General security settings for WordPress
If you are using WordPress on a Plesk server, make sure that all necessary security measures are taken for the WordPress instance and that these are checked regularly.
Checklist
- Current version of WordPress
- Current version of all plugins used
- Deactivation of the WordPress cron function
- Deactivation of the WordPress XML-RPC interface
- Activation of the recommended security settings
- Use of a web application firewall (WAF)
Current version of WordPress
Open the Plesk Control Panel and check whether an update is available for the WordPress version you are using.
Current version of all plugins used
Plugin updates can be installed from the Plugins menu item in the Plesk Control Panel, or you can activate the Update all plugins automatically function.
Most WordPress compromises exploit known vulnerabilities in plugins and themes rather than in WordPress core, which is why automatic updates are recommended. Remove plugins you no longer use instead of merely deactivating them: the files of a deactivated plugin remain on disk and can still be requested directly by an attacker.
Deactivation of the WordPress cron function
The wp-cron.php file runs the scheduled tasks of WordPress, such as checking for updates, publishing scheduled posts and sending email notifications. By default it is triggered by page views: on every page load WordPress checks whether a task is due and, if so, sends a request to wp-cron.php. On a low-traffic site tasks therefore run late, because nothing triggers them until a visitor arrives; on a busy site every request carries the extra cron check. With this option you disable the page-load trigger (WordPress reads the DISABLE_WP_CRON constant in wp-config.php for this) and run wp-cron.php from a scheduled task in Plesk instead, at a fixed interval such as every 15 minutes.
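The switch described above, as an added shell example rather than code from Plesk or WordPress: it sets DISABLE_WP_CRON in wp-config.php idempotently and prints the crontab line that takes over. The document root /var/www/vhosts/example.com/httpdocs and the bare php command are assumptions; the wp-config.php it edits is constructed for the demo.

```shell
#!/bin/sh
# Added example, not Plesk's or WordPress's own code: switch wp-cron.php from
# the page-load trigger to a scheduled task. The document root in the demo is
# an assumed path; on Plesk the vhost lives under /var/www/vhosts/<domain>/.

# Return 0 if wp-config.php already disables the page-load trigger.
wpcron_disabled() {
    grep -Eq "define[(][[:space:]]*['\"]DISABLE_WP_CRON['\"][[:space:]]*,[[:space:]]*true[[:space:]]*[)]" "$1"
}

# Add define('DISABLE_WP_CRON', true); above the "stop editing" marker so it
# is set before wp-settings.php loads, or append it if the marker is missing.
# Idempotent: a second call changes nothing.
wpcron_disable() {
    wpcron_disabled "$1" && return 0
    awk -v line="define('DISABLE_WP_CRON', true);" '
        !done && /stop editing/ { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the crontab line that replaces the trigger. Every 15 minutes is a
# common interval; shorten it if a plugin needs tighter timing. "php" is
# assumed to be the PHP CLI for the site (Plesk ships versioned binaries
# under /opt/plesk/php/<version>/bin/php).
wpcron_crontab_line() {
    printf '*/15 * * * * cd %s && php wp-cron.php >/dev/null 2>&1\n' "$1"
}

# Demo on a constructed wp-config.php (not a real site).
wpcron_demo() {
    d=$(mktemp -d)
    cat > "$d/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
    wpcron_disable "$d/wp-config.php"
    wpcron_disabled "$d/wp-config.php" && echo "DISABLE_WP_CRON is set"
    cat "$d/wp-config.php"
    wpcron_crontab_line /var/www/vhosts/example.com/httpdocs
    rm -rf "$d"
}
wpcron_demo
```

Running wp-cron.php from the CLI is equivalent to the loopback request WordPress would make itself; if the site's PHP runs under a different user than the cron job, use a curl request to https://example.com/wp-cron.php instead so the files are touched by the right user.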
Activation of the recommended security settings
Navigate to the WordPress installation in the Plesk Control Panel and select the menu item More → Check security.
Select all security-relevant settings you want to apply and click on Secure.
The settings are applied in the background. Afterwards, check that your WordPress site is still served without errors, including the admin panel and any pages that depend on plugins, since several of the measures below change the web server configuration.
Security measures
Block access to "xmlrpc.php"
This measure blocks all requests to the "xmlrpc.php" file. XML-RPC is the legacy remote API of WordPress; it is abused for credential brute forcing (the system.multicall method allows many login attempts in a single request) and for pingback amplification, so blocking it is recommended to reduce the attack surface if XML-RPC is not used. Jetpack, the WordPress mobile apps and some remote publishing tools still depend on XML-RPC, so check this before enabling the measure. The server configuration file is adjusted (Apache or nginx on Linux, web.config on Windows). Note that custom directives in the .htaccess or web.config files can override this.
Do not allow execution of PHP scripts in the "wp-includes" directory
The files in the "wp-includes" directory are meant to be loaded by WordPress, not requested directly by a browser. A direct request to one of them, or to a malicious PHP file an attacker manages to write into the directory, can be used to take over and misuse your website. The measure prevents the web server from executing PHP files in "wp-includes". The server configuration file (Apache or nginx on Linux, web.config on Windows) is adapted. Please note, however, that custom directives in the ".htaccess" or "web.config" files can override this.
Do not allow execution of PHP scripts in the "wp-content/uploads" directory
The "wp-content/uploads" directory is writable by the web server, because WordPress stores media uploads there. A file upload vulnerability in a plugin or theme, or a compromised account, can therefore place a PHP web shell in it. The measure prevents PHP files in "wp-content/uploads" from being executed, so an uploaded shell is served as a plain file instead of running. The server configuration file (Apache or nginx on Linux, web.config on Windows) is adapted. Please note, however, that custom directives in the ".htaccess" or "web.config" files can override this.
Disable script concatenation for the WordPress admin panel
By default the WordPress admin panel loads its JavaScript and CSS through load-scripts.php and load-styles.php, which concatenate many files into one response per request. An attacker can request long lists of scripts over and over and exhaust CPU and memory, a known denial-of-service vector. This measure turns concatenation off (WordPress controls it with the CONCATENATE_SCRIPTS constant), so each file is requested separately. The admin panel may load slightly slower as a result; the public website continues to function for visitors without any change.
Disable Pingbacks
If another WordPress website links to one of your articles, a pingback can automatically add a comment under your post. The pingback method of the XML-RPC interface can be abused to turn your website into a DDoS relay: an attacker submits pingbacks that name a victim as the source, and your server fetches the victim's page to verify each one. This measure deactivates XML-RPC pingbacks for your website, retroactively for existing posts that still have pingbacks enabled.
Disable unused scripting languages
This measure disables support for scripting languages that WordPress does not use, such as Python or Perl, for the domain in Plesk. A vulnerability in one of these interpreters, or a script in that language that an attacker manages to upload, then cannot be used to compromise your website.
Disable file editing in the WordPress dashboard
With file editing disabled, the theme and plugin editors in the WordPress dashboard are turned off (WordPress reads the DISALLOW_FILE_EDIT constant for this). An attacker who takes over an administrator account can then not insert PHP code into a theme or plugin file through the browser, which is one of the most common steps after a compromise. Such an attacker can still upload a new plugin unless plugin installation is also restricted (DISALLOW_FILE_MODS), so treat this as one additional layer, not as a complete answer to a compromised administrator account.
Enable protection from bots
This measure blocks known unwanted, malicious or harmful bots, for example bots that scan your website for vulnerabilities or flood it with requests to exhaust resources. If you use an external online service to scan your website for vulnerabilities, disable this measure temporarily while the scan runs: the scanner's traffic looks like that of an attacker's bot and would be blocked, leaving you with an incomplete scan.
Block access to potentially sensitive files
This measure prevents public access to certain files on your WordPress website that are not meant to be served, e.g. log files, shell scripts and other executable files. Log files reveal paths, versions and sometimes usernames, and scripts may contain credentials, so public access to them could compromise the security of your WordPress website.
Block access to the .htaccess and .htpasswd files
The .htaccess file contains the web server rules for the site, including the rules applied by the measures described here, and .htpasswd contains the password hashes for HTTP basic authentication. An attacker who can read them learns how the site is protected and can crack the hashes offline. This measure ensures that neither file can be fetched through the web server.
Block author scans
WordPress reveals usernames through author enumeration: a request such as ?author=1 redirects to the author archive, whose URL contains the login name of that user, including administrators. Attackers collect usernames this way and then run a brute force attack against the login page with them. This measure blocks such requests so usernames cannot be retrieved. Depending on the permalink configuration of your website, visitors may then no longer be able to reach the pages listing all articles by a single author. Note that usernames of users who have published posts can also be read from the REST API user listing (/wp-json/wp/v2/users), which this measure does not cover.
Restrict access to files and directories
If file and directory permissions are too permissive, an attacker who gains a foothold on the server, for example through another site or service on the same host, can read or modify your files and compromise your website. This measure sets the permissions of the "wp-config.php" file to 600, of all other files to 644 and of directories to 755, so that only the owning system user can write, and wp-config.php (which holds the database credentials) cannot even be read by other users.
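The permission scheme above as an added shell example (not Plesk's own implementation): one function lists every path that deviates from 600/644/755 and another applies the scheme. The directory tree it runs on is constructed for the demo; on a real site pass the document root and run it as the subscription's system user.

```shell
#!/bin/sh
# Added example, not Plesk's own code: audit and apply the 600/644/755 scheme
# from the text. Run it as the subscription's system user (the owner of the
# files), not as root, so ownership stays untouched.

# Print every path under $1 that deviates from the scheme.
# Returns 0 when everything matches, 1 otherwise.
wp_perm_audit() {
    wp_bad=$(
        find "$1" -type d ! -perm 755
        find "$1" -type f ! -name wp-config.php ! -perm 644
        find "$1" -maxdepth 1 -type f -name wp-config.php ! -perm 600
    )
    [ -z "$wp_bad" ] && return 0
    printf '%s\n' "$wp_bad"
    return 1
}

# Apply the scheme. Directories keep the execute bit (needed to traverse),
# files lose it, and wp-config.php becomes readable by its owner only.
wp_perm_apply() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f ! -name wp-config.php -exec chmod 644 {} +
    [ -f "$1/wp-config.php" ] && chmod 600 "$1/wp-config.php"
    return 0
}

# Demo on a constructed tree (not a real site): a world-writable uploads
# directory and a group-writable wp-config.php, as left behind by a careless
# chmod -R 777, then the corrected state.
wp_perm_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
    printf '<?php\n' > "$d/wp-config.php"
    printf '<?php\n' > "$d/index.php"
    chmod 777 "$d/wp-content/uploads"
    chmod 664 "$d/wp-config.php"
    echo "before:"; wp_perm_audit "$d" || true
    wp_perm_apply "$d"
    echo "after:"; wp_perm_audit "$d" && echo "all files match the scheme"
    rm -rf "$d"
}
wp_perm_demo
```

The 600 on wp-config.php only works when PHP runs as the file owner, which is the Plesk default (PHP-FPM as the subscription user). With mod_php, where PHP runs as the Apache user, the site would stop reading its configuration; use 640 with the web server's group in that case.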
Configure security key
WordPress uses the security keys AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY (together with their corresponding salts) to sign the authentication cookies and nonces. They are not encryption keys in the strict sense, but an attacker who learns them can forge a valid login cookie for any user without knowing the password. A good security key is long (at least 60 characters), randomly generated and complex. The security check ensures that the keys have been set and contain both letters and digits. Regenerating the keys invalidates all existing sessions, which is also a useful step after a suspected compromise.
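The key check and a rotation, as an added shell example that is not Plesk's own check: it audits every key and salt in wp-config.php against the criteria above (set, not the wp-config-sample.php placeholder, at least 60 characters, letters and digits) and replaces them with fresh random values. The wp-config.php it works on is constructed for the demo, and /dev/urandom plus base64 are assumed to be available.

```shell
#!/bin/sh
# Added example, not Plesk's own check: audit the WordPress security keys in
# wp-config.php and rotate them. The text lists the four keys; WordPress also
# uses a salt constant for each, so both sets are covered. Random values come
# from /dev/urandom; the demo file is constructed, not a real site.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print the value of define('NAME', '...') in $1, empty if not defined.
wp_key_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*'\(.*\)'[[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# Return 0 if NAME is set, is not the wp-config-sample.php placeholder, has at
# least 60 characters and contains both letters and digits (the checks the
# text describes), 1 otherwise.
wp_key_ok() {
    v=$(wp_key_value "$1" "$2")
    [ -n "$v" ] || return 1
    [ "$v" != "put your unique phrase here" ] || return 1
    [ ${#v} -ge 60 ] || return 1
    printf '%s' "$v" | grep -q '[A-Za-z]' || return 1
    printf '%s' "$v" | grep -q '[0-9]'
}

# Report every weak or missing key/salt; return 0 only if all are fine.
wp_keys_audit() {
    bad=0
    for k in $WP_KEYS; do
        wp_key_ok "$1" "$k" || { echo "weak or missing: $k"; bad=$((bad + 1)); }
    done
    [ "$bad" -eq 0 ]
}

# Print a define() line with a fresh 64-character value. Base64 never contains
# quotes or backslashes, so the value is safe inside a PHP single-quoted string.
# Regenerate in the unlikely case the value has no digit, so it passes the check.
wp_key_define() {
    while :; do
        v=$(head -c 48 /dev/urandom | base64 | tr -d '\n')
        case $v in *[0-9]*) break ;; esac
    done
    printf "define('%s', '%s');\n" "$1" "$v"
}

# Give every key and salt a new value: existing define() lines are replaced
# in place, missing ones are inserted above the "stop editing" marker (or
# appended). Rotating the keys logs every user out, which is also the right
# move after a suspected compromise.
wp_keys_rotate() {
    tmp="$1.tmp"
    cp "$1" "$tmp"
    for k in $WP_KEYS; do
        line=$(wp_key_define "$k")
        re="define[(][[:space:]]*['\"]$k['\"]"
        if grep -Eq "$re" "$tmp"; then
            awk -v re="$re" -v line="$line" '$0 ~ re { print line; next } { print }' \
                "$tmp" > "$tmp.2"
        else
            awk -v line="$line" '
                !done && /stop editing/ { print line; done = 1 }
                { print }
                END { if (!done) print line }' "$tmp" > "$tmp.2"
        fi
        mv "$tmp.2" "$tmp"
    done
    mv "$tmp" "$1"
}

# Demo on a constructed wp-config.php with the sample placeholders.
wp_keys_demo() {
    d=$(mktemp -d)
    cat > "$d/wp-config.php" <<'EOF'
<?php
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define('LOGGED_IN_KEY', 'abc123');
/* That's all, stop editing! Happy publishing. */
EOF
    echo "before rotation:"; wp_keys_audit "$d/wp-config.php" || true
    wp_keys_rotate "$d/wp-config.php"
    echo "after rotation:"; wp_keys_audit "$d/wp-config.php" && cat "$d/wp-config.php"
    rm -rf "$d"
}
wp_keys_demo
```

Back up wp-config.php before running the rotation on a live site; the replacement is a plain text edit and does not understand PHP beyond the define() lines it looks for.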
Block directory listing
If directory listing is enabled, the web server shows the contents of any directory that has no index file, which tells an attacker which plugins, backups and uploads exist on your website. Directory listing is disabled by default; if it has been enabled, this measure blocks it. The server configuration file is adjusted (Apache or nginx on Linux, web.config on Windows). Please note, however, that custom directives in the ".htaccess" or "web.config" files can override this setting.
Block access to "wp-config.php"
The "wp-config.php" file contains confidential information such as the database credentials. Normally the web server executes it rather than serving it, but if PHP processing is disabled for some reason, for example a broken PHP handler configuration, the file would be served as plain text and its contents exposed. This measure blocks all requests to "wp-config.php" regardless of the PHP handler. The server configuration file (Apache or nginx on Linux, web.config on Windows) is adapted. Please note, however, that custom directives in the ".htaccess" or "web.config" files can override this.
Disable PHP execution in cache directories
If a malicious PHP file is written into one of your website's cache directories and then executed, the entire website can be compromised, since cache directories are writable by the web server. This measure disables the execution of PHP files in cache directories and so prevents this type of exploit. However, some plugins or themes ignore the guidance of the WordPress security team and store executable PHP files in a cache directory. In this case you may need to disable this measure for the plugin or theme to work.
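The web server side of the measures above ("xmlrpc.php", "wp-includes", "wp-content/uploads", the ".htaccess"/".htpasswd" and "wp-config.php" files, directory listing, author scans and cache directories) as an added shell example. This is not the configuration Plesk generates; it shows the equivalent Apache 2.4 directives so you can understand or reproduce them, and an audit for the overriding .htaccess directives the text warns about. example.com is a placeholder, and the .htaccess in the demo is constructed.

```shell
#!/bin/sh
# Added example, not the configuration Plesk generates: the Apache 2.4
# directives behind the "block access", "no PHP execution", "directory
# listing" and "author scan" measures, plus an audit for .htaccess lines that
# would override them. Plesk writes the equivalent into the vhost config; use
# this to understand or verify what it does. example.com is a placeholder.

# Fragment for the .htaccess in the site root.
wp_root_rules() {
cat <<'EOF'
# no directory listings
Options -Indexes
# no direct access to the XML-RPC endpoint, the config, .htaccess/.htpasswd,
# log files and shell scripts
<FilesMatch "^(xmlrpc\.php|wp-config\.php|\.ht(access|passwd)|.*\.(log|sh))$">
    Require all denied
</FilesMatch>
# ?author=N enumeration: answer 403 instead of redirecting to /author/<login>/
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+ [NC]
RewriteRule ^ - [F,L]
EOF
}

# Fragment for an .htaccess inside wp-includes/, wp-content/uploads/ and cache
# directories: deny every PHP-handled extension, not only .php.
wp_no_php_rules() {
cat <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Print lines of an .htaccess that can undo the measures (re-enabled listings,
# extra PHP handlers, blanket allow rules). Returns 1 if any are found.
# Pattern matching, not a full Apache parser: review hits by hand.
htaccess_overrides() {
    [ -f "$1" ] || return 0
    grep -nEi \
        -e 'Options[[:space:]].*[+ ]Indexes' \
        -e '(Add|Set)Handler[[:space:]].*php' \
        -e 'AddType[[:space:]].*php' \
        -e 'php_flag[[:space:]]+engine[[:space:]]+on' \
        -e 'Allow[[:space:]]+from[[:space:]]+all' \
        -e 'Require[[:space:]]+all[[:space:]]+granted' \
        "$1" && return 1
    return 0
}

# After deploying: confirm the server answers as intended. Needs a live site,
# so it is defined but not called here.
expect_status() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    [ "$code" = "$2" ] || { echo "$1 -> $code, expected $2"; return 1; }
}
# expect_status https://example.com/xmlrpc.php 403
# expect_status https://example.com/wp-includes/version.php 403
# expect_status https://example.com/?author=1 403

# Demo on a constructed .htaccess (not a real site): the hardening fragment
# followed by two lines a plugin or an earlier admin might have added.
htaccess_demo() {
    d=$(mktemp -d)
    wp_root_rules > "$d/.htaccess"
    printf 'Options +Indexes\nAddHandler application/x-httpd-php .jpg\n' >> "$d/.htaccess"
    echo "overrides found in $d/.htaccess:"
    htaccess_overrides "$d/.htaccess" || echo "-> fix these before relying on the measures"
    rm -rf "$d"
}
htaccess_demo
```

Two caveats for Plesk: the directives in a per-directory .htaccess require AllowOverride for the vhost, and if the domain is configured so that nginx serves PHP directly instead of proxying to Apache, .htaccess files are ignored entirely and the equivalent location blocks must live in the nginx configuration.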
Change default prefix of database tables
All WordPress installations use the same table name prefix "wp_" by default, so an attacker who finds an SQL injection in a plugin knows the exact table names to target, such as wp_users and wp_options. This measure renames the prefix to a non-default value. Treat it as defence in depth rather than a fix: it makes blind exploitation harder but does not stop an injection. The prefix is also embedded in option and meta names (the wp_user_roles option and the wp_capabilities and wp_user_level user meta keys), so a rename has to cover those as well, and problems may occur when changing the prefix of a website in production. We strongly recommend backing up the website and its database before changing the prefix.
Block access to sensitive files
This measure prevents public access to certain files that contain sensitive information such as login credentials, for example configuration backups and database dumps. It also stops attackers from fingerprinting the installation through such files to find out which exploits apply to your WordPress website.
Change the default username of the administrator
Older WordPress installers created an administrator account with the username "admin", and many websites still have one. Because the username is half of the credential and cannot be changed from the dashboard, attackers try "admin" with password lists against the login page. With this measure, a new administrator account with a randomly generated username is created, the content of the "admin" account is assigned to it and the "admin" account is removed, so that no user with administrator rights uses the username "admin". Note the new username after the change; the old login no longer works.
Use of a web application firewall (WAF)
In addition to the points mentioned above, WordPress should only be operated in combination with a web application firewall optimized for this purpose.
Web application firewalls suitable for WordPress:
- Plesk WAF (ModSecurity) [free]
- Imunify360 [8,00 € / month]
If you would like to use Imunify360, please contact our support so that we can install and license the corresponding extension.