About Hardening Features

The newest addition to Really Simple SSL is hardening features. These features tackle the known and lesser-known weaknesses of running a WordPress website. Hardening is focused on minimizing risk by removing points of attack, mostly by disabling features that are not used or by limiting access to those who use them. For more information on Hardening Features for WordPress, please read this article.

Hardening Features

Most of these hardening features are self-explanatory, but we will pick some to explain their necessity further. If you are unable to change a setting because it is “greyed-out”, we detected that the setting is already activated outside Really Simple SSL. If you want to manage that setting from within Really Simple SSL, you will have to find where it is set and remove the setting in that location. If you have questions about a hardening feature that is not mentioned, visit our definitions page.

Disable “anyone can register”

This setting will display the status of the “Anyone can register” setting under “General” in the WordPress Settings menu and allow you to disable that setting directly.

It is mainly included to raise awareness that “Anyone can register” is enabled. If “Anyone can register” is already disabled, the toggle will be “greyed-out”. If you want to enable “Anyone can register” you will need to do so in the “General” section of the WordPress settings menu.

Disable the built-in file editors

Disabling the built-in file editors will disable the Theme & Plugin file editors that are built into the WordPress admin dashboard. Even though you need admin permissions to use the built-in file editors, leaving them enabled poses a small security risk when combined with other vulnerabilities. Enabling this setting will add the line “define( 'DISALLOW_FILE_EDIT', true );” to your wp-config.php file.

Prevent code execution in the public ‘Uploads’ folder

This setting will prevent the execution of (PHP) code from the uploads folder. Uploading .php files to the uploads folder should be blocked by default, but in case this protection is circumvented this setting will prevent the code from being executed. This setting is only supported on Apache & LiteSpeed servers and works by adding a .htaccess file to the uploads folder.
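As an added example (not Really Simple SSL's own code), the following PHP writes a .htaccess file into the uploads directory that denies requests for PHP files, which is the mechanism the setting above relies on. It assumes it runs inside WordPress (wp_upload_dir() and trailingslashit() are core functions); the marker comments, the constant and the function name are this example's own.

```php
<?php
// Added example, not the plugin's own code. Writes an Apache/LiteSpeed
// .htaccess into the uploads directory so PHP placed there is never run.
// Requires WordPress (wp_upload_dir(), trailingslashit()). The marker
// comments, the constant and the function name are this example's own.

// Directives, as a nowdoc so nothing needs escaping. Requests for anything
// with a PHP-like extension are denied (Apache 2.2 and 2.4 syntax both
// covered), and for mod_php the engine is switched off as a second layer.
const EXAMPLE_UPLOADS_RULES = <<<'HTACCESS'
# BEGIN example-no-php-in-uploads
<FilesMatch "\.(?i:php|phtml|phar|php[0-9]+)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
# END example-no-php-in-uploads

HTACCESS;

function example_protect_uploads_dir(): string {
    $uploads = wp_upload_dir();
    if (!empty($uploads['error'])) {
        throw new RuntimeException('Uploads directory unavailable: ' . $uploads['error']);
    }
    $path     = trailingslashit($uploads['basedir']) . '.htaccess';
    $existing = is_file($path) ? (string) file_get_contents($path) : '';

    // Idempotent: do not duplicate the block if it is already present.
    if (strpos($existing, '# BEGIN example-no-php-in-uploads') !== false) {
        return $path;
    }
    // Prepend so the deny rule is evaluated before any rules already there.
    if (file_put_contents($path, EXAMPLE_UPLOADS_RULES . $existing, LOCK_EX) === false) {
        throw new RuntimeException('Could not write ' . $path);
    }
    return $path;
}

// Re-apply on every admin page load; cheap because of the idempotency check,
// and a write failure is logged rather than breaking the admin screens.
add_action('admin_init', function (): void {
    try {
        example_protect_uploads_dir();
    } catch (RuntimeException $e) {
        error_log($e->getMessage());
    }
});
```

To verify the protection, place a file named test.php containing only `<?php echo 'ok';` in wp-content/uploads, request it in a browser, and confirm that the server answers 403 instead of running it; remove the file afterwards. On nginx the .htaccess file is ignored, so the equivalent there is a `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }` block in the server configuration.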

Hide your WordPress version

When you enable this setting, Really Simple SSL will make a number of changes in your default WordPress files making it difficult (but not impossible) for attackers to determine the exact WordPress version you are using. It is part of the “security by obscurity” measures used to make it a little more difficult to automatically find vulnerabilities in your website.

Prevent exposed login feedback

Did you know the default login page will tell you when an email address or username is correct? This means anyone trying to log in can proceed with a password reset or brute force attack against a confirmed account. This is not only textual feedback: a correct username or email address is saved and will be pre-filled the next time. It is part of the “security by obscurity” measures used to make it a little more difficult to try to gain unauthorized access to your website.

Disabling directory browsing prevents people from browsing through all available files on your website and should ideally already be done by your web host. When sensitive files that are not meant to be public are present on your system, leaving directory browsing enabled may lead to information leakage. Enabling this setting will create an index.html file in all your folders, thus preventing directory browsing.

By default WordPress allows anyone to look up the usernames of everyone that posted an article (post or page) on your website. This makes life easier for attackers because it gives them a handy list of usernames when trying to break into your website by guessing passwords. Enabling this setting will prevent people & bots from compiling a list of valid usernames on your website. It is part of the “security by obscurity” measures used to make it a little more difficult to try to gain unauthorized access to your website.
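The three “security by obscurity” measures described above (hiding the WordPress version, generic login feedback, and preventing user enumeration) can be implemented with a handful of core hooks. The following is an added example written for this page, not Really Simple SSL's own code; it assumes it runs as a plugin or mu-plugin, and the function name is this example's own.

```php
<?php
// Added example, not the plugin's own code. Implements the three
// "security by obscurity" measures above: hide the WordPress version,
// give generic login feedback, and stop anonymous username enumeration.
// Assumes it runs as a plugin or mu-plugin; the function name is this example's.

// 1. Version hiding: the generator meta tag, the feed <generator> element
//    and the ?ver=<core version> query string on core scripts and styles.
//    readme.html and file fingerprints still reveal the version, which is
//    why this is "difficult, not impossible".
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

function example_strip_core_version(string $src): string {
    if (strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'example_strip_core_version');
add_filter('style_loader_src', 'example_strip_core_version');

// 2. Login feedback: core distinguishes "unknown username", "wrong password"
//    and "invalid email". One message for all of them no longer confirms that
//    an account exists. The filter covers every error shown on the login
//    screen, including the lost-password form, so keep the wording neutral.
add_filter('login_errors', function (): string {
    return 'Sign-in failed. Please check your details and try again.';
});

// 3a. Author archives: /?author=1 is canonically redirected to
//     /author/<nicename>/, exposing the login name. Priority 0 runs before
//     redirect_canonical() (priority 10) can leak the slug.
add_action('template_redirect', function (): void {
    if (is_author() && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 0);

// 3b. REST API: /wp-json/wp/v2/users lists authors to anyone. Remove the
//     user routes for unauthenticated requests; logged-in users keep them
//     because the block editor needs the endpoint.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 3c. Sitemaps: wp-sitemap-users-1.xml (WordPress 5.5+) lists author
//     archives; dropping the "users" provider removes that listing.
add_filter('wp_sitemaps_add_provider', function ($provider, string $name) {
    return $name === 'users' ? false : $provider;
}, 10, 2);
```

After enabling, check each channel from a logged-out browser: the page source should contain no generator meta tag, `/?author=1` should land on the home page rather than an `/author/…/` URL, and `/wp-json/wp/v2/users` should return a 404 route error instead of a user list.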

Most brute force attacks on login pages are made with the username ‘admin.’ Removing and preventing common usernames is good practice. Most hosting providers can automatically install WordPress, so you can start without the hassle of creating a database and uploading files. However, some automatic installs also create an administrator with the username ‘admin.’ This setting will replace the username of any existing user named ‘admin’ with a randomized one. These admins can always log in with their existing email addresses.

Block the username “admin”

The user “admin” is the first user automatically created when installing WordPress. Because it is almost always present it is also by far the most attacked account on WordPress sites. To prevent your website from being hacked quickly when you inadvertently set a weak or previously compromised password, this option will rename the current user named “admin” (you can choose a new name) and block the creation of new users with the name admin. An e-mail reminding you of the new username will be sent to the e-mail address linked to the “admin” account.

XML-RPC (Remote Procedure Call) is a protocol that allows external applications to communicate with your WordPress site. If you’re not using XML-RPC features, disabling it can be a step to enhance your site’s security. While it can be useful for certain features like remote publishing and mobile app interactions, it has also been known to pose security risks. Before disabling XML-RPC, it’s a good idea to check whether your site relies on XML-RPC for any functionality. Upgrade to Really Simple SSL Pro to use our unique learning mode to detect what functionality is using XML-RPC and selectively enable XML-RPC for specific uses only.

If you want to know how to change these manually, please follow this article. In WordPress, your users can have a login/username and a display name (Author). Commonly, these are the same. Someone might log in with their name “Alexandra” and post as an author with “Alexandra.” The username is then published on each blog post written by this user. As this is an obvious security issue, you can use this option to prevent it from happening.

Advanced Hardening Features (Pro only)

Advanced Hardening features are Really Simple SSL Pro features because they can be more intrusive in nature. You could, of course, do this manually as well, if needed.

Disable HTTP methods

This setting will restrict the available HTTP methods to GET, POST, HEAD & OPTIONS. Methods such as PUT, DELETE & TRACE are not necessary for a standard WordPress Installation. Blocking these might prevent attacks on possible vulnerabilities.
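As an added example (not Really Simple SSL's own code), the following PHP enforces the same method restriction from inside WordPress by answering every other method with a 405. It assumes it runs as a plugin or mu-plugin; the constant and function names are this example's own.

```php
<?php
// Added example, not the plugin's own code. Refuses any HTTP method other
// than GET, POST, HEAD and OPTIONS with a 405 from inside WordPress, which
// works regardless of web server. The Apache equivalent is a
// <LimitExcept GET POST HEAD OPTIONS> block. Names here are this example's own.

const EXAMPLE_ALLOWED_METHODS = ['GET', 'POST', 'HEAD', 'OPTIONS'];

function example_method_is_allowed(string $method): bool {
    return in_array(strtoupper($method), EXAMPLE_ALLOWED_METHODS, true);
}

// Priority 0 on 'init' runs before the REST API, admin-ajax handlers and
// most plugins look at the request. WP-CLI has no REQUEST_METHOD and is
// treated as GET, so command-line use is unaffected.
add_action('init', function (): void {
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if (example_method_is_allowed($method)) {
        return;
    }
    // RFC 9110: a 405 response must list the methods that are supported.
    header('Allow: ' . implode(', ', EXAMPLE_ALLOWED_METHODS));
    status_header(405);
    nocache_headers();
    exit;
}, 0);
```

Two caveats when testing this with `curl -X DELETE -i` against your site: TRACE is answered by the web server itself before PHP runs, so that method needs the server setting (Apache `TraceEnable off`); and WordPress's bundled REST client (wp.apiFetch) tunnels PUT and DELETE over POST with an X-HTTP-Method-Override header, so the block editor keeps working, while an external REST client that sends a real PUT or DELETE will be refused.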

Rename and randomize your database prefix

A little security through obscurity. In the event of a vulnerability in your site, a simple attack could be prevented by changing your database prefix from “wp_” to a random value. This will not stop serious hackers or advanced attacks, though; there are several ways to find your database prefix programmatically. It is part of the “security by obscurity” measures used to make it a little more difficult to automatically exploit vulnerabilities in your website. Warning: this will permanently change your database prefixes and you can NOT roll back this feature. Please make sure you have a back-up.

Change debug.log file location

The debug.log file can contain sensitive information that might aid attackers in further discoveries, for example server paths, error messages, usernames and even passwords. The debug.log has a standard path on all WordPress websites and is written to the publicly accessible /wp-content/ directory. Changing the location stops anyone from downloading it through the standard path: with this setting enabled, the debug.log is written to a folder with a randomized name, so its path cannot be guessed. If you are also vigilant about the use of debugging itself, the debug.log is out of reach.

Disable application passwords

This setting will prevent the use of application passwords by your users. Application passwords are 24-character passwords that are meant to be used programmatically by applications (through the REST API or XML-RPC). They cannot be used to log in interactively (through wp-login.php). There are very good reasons to use application passwords: if you access your site through the REST API, using an application password instead of the regular user password is strongly encouraged. There are some risks in allowing application passwords, though. They can be used to circumvent Multi Factor Authentication, and when a user account is compromised, resetting the standard password is not enough; you will need to reset all application passwords for that user separately. If you are not authenticating against the REST API or XML-RPC we recommend disabling application passwords.
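The XML-RPC and application-password settings above both reduce non-interactive entry points. As an added example (not Really Simple SSL's own code, and not its learning mode), the following PHP trims XML-RPC to an explicit method allowlist and makes application passwords available only to users holding a chosen capability, plus a helper for the incident-response step the paragraph mentions (revoking every application password of a compromised account). The allowlist, the capability name and the function name are constructed for this example.

```php
<?php
// Added example, not the plugin's own code. Reduces the non-interactive
// entry points described above: XML-RPC is limited to an allowlist of
// methods (an empty list disables it), and application passwords are only
// offered to users with a chosen capability. The method list, capability
// and function name are constructed for this example.

// Constructed allowlist: what a remote publishing client typically needs.
const EXAMPLE_XMLRPC_ALLOWED_METHODS = [
    'wp.getUsersBlogs',
    'wp.getPosts',
    'wp.newPost',
    'wp.editPost',
];

// Constructed capability: only users who may publish get an app password.
const EXAMPLE_APP_PASSWORD_CAP = 'publish_posts';

// With an empty allowlist, refuse every authenticated XML-RPC call.
add_filter('xmlrpc_enabled', function (bool $enabled): bool {
    return $enabled && count(EXAMPLE_XMLRPC_ALLOWED_METHODS) > 0;
});

// Trim the method table to the allowlist. Everything else, including
// pingback.ping and system.multicall (the methods most often abused for
// amplification and bulk password guessing), is no longer registered.
add_filter('xmlrpc_methods', function (array $methods): array {
    return array_intersect_key($methods, array_flip(EXAMPLE_XMLRPC_ALLOWED_METHODS));
});

// Application passwords bypass the interactive login (and any 2FA on it),
// so limit who can create one instead of trusting every account.
add_filter('wp_is_application_passwords_available_for_user', function (bool $available, WP_User $user): bool {
    return $available && $user->has_cap(EXAMPLE_APP_PASSWORD_CAP);
}, 10, 2);

// Incident-response helper: a normal password reset leaves application
// passwords valid, so revoke all of them for a compromised account.
function example_revoke_app_passwords(int $user_id): bool {
    $result = WP_Application_Passwords::delete_all_application_passwords($user_id);
    return $result === true;
}
```

Before adopting an allowlist like this, confirm which methods your remote clients actually call (the WordPress mobile app, for instance, uses more than the four listed); the plugin's learning mode described above exists precisely to gather that list.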

Restrict creation of administrators

Enabling this setting will check for users that were assigned the admin role in a different way than through the regular user profile interface. When you enable this setting all admin accounts that are already registered are automatically “approved” by Really Simple SSL. If any new accounts are assigned the admin role in a different way than through the regular user profile interface, the role of the user will be changed to subscriber immediately and an e-mail notification will be sent to the site administrator.

Why should you enable this?
In the event your website gets compromised (for example by a vulnerability in a plugin or theme), attackers will often start by creating a new user account with admin privileges. The “rogue” admin accounts are then used to further compromise your website. Enabling this setting will prevent attackers from exploiting this way into your site by restricting the assignment of the administrator role to the native user profile function of WordPress.

Warning: There are other legitimate ways of assigning the administrator role to a user. When this setting is enabled, making a user administrator by using third-party plugins or by using WP CLI commands will result in the user account being demoted to the subscriber role, and you’ll have to manually change the role to admin in the user’s profile settings. If you need to make a user administrator by using a third-party plugin, temporarily disable this setting while you make the change.

Also keep in mind that when you temporarily disable Really Simple SSL without disabling this setting, any admin accounts you create while Really Simple SSL is disabled will automatically be demoted to the subscriber role the moment you enable Really Simple SSL again!

To prevent this from happening disable this setting before disabling Really Simple SSL or read this article on how to fix this.
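The behaviour described in this section (approve the administrators that exist when the guard is switched on, demote any later administrator assignment that did not come through the user profile screens, and e-mail the site administrator) can be built on the set_user_role hook. The following is an added example written for this page, not Really Simple SSL's implementation; the option name, the approval list and the “came from the profile screen” heuristic are this example's own assumptions.

```php
<?php
// Added example, not the plugin's own code. Demotes accounts that receive
// the administrator role through any path other than the core user screens
// and notifies the site administrator. The option name, the approval list
// and the profile-screen heuristic are this example's own assumptions.

const EXAMPLE_APPROVED_ADMINS_OPTION = 'example_approved_admin_ids';

// Run once when the guard is switched on: every existing administrator is
// recorded as approved so the guard only reacts to new assignments.
function example_approve_current_admins(): array {
    $ids = array_map('intval', get_users(['role' => 'administrator', 'fields' => 'ID']));
    update_option(EXAMPLE_APPROVED_ADMINS_OPTION, $ids, false);
    return $ids;
}

// Heuristic: a POST to one of the core user screens by someone allowed to
// promote users. Anything else (WP-CLI, a plugin calling set_role(), code
// running through a vulnerability) is treated as unexpected.
function example_request_is_profile_screen(): bool {
    if (defined('WP_CLI') && WP_CLI) {
        return false;
    }
    if (!is_admin() || ($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    global $pagenow;
    $user_screens = ['user-edit.php', 'user-new.php', 'users.php', 'profile.php'];
    return in_array($pagenow, $user_screens, true) && current_user_can('promote_users');
}

add_action('set_user_role', function (int $user_id, string $role, array $old_roles): void {
    if ($role !== 'administrator') {
        return;
    }
    $approved = array_map('intval', (array) get_option(EXAMPLE_APPROVED_ADMINS_OPTION, []));
    if (in_array($user_id, $approved, true)) {
        return;
    }
    if (example_request_is_profile_screen()) {
        // Legitimate path: remember the new admin so later role edits pass.
        $approved[] = $user_id;
        update_option(EXAMPLE_APPROVED_ADMINS_OPTION, array_values(array_unique($approved)), false);
        return;
    }
    // Unexpected path: demote immediately and alert. set_role() fires this
    // hook again with role 'subscriber', which the first check ignores.
    $user = get_userdata($user_id);
    if (!$user) {
        return;
    }
    $user->set_role('subscriber');
    wp_mail(
        get_option('admin_email'),
        sprintf('[%s] Administrator role removed from user %d', get_bloginfo('name'), $user_id),
        sprintf(
            "User '%s' (ID %d) was given the administrator role outside the user profile screens and has been demoted to subscriber. Previous roles: %s",
            $user->user_login,
            $user_id,
            implode(', ', $old_roles) ?: '(none)'
        )
    );
}, 10, 3);
```

The same caveat the section gives for the plugin applies to this code: the approval list is only consulted while the hook is active, so an administrator created while it was disabled is demoted the next time that account's role is set. Call example_approve_current_admins() again after re-enabling to re-seed the list.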

File Permissions check

All files and directories on your webserver have permissions which determine who can read, write, modify and access them. These files and directories should not have more permissions than they require, as unnecessarily elevated permissions might leave your site vulnerable to attack.
The “File permissions check” setting enables a weekly scan that detects any files or folders in your environment with insecure permissions. If any such issues are discovered, you will be notified via e-mail as well as with a notice in the Really Simple SSL dashboard, and the plugin displays a “Fix” button to automatically correct these permissions. In addition, a report will be generated listing the exact items found to have insecure permissions, alongside their locations, in case you need to adjust their permissions manually.
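As an added example (not Really Simple SSL's scanner), the following PHP shows the two halves of such a check: a scan that flags every file or directory whose mode grants more than a baseline, returning the report described above, and a fix routine that applies the baseline and returns whatever it could not change. The baseline values (0644 for files, 0755 for directories, 0640 for wp-config.php) and the function names are this example's own choices.

```php
<?php
// Added example, not the plugin's own code. Scans a WordPress install for
// files and directories with more permission bits than a baseline, builds a
// report, and optionally corrects them. The baseline values and function
// names are this example's own choices.

const EXAMPLE_FILE_MODE = 0644;
const EXAMPLE_DIR_MODE  = 0755;
const EXAMPLE_STRICT    = ['wp-config.php' => 0640]; // tighter for secrets

function example_expected_mode(string $path): int {
    $name = basename($path);
    if (isset(EXAMPLE_STRICT[$name])) {
        return EXAMPLE_STRICT[$name];
    }
    return is_dir($path) ? EXAMPLE_DIR_MODE : EXAMPLE_FILE_MODE;
}

// A path is flagged when any bit outside its baseline is set: group/other
// write, execute on plain files, setuid/setgid/sticky. Symlinks are skipped
// so the scan never follows a link out of the install.
function example_scan_permissions(string $root): array {
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        if ($info->isLink()) {
            continue;
        }
        $actual   = $info->getPerms() & 07777; // drop the file-type bits
        $expected = example_expected_mode($path);
        if (($actual & ~$expected) !== 0) {
            $findings[] = [
                'path'     => $path,
                'actual'   => sprintf('%04o', $actual),
                'expected' => sprintf('%04o', $expected),
            ];
        }
    }
    return $findings;
}

// Apply the baseline to every finding; returns the paths that could not be
// changed (typically files owned by another system user) so they can go
// into the manual-adjustment part of the report.
function example_fix_permissions(array $findings): array {
    $failed = [];
    foreach ($findings as $finding) {
        if (!@chmod($finding['path'], octdec($finding['expected']))) {
            $failed[] = $finding['path'];
        }
    }
    return $failed;
}

// Usage from a plugin, mu-plugin or WP-CLI context where ABSPATH is defined:
// $report = example_scan_permissions(ABSPATH);
// $unfixed = example_fix_permissions($report);
```

Review the report before running the fix on a shared host: some environments intentionally run with 0664/0775 for group-writable deployments, and a blanket chmod would then break the deploy user's access rather than improve security.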

Enable Custom login URL

Changing your default login URL to a custom login URL will mitigate some bot attacks on the default WordPress login URLs. Any visitors or bots trying to access /wp-login.php (or /wp-admin) will be redirected to a custom page (a 404 page by default). This means that you will need to inform all users who need to log in to your site about the new custom login URL before you change it. It is part of the “security by obscurity” measures used to make it a little more difficult to try to gain unauthorized access to your website.

XML-RPC

XML-RPC can be seen as the precursor of the REST API for WordPress and can be used to communicate with your WordPress installation without being logged in. This protocol’s most well-known misuse is brute forcing username/password combinations. If you’re not using it, you can disable it under “Hardening.” If you’re unsure, you can use our learning mode to find out whether you are using it (for example, through the WordPress app) and only allow selected services.