inside
, without touching .Uses DOMDocument → no injection/DoS risk.
————————————————————– */
/* Front-end only (admin requests return early): buffers the page and removes
   <style> elements that are direct children of <head> via XPath, then
   re-serialises the document with DOMDocument::saveHTML().
   NOTE(review): this copy is truncated — the `stripos` condition below ends
   mid-line and $dom is used without being created here; confirm the original
   DOMDocument::loadHTML() call and its libxml error handling before relying
   on this block. saveHTML() rewrites the whole page, so markup may differ
   from what the theme emitted — verify output on a real page. */
add_action(‘template_redirect’, function () {
// Admin screens are never buffered or rewritten.
if (is_admin()) return;
ob_start(function ($html) {
// Quick check to avoid overhead
if (stripos($html, ‘
$xpath = new DOMXPath($dom);
// Only <style> nodes directly under <head>; inline styles in <body> are untouched.
$styles = $xpath->query(‘//head/style’);
if ($styles->length > 0) {
foreach ($styles as $style) {
$style->parentNode->removeChild($style);
}
// Re-serialised document replaces the original buffer.
return $dom->saveHTML();
}
// Nothing matched: hand the buffer back unchanged.
return $html;
});
});
/* ————————————————————–
5. IMAGE SIZE CONTROL (SAFE VERSION)
– Keep responsive images (srcset) for SEO & performance
– Remove unnecessary giant sizes
– DO NOT break width/height attributes
————————————————————– */
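/*
 * Drop the extra large intermediate sizes WordPress generates on upload while
 * keeping the defaults (thumbnail / medium / large) that srcset relies on.
 * Size keys are plain ASCII ("1536x1536", not "1536×1536" with a multiplication
 * sign): unset() on a key that does not exist is a silent no-op, so the wrong
 * character would leave the size in place.
 *
 * @param array $sizes Registered size name => settings map.
 * @return array The map without the dropped sizes.
 */
add_filter('intermediate_image_sizes_advanced', function (array $sizes): array {
    // Keep at least medium + large for responsive images
    unset($sizes['medium_large']); // safe to remove
    unset($sizes['1536x1536']);
    unset($sizes['2048x2048']);
    return $sizes;
});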
// Limit huge uploads (protects server)
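/*
 * Reject image uploads whose pixel dimensions exceed $max on either axis so a
 * single huge image cannot exhaust memory when WordPress builds its sizes.
 * Files that are not readable images (getimagesize() returns false) pass
 * through unchanged; other checks in WordPress still apply to them.
 *
 * @param array $file Upload descriptor; 'tmp_name' is read, 'error' may be set.
 * @return array The same descriptor, with 'error' populated on rejection.
 */
add_filter('wp_handle_upload_prefilter', function (array $file): array {
    $max = 8000; // 8k width or height max
    if (empty($file['tmp_name']) || !is_readable($file['tmp_name'])) {
        return $file;
    }
    // wp_getimagesize() (WP 5.7+) already suppresses the warning a non-image
    // payload triggers; fall back to the bare call on older installs.
    $info = function_exists('wp_getimagesize')
        ? wp_getimagesize($file['tmp_name'])
        : @getimagesize($file['tmp_name']);
    if (is_array($info) && ($info[0] > $max || $info[1] > $max)) {
        // Message is derived from $max so the limit and the text cannot drift apart.
        $file['error'] = sprintf('Image too large (max: %dpx)', $max);
    }
    return $file;
});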
/* ————————————————————–
6. REMOVE ADMIN BAR FOR USERS
————————————————————– */
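/*
 * Show the admin bar only to users holding manage_options (administrators).
 * The incoming value is deliberately ignored: the capability is the sole test.
 *
 * @return bool Whether the bar is rendered for the current user.
 */
add_filter('show_admin_bar', function (): bool {
    // current_user_can() already yields a bool, so no ternary is needed.
    return current_user_can('manage_options');
});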
/* ————————————————————–
7. KEEP SECURITY UPDATES WORKING
(Your old plugin disabled them — dangerous)
→ NOTHING is blocked now.
————————————————————– */
/* ————————————————————–
8. DISABLE XML-RPC + REST AUTH HEADERS (SAFE)
————————————————————– */
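/*
 * Require an authenticated user for REST requests. Results of earlier
 * authentication steps are respected: a WP_Error from cookie/nonce or
 * application-password checks is returned as-is so the real failure reason is
 * not masked, and a `true` result (authentication already succeeded) is not
 * overridden. NOTE(review): every unauthenticated endpoint is blocked,
 * including ones public front-end features may call — confirm nothing in the
 * theme or plugins depends on anonymous REST access.
 *
 * @param WP_Error|true|null $result Outcome of earlier authentication filters.
 * @return WP_Error|true|null Unchanged result, or a 401 error for guests.
 */
add_filter('rest_authentication_errors', function ($result) {
    // Another handler already decided (error or success); do not override it.
    if (true === $result || is_wp_error($result)) {
        return $result;
    }
    // Hard-disable REST for visitors if you want:
    // BUT do NOT disable for logged-in or plugins needing it
    if (!is_user_logged_in()) {
        return new WP_Error('rest_disabled', 'REST API disabled for guests.', ['status' => 401]);
    }
    return $result;
});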
/* ————————————————————–
9. DISABLE HEARTBEAT (optional)
————————————————————– */
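/*
 * Blank the Heartbeat response payload.
 * NOTE(review): these hooks only change what the server sends back; the
 * browser keeps polling admin-ajax.php, so if the goal is to stop the
 * requests themselves, deregistering the 'heartbeat' script is what does
 * that. 'heartbeat_tick' appears to be an action hook in core rather than a
 * filter, in which case the second line has no effect on the reply — confirm.
 */
add_filter('heartbeat_send', '__return_false');
add_filter('heartbeat_tick', '__return_false');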
/* ————————————————————–
10. SAFE ADMIN CLEANUP
————————————————————– */
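/*
 * Drop block-editor assets on admin screens.
 * NOTE(review): this runs on every admin request and removes the 'wp-editor'
 * script globally, so any screen that still loads the block editor will
 * break — confirm Gutenberg really is unused before keeping this.
 */
add_action('admin_init', function (): void {
    // Remove some editor assets if no Gutenberg used
    wp_deregister_style('wp-block-library');
    wp_deregister_script('wp-editor');
});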
/* ————————————————————–
11. DISABLE SPECULATION RULES (prefetch/prerender)
injecting #is',
'',
$html
);
// Remove skip link inline script
$html = preg_replace(
'##is',
'',
$html
);
// Remove importmap
$html = preg_replace(
'##is',
'',
$html
);
return $html;
});
}, 999);
/*********************************************************************************************************/
/*_____________________________________________________________________
** Watch out, the message broke my frontend layout !!!
**
** may, 10, 2026
** Scan the WordPress uploads folder for potentially dangerous files.
** Flags any PHP, executable, or suspiciously named files;
** e.g. a JavaScript file would be doubly dangerous in uploads!
**
**
** @param string $uploadDir Optional. Defaults to WordPress uploads directory.
** @return array List of suspicious files with paths
*/
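/**
 * Scan an uploads tree for files that could execute on the server.
 *
 * A file is reported when any dotted suffix of its name is in the dangerous
 * list (so "image.php.jpg" and ".htaccess" count, not only the last
 * extension) or when its bytes contain a PHP open tag ("<?php" or "<?=").
 * Content is read in chunks, so large media files are never loaded whole.
 *
 * @param string     $uploadDir     Directory to scan; empty means the WordPress uploads basedir.
 * @param array|null $dangerousExts Lower-case extensions to flag; null selects the built-in list.
 * @return list<string> Absolute paths of suspicious files, in directory-walk order.
 * @throws UnexpectedValueException When $uploadDir (or a subdirectory) cannot be opened.
 */
function scan_uploads_for_risks(string $uploadDir = '', ?array $dangerousExts = null): array
{
    if ($uploadDir === '') {
        $uploadDir = wp_upload_dir()['basedir'];
    }
    if ($dangerousExts === null) {
        $dangerousExts = [
            // Extensions a typical PHP handler configuration will execute.
            'php', 'php5', 'php7', 'php8', 'phtml', 'phtm', 'pht', 'phps', 'phar',
            // Other executables/scripts.
            'exe', 'sh', 'pl', 'cgi', 'js',
            // A dropped-in .htaccess can change how the directory is served.
            'htaccess',
        ];
    }
    $dangerousExts = array_map('strtolower', $dangerousExts);

    $suspicious = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploadDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $entry) {
        // Directories, sockets, FIFOs etc. are skipped: reading a FIFO would block.
        if (!$entry->isFile()) {
            continue;
        }
        $filePath = $entry->getPathname();
        if (_scan_uploads_has_dangerous_extension($entry->getFilename(), $dangerousExts)
            || _scan_uploads_file_has_php_tag($filePath)) {
            $suspicious[] = $filePath;
        }
    }
    return $suspicious;
}

/**
 * True when any dotted suffix of $filename is in $dangerousExts (lower-case).
 *
 * @param string       $filename      Base name only, e.g. "shell.php.jpg".
 * @param list<string> $dangerousExts Lower-case extensions to match.
 */
function _scan_uploads_has_dangerous_extension(string $filename, array $dangerousExts): bool
{
    $parts = explode('.', strtolower($filename));
    array_shift($parts); // leading segment is the base name, not an extension
    foreach ($parts as $part) {
        if (in_array($part, $dangerousExts, true)) {
            return true;
        }
    }
    return false;
}

/**
 * True when the file's bytes contain a PHP open tag ("<?php" or "<?=").
 * Reads 1 MiB at a time and carries the last four bytes forward so a tag split
 * across a chunk boundary is still seen. Unreadable files yield false; the
 * extension check is the only signal for those.
 *
 * @param string $filePath Absolute path of a regular file.
 */
function _scan_uploads_file_has_php_tag(string $filePath): bool
{
    if (!is_readable($filePath)) {
        return false;
    }
    $handle = fopen($filePath, 'rb');
    if ($handle === false) {
        return false;
    }
    $found = false;
    $carry = '';
    while (!feof($handle)) {
        $chunk = fread($handle, 1048576);
        if ($chunk === false || $chunk === '') {
            break; // read error, or EOF on an empty file
        }
        $window = $carry . $chunk;
        if (preg_match('/<\?(php|=)/i', $window) === 1) {
            $found = true;
            break;
        }
        $carry = substr($window, -4); // strlen('<?php') - 1
    }
    fclose($handle);
    return $found;
}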
// *************************
// Example usage
// **************************
// NOTE(review): top-level code, so it runs every time this file is loaded — if
// this is functions.php or a plugin file, that is every request, and the whole
// uploads tree is read on each one. The echoed list is sent to whoever loaded
// the page, so upload paths are disclosed to any visitor; gate it behind an
// administrator check such as `if (current_user_can('manage_options'))`, or
// move it to a dedicated admin screen / WP-CLI command. esc_html() is applied
// to each path, so the output itself is HTML-safe. The echo lines below are
// out of order in this copy (the HTML markup was lost in extraction).
$suspiciousFiles = scan_uploads_for_risks();
if (!empty($suspiciousFiles)) {
echo "
Suspicious files found:
- ";
- " . esc_html($file) . "
foreach ($suspiciousFiles as $file) {
echo "
";
}
echo "
";
} else {
// echo "
No suspicious files detected in uploads.
";
}
?>