Facebook Phishing post.php Code

If an attacker uploads post.php through a vulnerable WordPress plugin, make sure your /uploads/ directory carries a .htaccess file that prevents uploaded scripts from executing.
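The .htaccess below is an added example, not a file from the original page; it assumes Apache 2.4 with AllowOverride permitted for the uploads directory and denies direct requests for any PHP-like file dropped there, which is the control that turns an uploaded post.php into a dead file rather than a live endpoint:

```apache
# Added example (not from the original page). Place as wp-content/uploads/.htaccess.
# Assumes Apache 2.4 ("Require" syntax) and AllowOverride FileInfo/Limit for this tree.

# Refuse to serve anything that the PHP handler could pick up, whatever the upload
# path used to get it here. Extension list is deliberately broad.
<FilesMatch "\.(php|phtml|php[3-8]|phar|phps)$">
    Require all denied
</FilesMatch>

# Belt and braces when PHP runs as an Apache module: disable the engine entirely
# for this directory. Module name is mod_php.c on PHP 8 (mod_php7.c on PHP 7).
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

Verify the rule after deploying it by requesting a harmless test file such as uploads/test.php and confirming the server answers 403 rather than executing it; on PHP-FPM setups the FilesMatch block is the one that does the work, because php_flag has no effect there.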

The script first reads the values submitted from the fake login form, typically the email/phone field and the password field.

Always validate the origin of your POST requests. Check HTTP_REFERER (knowing it can be spoofed) and require a nonce for every form submission. This will not stop a standalone phishing page, but it does prevent your own forms from being repurposed by attackers.
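The handler below is an added example, not the page's or any project's own code: it shows a session-bound, single-use nonce that is issued with the form and verified on submission, together with a Referer comparison that is treated only as a logged signal because the header is attacker-controlled. The form id `login`, the hidden field name `_nonce`, and the host `example.com` are placeholders chosen for the example.

```php
<?php
// Added example (not from the original page). Session-bound nonce plus advisory Referer check.
declare(strict_types=1);

session_start();

// Issue a fresh nonce for one form and remember it server-side with its issue time.
function issue_nonce(string $form_id): string
{
    $nonce = bin2hex(random_bytes(16));                     // 128 bits from the CSPRNG
    $_SESSION['nonces'][$form_id] = ['value' => $nonce, 'issued' => time()];
    return $nonce;
}

// Verify and consume a nonce. Returns true at most once per issued value, and only
// while the value is younger than $max_age seconds. Comparison is constant-time.
function verify_nonce(string $form_id, ?string $submitted, int $max_age = 900): bool
{
    $stored = $_SESSION['nonces'][$form_id] ?? null;
    unset($_SESSION['nonces'][$form_id]);                   // single use, even on failure
    if ($stored === null || $submitted === null) {
        return false;
    }
    if (time() - $stored['issued'] > $max_age) {
        return false;
    }
    return hash_equals($stored['value'], $submitted);
}

// Referer is trivially forged, so a match proves nothing; a mismatch is still worth logging.
function referer_host_matches(array $server, string $expected_host): bool
{
    $host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Hard control: no valid nonce, no processing.
    if (!verify_nonce('login', $_POST['_nonce'] ?? null)) {
        http_response_code(403);
        exit('Invalid or expired form token.');
    }
    // Soft control: record unexpected origins for the SOC, do not rely on them.
    if (!referer_host_matches($_SERVER, 'example.com')) {   // placeholder host
        error_log('login form: unexpected Referer ' . ($_SERVER['HTTP_REFERER'] ?? '(none)'));
    }
    // ... authenticate the submitted credentials here ...
    exit('OK');
}

// GET: render the form with the nonce embedded as a hidden field.
$nonce = htmlspecialchars(issue_nonce('login'), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="_nonce" value="' . $nonce . '">'
   . '<label>Email <input type="email" name="email"></label>'
   . '<label>Password <input type="password" name="password"></label>'
   . '<button type="submit">Sign in</button>'
   . '</form>';
```

Because the nonce lives in the server-side session and is deleted on first use, a copy of the form hosted elsewhere cannot supply a valid token, and a captured token cannot be replayed; inside WordPress the same pattern is provided by wp_nonce_field() and wp_verify_nonce().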