WordPress is one of the most widely used self-publishing systems on the internet, and with that popularity comes a plethora of attacks aimed at hijacking websites.
The information I am about to provide is focused on Windows IIS servers, but for those on other operating systems similar protection can be provided by the .htaccess file instead of the web.config file.
Plugins:
This section on plugins applies to WordPress hosted on both Windows and Apache servers and covers plugins that provide an application firewall and a malware scanner for threats on your website.
(01): Wordfence
The Wordfence plugin is one of the most popular firewall and security scanners for WordPress, with 4+ million active installations. It comes in two versions, Free and Premium; for most site owners the free version will be adequate.
Key Features:
- Built in firewall
- Malware Scanner
- Threat Defense Feed
- Real-time IP Blocking Of Attackers
- Checks Site For Known Vulnerabilities
- Two-factor authentication (2FA)
- Disable or add 2FA to XML-RPC
(02): WPS Hide Login
The WPS Hide Login plugin is a lightweight, easy-to-use plugin that lets you change the default login page “wp-login.php” to another path, so attackers looking for the default login URL cannot find or use it.
Key Features:
- Works On Any WordPress Site
- Easy To Activate & Deactivate
- Hides Your Login Page
(03): Block Access Using Web.config & .Htaccess
For additional security hardening without installing more plugins, you can use the Web.config file on Windows servers and the .htaccess file on Apache servers to block access to the wp-config.php and xmlrpc.php files.
Below I provide two examples you can follow if you know how to edit files on your server; you may have to modify these to meet your needs.
Web.config
This is an example of security filtering you would add to your Web.config file (inside the <system.webServer> element):
<security>
  <requestFiltering>
    <!-- denyUrlSequences match the request path, so these block direct requests to both files -->
    <denyUrlSequences>
      <add sequence="xmlrpc.php" />
      <add sequence="wp-config.php" />
    </denyUrlSequences>
    <!-- denyQueryStringSequences only match the query string (?...); on its own this would not block a direct request to wp-config.php -->
    <denyQueryStringSequences>
      <add sequence="wp-config.php" />
    </denyQueryStringSequences>
  </requestFiltering>
</security>
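To see the difference between the two kinds of deny sequence before touching a live server, here is an added example (not code from the article) that models how IIS request filtering applies denyUrlSequences and denyQueryStringSequences to sample requests. It assumes matching is a case-insensitive substring test on the decoded path or query string, and the two web.config fragments it checks are constructed for the demonstration.

```python
# Added example: offline check of IIS requestFiltering deny sequences.
# Assumption: IIS matches each sequence case-insensitively as a substring of
# the decoded URL path (denyUrlSequences) or of the query string only
# (denyQueryStringSequences). Both fragments below are constructed samples.
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Constructed fragment: wp-config.php only listed under denyQueryStringSequences
QUERY_ONLY = """<configuration><system.webServer><security><requestFiltering>
  <denyUrlSequences><add sequence="xmlrpc.php" /></denyUrlSequences>
  <denyQueryStringSequences><add sequence="wp-config.php" /></denyQueryStringSequences>
</requestFiltering></security></system.webServer></configuration>"""

# Constructed fragment: wp-config.php also listed under denyUrlSequences
URL_AND_QUERY = """<configuration><system.webServer><security><requestFiltering>
  <denyUrlSequences>
    <add sequence="xmlrpc.php" /><add sequence="wp-config.php" />
  </denyUrlSequences>
  <denyQueryStringSequences><add sequence="wp-config.php" /></denyQueryStringSequences>
</requestFiltering></security></system.webServer></configuration>"""

def load_deny_sequences(xml_text):
    """Return (url_sequences, query_sequences) declared under <requestFiltering>."""
    rf = next(ET.fromstring(xml_text).iter("requestFiltering"), None)
    if rf is None:
        return [], []
    urls = [a.get("sequence") for a in rf.findall("denyUrlSequences/add")]
    qs = [a.get("sequence") for a in rf.findall("denyQueryStringSequences/add")]
    return urls, qs

def is_denied(request_target, url_sequences, query_sequences):
    """Return the deny rule a request would trip, or None if filtering lets it through."""
    parts = urlsplit(request_target)
    path, query = unquote(parts.path).lower(), unquote(parts.query).lower()
    for seq in url_sequences:        # denyUrlSequences look at the URL path
        if seq.lower() in path:
            return f"denyUrlSequences:{seq}"
    for seq in query_sequences:      # denyQueryStringSequences look only at ?...
        if seq.lower() in query:
            return f"denyQueryStringSequences:{seq}"
    return None

def audit(xml_text, targets):
    """Map each sample request target to the rule that denies it (None = allowed)."""
    urls, qs = load_deny_sequences(xml_text)
    return {t: is_denied(t, urls, qs) for t in targets}

if __name__ == "__main__":
    samples = ["/xmlrpc.php", "/wp-config.php", "/?f=wp-config.php", "/index.php"]
    for name, cfg in (("query-only", QUERY_ONLY), ("url+query", URL_AND_QUERY)):
        print(name, audit(cfg, samples))
```

Running it shows that the query-only fragment leaves a direct request to /wp-config.php unfiltered, while the fragment that also lists it under denyUrlSequences denies both the direct request and the query-string form.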
.htaccess
This is an example of security filtering you would add to your .htaccess file (the original pattern required a dot before the file name and so matched neither file; the corrected pattern matches the exact file names, with Apache 2.4 syntax and a 2.2 fallback):
# Deny access to WordPress files wp-config.php and xmlrpc.php
<FilesMatch "^(wp-config\.php|xmlrpc\.php)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>