DB index

wp_options autoload

In older versions of WP, wp_options has no index on autoload.

Update: The reason the query is being logged is it doesn't use an index. The query time is 0, i.e. it actually executes fast. You can unset the "log-queries-not-using-indexes" option if you don't want these to be logged.

The wp_options table has no index on autoload (it now should, it was added to WP core schema Aug 15, 2019), so the query ends up doing a full table scan. In general that table shouldn't get too large, so it's not a problem, but I'm guessing that's somehow happened in your case.

Adding an index might solve the problem, but as TheDeadMedic pointed out in the comments, it might not if the values of autoload are either majority yes, or evenly distributed between yes and no:

First, do this query to see what the distribution looks like:

SELECT COUNT(*), autoload FROM wp_options GROUP BY autoload;

If a large majority of them are set to 'no', you can solve the problem for now by adding an index on autoload.

ALTER TABLE wp_options ADD INDEX (`autoload`);

However, you might want to get to the bottom of why that table has gotten too large. Possibly some badly written plugin doing something fishy.

https://wordpress.stackexchange.com/questions/71691/slow-query-for-the-wp-options-table

https://crunchify.com/woocommerce-adds-thousands-of-transient-entries-into-wp-options-table-how-to-delete-and-disable-all-geoip-transient-settings/

wp_options autoload is slow on a WordPress site | ah-2.com

wp_posts guid

Workaround
A way to go around this problem is to (at least temporarily) add indexes for these fields.
You can do this using two SQL queries like the following ones:

ALTER TABLE `wp_posts` ADD INDEX `guid` (`guid`);
ALTER TABLE `wp_postmeta` ADD INDEX `meta_value` (`meta_value`(512));

https://wpml.org/errata/performance-considerations-for-the-wpml-media-setup-on-large-sites/

Please get the plugin's author to add the index from the plugin. This field isn't used in where clauses in WP, and the index would be useless for other users -- but still gobble up db space.
#7633 (Lack of an Index on wp_posts.guid Slowing Down Queries) – WordPress Trac 2009

Indexes should be added (and dropped) by the plugin itself.

categories-images 2.4.2

WPScan API

https://wpscan.com/api

https://wpscan.com/docs/api/v3/

curl -H "Authorization: Token token=API_TOKEN" https://wpscan.com/api/v3/plugins/woocommerce | python3 -mjson.tool
...
            {
                "id": "1212fec8-1fde-41e5-af70-abdd7ffe5379",
                "title": "Woocommerce 3.3 to 5.5 - Authenticated Blind SQL Injection",
                "created_at": "2021-07-15T14:28:21.000Z",
                "updated_at": "2021-07-30T07:46:15.000Z",
                "published_date": "2021-07-15T00:00:00.000Z",
                "description": null,
                "poc": null,
                "vuln_type": "SQLI",
                "references": {
                    "url": [
                        "https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/",
                        "https://twitter.com/WooCommerce/status/1415442447312764931",
                        "https://www.wordfence.com/blog/2021/07/critical-sql-injection-vulnerability-patched-in-woocommerce/",
                        "https://noc.org/2021/07/15/serious-sqli-in-woocommerce/",
                        "https://blog.wpscan.com/critical-woocommerce-vulnerabilities/",
                        "https://github.com/woocommerce/woocommerce/security/advisories/GHSA-7vx5-x39w-q24g"
                    ],
                    "cve": [
                        "2021-32790"
                    ]
                },
                "cvss": null,
                "fixed_in": "5.5.1",
                "introduced_in": "3.3"
            },
...

https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/
Even when the fix was released for every major version, fixed_in holds only the version in which the latest major version was fixed.
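
An added example (not part of the original notes or of WPScan's own code) that applies `introduced_in` and `fixed_in` from the entry above to an installed version while allowing for the fact that `fixed_in` names only the fix on the newest branch. The function names, the verdict strings and the installed versions are assumptions of this example.

```python
import json

# Constructed sample: the fields of the WooCommerce entry above that the
# check needs (values copied from that entry).
SAMPLE = json.loads("""
{"title": "Woocommerce 3.3 to 5.5 - Authenticated Blind SQL Injection",
 "fixed_in": "5.5.1", "introduced_in": "3.3"}
""")


def parse_version(text, width=4):
    """'5.5.1' -> (5, 5, 1, 0); non-numeric suffixes such as '-rc1' are dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts) + (0,) * (width - len(parts))


def triage(installed, vuln):
    """Classify an installed version against one vulnerability entry."""
    have = parse_version(installed)
    introduced, fixed = vuln.get("introduced_in"), vuln.get("fixed_in")
    if introduced and have < parse_version(introduced):
        return "not-affected"          # older than the first vulnerable release
    if not fixed:
        return "affected"              # assumption: empty fixed_in = no fix yet
    fix = parse_version(fixed)
    if have >= fix:
        return "not-affected"
    if have[:2] == fix[:2]:
        return "affected"              # same branch as fixed_in, and older
    # Older branch: inside the API range, but fixed_in names only the newest
    # branch's fix, so a backported patch release may already be installed.
    return "needs-advisory-check"


if __name__ == "__main__":
    # Constructed installed versions, chosen to hit every verdict.
    for version in ("3.2.6", "4.9.3", "5.5.0", "5.5.1"):
        print(version, triage(version, SAMPLE))
```

For a `needs-advisory-check` result, compare the installed version with the per-branch patched releases listed in the vendor advisory linked in the entry's references.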

WordPress 3,4 PHP 7

Fix the errors and warnings that appear when running old versions of WordPress on PHP 7.

wp-login.php

I accessed "wp-login.php", located directly under the WordPress directory, via FTP and rewrote the code below, found around line 780, which resolved the error.

Before

$user = wp_signon( '', $secure_cookie );

After

$user = wp_signon( array(), $secure_cookie );

[WordPress] Resolving errors caused by a PHP version upgrade | 株式会社オンズ 2019

WordPress 3.9 + PHP 7.4
WordPress 4.3 + PHP 7.4

wp-includes/nav-menu.php

To fix the issue manually, just replace the code:

$items[$k]->$args['output_key'] = $i++; // here is the error

with:

$items[$k]->{$args['output_key']} = $i++; // problem solved :)

arrays - How to fix "Illegal string offset 'output_key'" in nav_menu.php - Stack Overflow

WordPress 3.9 + PHP 7.4

Declaration of xxx::start_el(&$output, $item, $depth, $args)...
// Change this
function start_el(&$output, $item, $depth, $args) {

// to this
function start_el(&$output, $item, $depth = 0, $args = array(), $id = 0) {

How to handle the [Warning: Declaration of My_Walker::start_el ...] that appears after switching the server's PHP to 7.0 | oku-log

Warnings after upgrading to php7.0 | WordPress related | 福岡県パソコンサポート|志義どっとPC

Contact Form 7 v5.3.1 vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2020-35489

2. If the above is difficult, patch the vulnerable file by hand
Looking at the Contact Form 7 developer's change history, the following fix appears to close the vulnerability.

https://github.com/takayukister/contact-form-7/commit/2e45060ff0b4610e9665d996bc91f725ff5fc381

In wp-content/plugins/contact-form-7/includes/formatting.php,
in the wpcf7_antiscript_file_name function, right after $filename has been passed through the basename function, add

$filename = preg_replace( '/[\pC\pZ]+/i', '', $filename ); // add this line

that is, the single line above.

[Urgent / how to respond] File upload vulnerability in Contact Form 7 v5.3.1 and below | ワードプレスドクター

function wpcf7_antiscript_file_name( $filename ) {
        $filename = basename( $filename );

        $filename = preg_replace( '/[\r\n\t -]+/', '-', $filename );
        $filename = preg_replace( '/[\pC\pZ]+/iu', '', $filename );

        $parts = explode( '.', $filename );

https://github.com/takayukister/contact-form-7/commit/5257a8450e2ccf91e912399a2c3c05db95c51ad3#diff-1cbe53027fad04eb0817207cc40031ad7c24fcacaa5ee61cb93079ed772fa422

https://github.com/takayukister/contact-form-7/commit/1ee666800b33105c77fce1b69d154115b2f1e54f#diff-1cbe53027fad04eb0817207cc40031ad7c24fcacaa5ee61cb93079ed772fa422

Plugin auto-updates

Starting with WordPress 5.5, site administrators can manually opt in to automatic updates for themes and plugins.
https://ja.wordpress.org/support/article/plugins-themes-auto-updates/

The following plugins were updated:
- All in One SEO (from version 4.1.5.2 to 4.1.5.3)

The 4.1.5.3 update contained some important security improvements, which is why it was pushed out to your website. Only in rare cases like these we can ask your site to auto-update, even if auto-updating is disabled.
Auto updated but do not have it enabled | WordPress.org

Even with plugin auto-updates disabled, a plugin may still be auto-updated, for example for an important security update.