General security settings for WordPress

If you are using WordPress on a Plesk server, make sure that all necessary security measures are taken for the WordPress instance and that these are checked regularly.

Checklist

• Current version of WordPress
• Current version of all plugins used
• Deactivation of the WordPress cron function
• Deactivation of the WordPress XML RPC interface
• Activation of the recommended security settings
• Use of a web application firewall (WAF)

Current version of WordPress

Open the Plesk Control Panel and check whether an update is available for the WordPress version you are using.

Current version of all plugins used

You can use the Plugins menu item to import plugin updates via the Plesk Control Panel or activate the Update all plugins automatically function.

Deactivation of the WordPress cron function

The wp-cron.php file is used in WordPress for routine tasks such as retrieving updates or sending email notifications. The file is always executed when a website visitor loads a page. This can be problematic if there are critical tasks that need to be executed without delay. With this option, you can disable the automatic execution of wp-cron.php and set up a scheduled task instead.

Activation of the recommended security setting

Navigate to the WordPress installation in the Plesk Control Panel and select the menu item More → Check security.

Then select all security-relevant settings that you would like to apply and then click on Secure.

The settings are then applied in the background. Then check whether your WordPress instance continues to be delivered without errors.

Security measures

Block access to "xmlrpc.php "

This security measure prevents access to the "xmlrpc.php" file. It is recommended to activate this measure to reduce the attack surface if XML-RPC is not used. The server configuration file is adjusted (Apache, nginx for Linux or web.config for Windows). Note that this may be overridden by custom directives in the .htaccess or web.config files.

Do not allow execution of PHP scripts in the "wp-includes" directory

The "wp-includes" directory may contain insecure PHP files that can be used to take over and misuse your website. The security measure prevents PHP files from being executed in the "wp-includes" directory. The server configuration file (Apache, nginx for Linux or web.config for Windows) is adapted. Please note, however, that this can be overwritten by user-defined instructions in the ".htaccess" or "web.config" files.

Do not allow execution of PHP scripts in the "wp-content/uploads" directory

The "wp-content\uploads" directory may contain insecure PHP files that can be used to take over and misuse your website. The security measure prevents PHP files in the "wp-content\uploads" directory from being executed. The server configuration file (Apache, nginx for Linux or web.config for Windows) is adapted. Please note, however, that this can be overwritten by user-defined instructions in the ".htaccess" or "web.config" files.

Disable script chaining for WordPress admin panel

This security measure disables the chaining of scripts that are executed in the WordPress admin panel, which protects your website from certain DoS attacks. Disabling the chaining of scripts may slightly affect the performance of the WordPress admin panel, but your WordPress website will normally continue to function for visitors without any changes.

Disable Pingbacks

If your articles are referenced on another WordPress website, pingbacks can be used to automatically post comments under your posts. Pingbacks can be misused to carry out DDoS attacks on other websites via your website. This security measure deactivates XML-RPC pingbacks for your website. This also applies retroactively to posts that have already been created and for which pingbacks are activated.

Disable unused scripting languages

This security measure disables support for scripting languages not used in WordPress, such as Python or Perl. This ensures that your website is not compromised by exploiting vulnerabilities in these scripting languages.

Disable file editing in the WordPress dashboard

If you disable file editing in WordPress, source files for plugins and themes can no longer be edited directly in the WordPress interface. This measure adds additional layers of security for the WordPress website. This is helpful if one of the administrator accounts is compromised. It prevents malicious executable code from being easily inserted into plugins and themes via compromised accounts.

Enable protection from bots

This security measure protects websites from unwanted, malicious or harmful bots. Bots that scan your website for vulnerabilities and overload it with unwanted requests in order to overload resources will be blocked. If you use an online service to scan your website for vulnerabilities, you should temporarily disable this security measure, as such bots could also be used to search for security problems.

Block access to potentially sensitive files

This security measure prevents public access to certain files located on your WordPress website, e.g. log files, shell scripts and other executable files. Public access to these files could compromise the security of your WordPress website.

Block access to .htaccess - and .htpasswd file

If an attacker gains access to the .htaccess and .htpasswd file, they can trigger various exploits and security breaches on your website. This security measure ensures that attackers cannot access the .htaccess and .htpasswd file.

Block author scans

Usernames of registered users (especially WordPress administrators) are to be found out via the author search. The website is then accessed using a brute force attack via the login page. This security measure can prevent usernames from being retrieved as part of these attacks. Depending on the permalink configuration on your website, this may mean that visitors cannot access pages where all articles by a single author can be found.

Restrict access to files and directories

If access permissions for files and directories are not sufficiently secured, hackers can access these files and compromise your website. This security measure sets the permissions for the "wp-config" file to 600, for other files to 644 and for directories to 755.

Configure security key

WordPress uses security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY) for optimal encryption of the information stored in a user's cookies. A good security key should be long (at least 60 characters), randomly generated and complex. The security check ensures that security keys have been set up and contain both letters and numbers.

Block directory searches

If directory lookup is enabled, hackers can retrieve information about your website. This can pose a threat to the security of the website. Directory search is disabled by default. However, if it is enabled, you can block it using this security measure. The server configuration file is adjusted (Apache, nginx for Linux or web.config for Windows). Please note, however, that this setting can be overwritten by user-defined instructions in the ".htaccess" or "web.config" files.

Block access to "wp-config.php "

The "wp-config.php" file contains confidential information such as access data for the database. However, if for some reason the processing of PHP files is disabled by the web server, hackers can access the contents of the "wp-config.php" file. This security measure prevents access to the "wp-config.php" file. The server configuration file (Apache, nginx for Linux or web.config for Windows) is adapted. Please note, however, that this can be overwritten by user-defined instructions in the ".htaccess" or "web.config" files.

Disable PHP execution in cache directories

If a compromised PHP file is stored and executed in one of your website's cache directories, the entire website can be compromised. This security measure disables the execution of PHP files in cache directories. This prevents this type of exploit. However, with some plugins or themes, the security recommendations of the WordPress security team may be ignored and executable PHP files are stored in the cache directory. In this case, you may need to disable this security measure for the plugin or theme to work.

Change default prefix of database tables

The WordPress database tables have the same name by default in all WordPress installations. If the default prefix "wp" is used for the name of database tables, the entire WordPress database structure is visible. Attackers can thus retrieve data using malicious scripts. This security measure renames the name prefix of database tables so that it is no longer "wp". Please note that problems may occur if you change database prefixes for a website in the production environment. We strongly recommend backing up your website before editing the prefixes.

Block access to sensitive files

This security measure prevents public access to certain files that contain sensitive information such as login credentials. It also prevents attackers from retrieving data that could be used to find out which exploits are applicable to your WordPress website.

Change the default username of the administrator

During installation, a user with administration rights and the username "admin" is created in WordPress. Since usernames cannot be changed in WordPress, a brute force attack can be performed on the password to gain administrator access to WordPress. Thanks to this security measure, usernames are randomly generated for WordPress administrator accounts. This ensures that no user with administrator rights uses the username "admin". If a user with the name "admin" is found, the content is assigned to the new administrator account and the "admin" account is removed.

Use of a web application firewall (WAF)

In addition to the points mentioned above, WordPress should only be operated in combination with a web application firewall optimized for this purpose.

Web application firewalls suitable for WordPress:

• Plesk WAF (ModSecurity) [free]
• Imunify360 [8,00 € / month]

If you would like to use Imunify360, please contact our support so that we can install and license the corresponding extension.