WordPress Security Measures
WordPress is one of the most widely used website builders on the internet. It's free, very customizable and open source. Because of its popularity, it is also the #1 target for hackers!
Here at NameHero we provide Softaculous with WordPress Manager. Softaculous provides security features to keep your WordPress site secure. Follow the guide below to secure your WordPress website.
The WordPress Manager security measures provide detailed information about each recommended update and allow you to apply them without having to use a plugin. If any of the security measures make your website work incorrectly, you can revert them at any time.
How to access WordPress Manager
WordPress Manager Security Measures
Change default administrator’s username
Restrict access to files and directories
Block unauthorized access to xmlrpc.php
Block access to .htaccess and .htpasswd
Turn off pingbacks
Disable file editing in WordPress Dashboard
Block author scans
Block directory browsing
Forbid execution of PHP scripts in the wp-includes directory
Forbid execution of PHP scripts in the wp-content/uploads directory
Disable scripts concatenation for WordPress admin panel
Block access to sensitive files
Enable bot protection
How to access WordPress Manager
Log in to your cPanel account. On the left menu, click the link for 'WordPress Manager by Softaculous'.
WordPress Manager Security Measures
With WordPress Manager by Softaculous, the Security Measures can be applied to one or more WordPress sites by selecting the right-most checkbox next to the desired WordPress installations.
Below are the security measures provided by WordPress Manager to secure your WordPress site.
Change default administrator’s username
WordPress does not allow you to change a username, and if you installed WordPress with the administrator username ‘admin’ your site is at risk from anyone who tries to brute-force the login with the username admin. This security option changes the username from admin to a randomly generated username. You can use the Login button in WordPress Manager to log in with the newly created admin account.
Restrict access to files and directories
Insecure permissions on files and directories can lead to unauthorized access by hackers and be used to compromise your website. This security option sets the permissions of the wp-config.php file to 0600, of other files to 0644, and of directories to 0755.
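The same permission set applied by hand, as an added example that is not Softaculous or NameHero code: one function applies the modes the measure describes to a document root, and a second reports any path that later drifts from them. It assumes a POSIX find(1) and chmod(1) and that it runs as the owner of the WordPress files.

```shell
# Added example, not Softaculous code: apply the permission set that the
# "Restrict access to files and directories" measure describes to a
# WordPress document root, then verify that nothing deviates from it.
# Assumes a POSIX find(1)/chmod(1) and that you run as the file owner.

harden_wp_perms() {
    root="$1"
    [ -d "$root" ] || return 2
    # Directories 0755: owner may write, everyone may traverse.
    find "$root" -type d -exec chmod 0755 {} +
    # Regular files 0644: world-readable, only the owner may write.
    find "$root" -type f -exec chmod 0644 {} +
    # wp-config.php holds DB credentials and salts: owner-only (0600).
    [ -f "$root/wp-config.php" ] && chmod 0600 "$root/wp-config.php"
    return 0
}

# Returns 0 when every path has the expected mode; otherwise lists the
# offenders on stdout and returns 1, so it can run from cron or CI.
check_wp_perms() {
    root="$1"
    bad=$( {
        find "$root" -type d ! -perm 0755
        find "$root" -type f ! -name wp-config.php ! -perm 0644
        find "$root" -type f -name wp-config.php ! -perm 0600
    } )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Run check_wp_perms on a schedule: a PHP file that appears in wp-content/uploads with a mode other than 0644 is worth a look even if it is not executable through the web server.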
Block unauthorized access to xmlrpc.php
This security option prevents access to the xmlrpc.php file.
Note: Custom directives in the .htaccess files might override this.
Block access to .htaccess and .htpasswd
Gaining access to .htaccess and .htpasswd files allows attackers to subject your website to a variety of exploits and security breaches. This security option ensures that .htaccess and .htpasswd files cannot be accessed over the web by abusers.
Turn off pingbacks
Pingbacks allow other WordPress websites to automatically leave comments under your posts when those websites link to them. Pingbacks can be abused to use your website for DDoS attacks on other sites. This security option turns off XML-RPC pingbacks for your whole website and also disables pingbacks on previously created posts that had them enabled.
Disable file editing in WordPress Dashboard
Disabling file editing in WordPress removes the ability to edit plugin and theme source files directly in the WordPress interface. This option adds an additional layer of protection for the WordPress website in case one of the WordPress admin accounts is compromised. In particular, it prevents compromised accounts from easily adding malicious executable code to plugins or themes.
Block author scans
Author scans are used to find the usernames of registered users via their user IDs (especially the WordPress admin) and eventually brute-force the login page of your website to gain access. This security option prevents such scans from exposing the usernames.
Note: Depending on the permalink configuration on your website, this option might prevent visitors from accessing pages that list all articles written by a particular author.
Block directory browsing
If directory browsing is turned on, hackers can obtain various information about your website that can potentially compromise its security. Directory browsing is usually turned off by default, but if it is turned on, this security option can block it.
Forbid execution of PHP scripts in the wp-includes directory
The wp-includes directory may contain insecure PHP files that can be executed to take over and exploit your website. This security option prevents the execution of PHP files in the wp-includes directory.
Note: Custom directives in the .htaccess files might override this.
Forbid execution of PHP scripts in the wp-content/uploads directory
The wp-content/uploads directory may contain insecure PHP files that can be executed to take over and exploit your website. This security option prevents the execution of PHP files in the wp-content/uploads directory.
Note: Custom directives in the .htaccess files might override this.
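Most of the measures from xmlrpc.php through the two PHP-execution rules are Apache .htaccess directives. The script below, an added example rather than the rules Softaculous writes, shows one way to express them for Apache 2.4; it assumes AllowOverride permits FileInfo, Options and AuthConfig, that mod_rewrite is loaded, and that the site's existing .htaccess (with the WordPress permalink block) should be kept rather than replaced.

```shell
# Added example, not Softaculous code: the Apache 2.4 .htaccess rules behind
# the xmlrpc.php, .htaccess/.htpasswd, author-scan, directory-browsing and
# PHP-execution measures. Assumes AllowOverride permits FileInfo, Options and
# AuthConfig and that mod_rewrite is loaded; the root block is appended once
# (marker-guarded) so the existing WordPress permalink rules are preserved.

write_wp_hardening_htaccess() {
    root="$1"
    [ -d "$root" ] || return 2
    mkdir -p "$root/wp-includes" "$root/wp-content/uploads"
    if ! grep -qs '^# BEGIN wp-hardening' "$root/.htaccess"; then
        cat >> "$root/.htaccess" <<'EOF'
# BEGIN wp-hardening
# Block unauthorized access to xmlrpc.php (this also stops XML-RPC pingbacks).
<Files "xmlrpc.php">
    Require all denied
</Files>
# Block access to .htaccess and .htpasswd over the web.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
# Block directory browsing.
Options -Indexes
# Block author scans (/?author=N); with plain permalinks this also blocks author archives.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+ [NC]
    RewriteRule ^ - [F,L]
</IfModule>
# END wp-hardening
EOF
    fi
    # Forbid PHP execution in wp-includes and wp-content/uploads.
    for dir in wp-includes wp-content/uploads; do
        cat > "$root/$dir/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
    done
}

# Returns 0 when the three .htaccess files carry the expected directives.
check_wp_hardening_htaccess() {
    root="$1"
    grep -q '^# END wp-hardening' "$root/.htaccess" &&
    grep -q 'Require all denied' "$root/wp-includes/.htaccess" &&
    grep -q 'Require all denied' "$root/wp-content/uploads/.htaccess"
}
```

After applying, request /xmlrpc.php and /wp-content/uploads/ from outside and confirm both return 403; a 500 instead means the host's AllowOverride does not permit one of the directives.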
Disable scripts concatenation for WordPress admin panel
This security option turns off the concatenation of scripts loaded in the WordPress admin panel, preventing your website from being affected by certain DoS attacks. Turning off script concatenation might slightly affect the performance of the WordPress admin panel, but it should not affect visitors’ experience on your WordPress website.
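The file-editing and script-concatenation measures are not web-server rules but wp-config.php constants (DISALLOW_FILE_EDIT and CONCATENATE_SCRIPTS). This added example, not Softaculous code, inserts them ahead of the standard "stop editing" marker so they are defined before wp-settings.php loads, and skips any constant the site already defines; it assumes the marker line is present, as it is in the stock wp-config-sample.php.

```shell
# Added example, not Softaculous code: the "Disable file editing" and
# "Disable scripts concatenation" measures correspond to two wp-config.php
# constants. This inserts them ahead of the "stop editing" marker (so they
# are defined before wp-settings.php loads) and leaves existing defines alone.

harden_wp_config() {
    cfg="$1"
    [ -f "$cfg" ] || return 2
    # Without the standard marker we cannot place the defines safely.
    grep -q 'stop editing' "$cfg" || return 3
    for c in DISALLOW_FILE_EDIT:true CONCATENATE_SCRIPTS:false; do
        name=${c%%:*}
        value=${c#*:}
        # Skip constants the site already defines (any spacing or quoting).
        grep -q "define *( *['\"]$name['\"]" "$cfg" && continue
        line="define( '$name', $value ); // hardening: WordPress Manager equivalent"
        awk -v ins="$line" '/stop editing/ && !done { print ins; done = 1 } { print }' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    done
}

# Returns 0 when both constants are set to the hardened values.
wp_config_hardened() {
    cfg="$1"
    grep -Eq "DISALLOW_FILE_EDIT['\"] *, *true" "$cfg" &&
    grep -Eq "CONCATENATE_SCRIPTS['\"] *, *false" "$cfg"
}
```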
Block access to sensitive files
This security option prevents public access to certain files that can contain sensitive information, such as connection credentials, or information that can be used to determine which known exploits your WordPress website is vulnerable to.
Enable bot protection
This option protects your website from useless, malicious or otherwise harmful bots. It blocks bots that scan your website for vulnerabilities and overload it with unwanted requests, causing resource overuse.
Note: You might want to temporarily disable this measure if you’re planning to use an online service to scan your website for vulnerabilities, since these services might also use such bots.
Updated on: 10/10/2024