that can be called as a function. It can be a string containing a function name, an array with an object and method, or an anonymous function (closure).

Syntax:

function sayHello($name) {
    return "Hello, $name!";
}

$callable = 'sayHello';
echo $callable("World"); // Outputs: Hello, World!

Example of a Callable Array:

class Greeter {
    public function greet($name) {
        return "Hello, $name!";
    }
}

$greeter = new Greeter();
$callable = [$greeter, 'greet'];
echo call_user_func($callable, 'John'); // Outputs: Hello, John!

Anonymous Functions (Closures):

$callable = function($name) {
    return "Hi, $name!";
};
echo $callable("Jane"); // Outputs: Hi, Jane!

Resource

Resources are special variables that hold references to external resources, such as database connections or file handlers. These are not primitive data types but are pointers to external resources that PHP can interact with.

Syntax:

// File resource
$handle = fopen("file.txt", "r");

Resources are generally used with functions that return and manipulate them, like database connections (mysqli_connect()), image manipulation (imagecreatefromjpeg()), or file operations (fopen()).

Example:

$connection = mysqli_connect("localhost", "username", "password", "database");
if (!$connection) {
    die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully!";

Thank You....