Back to Posts

Harden WordPress

Posted in Defense

Networks Engineered to Exploit.
- Windows/UNIX - Domains/Subnets - Initial/Post/Lateral - Low Cost VPN Ranges -

Quick steps to secure WordPress for $0

Update WordPress & Plugins

The best way to maintain security on your WP site is to always keep WP and its plugins up to date.

Since WordPress is the most common CMS running on the internet today, it’s a primary target for attackers. It’s constantly being probed and tested for vulnerabilities, including all the optional plugins available.

Limiting ANY plugins that aren’t absolutely necessary will not only improve security, but may also improve performance. Make sure to download plugins from trusted and tested sources. You may have your entire site locked down and secure, but all it takes is a random plugin to have a vulnerability.

It’s also recommended to turn on any automatic updates to reduce any zero days from impacting your system.

Block unauthorized wp-admin attempts

The plugin Login Lockdown is a commonly used (and tested) plugin that limits the amount of login attempts into WP. Like most of WP plugins, it’s easy to use and setup.

Make password complex

Since the WP login page is default (and can be difficult to change) attackers can easily search for WP sites by using google dorks or other crawling engines.

Basically the login page to your site is exposed to the entire planet - anyone can attempt to login. That being said, it’s very important to make your password very complex

Disable XML-RPC

XML-RPC Brute Force Amplification Attacks are very common and can double as a DDoS attack - WordPress sites are a prime XMLRPC brute force targets. By default it’s enabled and works with some plugins - so disabling it may cause some issues.

If you’re running a minimal server, without a lot of resources, then these attacks may be what’s bogging your WP site down. With the massive amount for requests, these can act similar to a DoS attack on resource light servers.

To disable you can download the Disable XML-RPC plugin or block xmlrpc.php page in your htaccess file…

<Files xmlrpc.php>
Order Deny,Allow
Deny from all

Otherwsie you can configure a script to block suspected attacks. Here’s a quick and dirty script I created that’ll block an ip after x amount of requests to /xlmrpc.php. Create a cron job for it and you’re good to go.

Scan for vulns using WPScan

WPScan is an excellent tool to test for any vulnerabilities your WP site may have. It’s on Kali by default, which can be ran by..

root@kali:~# wpscan --help

It can scan for vulns in plugins, themes, version etc and can also brute force the login and/or for usernames.

Here are a few command string to get started..

//wpscan enumerate users and plugins
wpscan -u --enumerate uap

//wpscan brute force
wpscan -u --wordlist /home/wordlists/john.txt
 --username wintermute

Custom Cyber Ranges >>

Read Next