Just a small number of security concerns I have about WordPress (new user).
Every WP page has a set of links up the top, and accessing some of those links concerns me.
which displays ...
Notice the HTTPS in all the URLs. I do have an HTTPS cert/connection, BUT I don't want the public to know about it, or to use it. It is for secure purposes. Now, take a look in xmlrpc.php
Notice "site_url", which is clearly defined in the database and therefore WP config settings as HTTP, not HTTPS. The site_url must be overwritten by the SSL admin setting.
Clearly a bug.
displays the following ..
Why display /wp-admin/ links? This is a security concern for us, as comments are "off" and so are registrations, so any reference/link to a URL/URI that is not allowed by login/access should NOT be displayed to the general public.
Sure, people can find out by looking at a WP archive and checking a few files; however, bots/crawlers will now try to access these links, and I have to go and add a mod-rewrite or change file perms, etc.
Not very clever. :(