How to enhance WordPress Website Security

The security of your WordPress website can be improved with the following measures.

Prevent usage of ‘admin’ username

By default, WordPress will create an ‘admin’ user on installation. You must change this username to something that cannot be guessed from your domain name. Also use a security plugin like Really Simple SSL to prevent the creation of an ‘admin’ username.

Prevent setting the public display name equal to the username.

Never set the public display name to the same value as the username. Change the public display name in the Users section. Because display names are easily found on your website, having users whose username matches their display name increases the risk of a user enumeration attack. Use a plugin that prevents the creation of users with a username equal to the display name, e.g. Really Simple SSL.

Prevent Login feedback

By default, WordPress provides feedback when a non-existent username is entered, and different feedback when the username exists but the password is wrong. This feedback makes it much easier to confirm usernames and guess passwords. Use a plugin like Really Simple SSL, which allows you to disable this textual feedback. Be aware, though, that even with the “wrong password” notices disabled, hackers may still be able to determine whether a given username exists on the WordPress website, based on the difference in response time between the site checking the password of an existing user and of a user that does not exist.

Author pages

WordPress creates an author page for each user. The URL of this page contains the username. Using this to enumerate users requires randomly trying URLs with candidate usernames, which produces a lot of 404 errors that can themselves be detected and blocked. A much easier way to enumerate authors is through the author-ID pages: (yoursite.com)/?author=(ID). This redirects the visitor to the page of the corresponding author, whose URL reveals the username. Really Simple SSL will block requests to the author-ID URL when “disable user enumeration” is enabled.
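The author-ID redirects and the 404-heavy author-page probing described above leave a recognisable trace in the web server's access log. The script below is an added example, not code from the original page or from Really Simple SSL: it parses constructed sample log lines and flags clients that request many distinct ?author=ID values or collect many 404s on /author/<name>/ URLs (the thresholds are assumed values you would tune to your own traffic).

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=3 HTTP/1.1" 404 1234
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?author=4 HTTP/1.1" 404 1234
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /author/admin/ HTTP/1.1" 404 1234
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /author/editor/ HTTP/1.1" 404 1234
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /author/jane/ HTTP/1.1" 200 5678
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET /author/webmaster/ HTTP/1.1" 404 1234
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /?author=2 HTTP/1.1" 301 0
192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9000
"""

# Client IP, request path and status code are all we need from each line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))

def find_enumeration(log_text, id_probe_threshold=3, author_404_threshold=3):
    """Return {ip: [reasons]} for clients whose requests look like author enumeration."""
    author_ids = defaultdict(set)  # ip -> distinct ?author=ID values requested
    author_404 = defaultdict(int)  # ip -> 404 responses on /author/<name>/ URLs
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, path, status = parsed
        url = urlparse(path)
        qs = parse_qs(url.query)
        if "author" in qs and qs["author"][0].isdigit():
            author_ids[ip].add(int(qs["author"][0]))   # author-ID probe (any status)
        elif url.path.startswith("/author/") and status == 404:
            author_404[ip] += 1                         # guessed author slug that missed
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= id_probe_threshold:
            findings[ip].append(f"{len(ids)} distinct ?author=ID probes")
    for ip, n in author_404.items():
        if n >= author_404_threshold:
            findings[ip].append(f"{n} 404s on /author/<name>/ URLs")
    return dict(findings)
```

Flagged IPs can be fed to your firewall or to a plugin's block list; a single ?author= request (as from 192.0.2.44) is ordinary traffic and is deliberately not reported.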

Disable “anyone can register”

Disable the built-in file editors.

Prevent code execution in the public uploads folder.

Enabling this option places a “.htaccess” file in your “wp-content/uploads/” directory that prevents any PHP code in that directory from executing. This is an added layer of protection against a hacker who manages to upload PHP code into your “uploads” directory: even if they do, the code will not execute while this option is enabled. The contents of the .htaccess file are below:

Hide your WordPress version

WordPress discloses its version by default. This option hides it from outsiders. We generally no longer recommend enabling this, since there are other ways of determining the WordPress version, such as fingerprinting static content like CSS and JavaScript files. It can be done with the Really Simple SSL and Wordfence plugins.

Disable directory browsing

Disable user enumeration

Disable XML-RPC Authentication

Jetpack requires XML-RPC authentication to work correctly. Do not disable it if the Jetpack plugin is used on the WordPress website.

Plugins: Really Simple SSL, Wordfence

Enable two-factor authentication

Enable reCAPTCHA v3