View authenticator_valeries_add_exclude.php
* Plugin Name: Valéries Authenticator Plugin to exclude pages
* Plugin URI:
* Description: This plugin extends the Authenticator plugin to exclude pages from the .
* Author:
* Version: 2018-07-10
* Author URI:
* License: GPLv3+
* License URI: ./assets/license.txt
View stop-ip-comment-storing.php
<?php # -*- coding: utf-8 -*-
declare( strict_types = 1 );
* Plugin Name: Stop Save IP Adress on Comment
* Plugin URI:
* Description: Stop Storing IP Addresses with WordPress Comments.
* Version: 2018-05-25
* Author: Frank Bültge
* Author URI:
* License: MIT
View tampermonkey-xdebug-css-addon.js
// ==UserScript==
// @name xDebug Restyling
// @namespace localhost
// @version 0.1
// @description Restyling Xdebug output
// @author Frank Bueltge
// @match http://*localhost/*
// @grant none
// ==/UserScript==


Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.

Install via Composer

composer require --dev phan/phan

Note: the php-ast extension is required (sudo apt install php-ast).


View PortSwitch.php
<?php # -*- coding: utf-8 -*-
declare( strict_types = 1 );
* Plugin Name: Port Switch
* Plugin URI:
* Description: Port switch to get an workaround to use WordPress Multisite also without the default port 80.
* Version: dev
* Author: Frank Bültge
* Author URI:
* License: MIT
View plugin.php
class foo {
* Return sites of MU.
* $sites object
public function get_sites() {
$sites = get_sites();
View php.ini
;XAMPP Win example
;zend_extension = "c:\xampp\php\ext\php_xdebug32.dll"
;xdebug.trace_output_dir ="\xampp\tmp"
;Linux Path
xdebug.profiler_output_dir = /var/local/xdebug
xdebug.default_enable = 1
xdebug.profiler_enable = 0
View add-rel-nofollow-checkbox.php
* Add a 'Add rel="nofollow" to link' checkbox to the WordPress link editor
* @see
add_action( 'after_wp_tiny_mce', function(){

WordPress Plugin Security Testing Cheat Sheet

This cheat sheet was compiled by Dewhurst Security to record the knowledge gained when testing WordPress plugins for security issues for our clients. The security documentation provided by WordPress and found online for plugin security is sparse, outdated or unclear. This cheat sheet is intended for Penetration Testers who audit WordPress plugins or developers who wish to audit their own WordPress plugins.

This is a living document; feedback in the form of Issues or Pull Requests is very much welcome.

Cross-Site Scripting (XSS)


Keybase proof

I hereby claim:

  • I am bueltge on github.
  • I am bueltge on keybase.
  • I have a public key whose fingerprint is 5EA5 319F D531 1C84 7094 2FE4 1A56 7625 5969 6D2D

To claim this, I am signing this object: