Category: WordPress Hardening
Hardening your website’s security
Table of Contents
Introducing WordPress Hardening
Hardening – Basic
Disable “anyone can register”
Disable the built-in file editors
Prevent code execution in the public ‘Uploads’ folder
Hide your WordPress version
Prevent login feedback
Disable directory browsing
Disable user enumeration
Block the ‘admin’ username
Disable XML-RPC
Block user registrations when login and display name are the same
Hardening – Advanced
Disable HTTP methods
Rename and randomize your database prefix
Change debug.log file location
Disable application passwords
Restrict creation of administrator roles
About File Change Detection
The File Change Detection feature (located under SSL & Security -> “Settings” -> Hardening -> File Change Detection) enables a daily scan that monitors whether any changes have been made to files in WordPress Core, or to files belonging to Plugins or Themes on your site. If files are being modified without any updates having been performed, and without you having manually modified those files via FTP, this could indicate that your WordPress installation was infected by malware that targeted and modified those files on your server.
About File Permission Detection
All files and directories on your web server have permissions which determine who can read, write, modify and access them. Files and directories should not have more permissions than they require, as unnecessarily elevated permissions might leave your site vulnerable to attack. Configuring appropriate permissions significantly reduces the risk of unauthorized access to your WordPress files and folders. Really Simple SSL Pro (since version 8.2.0) introduces the File Permission Detection feature, available under Settings -> SSL & Security -> “Settings” (top
Rogue admin protection for WordPress
To protect your website against the creation of rogue admins, simply enable the “Restrict creation of administrators” setting under advanced hardening in Really Simple SSL Pro.
Disabling admin account creation protection when you are locked-out
Really Simple Security Pro has an advanced hardening setting to “Restrict creation of administrator roles”. Enabling this setting will check for users that were assigned the Administrator role in a way other than through the regular user profile interface. If such a user account is found, the role of the user will be changed to Subscriber immediately and an e-mail notification will be sent to the site administrator. If for some reason you are locked out of your site
