Enhanced WordPress Security in WordPress toolkit: Page 2 - Enhance Control Panel

Enhanced WordPress Security in WordPress toolkit

mth

george

ivansalloum

Actually, you could achieve all this by simply modifying the vhost file. It would be nicer if the client could toggle these on and off, I know.

Restricting Access to Files and Directories

Do you mean to a specific IP? If so:

location = /wp-config.php {
    allow <ip>;
    deny all;
}

Blocking Unauthorized Access to xmlrpc.php

location = /xmlrpc.php {
    	deny all;
}

Disabling Pingbacks

This could be done from the WP Dashboard.
You can disable the trackbacks and pingbacks feature by going to Settings » Discussion in the WordPress dashboard.
Then, just uncheck the box next to "Allow link notifications from other blogs (pingbacks and trackbacks) on new posts".
And uncheck the box next to ‘Attempt to notify any blogs linked to from the article’ option.
Click on the save changes button to store your settings.
Keep in mind that this setting only disables trackbacks and pingbacks for any new articles you publish.
All your old posts will still have trackbacks and pingbacks enabled.

Disabling File Editing in WordPress Dashboard

Add this to the wp-config.php file:
define('DISALLOW_FILE_EDIT', 'true');

Blocking Author Scans

This could be done using the Ninja Firewall plugin (which I use on all my sites) or through NGINX:

if ($args ~* "^author=([0-9]+|{num:[0-9]+)") {
    return 444;
}
if ($request_uri ~ "/wp-json/wp/v2/users") {
    return 444;
}
if ($request_uri ~ "/author/") {
    return 444;
}
if ($request_uri ~ "wp-sitemap-users-[0-9]+.xml") {
    return 444;
}

Blocking Directory Browsing

I think this is already done by Enhance by default using autoindex off;

Forbidding Execution of PHP Scripts in Specific Directories

You could use this:

location = /(?:uploads|files|wp-content|wp-includes)/.*.php$ {
	deny all;
}

Disabling Scripts Concatenation for WordPress Admin Panel

Add this to the wp-config.php file:
define('CONCATENATE_SCRIPTS', false);

Blocking Access to Sensitive Files

You could use this for example:

location = /install.php {
	deny all;
}
location = /upgrade.php {
	deny all;
}
location = /wp-config-sample.php {
	deny all;
}

This all should be done by the admin and there is no way to a client for now to make these changes. I would love if Enhance could give us the chance to make these changes global to WordPress sites in the future or by making a WP security tab in the Toolkit for toggling off and on.

Shaijee

cristianuibar

+1 - love these suggestions

bertvandepoel

We would love to see this implemented too. We're considering migrating to Enhance specifically for our WordPress customers who are unhappy with the performance on DirectAdmin. We'd like to see as much automated for them as possible to add value and to be able to "sell" them the migration more easily.

nsevimov

DracoBlue

LuisMiguel

Vendoz

Huge +1

thisisviniciusnascimento

grradmin

wav3front

Steamon

Cirrus

We are coming from Plesk and their WP Toolkit implements optional "Security Measures" (* means it can be reverted).

From our experience, sometimes developers upload nulled themes and plugins containing malicious code and such measures help prevent their evil intents.

Restrict access to files and directories

If access permissions for files and directories are not secure enough, these files can be accessed by hackers and used to compromise your website. This security measure sets the permissions for the wp-config file to 600, for other files to 644, and for directories to 755.

Configure security keys

WordPress uses security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY) to ensure better encryption of the information stored in the user's cookies. A good security key should be long (60 characters or longer), random and complex. The security check should verify that the security keys are set up and that they contain at least alphabetic and numeric characters.

Block access to xmlrpc.php *

This security measure prevents access to the xmlrpc.php file. It is recommended to apply it to reduce attack surface if XML-RPC is not used. This measure modifies the server configuration file (Apache, nginx for Linux or web.config for Windows). Note that custom directives in the .htaccess or web.config files might override this.

Block directory browsing *

If directory browsing is turned on, hackers can obtain various information about your website that can potentially compromise its security. Directory browsing is usually turned off by default, but if it is turned on, this security measure can block it. This measure modifies the server configuration file (Apache, nginx for Linux or web.config for Windows). Note that custom directives in the .htaccess or web.config files might override this.

