Solid Security WordPress Tweaks

These are advanced settings that can be used to further strengthen the security of your WordPress site.

Note: These settings are listed as advanced because they block common forms of attack, but they can also block legitimate plugins and themes that rely on the same techniques. Some of these settings might therefore conflict with other plugins or themes, so enable them one at a time and test that everything on your site still works as expected after each one.

Disable File Editor

Disables the built-in file editor for plugins and themes, so that modifying those files requires access to the file system. Once activated, you will need to edit theme and other files manually using a tool other than WordPress.

API Access

XML-RPC

  • Enable XML-RPC = XML-RPC is fully enabled and will function as normal.
  • Disable Pingbacks = Your site will not be susceptible to denial of service attacks via the trackback/pingback feature. Other XML-RPC features will work as normal. Choose this option if you need features such as Jetpack or the WordPress mobile app.
  • Disable XML-RPC = XML-RPC will be completely disabled by your web server and is the safest option. This will prevent features such as Jetpack that require XML-RPC from working.

Multiple Authentication Attempts per XML-RPC Request

WordPress' XML-RPC feature allows hundreds of username and password guesses in a single request. Leaving this setting unchecked prevents attackers from exploiting this feature.

  • Unchecked = Blocks XML-RPC requests that contain multiple login attempts. This setting is highly recommended.
  • Checked = Allows XML-RPC requests that contain multiple login attempts. Only use this setting if a service requires it.
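
To show how the three XML-RPC modes above and the multiple-authentication-attempts block work at the WordPress level, here is an added must-use plugin example. It is constructed for this article, not Solid Security's own code: `$xmlrpc_mode` and `$allow_multicall` are hypothetical stand-ins for the plugin's settings, and the "disable" mode uses WordPress filters rather than the web-server block the plugin applies, so the endpoint itself still answers.

```php
<?php
/**
 * Plugin Name: XML-RPC hardening example (constructed for illustration)
 *
 * Place in wp-content/mu-plugins/ on a test site. The two variables below are
 * hypothetical stand-ins for the settings described above.
 */

// Hypothetical setting mirroring the three options: 'enable', 'disable_pingbacks' or 'disable'.
$xmlrpc_mode = 'disable_pingbacks';

// Mirrors "Multiple Authentication Attempts per XML-RPC Request":
// false = unchecked (block multi-login requests), true = checked (allow them).
$allow_multicall = false;

if ( 'disable' === $xmlrpc_mode ) {
	// Makes every authenticated XML-RPC call fail. Unlike the web-server block
	// described above, the /xmlrpc.php endpoint still responds to requests.
	add_filter( 'xmlrpc_enabled', '__return_false' );
}

add_filter( 'xmlrpc_methods', function ( array $methods ) use ( $xmlrpc_mode, $allow_multicall ) {
	if ( 'disable' === $xmlrpc_mode ) {
		// Unregister every method so nothing is callable, not just logins.
		return array();
	}

	if ( 'disable_pingbacks' === $xmlrpc_mode ) {
		// Remove the pingback methods used for trackback/pingback denial of service.
		unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	}

	if ( ! $allow_multicall ) {
		// system.multicall bundles many calls, each with its own username and
		// password, into one HTTP request. Removing it is what limits a request
		// to a single login attempt.
		unset( $methods['system.multicall'] );
	}

	return $methods;
} );
```

After enabling it, confirm that services you rely on (such as Jetpack or the mobile app) still authenticate over XML-RPC before keeping the setting.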

REST API

The WordPress REST API is part of WordPress and provides developers with new ways to manage WordPress. By default, it could give public access to information that you believe is private on your site. For more details, you can see our post about the WordPress REST API here.

  • Default Access = Access to REST API data is left as default. Information, including published posts, user details, and media library entries, is available for public access.
  • Restricted Access = Restrict access to most REST API data. This means that most requests will require a logged-in user or a user with specific privileges, blocking public requests for potentially private data. We recommend selecting this option.

Users

Login with Email Address or Username

By default, WordPress allows users to log in using either an email address or a username. This setting lets you restrict logins to accept only email addresses, or only usernames.

Force Unique Nickname

This forces users to choose a unique nickname when updating their profile or creating a new account, which prevents bots and attackers from easily harvesting users' login usernames from the code on author pages. Note: this does not automatically update existing users, because doing so would change their author feed URLs.

Disable Extra User Archives

Disables a user's author page if their post count is 0. By removing post archives for users who have never published on your site, this makes it harder for bots to discover usernames.
