General Security Settings for WordPress

If you are using WordPress on a Plesk server, make sure that all necessary security measures are in place for your WordPress instance and that they are checked regularly.


Checklist

  • Latest version of WordPress
  • Latest versions of all installed plugins
  • Disable the WordPress cron function
  • Disable the WordPress XML-RPC interface
  • Enable the recommended security settings
  • Use of a Web Application Firewall (WAF)



Latest version of WordPress

Open the Plesk Control Panel and check whether an update is available for your WordPress version.




Current Version of All Installed Plugins

Via the Plugins menu item in the Plesk Control Panel, you can install plugin updates or enable the Automatically Update All Plugins feature.


Most WordPress attacks target known vulnerabilities in plugins, which is why we recommend using the automatic update feature.




Disabling the WordPress Cron Function

The wp-cron.php file is used in WordPress for routine tasks such as checking for updates or sending email notifications. The file is always executed whenever a website visitor loads a page. This can be problematic if there are critical tasks that need to be executed without delay. With this option, you can disable the automatic execution of wp-cron.php and set up a scheduled task instead.




Navigate to the WordPress installation in the Plesk Control Panel and select the menu item MoreCheck Security.



Next, select all the security-related settings you want to apply, and then click Secure.



The settings will then be applied in the background. Afterward, verify that your WordPress instance continues to function properly.


Security Measures

Block Access to "xmlrpc.php"

This security measure prevents access to the "xmlrpc.php" file. It is recommended that you enable this measure to reduce your attack surface if XML-RPC is not in use. This involves modifying the server configuration file (Apache, nginx for Linux, or web.config for Windows). Note that this may be overridden by custom directives in the .htaccess or web.config files.


Do not allow PHP scripts to run in the "wp-includes" directory

The "wp-includes" directory may contain insecure PHP files that could be used to take over and misuse your website. This security measure prevents PHP files in the "wp-includes" directory from being executed. To do this, the server configuration file (Apache, nginx for Linux, or web.config for Windows) is modified. Please note, however, that this can be overridden by custom directives in the ".htaccess" or "web.config" files.


Do not allow PHP scripts to run in the "wp-content/uploads" directory

The "wp-content\uploads" directory may contain insecure PHP files that could allow your website to be compromised and misused. This security measure prevents PHP files in the "wp-content\uploads" directory from being executed. This involves modifying the server configuration file (Apache or nginx for Linux, or web.config for Windows). Note, however, that this can be overridden by custom directives in the ".htaccess" or "web.config" files.


Disable Script Chaining for the WordPress Admin Panel

This security measure disables script chaining in the WordPress admin panel, protecting your website from certain DoS attacks. Disabling script chaining may slightly affect the performance of the WordPress admin panel, but your WordPress website will typically continue to function normally for visitors.


Disable Pingbacks

When another WordPress site links to your posts, pingbacks can automatically post comments below your posts. Pingbacks can be misused to launch DDoS attacks against other websites via your site. This security measure disables XML-RPC pingbacks for your website. This also applies retroactively to existing posts for which pingbacks are enabled.


Disable Unused Scripting Languages

This security measure disables support for scripting languages not used in WordPress, such as Python or Perl. This ensures that your website is not compromised by exploiting vulnerabilities in these scripting languages.


Disable File Editing in the WordPress Dashboard

If you disable file editing in WordPress, source files for plugins and themes can no longer be edited directly within the WordPress interface. This measure adds additional layers of security to your WordPress website. This is helpful if one of the administrator accounts has been compromised. It prevents malicious executable code from being easily injected into plugins and themes via compromised accounts.


Enable bot protection

This security measure protects websites from unwanted, malicious, or harmful bots. It blocks bots that scan your website for vulnerabilities and flood it with unwanted requests to overload its resources. If you’re scanning your website for vulnerabilities using an online service, you should temporarily disable this security measure, as such bots could also be used to identify security issues.


Block access to potentially sensitive files

This security measure prevents public access to certain files located on your WordPress website, such as log files, shell scripts, and other executable files. Public access to these files could compromise the security of your WordPress website.


Block access to .htaccess and .htpasswd files

If an attacker gains access to the .htaccess and .htpasswd files, they can trigger various exploits and security breaches on your website. This security measure ensures that attackers cannot access the .htaccess and .htpasswd files.


Block author searches

Author searches are used to discover the usernames of registered users (especially WordPress administrators). The website is then accessed via a brute-force attack on the login page. This security measure prevents usernames from being retrieved during such attacks. Depending on your website’s permalink configuration, this may prevent visitors from accessing pages that list all posts by a single author.


Restrict Access to Files and Directories

If access permissions for files and directories are not sufficiently secured, hackers can access these files and compromise your website. This security measure sets the permissions for the "wp-config" file to 600, for other files to 644, and for directories to 755.


Configure Security Keys

WordPress uses security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY) to optimally encrypt the information stored in a user’s cookies. A good security key should be long (at least 60 characters), randomly generated, and complex. The security check ensures that security keys have been set up and contain both letters and numbers.


Block Directory Browsing

If directory browsing is enabled, hackers can retrieve information about your website. This can pose a security risk to the website. By default, directory browsing is disabled. However, if it is enabled, you can block it using this security measure. This involves modifying the server configuration file (Apache, nginx for Linux, or web.config for Windows). Please note, however, that this setting can be overridden by custom directives in the ".htaccess" or "web.config" files.


Block Access to "wp-config.php"

The "wp-config.php" file contains sensitive information such as database credentials. However, if for any reason the web server’s processing of PHP files is disabled, hackers may be able to access the contents of the "wp-config.php" file. This security measure prevents access to the "wp-config.php" file. To do this, the server configuration file (Apache, nginx for Linux, or web.config for Windows) is modified. Note, however, that this can be overridden by custom directives in the ".htaccess" or "web.config" files.


Disable PHP Execution in Cache Directories

If a compromised PHP file is stored and executed in one of your website’s cache directories, the entire website can be compromised. This security measure disables the execution of PHP files in cache directories, thereby preventing this type of exploit. However, some plugins or themes may ignore the WordPress Security Team’s recommendations and store executable PHP files in the cache directory. In this case, you may need to disable this security measure for the plugin or theme to function properly.


Change the Default Database Table Prefix

The WordPress database tables have the same name by default in all WordPress installations. If the default prefix "wp" is used for database table names, the entire WordPress database structure becomes visible. This allows attackers to retrieve data using malicious scripts. This security measure renames the database table prefix so that it is no longer “wp.” Please note that changing database prefixes for a website in a production environment may cause issues. We strongly recommend backing up your website before editing the prefixes.


Block Access to Sensitive Files

This security measure prevents public access to certain files that contain sensitive information, such as login credentials. It also prevents attackers from retrieving data that could help them identify which exploits might be applicable to your WordPress site.


Change the Default Administrator Username

During installation, WordPress creates a user with administrative privileges and the username "admin." Since usernames cannot be changed in WordPress, a brute-force attack on the password could be carried out to gain administrator access to WordPress. Thanks to this security measure, usernames for WordPress administrator accounts are generated randomly. This ensures that no user with administrator privileges uses the username “admin.” If a user named “admin” is found, the content is assigned to the new administrator account, and the “admin” account is removed.



Using a Web Application Firewall (WAF)

In addition to the points mentioned above, WordPress should only be run in combination with a web application firewall optimized for it.


Web application firewalls suitable for WordPress:


If you would like to use Imunify360, please contact our support team so that we can install and license the corresponding extension.