Skip to content

111 Recipes

How to remove all CSS classes and IDs from WordPress menu items

Published ·UPD ·In Recipes
add_filter('nav_menu_item_id', '__return_empty_string');
add_filter('nav_menu_css_class', '__return_empty_array');
add_filter('page_css_class', '__return_empty_array');

The three lines above will remove all IDs and classes from menu items, including classes for the current item. The current item can still be targeted using the aria-current attribute:

.menu li a[aria-current="page"] {
  color: red;


How to remove file lines that match a pattern

Published ·UPD ·In Recipes

Using GNU sed:

$ sed -i '/pattern/d' ./file

To remove the lines and keep a copy of the original:

$ sed -i.bak '/pattern/d' ./file

Since the pattern is a regular expression, special characters should be escaped. For example, to remove all lines containing

$ sed -i '/example\.com/d' ./file


WordPress security checklist

Published ·UPD ·In Recipes

This is a list of security items to check when setting up WordPress websites or web servers for WordPress websites.

I use it for web servers running Debian 10 (Buster), Apache 2.4 and PHP 7.3 or PHP 7.4, and for websites accessible via HTTPS. The list is a work in progress.

Apache HTTP server

  • Disable TLS 1.0 and 1.1
  • Disable AllowOverride globally (default since Apache 2.3.9) and for each site
  • Disable the autoindex module
  • Disable the auth_basic module
  • Disable the TRACE HTTP method (disabled by default in Debian 10) – h5bp snippet
  • Configure security response headers:
    • Disallow MIME sniffing
    • Remove X-Powered-By
    • Configure X-Frame-Options
    • Configure Strict-Transport-Security – h5bp snippet
    • Configure Content-Security-Policy – h5bp snippetmay need adapting
  • Forbid access to files that don’t need to be accessible – h5bp snippet
  • Forbid access to hidden files and directories that don’t need to be accessible – h5bp snippet
  • (for WP) Forbid access to xmlrpc.php if XML-RPC is not needed – snippets
  • (for WP) Forbid access to wp-login.php unless IP is trusted – not always feasible
  • (for WP) Forbid access to wp-login.php if agent uses HTTP/1.* – snippets
  • (for WP) Forbid access to PHP files in wp-content
  • (for WP) Forbid access to PHP files in wp-includes
  • (for WP) Forbid manual uploading of themes and plugins – snippet
  • (for WP) Forbid user enumeration
  • (for WP) Forbid GET requests to core REST API endpoints
  • (for WP) Configure Content-Security-Policy for wp-admin



  • Set DISALLOW_FILE_EDIT to true
  • Set WP_DEBUG_DISPLAY to false
  • Set WP_DEBUG_LOG to true
  • Remove inactive themes except one (fallback)
  • Remove inactive plugins
  • Disable gravatars (one less thing to set CSP for)
  • (via plugin) Require strong passwords for all users
  • (via plugin) Require multi-factor authentication for admins – plugin
  • (via plugin) Disable comments completely if not needed – plugin

Resources and documentation

Possible additions and improvements for the future


  • 2020-07-14. Added Mozilla Observatory to resources.

How to delete a Let’s Encrypt certificate

Published ·UPD ·In Recipes

First get a numbered list of all certificates that can be deleted:

$ sudo certbot delete

Then type the number of the certificate you want to delete and hit Enter.

Certificates can also be deleted by name:

$ sudo certbot delete --cert-name CERTNAME

Run certbot --help delete for more information.

How to unban an IP address in fail2ban

Published ·UPD ·In Recipes

In fail2ban 0.10.0 and later, the following command will remove an IP address from all fail2ban jails as well as from the fail2ban database:

$ sudo fail2ban-client unban <IP-ADDRESS>

The old syntax, which required to specify a jail, can still be used to remove an IP from a specific jail:

$ sudo fail2ban-client set <JAIL-NAME> unbanip <IP-ADDRESS>

To view all active jails:

$ sudo fail2ban-client status

To view all IPs in a jail (most recent entries are at the end):

$ sudo fail2ban-client status <JAIL-NAME>