Forbid execution of PHP scripts in the wp-includes directory *

The wp-includes directory may contain insecure PHP files that can be executed to take over and exploit your website. This security measure prevents the execution of PHP files in the wp-includes directory. This measure modifies the server configuration file (Apache, nginx for Linux or web.config for Windows). Note that custom directives in the .htaccess or web.config files might override this.

Forbid execution of PHP scripts in the wp-content/uploads directory *

The wp-content/uploads directory may contain insecure PHP files that can be executed to take over and exploit your website. This security measure prevents the execution of PHP files in the wp-content/uploads directory. This measure modifies the server configuration file (Apache, nginx for Linux or web.config for Windows). Note that custom directives in the .htaccess or web.config files might override this.

Block access to wp-config.php *

The wp-config.php file contains sensitive information like database access credentials, and so on. If, for some reason, processing of PHP files by the web server is turned off, hackers can access the content of the wp-config.php file. This security measure prevents access to the wp-config.php file. This measure modifies the server configuration file (Apache, nginx for Linux or web.config for Windows). Note that custom directives in the .htaccess or web.config files might override this.

Disable scripts concatenation for WordPress admin panel *

This security measure turns off concatenation of scripts running in the WordPress Administrator panel, preventing your website from being affected by certain DoS attacks. Turning off concatenation of scripts might slightly affect the performance of WordPress Administrator panel, but it should not affect your WordPress website from visitors' point of view.

Turn off pingbacks *

Pingbacks allow other WordPress websites to automatically leave comments under your posts when these websites link to these posts. Pingbacks can be abused to use your website for DDoS attacks on other sites. This security measure turns off XML-RPC pingbacks for your whole website and also disables pingbacks for previously created posts with pingbacks enabled.

Disable PHP execution in cache directories *

If a compromised PHP file ends up in one of the cache directories of your website, executing it can lead to compromising the whole website. This security measure disables execution of PHP files in cache directories, preventing such exploits from happening. Note that some plugins or themes might ignore the security recommendations from WordPress Security Team and store valid PHP executables in their cache directory. You might have to disable this security measure if you need to make such plugins or themes work.

Disable file editing in WordPress Dashboard *

Disabling file editing in WordPress removes the ability to directly edit the plugin and theme file sources in the WordPress interface. This measure adds an additional layer of protection for the WordPress website in case one of WordPress admin accounts is compromised. In particular, it prevents compromised accounts from easily adding malicious executable code to plugins or themes.

Change default database table prefix

WordPress database tables have the same standard names on all WordPress installations. When the standard wp_ prefix is used for the database table names, the whole WordPress database structure is transparent, making it easy for malicious scripts to obtain any data from it. This security measure changes the database table name prefix to something different than the default wp_ prefix. Note that changing database prefix on a website with production data might be dangerous, so it is strongly advised to back up your website before applying this measure.

Enable bot protection *

This measure protects your website from useless, malicious or otherwise harmful bots. It blocks bots that scan your website for vulnerabilities and overload your website with unwanted requests, causing resource overuse. Note that you might want to temporarily disable this measure if you're planning to use an online service to scan your website for vulnerabilities, since these services might also use such bots.

Block access to sensitive files *

This security measure prevents public access to certain files that can contain sensitive information like connection credentials or various information that can be used to determine which known exploits are applicable to your WordPress website.

Block access to potentially sensitive files *

This security measure prevents public access to certain files (for example, log files, shell scripts and other executables) that might exist on your WordPress website. Public access to these files could potentially compromise the security of your WordPress website.

Block access to .htaccess and .htpasswd *

Gaining access to .htaccess and .htpasswd files allows attackers to subject your website to a variety of exploits and security breaches. This security measure ensures that .htaccess and .htpasswd files cannot be accessed by abusers.

Block author scans *

Author scans are looking to find usernames of registered users (especially WordPress admin) and brute-force attack the login page of your website to gain access. This security measure prevents such scans from learning these usernames. Note that depending on the permalink configuration on your website this measure might prevent visitors from accessing pages that list all articles written by a particular author.

Change default administrator's username

During the installation WordPress creates a user with administrative privileges and the username 'admin'. Since usernames in WordPress cannot be changed, it is possible to try bruteforcing the password of this user to access WordPress as the administrator. This security measure creates WordPress administrator account with randomized username, and ensures that there is no user with the administrative privileges and 'admin' username. If 'admin' user is found, all content belonging to this user is reassigned to the new administrator account, and 'admin' user account is removed.

tomtr202

CloudyShaper

I recommend the plugin NinjaFirewall, it has all the features you requested.

« Previous Page