Website security is an important problem that many WordPress newcomers overlook. Many only learn how to secure a WordPress site when they run into trouble and have to turn to WordPress experts. This series of tutorials walks you through a set of steps to protect your WordPress website. Here are steps 28 to 32 of the 32-step WordPress website security ultimate checklist. Today we will look at steps 28 to 32.
WordPress website security ultimate checklist Step 28 ~ 32
28. Disable the XML-RPC feature (if you don't use it)
WordPress allows other applications to access it remotely through an application programming interface (API). In other words, other applications can reach into your website. A typical example is XML-RPC, which you can use to update the website content.
Many plugins also rely on XML-RPC; for example, the Jetpack plugin package uses XML-RPC functions.
However, hackers may also use XML-RPC to attack your website.
Today many users believe that XML-RPC is as secure as the WordPress core. In fact, hackers can use XML-RPC for phishing scams.
If you are sure that you will not use third-party applications to access WordPress and that no plugin on the site needs this feature, you can install any of these plugins to disable XML-RPC. If you already use All In One WP Security & Firewall, you can do it easily by going to WP Security » Firewall and ticking the checkbox under WordPress XMLRPC & Pingback vulnerability protection.
29. Disable PHP error reporting
During development of your website, error reporting is like a life preserver: when an error occurs, it tells you exactly where the error is, so you can fix it quickly.
However, on production sites, error reports give hackers an easy way to obtain valuable information.
For example, here is an error report:
This report revealed the username of the account. If someone is looking for a way to break into your site, that is a very valuable piece of information.
This is just one error message; if an attacker wants to find a target's weaknesses, other error reports will reveal even more.
To turn off PHP error reporting, put the following settings into your php.ini file:
; 4339 = E_ERROR | E_WARNING | E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_COMPILE_WARNING | E_RECOVERABLE_ERROR
; (no notices or deprecations)
error_reporting = 4339
; Never print errors to the browser, including errors raised during PHP startup
display_errors = Off
display_startup_errors = Off
; Write errors to a log file outside the web root instead
log_errors = On
error_log = /home/example.com/logs/php_error.log
; log_errors_max_len was removed in PHP 8.1 and is ignored there
log_errors_max_len = 1024
; Suppress consecutive repeats of the same message from the same file and line
ignore_repeated_errors = On
ignore_repeated_source = Off
; Plain-text log messages, no HTML markup
html_errors = Off
; Note: WordPress re-enables display_errors at runtime when WP_DEBUG is on, so keep WP_DEBUG off in wp-config.php on production
This enhances the security of your WordPress website and reduces the chance of exposing sensitive information.
30. Installing a firewall
We can divide firewalls into two categories, or say that they serve two main purposes. In network security, firewalls are used mainly to separate different kinds of networks: either to stop external access coming in, or to stop internal traffic going out.
By analogy, a firewall is like a bodyguard at a party: only the important people on the guest list can enter. Developers often use firewall software to keep hackers away from a site, just as the guest list keeps uninvited guests out of the party.
For WordPress site security, we usually use a web application firewall (WAF for short) to stop hackers from getting their dirty little hands on sites they have no business touching.
There are many kinds of WAF, but on a WordPress server the most reliable free and open-source firewall available is ModSecurity.
Ask your hosting provider whether a firewall is installed on your server space. Once the firewall is enabled, your hosting provider, the WordPress programmer you hire, or you yourself can set ModSecurity rules to protect your WordPress site.
31. Using a CDN firewall
A CDN (Content Delivery Network) mainly optimizes site performance by caching web resources.
At the same time, a CDN provides an additional feature: the vast majority of CDNs can also protect the security of WordPress sites.
If you use a CDN (which you need if your site receives heavy traffic), you should also set up its security rules to improve the protection of your WordPress site.
32. Monitor WordPress site security with security logs
If you don't know what kind of attacks your site encounters, you cannot stop those attacks, right?
By monitoring the logs, you can strengthen the protection of your WordPress site. For example, if you find a large number of attack attempts all coming from one country, and that country is not one you care about, you can set a rule to block that country.
Of course, this is just a simple example of what log monitoring can do.
If you have direct access to the host server, you can use OSSEC to monitor the server's logs. Otherwise, you can install the WordPress Security Audit Log plugin to monitor your security logs. You can also install the IQ Block Country plugin to block certain attacker countries from the backend, or from both backend and frontend.
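As an added example (not from the original post), here is a small Python script that does the kind of log monitoring step 32 describes and also spots the XML-RPC abuse step 28 warns about: it reads web-server access-log lines in the common "combined" format and flags source IPs with repeated failed logins or bursts of POSTs to xmlrpc.php. The sample log lines and the alert thresholds are constructed assumptions, not real traffic or recommended values.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "path": m["path"].split("?", 1)[0]}  # drop any query string

def detect(lines, login_threshold=4, xmlrpc_threshold=3):
    """Return {ip: [alert, ...]} for source IPs that exceed the (assumed) thresholds."""
    # WordPress re-renders wp-login.php with HTTP 200 on a failed login and redirects (302)
    # on success, so 200 POSTs count as failures. Every xmlrpc.php POST counts.
    failed_logins, xmlrpc_posts = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] == "/wp-login.php" and rec["status"] == 200:
            failed_logins[rec["ip"]] += 1
        elif rec["path"] == "/xmlrpc.php":
            xmlrpc_posts[rec["ip"]] += 1
    alerts = defaultdict(list)
    for counter, limit, label in ((failed_logins, login_threshold, "failed logins"),
                                  (xmlrpc_posts, xmlrpc_threshold, "xmlrpc.php POSTs")):
        for ip, n in counter.items():
            if n >= limit:
                alerts[ip].append(f"{n} {label}")
    return dict(alerts)

# Constructed sample log using documentation IP ranges; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.23 - - [10/Oct/2023:13:56:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.23 - - [10/Oct/2023:13:56:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.5 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
```

Calling detect(SAMPLE_LOG.splitlines()) flags the first two addresses and leaves the successful (302) login alone; feed it a real access log line by line to use it on your own server.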
This article series has detailed the ultimate 32 steps to enhance your WordPress site security. If you have not considered strengthening WordPress security before, the series may give you inspiration and suggestions. Fortunately, none of the steps described require much expertise, and they can be completed easily.
WordPress security is critical. Your website may be under attack at this very moment.
Even if you do not intend to implement all 32 steps above, we strongly recommend that you implement most of the measures in the series. They can genuinely enhance the security of your WordPress site.
(Finished. Read earlier posts of this series…)