Monthly Archives: March 2020

Hardening a vanilla WordPress Installation

Working with WordPress can be real fun. But if you don’t secure your WordPress installation, it can also be a pain in the a**. Because everyone can download WordPress, everyone also knows exactly which files, paths and default settings your installation uses if you change nothing at all. At that point you are inviting attackers to a free party in your WordPress backend.

Step 1: Change the admin user

While installing WordPress you have to create your first account, which automatically becomes your administrator account. Do not stick with the default “admin” username; pick something else. Every attacker knows that “admin” is the default, so with that username they only have to guess your password. Keep in mind that this is a small hurdle, not a wall: WordPress exposes usernames through author archive URLs and the REST API unless you block those, so a strong, unique password (and two-factor authentication, if you can add it) matters far more than the name itself.

Step 2: Change your login path

After installing WordPress, you can log in at www.yourdomain.de/wp-login.php. Direct access to your backend via www.yourdomain.de/wp-admin is also possible. To make it harder for automated scanners to find your backend, you should change these paths. A useful helper is the free WordPress plugin “Rename wp-login.php”, which does exactly that. After activating the plugin, you can set your own login path under Settings in the WordPress backend; the old paths are disabled. Note that a hidden login page only keeps dumb bots away: anyone who learns the new path can still try to log in, so this does not replace a strong password or a login-attempt limit.

Step 3: xmlrpc.php

XML-RPC (Extensible Markup Language Remote Procedure Call) is the remote interface between WordPress and external systems: other software can call functions in your installation through it. For example, it handles pingbacks and other incoming and outgoing notifications from other websites, and it is what the WordPress mobile apps and some publishing tools use to talk to your site.

Apart from its intended functions, this interface can also be used for brute-force attacks: attackers can try a large number of passwords against it to find the right one, and unlike the login form, this endpoint has no captcha or other extra security check you could add. So apart from denying access to it altogether, there is little you can do. Add the following code to your .htaccess file and you will be much safer than before. Be aware that this also cuts off everything that relies on XML-RPC, such as the WordPress mobile apps and plugins like Jetpack; if you need those, you cannot block the endpoint completely.

# Block all access to the XML-RPC endpoint. This is Apache 2.2 syntax,
# which Apache 2.4 still accepts through mod_access_compat; the native
# 2.4 equivalent is "Require all denied".
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>
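Blocking the endpoint is only half the job: you also want to notice when someone is hammering xmlrpc.php or wp-login.php, and whether the block actually answers with 403. The following Python script is an added example and not part of the original post. It parses Apache combined-format access-log lines and flags every IP that POSTs to one of the two endpoints repeatedly within a short window, counting how many of those requests were blocked. The log lines are constructed for illustration, and the threshold and window size are arbitrary assumptions you should tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache "combined" access-log lines (not real traffic):
# 203.0.113.7 guesses passwords against both endpoints; 198.51.100.20 is a
# normal visitor who logs in once. The last xmlrpc.php request is answered
# with 403, i.e. the .htaccess block is in place for that request.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2020:10:12:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2020:10:12:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2020:10:12:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2020:10:12:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3941 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2020:10:12:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3941 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2020:10:12:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3941 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Mar/2020:10:13:10 +0100] "GET /2020/03/hardening-wordpress/ HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Mar/2020:10:14:30 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2020:10:12:05 +0100] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# The two endpoints password guessing is aimed at (see Steps 2 and 3).
WATCHED_PATHS = {"/xmlrpc.php", "/wp-login.php"}


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path and status,
    or None for lines that are not in combined format."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string
    return rec


def find_bruteforce(lines, threshold=3, window_seconds=60):
    """Flag (ip, path) pairs that sent at least `threshold` POSTs to a watched
    endpoint within any `window_seconds` window. Both limits are assumptions
    for this example. Returns {(ip, path): {"attempts", "blocked", "peak"}}."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in WATCHED_PATHS:
            continue
        events[(rec["ip"], rec["path"])].append((rec["ts"], rec["status"]))

    hits = {}
    for key, evs in events.items():
        evs.sort()  # logs are not guaranteed to be in time order
        times = [ts for ts, _ in evs]
        # Sliding window: for each start index, advance `end` while the
        # event is still within the window, and remember the densest burst.
        end, peak = 0, 0
        for start in range(len(times)):
            while end < len(times) and (times[end] - times[start]).total_seconds() <= window_seconds:
                end += 1
            peak = max(peak, end - start)
        if peak >= threshold:
            hits[key] = {
                "attempts": len(evs),
                # 403 means the .htaccess deny rule answered the request.
                "blocked": sum(1 for _, status in evs if status == 403),
                "peak": peak,
            }
    return hits


def report(hits):
    """Human-readable lines for the flagged (ip, path) pairs."""
    lines = []
    for (ip, path), info in sorted(hits.items()):
        lines.append(
            f"{ip} -> {path}: {info['attempts']} POSTs "
            f"({info['peak']} in one window), {info['blocked']} answered with 403"
        )
    return lines


if __name__ == "__main__":
    for line in report(find_bruteforce(SAMPLE_LOG.splitlines())):
        print(line)
```

A flagged endpoint whose requests are all answered with 200 tells you the block (or the renamed login path) is not actually active for that URL; once the .htaccess rule above is in place, every POST to /xmlrpc.php should show up as 403, which you can also confirm by hand with a single POST request from curl.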

Step 4: Be up to date

Taking care of your WordPress installation is one thing; keeping it safe over time is another. Keep WordPress core, your theme and all plugins up to date, and follow the WordPress news so you know when things change. WordPress installs minor core releases, including security fixes, automatically by default; leave that switched on. Some of the precautions above might stop working in a few months or years, for example when a plugin is abandoned, and you want to replace them as soon as that happens.