Step 1: Open .htaccess in your website’s root directory:
sudo nano /var/www/html/.htaccess
Note: Replace ‘html’ with your site’s directory name
Step 2: Add the following code to the top of your .htaccess file:
# Block WordPress xmlrpc.php requests
# The <Files> wrapper limits the deny rule to xmlrpc.php; without it, the
# "deny from all" would block every request to the site.
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
If you’ve done a bit of research already, you’ll have seen many websites suggesting adding the following line of code to a plugin file, or optionally to functions.php in your /wp-content/themes directory:
add_filter('xmlrpc_enabled', '__return_false');
However, as security consultant Scott Brown notes, this method is ineffective since it only blocks “authenticated XML-RPC methods, not all XML-RPC methods”.
Disable the file editor
With WordPress it is easy to edit your theme’s files from within the admin dashboard. You can see it in action at Appearance > Theme file editor. While convenient for quick changes or when you don’t have access to a terminal, it’s also a major security risk: anyone who obtains an account with the necessary privileges can edit theme files, which run as PHP on the server, and from there gain access to all your information.
Step 1: Open wp-config.php file in your site’s root directory:
sudo nano /var/www/html/wp-config.php
Step 2: Add the following code to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
Disable file and plugin management
When the DISALLOW_FILE_MODS constant is set to true in wp-config.php, theme installation and updates, plugin installation and updates, as well as the file editor functions are removed from the dashboard.
Note: When theme, plugin, and file functions are removed from the dashboard, you’ll have to use the WordPress CLI as a substitute to accomplish these tasks. Learn more about the WP CLI at wp-cli.org.
Step 1: Open wp-config.php file in your site’s root directory:
sudo nano /var/www/html/wp-config.php
Step 2: Add the following code to your wp-config.php file:
define('DISALLOW_FILE_MODS', true);
Prevent user enumeration
User enumeration refers to a process by which threat actors can determine valid WordPress users. With a valid username, attackers can attempt to brute force their way into your WordPress site.
You can easily test user enumeration on your site: add /?author=1 to your website address, for example https://bears.cloud/?author=1.
If users can be enumerated on your site, you’ll see the username corresponding with the user ID, along with all posts by that user. With the use of a script, the user ID can be incremented automatically to get a list of all users on the WordPress site.
Step 1: To prevent user enumeration, open the .htaccess file in your site’s root directory:
sudo nano /var/www/html/.htaccess
Step 2: Add the following code to .htaccess:
# Prevent user enumeration
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule (.*) $1? [L,R=301]
Disable expose_php
Reducing the amount of sensitive information freely available about the software powering a WordPress site can help reduce the potential for an attack.
Type the following in a terminal window:
curl --head https://www.bears.cloud
Here’s the output of a server with expose_php enabled:
HTTP/1.1 200 OK
Date: Sat, 23 Jul 2022 08:09:39 GMT
Server: Apache/2.4.46 (CentOS)
X-Powered-By: PHP/7.4.16
Content-Type: text/html; charset=UTF-8
X-Powered-By reveals not only that we’re running PHP (which is obvious, since we’re running WordPress), but also the exact version of PHP supporting our WordPress installation. Set expose_php to off in your php.ini file:
sudo nano /etc/php/7.4/apache2/php.ini
Then, find expose_php (around line 379 on my system) and set it to off:
expose_php = Off
Then, restart Apache:
sudo systemctl restart apache2
Now when we run the curl command again, we get:
HTTP/1.1 200 OK
Date: Sat, 23 Jul 2022 08:17:11 GMT
Server: Apache/2.4.46 (CentOS)
Content-Type: text/html; charset=UTF-8
Disable the Apache server signature
When you look at the output of the curl command above, you’ll notice that it still reveals the Apache2 version, as well as our server’s operating system. Just like the PHP version number, that’s information we’d like to hide from attackers. We can achieve this by making a small change to the Apache2 security configuration file.
Step 1: Open the security.conf file:
sudo nano /etc/apache2/conf-enabled/security.conf
Step 2: Find and change ServerTokens to Prod:
ServerTokens Prod
Step 3: Find and change ServerSignature to Off:
ServerSignature Off
Step 4: Save and close the file, then restart Apache2:
sudo systemctl restart apache2
Now when we run our curl command, we get the following output:
curl --head https://www.bear.cloud
HTTP/1.1 200 OK
Date: Sat, 23 Jul 2022 08:31:29 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Disable Version Information
We can remove WordPress version information by adding a few lines of code in functions.php.
Step 1: Open functions.php in your theme directory:
sudo nano /var/www/esque/wp-content/themes//functions.php
Step 2: Add the following code:
/** Remove WP Version Info **/
// the_generator builds both the <meta name="generator"> tag in page HTML
// and the <generator> element in feeds; returning '' removes both.
function remove_wp_version() {
    return '';
}
add_filter('the_generator', 'remove_wp_version');
Now when you check your site’s source or feed file, you’ll see that the WordPress version number has been removed.
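To confirm that the changes from the xmlrpc.php, user enumeration, expose_php, ServerTokens and version information sections actually took effect, here is an added Python check script; it is not part of the original guide. It fetches the front page, /?author=1 and /xmlrpc.php once each without following redirects and reports the same things the curl commands above show; the script name, the PASS/FAIL labels and the site URL on the command line are my own assumptions.

```python
import re
import sys
import urllib.error
import urllib.request

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow 3xx: the Location header is what the author check inspects.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url):
    """Return (status, headers dict, body text) for one GET, redirects not followed."""
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=10) as r:
            return r.status, dict(r.headers), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # urllib raises for 3xx/4xx/5xx here
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")

def header_leaks(headers):
    """Version-revealing headers still present (expose_php / ServerTokens sections)."""
    h = {k.lower(): v for k, v in headers.items()}
    leaks = ["X-Powered-By"] if "x-powered-by" in h else []
    if re.search(r"[/(]", h.get("server", "")):  # 'Apache/2.4.46 (CentOS)' vs 'Apache'
        leaks.append("Server")
    return leaks

def generator_leak(body):
    """True if the WordPress generator tag (HTML meta or feed element) survives."""
    pat = r'name="generator"\s+content="WordPress|<generator>[^<]*\?v='
    return re.search(pat, body, re.I) is not None

def author_enumerable(status, headers):
    """Unhardened WordPress answers ?author=N with a 301 to /author/<username>/."""
    loc = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return status in (301, 302) and "/author/" in loc

def audit(base):
    """Run every check against a live site; returns {check name: passed}."""
    st, hd, body = fetch(base + "/")
    st_a, hd_a, _ = fetch(base + "/?author=1")
    st_x, _, _ = fetch(base + "/xmlrpc.php")
    return {"no version headers": not header_leaks(hd),
            "no generator tag": not generator_leak(body),
            "author enumeration blocked": not author_enumerable(st_a, hd_a),
            "xmlrpc.php blocked": st_x == 403}  # 405 means the endpoint is still live

if __name__ == "__main__":  # usage: python wp_audit.py https://example.com
    for name, ok in audit(sys.argv[1].rstrip("/")).items():
        print("PASS" if ok else "FAIL", name)
```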