In the Feature Spotlight posts, we will highlight a feature in the Solid Security Pro plugin and share a bit about why we developed the feature, who the feature is for, and how to use the feature.
Today we are going to cover WordPress Tweaks, a collection of tools to secure your WordPress website.
Why You Should Use WordPress Tweaks
One of the great advantages of WordPress is its compatibility with third-party tools and services. However, if you aren’t taking advantage of these services, you have unnecessary entry points on your website that a hacker could potentially exploit.
WordPress also provides other conveniences that would allow an attacker to amplify a brute force attack or even make malicious changes to files stored on your server.
You should use the Solid Security Pro WordPress Tweaks settings because they are a set of tools specifically designed to harden some of WordPress’s potential soft spots.
How to Use WordPress Tweaks in Solid Security Pro
To get started using WordPress Tweaks, click the Advanced link in the Security Menu.
Once you are in the Advanced menu, click the WordPress Tweaks tab.
The WordPress Tweaks Settings
The WordPress Tweaks are broken up into 2 sections: API Access and Users. Let’s take a closer look at these settings.
Disable File Editor
The Disable File Editor setting disables the WordPress file editor for plugins and themes. Disabling the WordPress file editor adds a huge amount of security to your website.
If a hacker can successfully break into your website, the WP file editor will allow them to make malicious changes to files stored on your server. However, if you disable the WP file editor, the hacker would still need server credentials to make malicious changes to your plugins and themes.
API Access
1. XML-RPC
The WordPress XML-RPC feature allows external services to access and modify content on the site. For example, Jetpack requires XML-RPC to connect to WordPress websites and modify content.
The XML-RPC setting in Solid Security Pro has 3 options:
- Disable XML-RPC – XML-RPC is disabled on the site. This setting is highly recommended if Jetpack, the WordPress mobile app, pingbacks, and other services that use XML-RPC are not used.
- Disable Pingbacks – Only disable pingbacks. Other XML-RPC features will work as normal. Select this setting if you require features such as Jetpack or the WordPress mobile app.
- Enable XML-RPC – XML-RPC is fully enabled and will function as normal. Use this setting only if the site must have unrestricted use of XML-RPC.
We recommend using the Disable XML-RPC option if you aren’t using any services that use XML-RPC.
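As an added example (not Solid Security Pro's own code), here is how the three XML-RPC modes map onto WordPress core filters in a must-use plugin; the constant EXAMPLE_XMLRPC_MODE is an assumed stand-in for the plugin's saved setting.

```php
<?php
// Added example, not Solid Security Pro's code. Save as wp-content/mu-plugins/xmlrpc-mode.php.
// EXAMPLE_XMLRPC_MODE is an assumed stand-in for the setting: 'disable', 'pingbacks' or 'enable'.
if ( ! defined( 'EXAMPLE_XMLRPC_MODE' ) ) {
    define( 'EXAMPLE_XMLRPC_MODE', 'disable' );
}

// The xmlrpc_enabled filter only refuses methods that log a user in, so on its
// own it leaves pingbacks and the unauthenticated demo.* methods reachable.
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    return 'disable' === EXAMPLE_XMLRPC_MODE ? false : $enabled;
} );

// The method table is where each mode is really enforced.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    switch ( EXAMPLE_XMLRPC_MODE ) {
        case 'disable':
            // Empty table: every call gets the "requested method not found" fault.
            return array();
        case 'pingbacks':
            // Drop only the pingback methods; Jetpack and the mobile apps keep working.
            unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
            return $methods;
        default:
            return $methods;
    }
} );

// Stop advertising pingbacks in the X-Pingback header and reject any that still arrive.
if ( 'enable' !== EXAMPLE_XMLRPC_MODE ) {
    add_filter( 'wp_headers', function ( $headers ) {
        unset( $headers['X-Pingback'] );
        return $headers;
    } );
    add_filter( 'pings_open', '__return_false' );
}
```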
2. Multiple Authentication Attempts per XML-RPC Request
There are other ways to log into WordPress besides using a login form. Using XML-RPC, an attacker can make hundreds of username and password attempts in a single HTTP request.
The brute force amplification method allows attackers to make thousands of username and password attempts using XML-RPC in just a few HTTP requests.
If you want to allow XML-RPC requests that contain multiple login attempts, check the box next to Allow Multiple Authentication Attempts per XML-RPC Request. Only use this setting if a service requires it.
If you leave this box unchecked, XML-RPC requests that contain multiple login attempts are blocked, so each request is limited to a single username and password attempt.
Limiting the number of username and password attempts to one for every request will go a long way in securing your WordPress login.
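The "one attempt per request" behaviour as an added example (not Solid Security Pro's code): a must-use plugin that refuses every credential check after the first within a single XML-RPC request and writes the refused ones to the PHP error log, which is the server-side signature of an amplification attempt.

```php
<?php
// Added example, not Solid Security Pro's code. Save as wp-content/mu-plugins/xmlrpc-one-auth.php.
// Limits each XML-RPC request to one authentication attempt; wp-login.php is untouched.
add_filter( 'authenticate', function ( $user, $username ) {
    // A static inside the closure lives for exactly one PHP request, so it counts
    // every login attempt bundled into this request (e.g. via system.multicall).
    static $attempts = 0;

    if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
        return $user;
    }

    $attempts++;
    if ( $attempts > 1 ) {
        // Surface the pattern to whatever collects the PHP error log.
        error_log( sprintf(
            'xmlrpc: auth attempt #%d in a single request from %s for user "%s" refused',
            $attempts,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $username
        ) );
        // Returned from priority 99, this overrides even a correct password for
        // the second and later attempts, so nothing is learned from them.
        return new WP_Error(
            'xmlrpc_too_many_auth_attempts',
            'Only one authentication attempt is allowed per XML-RPC request.'
        );
    }
    return $user;
}, 99, 2 );
```

Priority 99 is deliberate: core's own credential checks run on the same filter at priority 20 and 30, and a WP_Error returned earlier than those would be overwritten by them.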
3. REST API
The WordPress REST API is part of WordPress and provides developers with new ways to manage WordPress.
By default, the REST API can be used to access information that you might believe is private on your site, including:
- Published posts of all post types, including those that don’t seem like posts, such as products or member programs.
- User details that may include users that do not have any published posts or pages.
- Media library entries which may expose links to download media that is not publicly linked anywhere. This could include links to download member-only content, backups created by some plugins, or any other kind of file added to the media library. (Note that BackupBuddy backups are not stored in the media library and are not accessible via the REST API.)
The REST API setting in Solid Security Pro has two options:
- Default Access – Access to REST API data is left as default. Information including published posts, user details, and media library entries is available for public access.
- Restricted Access – Restrict access to most REST API data. This means that most requests will require a logged-in user or a user with specific privileges, blocking public requests for potentially private data. We recommend selecting this option.
We recommend using the Restricted Access option to limit access to private information.
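An added example (not Solid Security Pro's code) of what "Restricted Access" amounts to: a must-use plugin that makes every REST route require a logged-in user except those on a short public allowlist; the allowlist contents are an assumption and should be extended for whatever public endpoints your site genuinely needs.

```php
<?php
// Added example, not Solid Security Pro's code. Save as wp-content/mu-plugins/rest-restrict.php.
// Routes matched here stay public; everything else needs an authenticated user.
// The list is an assumption: add the routes of plugins that must serve anonymous visitors.
const EXAMPLE_PUBLIC_REST_ROUTES = array(
    '#^/oembed/1\.0/embed$#', // lets other sites embed your posts
);

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Cookie, nonce and application-password checks have already run by now,
    // so is_user_logged_in() reflects the REST request's real authentication.
    if ( null !== $result || is_user_logged_in() ) {
        return $result;
    }

    $route = $request->get_route(); // e.g. "/wp/v2/users" or "/wp/v2/media"
    foreach ( EXAMPLE_PUBLIC_REST_ROUTES as $pattern ) {
        if ( preg_match( $pattern, $route ) ) {
            return $result;
        }
    }

    // Same error code and status as core uses, so well-behaved clients react normally.
    return new WP_Error(
        'rest_not_logged_in',
        'You are not currently logged in.',
        array( 'status' => 401 )
    );
}, 10, 3 );
```

After enabling this, an anonymous request to /wp-json/wp/v2/users or /wp-json/wp/v2/media returns a 401 JSON error instead of the user list or media entries described above.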
Users
1. Login with Email Address or Username
By default, WordPress allows users to log in using either an email address or username. The Login with Email Address or Username setting allows you to restrict logins to only accept email addresses or usernames.
The Login with Email Address or Username setting in Solid Security Pro has three options:
- Email Address and Username (Default) – Allow users to log in using their user’s email address or username. This is the default WordPress behavior.
- Email Address Only – Users can only log in using their user’s email address. This disables logging in using a username.
- Username Only – Users can only log in using their user’s username. This disables logging in using an email address.
Limiting logins to email addresses may add a bit of protection against a brute force attack. While a bot can scrape author pages for usernames, it is less likely to scrape a website for user email addresses.
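The same three choices as an added example (not Solid Security Pro's code): WordPress core registers one credential checker for usernames and one for email addresses on the authenticate filter, so each mode is a matter of removing the other; EXAMPLE_LOGIN_WITH is an assumed stand-in for the setting.

```php
<?php
// Added example, not Solid Security Pro's code. Save as wp-content/mu-plugins/login-with.php.
// EXAMPLE_LOGIN_WITH is an assumed stand-in for the setting: 'email', 'username' or 'both'.
if ( ! defined( 'EXAMPLE_LOGIN_WITH' ) ) {
    define( 'EXAMPLE_LOGIN_WITH', 'email' );
}

// Core hooks wp_authenticate_username_password() and wp_authenticate_email_password()
// on 'authenticate' at priority 20 (default-filters.php loads before mu-plugins, so
// they are already registered here). Removing one removes that login method.
if ( 'email' === EXAMPLE_LOGIN_WITH ) {
    remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
} elseif ( 'username' === EXAMPLE_LOGIN_WITH ) {
    remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
}

// Relabel the wp-login.php field so users know what the form now expects.
add_filter( 'gettext', function ( $translation, $text ) {
    if ( 'Username or Email Address' !== $text ) {
        return $translation;
    }
    if ( 'email' === EXAMPLE_LOGIN_WITH ) {
        return 'Email Address';
    }
    if ( 'username' === EXAMPLE_LOGIN_WITH ) {
        return 'Username';
    }
    return $translation;
}, 10, 2 );
```

In email-only mode a harvested username entered into the form fails with core's own invalid-email error before any password comparison takes place.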
2. Force Unique Nickname
The Force Unique Nickname setting forces users to choose a unique nickname when updating their profile or creating a new account. Using a unique nickname prevents bots and attackers from easily harvesting users’ login usernames from the code on author pages. Note that this does not automatically update existing users, since doing so would change their author feed URLs.
Forcing users to use a unique nickname is another example of security through obscurity. You would be better off enabling the Solid Security Pro Password Requirements and Two-Factor Authentication features to secure your WordPress login.
3. Disable Extra User Archives
The Disable Extra User Archives setting in Solid Security Pro makes it harder for bots to determine usernames by disabling post archives for users that don’t post to your site.
Disabling a user’s author page if their post count is 0 is another example of security through obscurity. You would be better off enabling the Solid Security Pro Password Requirements and Two-Factor Authentication features to secure your WordPress login.
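Both of the obscurity tweaks above (Force Unique Nickname and Disable Extra User Archives) as one added example, not Solid Security Pro's code: a must-use plugin that rejects duplicate nicknames on profile save and returns a 404 for the author archive of any account with no published posts.

```php
<?php
// Added example, not Solid Security Pro's code. Save as wp-content/mu-plugins/author-obscurity.php.
// Neither tweak replaces strong passwords or two-factor authentication.

// Force Unique Nickname: refuse a profile save whose nickname another account already uses.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->nickname ) ) {
        return;
    }
    $clash = get_users( array(
        'meta_key'   => 'nickname',
        'meta_value' => $user->nickname,
        'exclude'    => $update ? array( $user->ID ) : array(), // ignore the user's own row
        'fields'     => 'ID',
        'number'     => 1,
    ) );
    if ( ! empty( $clash ) ) {
        $errors->add( 'nickname_taken', 'That nickname is already in use; please choose another.' );
    }
}, 10, 3 );

// Disable Extra User Archives: author pages of accounts with no published posts 404.
// Priority 1 runs before redirect_canonical() (priority 10), which would otherwise
// turn ?author=N into the pretty /author/<login>/ URL and reveal the username.
add_action( 'template_redirect', function () {
    if ( ! is_author() ) {
        return;
    }
    $author_id = get_queried_object_id();
    if ( 0 === (int) count_user_posts( $author_id, 'post', true ) ) {
        global $wp_query;
        $wp_query->set_404(); // also clears is_author(), so the canonical redirect stays quiet
        status_header( 404 );
        nocache_headers();
    }
}, 1 );
```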
Wrapping Up: WordPress Tweaks to Strengthen WordPress Security
The WordPress Tweaks in Solid Security Pro were specifically designed to harden your WordPress website’s security. With the Solid Security Pro plugin, you can also add these extra layers of security to your website, including: