First post, so please be gentle.
I’m trying to harden our WordPress setup and for that I’m implementing a somewhat strict CSP. I wrote an mu-plugin that generates a nonce once per request, adds it to an HTTP header, then intercepts all script, style and link tags coming out of script_loader_tag and style_loader_tag and adds the nonce to them. However, and despite seeing the nonce in every tag that should have one when I curl the wp-login and wp-admin pages, when I view them in the browser I see a few scripts without nonces. Most notably, the <link> tag that references load-styles.php (both wp-login and wp-admin) and the <script> tag calling load-scripts.php (only on wp-login, it has the nonce in wp-admin).
My CSP is as follows:
default-src 'self' https:;
script-src 'self' 'nonce-$nonce' 'strict-dynamic' https:;
style-src 'self' 'nonce-$nonce' https:;
font-src 'self' https:;
img-src 'self' https:;
frame-src 'self' https:;
worker-src 'self' blob:;
script-src-attr 'self';
style-src-attr 'self';
frame-ancestors 'none';
Am I just being too ambitious in my policy? Or is there something I can do? Preferably without having to modify WP core files and plugin files every time there is an update, of course.
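An added example, not part of the original post: a small checker that takes a response's CSP header value and HTML body, as saved from curl or from the browser's "view source", and lists every script, style and stylesheet-link tag whose nonce does not match the policy. The nonce value `abc123`, the sample markup and the function names are constructed for illustration; the "blocked" verdict for scripts relies on browsers that implement CSP Level 3, where 'strict-dynamic' makes host and scheme sources irrelevant for script-src.

```python
import re
from html.parser import HTMLParser

def policy_nonces(csp, directive):
    """Return (nonce values, has 'strict-dynamic') for one directive of a CSP value."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            nonces = {m.group(1) for t in tokens[1:]
                      if (m := re.fullmatch(r"'nonce-([^']+)'", t))}
            return nonces, "'strict-dynamic'" in tokens[1:]
    return set(), False

class NonceAudit(HTMLParser):
    def __init__(self, csp):
        super().__init__()
        self.script_nonces, self.strict = policy_nonces(csp, "script-src")
        self.style_nonces, _ = policy_nonces(csp, "style-src")
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "script":
            allowed = self.script_nonces
        elif tag == "style" or (tag == "link" and "stylesheet" in rel):
            allowed = self.style_nonces
        else:
            return
        if a.get("nonce") in allowed:
            return
        # Inline elements have no URL to match, and 'strict-dynamic' makes the
        # browser ignore 'self' and https: for scripts: both cases are blocked.
        inline = tag == "style" or (tag == "script" and "src" not in a)
        blocked = inline or (tag == "script" and self.strict)
        target = a.get("src") or a.get("href") or "(inline)"
        self.findings.append((tag, target, "blocked" if blocked else "depends on source list"))

def audit(csp, html):
    parser = NonceAudit(csp)
    parser.feed(html)
    return parser.findings

# Constructed sample: the post's script-src/style-src with a made-up nonce and page.
CSP = "script-src 'self' 'nonce-abc123' 'strict-dynamic' https:; style-src 'self' 'nonce-abc123' https:"
HTML = ("<link rel='stylesheet' href='/wp-admin/load-styles.php?c=0'>"
        "<script src='/wp-admin/load-scripts.php?c=0'></script>"
        "<script nonce='abc123' src='/wp-includes/js/example.js'></script>"
        "<style nonce='abc123'>body{margin:0}</style>")
print(audit(CSP, HTML))
```

Running it on both the curl output and the page source saved from the browser shows whether the two responses really differ or whether only the developer-tools view does.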
It showed some forethought on WordPress’s part to have people have to explicitly install AND activate plugins before new code will enter the application. That’s good. But then why why why can PHP files be dropped into mu-plugin and execute on every page load without a whisper about it anywhere?
ANYWAY, it seemed to me like a great opportunity for AIOWPS to create a very simple dashboard widget informing users when there are files executing from this directory.
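An added example, not part of the original post and not AIOWPS code: a check that inventories what is auto-loaded from mu-plugins and compares it with a reviewed baseline, the kind of data such a widget would display. It assumes WordPress core includes only top-level files whose names end in `.php` from that directory; the function names and the temporary directory standing in for wp-content/mu-plugins are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def loaded_mu_plugins(mu_dir):
    """Map file name -> SHA-256 for every file auto-loaded from mu_dir.

    Assumption: only top-level names ending in ".php" are included by core;
    PHP inside subdirectories runs only if one of these files includes it.
    """
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(mu_dir).iterdir())
            if p.is_file() and p.name.endswith(".php")}

def diff_against_baseline(mu_dir, baseline):
    """Compare the directory with a reviewed baseline ({name: sha256})."""
    current = loaded_mu_plugins(mu_dir)
    return {
        "unexpected": sorted(set(current) - set(baseline)),
        "modified": sorted(n for n in current.keys() & baseline.keys()
                           if current[n] != baseline[n]),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed sample: a temp directory standing in for wp-content/mu-plugins."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "csp-nonce.php").write_text("<?php // reviewed\n")
        (root / "cache.php").write_text("<?php // reviewed\n")
        (root / "lib").mkdir()
        (root / "lib" / "helper.php").write_text("<?php\n")   # not auto-loaded
        baseline = loaded_mu_plugins(root)                     # snapshot after review
        (root / "cache.php").write_text("<?php // edited\n")  # changed after review
        (root / "dropped.php").write_text("<?php\n")          # file added later
        (root / "csp-nonce.php").unlink()                      # file removed later
        return diff_against_baseline(root, baseline)

if __name__ == "__main__":
    print(demo())
```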
Deprecated: strpos(): Passing null to parameter #1 ($haystack) of type string is deprecated in /home4/xoxoang/public_html/wp-includes/functions.php on line 7241
Deprecated: str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in /home4/xoxoang/public_html/wp-includes/functions.php on line 2187
Deprecated: strpos(): Passing null to parameter #1 ($haystack) of type string is deprecated in /home4/xoxoang/public_html/wp-includes/functions.php on line 7241
Deprecated: str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in /home4/xoxoang/public_html/wp-includes/functions.php on line 2187
Deprecated: strpos(): Passing null to parameter #1 ($haystack) of type string is deprecated in /home4/xoxoang/public_html/wp-includes/functions.php on line 7241
Deprecated: str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in /home4/xoxoang/public_html/wp-includes/functions.php on line 2187
Warning: Cannot modify header information - headers already sent by (output started at /home4/xoxoang/public_html/wp-includes/functions.php:7241) in /home4/xoxoang/public_html/wp-admin/includes/misc.php on line 1431
Warning: Cannot modify header information - headers already sent by (output started at /home4/xoxoang/public_html/wp-includes/functions.php:7241) in /home4/xoxoang/public_html/wp-includes/functions.php on line 7049
Warning: Cannot modify header information - headers already sent by (output started at /home4/xoxoang/public_html/wp-includes/functions.php:7241) in /home4/xoxoang/public_html/wp-admin/admin-header.php on line 9
Warning: Cannot modify header information - headers already sent by (output started at /home4/xoxoang/public_html/wp-includes/functions.php:7241) in /home4/xoxoang/public_html/wp-includes/option.php on line 1478
Warning: Cannot modify header information - headers already sent by (output started at /home4/xoxoang/public_html/wp-includes/functions.php:7241) in /home4/xoxoang/public_html/wp-includes/option.php on line 1479
When I logged into my website’s backend, I noticed it said this. I thought maybe it had something to do with the theme so I deactivated it and switched it to something else but that didn’t change anything. I am not all that smart with these kinds of things. The only thing I can think of is that I added a line to the end of my functions.php file in order to remove the “additional info” tab on my products which worked perfectly fine for a while now. I decided I would go back in and delete what I added, but it was already gone, like it erased itself back to its original state. Weird, but maybe that info is relevant to my issue? If anyone could help me please. I don’t have much, but I am willing to compensate a little something for your time if need be. Worst case I just redo my entire site from scratch and start over, which I don’t want to have to do – but I will. Everything seemed to be working fine and I don’t understand what happened. Thanks a bunch.
If you need more info such as logs etc let me know.
Deprecated: strpos(): Passing null to parameter #1 ($haystack) of type string is deprecated in /home4/xoxoang/public_html/wp-includes/functions.php on line 7241
Deprecated: str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in /home4/xoxoang/public_html/wp-includes/functions.php on line 2187
Deprecated: strpos(): Passing null to parameter #1 ($haystack) of type string is deprecated in /home4/xoxoang/public_html/wp-includes/functions.php on line 7241
Deprecated: str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in /home4/xoxoang/public_html/wp-includes/functions.php on line 2187
Deprecated: strpos(): Passing null to parameter #1 ($haystack) of type string is deprecated in /home4/xoxoang/public_html/wp-includes/functions.php on line 7241
Deprecated: str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in /home4/xoxoang/public_html/wp-includes/functions.php on line 2187
Warning: Cannot modify header information - headers already sent by (output started at /home4/xoxoang/public_html/wp-includes/functions.php:7241) in /home4/xoxoang/public_html/wp-admin/includes/misc.php on line 1431
Warning: Cannot modify header information - headers already sent by (output started at /home4/xoxoang/public_html/wp-includes/functions.php:7241) in /home4/xoxoang/public_html/wp-includes/functions.php on line 7049
Deprecated: str_replace(): Passing null to parameter #1 ($search) of type array|string is deprecated in /home4/xoxoang/public_html/wp-content/mu-plugins/endurance-page-cache.php on line 862
Deprecated: str_replace(): Passing null to parameter #1 ($search) of type array|string is deprecated in /home4/xoxoang/public_html/wp-content/mu-plugins/endurance-page-cache.php on line 862
Warning: Cannot modify header information - headers already sent by (output started at /home4/xoxoang/public_html/wp-includes/functions.php:7241) in /home4/xoxoang/public_html/wp-admin/admin-header.php on line 9
Warning: Cannot modify header information - headers already sent by (output started at /home4/xoxoang/public_html/wp-includes/functions.php:7241) in /home4/xoxoang/public_html/wp-includes/option.php on line 1478
Warning: Cannot modify header information - headers already sent by (output started at /home4/xoxoang/public_html/wp-includes/functions.php:7241) in /home4/xoxoang/public_html/wp-includes/option.php on line 1479
When I logged into my website’s backend, I noticed it said this. I thought maybe it had something to do with the theme so I deactivated it and switched it to something else but that didn’t change anything. I am not all that smart with these kinds of things. The only thing I can think of is that I added a line to the end of my functions.php file in order to remove the “additional info” tab on my products which worked perfectly fine for a while now. I decided I would go back in and delete what I added, but it was already gone, like it erased itself back to its original state. Weird, but maybe that info is relevant to my issue? If anyone could help me I am also willing to compensate. Worst case I just redo my entire site from scratch and start over, which I don’t want to have to do – but I will. Thanks a bunch.
add_filter( 'option_active_plugins', 'disable_specific_plugin' );
function disable_specific_plugin($plugins){ ………
to functions.php in /wp-content/mu-plugins/.
It works fine, I just wonder why this code is being executed so often. When for testing purposes I added some output, I noticed that depending on the page it’s being executed between 50 and 100 times. I would have expected it to be executed either once or once for each plugin. Is there an explanation for this (or maybe a way to avoid it and thus improve the performance of the site)? Thanks in advance.
I tried to override the template file through the mu-plugins and the filters but it is not working as it should.
How can I remove the nofollow attribute?
Thank you!
The forms don’t render in my website anymore and I don’t understand why. I deactivated the plugins installed recently to see if they were causing it but the issue persists.
If I add the form to the page through adding a “Form” block, I am able to select the form and apply, it displays “rendering” but it doesn’t show. When previewing the page the form isn’t there either.
The contact form, which you can find through the menu, has the same behavior.
Please help, this is quite urgent as people won’t be able to register nor contact me for the events.
Thanks
Rodrigo