iThemes Security WordPress Tweaks

These are advanced settings that may be utilized to further strengthen the security of your WordPress site.

wordpress_tweaks.jpg

Note: These settings are listed as advanced because they block common forms of attacks but they can also block legitimate plugins and themes that rely on the same techniques. When activating the settings below, we recommend enabling them one by one to test that everything on your site is still working as expected.

Remember, some of these settings might conflict with other plugins or themes, so test your site after enabling each setting.

File Editor

Disables the file editor for plugins and themes requiring users to have access to the file system to modify files. Once activated you will need to manually edit theme and other files using a tool other than WordPress.

XMLRPC

Off = XMLRPC is fully enabled and will function as normal.

Only Disable Trackbacks/Pingbacks = Your site will not be susceptible to denial of service attacks via the trackback/pingback feature. Other XMLRPC features will work as normal. You need this if you require features such as Jetpack or the WordPress Mobile app.

Completely Disable XMLRPC is the safest, XMLRPC will be completely disabled by your webserver. This will prevent features such as Jetpack that require XMLRPC from working.

Multiple Authentication Attempts per XML-RPC Request

WordPress' XML-RPC feature allows hundreds of username and password guesses per request. Use the recommended "Block" setting below to prevent attackers from exploiting this feature.

Block = Blocks XML-RPC requests that contain multiple login attempts. This setting is highly recommended.

Allow = Allows XML-RPC requests that contain multiple login attempts. Only use this setting if a service requires it.

REST API

The WordPress REST API is part of WordPress and provides developers with new ways to manage WordPress. By default, it could give public access to information that you believe is private on your site. For more details, see our post about the WordPress REST API here.

Restricted Access - Restrict access to most REST API data. This means that most requests will require a logged in user or a user with specific privileges, blocking public requests for potentially-private data. We recommend selecting this option.

Default Access - Access to REST API data is left as default. Information including published posts, user details, and media library entries is available for public access.

Users

Login with Email Address or Username

By default, WordPress allows users to log in using either an email address or username. This setting allows you to restrict logins to only accept email addresses or usernames.

Force Unique Nickname

This forces users to choose a unique nickname when updating their profile or creating a new account which prevents bots and attackers from easily harvesting user's login usernames from the code on author pages. Note this does not automatically update existing users as it will affect author feed urls if used.

Disable Extra User Archives

Disables a user's author page if their post count is 0. This makes it harder for bots to determine usernames by disabling post archives for users that don't post to your site.

Powered by Zendesk