This article describes how to enhance the security of your WordPress website. WordPress sites are often targeted by hackers. WordPress Manager by Softaculous offers security features to protect your WordPress site.
The security measures within WordPress Manager offer comprehensive details about each suggested update, enabling you to apply them directly without the need for a plugin. If any of these security measures cause issues with your website’s functionality, you have the flexibility to undo them at any point.
Note: This feature is added in Softaculous 5.9.2
Accessing WordPress Manager
1. To access WordPress Manager, click on the WordPress icon located in the upper right corner of your Softaculous enduser panel, as illustrated in the screenshot below.
2. Alternatively, you can access WordPress Manager by clicking the WordPress icon next to the specific WordPress installation you want to manage on the All Installations page, as indicated in the screenshot below.
WordPress Manager Security Measures
Using WordPress Manager by Softaculous, you can apply Security Measures to one or multiple WordPress sites by selecting the checkbox located on the right side of the respective WordPress installations.
Here are the security measures offered by WordPress Manager to enhance the security of your WordPress website.
Change the default administrator’s username
WordPress doesn’t permit changing the username, and if you initially installed WordPress with the username ‘admin’, your site could be vulnerable to brute-force attacks. This security feature alters the username from ‘admin’ to a randomly generated one, enhancing your site’s protection. You can log in using the newly created admin account via the Login button in WordPress Manager.
Restrict access to files and directories
Improper file and directory permissions can allow unauthorized access, posing a risk to your website’s security. This setting adjusts permissions: wp-config.php file to 0600, other files to 0644, and directories to 0755, enhancing security.
Block unauthorized access to xmlrpc.php
This security feature blocks access to xmlrpc.php.
Please note that custom directives in the .htaccess files could potentially override this setting.
Block access to .htaccess and .htpasswd
Accessing .htaccess and .htpasswd files can expose your website to various exploits and security breaches. This security measure prevents these files from being accessed online, enhancing your website’s protection.
Turn off pingbacks
Pingbacks enable other WordPress websites to automatically comment on your posts when they link to them. However, they can be misused for DDoS attacks on other sites. This security measure disables XML-RPC pingbacks for your entire website and also turns off pingbacks for previously published posts with pingbacks enabled.
Disable file editing in WordPress Dashboard
Disabling file editing in WordPress removes the ability to directly edit plugin and theme source files within the WordPress interface. This extra layer of protection is crucial in case a WordPress admin account is compromised, as it prevents unauthorized users from easily adding malicious executable code to plugins or themes.
Block author scans
Author scans are employed to identify the usernames of registered users, particularly WordPress admins, using unique identifiers (uids). Attackers then attempt brute-force attacks on your website’s login page to gain access. This security feature blocks such scans, ensuring usernames remain undisclosed.
Please note: Depending on your website’s permalink configuration, this option might restrict visitors from accessing pages that display all articles authored by a specific author.
Block directory browsing
If directory browsing is enabled, hackers can gather extensive information about your website, jeopardizing its security. While directory browsing is typically disabled by default, if it’s turned on, this security feature can block it.
Forbid execution of PHP scripts in the wp-includes directory
The wp-includes directory might house vulnerable PHP files that hackers can exploit to compromise your website. This security measure prevents the execution of PHP files within the wp-includes directory.
Note: Custom directives in the .htaccess files could potentially override this setting.
Forbid execution of PHP scripts in the wp-content/uploads directory
The wp-content/uploads directory could potentially harbor insecure PHP files that hackers might exploit to compromise your website. This security measure blocks the execution of PHP files in the wp-content/uploads directory.
Note: Custom directives in the .htaccess files could potentially override this setting.
Disable script concatenation for the WordPress admin panel
This security feature disables the concatenation of scripts within the WordPress admin panel, safeguarding your website from specific DoS attacks. While it may have a minor impact on the performance of the WordPress admin panel, it shouldn’t affect visitors’ experience on your WordPress site.
Block access to sensitive files
This security feature blocks public access to specific files containing sensitive information, such as connection credentials or data that could be exploited to identify vulnerabilities in your WordPress website.
Enable bot protection
This feature safeguards your website from unproductive, malicious, or harmful bots. It blocks bots scanning your site for vulnerabilities and overwhelming it with unwanted requests, preventing resource overuse.
Note: You may need to temporarily disable this measure if you plan to use an online service to scan your website for vulnerabilities, as these services might also utilize similar bots.
