Hardening WordPress with WP Cerber
It’s very important to have WordPress protected, and it’s easy to do this by using the built-in WP Cerber security features. All suggested settings are mandatory for most websites on the Internet. If, in some custom case, you need these functions to be accessible from a particular host or IP network, you can easily add that IP or network to the White IP Access List.
Disable REST API
Block access to the WordPress REST API. The ability to send invisible requests to the core of your WordPress makes hackers even happier than the ability to hack websites using XML-RPC. If you don’t use the WordPress REST API, disable it!
Why it’s important to restrict access to the WordPress REST API
Block access to the XML-RPC server, including Pingbacks and Trackbacks. Do you know that hackers are using this hidden entrance to find out logins stealthily? Do you have a CAPTCHA or reCAPTCHA on the login form to protect it from bots? Don’t be silly: modern bots use XML-RPC and the WP REST API to brute-force your WordPress, and you don’t even know how and when they are doing that, because CAPTCHA does not work for XML-RPC requests. Nowadays XML-RPC makes hackers happy and they love it a lot. After activating this setting your website will return 404 Page Not Found.
Stop user enumeration
This blocks access to author pages like /?author=N, where N is any number. Intruders and hackers can easily find out the logins of all users on your website just by scanning numbers from 1 upward. This behavior is enabled in WordPress by design, and hackers around the world love it. After activating this setting your website will return 404 Page Not Found.
Block access to the RSS, Atom and RDF feeds. This does not allow hackers to find out what software is installed on your website or to collect additional information that helps them tailor further attacks against your WordPress. After activating this setting your website will return 404 Page Not Found.
Note: none of the settings above affect hosts from the White IP Access List, so you can easily allow, for instance, publishing posts via XML-RPC from your own IP address just by adding it to the White IP Access List.
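To check that these four settings actually took effect, and to spot who is knocking on those hidden entrances, it helps to read the web server access log for the paths involved. The following script is an added example and not part of WP Cerber; it parses combined-format log lines (the sample lines are constructed, not real traffic), skips hosts in an assumed White IP Access List, counts probes per client, and reports any probe that did not receive the expected 404.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample in Apache/NGINX combined log format (not captured traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Apr/2017:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Apr/2017:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Apr/2017:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Apr/2017:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.9"
198.51.100.7 - - [28/Apr/2017:10:01:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1200 "-" "python-requests/2.9"
192.0.2.10 - - [28/Apr/2017:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "WordPress/4.7"
192.0.2.20 - - [28/Apr/2017:10:03:00 +0000] "GET /feed/ HTTP/1.1" 200 5000 "-" "Feedly/1.0"
192.0.2.20 - - [28/Apr/2017:10:03:05 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# The entrances the settings above close, keyed by the WP Cerber setting they map to.
PROBES = {
    "rest_api": re.compile(r"^/wp-json(/|$)|[?&]rest_route="),
    "xmlrpc": re.compile(r"^/xmlrpc\.php"),
    "user_enum": re.compile(r"^/\?author=\d+|^/author/"),
    "feeds": re.compile(r"/feed/?$|[?&]feed=(rss2?|atom|rdf)"),
}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def find_probes(log_text, whitelist):
    """Return (probes per non-whitelisted IP, probes that were not answered with 404)."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    hits = defaultdict(lambda: defaultdict(int))
    not_blocked = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line; ignore it
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in nets):
            continue  # White IP Access List hosts are exempt from all four settings
        for kind, pattern in PROBES.items():
            if pattern.search(m["path"]):
                hits[m["ip"]][kind] += 1
                if m["status"] != "404":
                    not_blocked.append((m["ip"], kind, m["path"], m["status"]))
    return {ip: dict(kinds) for ip, kinds in hits.items()}, not_blocked

if __name__ == "__main__":
    # Assumed White IP Access List: the site owner's own network.
    hits, not_blocked = find_probes(SAMPLE_LOG, ["192.0.2.0/24"])
    for ip, kinds in hits.items():
        print(ip, kinds)
    for entry in not_blocked:
        print("not blocked:", entry)
```

A 301 on /?author=N is the pre-hardening WordPress redirect to the author slug, so any non-404 entry in the second list means the corresponding setting is not yet in force for that path.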
If you have root access to your web server, I also recommend following these tips: Hardening WordPress with WP Cerber and NGINX