Hardening WordPress to limit attack vectors

Disable XML-RPC

Unless you are using the API, disable XML-RPC. Even if you are using it, you can limit access to a static IP address or range. This prevents scripts on remote hosts from using xmlrpc.php to attempt to gain access to your WordPress instance. The easiest way to disable XML-RPC is to add the following to .htaccess in the root of your website. Note that the Order/Deny/Allow directives below are Apache 2.2 syntax; on Apache 2.4 they only work with mod_access_compat loaded, and the native equivalent is the Require directive.

# Replace 192.168.0.1 with the IP of the server requiring XML-RPC access
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 192.168.0.1
</Files>

WP fail2ban plugin

Use the WP fail2ban plugin to ban IP addresses that repeatedly attempt to brute-force logins to your website. See the WP fail2ban docs for how to install the plugin and set up the fail2ban filters. The important detail to remember is that this is a two-step process. The WP fail2ban plugin captures login failure events and logs them to a file outside WordPress, usually /var/log/auth.log. The second step is to set up fail2ban as a service on the server and ensure that this log is being monitored and filtered based on those events.
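To make the second step concrete, here is an added example (not code from the post or from the WP fail2ban plugin) that replays what a fail2ban jail does with the plugin's log output: it matches the "Authentication failure for <user> from <ip>" lines in an auth.log-style file, keeps a sliding window of failures per source IP, and reports which IPs would be banned once they exceed a retry threshold within a time window. The log lines are constructed for the example; the host name, PID and timestamps are made up, and the log year is assumed because syslog timestamps do not carry one.

```python
"""Replay the fail2ban decision over WP fail2ban style log lines.

Added example, not part of the original post or the plugin. The message shape
"Authentication failure for <user> from <ip>" follows what WP fail2ban writes
to the system auth log; everything else in the sample is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log: two WordPress clients failing to
# log in plus one unrelated sshd line that the filter must ignore.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web1 wordpress(example.org)[2231]: Authentication failure for admin from 203.0.113.7
Mar  3 10:15:04 web1 wordpress(example.org)[2231]: Authentication failure for admin from 203.0.113.7
Mar  3 10:15:06 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.20 port 52112 ssh2
Mar  3 10:15:09 web1 wordpress(example.org)[2231]: Authentication failure for wpadmin from 203.0.113.7
Mar  3 10:15:12 web1 wordpress(example.org)[2231]: Authentication failure for editor from 198.51.100.20
Mar  3 10:15:15 web1 wordpress(example.org)[2231]: Authentication failure for admin from 203.0.113.7
Mar  3 10:15:18 web1 wordpress(example.org)[2231]: Authentication failure for admin from 203.0.113.7
Mar  3 10:25:00 web1 wordpress(example.org)[2231]: Authentication failure for editor from 198.51.100.20
Mar  3 10:40:00 web1 wordpress(example.org)[2231]: Authentication failure for editor from 198.51.100.20
"""

# Plays the role of a fail2ban filter's failregex: one failure line, with the
# source address captured. Anchoring on the wordpress(...) prefix means the
# sshd line (and anything else in auth.log) is not counted.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\)\[\d+\]: "
    r"Authentication failure for \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_failures(log_text, year=2024):
    """Return a list of (timestamp, source_ip) for every matching line.

    Syslog timestamps have no year, so one is supplied (assumed here).
    """
    failures = []
    for line in log_text.splitlines():
        match = FAILREGEX.match(line)
        if not match:
            continue
        # Collapse the padded day ("Mar  3") so strptime sees a single space.
        stamp = " ".join(match.group("ts").split())
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        failures.append((when, match.group("ip")))
    return failures


def find_bans(log_text, maxretry=5, findtime_seconds=600, year=2024):
    """Return {ip: ban_time} for IPs with maxretry failures inside findtime.

    maxretry and findtime mirror the fail2ban jail settings of the same names:
    a ban fires when the window of recent failures reaches maxretry.
    """
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    bans = {}
    for when, ip in parse_failures(log_text, year):
        if ip in bans:
            continue             # already banned; fail2ban would have dropped it
        window = recent[ip]
        window.append(when)
        # Expire failures older than findtime relative to this event.
        while window and (when - window[0]).total_seconds() > findtime_seconds:
            window.pop(0)
        if len(window) >= maxretry:
            bans[ip] = when
    return bans


def count_failures_per_ip(log_text, year=2024):
    """Plain per-IP failure totals, useful for reviewing the log by hand."""
    totals = defaultdict(int)
    for _, ip in parse_failures(log_text, year):
        totals[ip] += 1
    return dict(totals)


if __name__ == "__main__":
    print("failures per IP:", count_failures_per_ip(SAMPLE_AUTH_LOG))
    for ip, when in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"would ban {ip} at {when:%H:%M:%S}")
```

With the defaults above, 203.0.113.7 reaches five failures in under a minute and is banned on the fifth, while 198.51.100.20 fails three times spread over 25 minutes and never has more than two failures inside the ten-minute window, so it is left alone. That is the trade-off the jail's findtime and maxretry settings control: tighten them and slow, patient guessing is caught sooner, at the cost of banning a legitimate user who mistypes a password a few times.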

These 2 methods alone have reduced the number of attempted brute force login attacks by 95% on my administered WordPress sites.
