Enhanced Protection Against Vulnerabilities with a Security Plugin Preinstalled
We have recently launched our security plugin, which aims to protect WordPress users against the most common vulnerabilities plaguing their sites. We have started preinstalling the Security plugin on all new installations on our platform, with some of its features enabled by default.
Default Security Settings Against Common WordPress Vulnerabilities
Having your site set up with security in mind from the start can easily protect you against some of the most popular vulnerabilities out there. To help you achieve that goal, when we preinstall the Security plugin we enable the following settings:
WordPress Version is Hidden by default
Hackers often crawl websites collecting information about the software versions in use. That way, as soon as a vulnerability is discovered in one of those versions, they can use that information to reach and hack many sites in bulk. For WordPress this data is openly available in 2 places – in the generator meta tag in the page head and in the readme.html file.
By default, our plugin removes the HTML tag with the WordPress version.
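The following is an added example of how the version string can be removed from the places WordPress prints it; it is illustrative code, not the vendor's plugin. The hooks (wp_head/wp_generator, the_generator, script_loader_src, style_loader_src) are real WordPress core hooks; the function name hv_strip_version_query is an assumed name. Beyond the meta tag the page mentions, it also strips the version from feed output and from the ?ver= query string core appends to its own script and style URLs.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (added example, drop into wp-content/mu-plugins)
 */

// The <meta name="generator"> tag in <head> is printed by wp_generator();
// the_generator filter covers the <generator> element in RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Core appends ?ver=<WordPress version> to its own script and style URLs,
// which leaks the same information as the meta tag. Strip the argument.
function hv_strip_version_query( $src ) {
    if ( strpos( $src, 'ver=' ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hv_strip_version_query', 15 );
add_filter( 'style_loader_src', 'hv_strip_version_query', 15 );
```

Removing ?ver= from all assets also removes the cache-busting it provides, so a site that relies on it should restrict the filter to core handles. readme.html is a static file served directly by the web server, so it has to be deleted or blocked at the web-server level rather than from PHP.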
Advanced XSS Vulnerability Protection enabled
The cross-site scripting vulnerability, known as XSS, lets attacker-controlled script run in your visitors' browsers with the access your WordPress site has; vulnerable plugins and other components are a common entry point. Such attacks are often used to gather sensitive user data, for example. By default the Security plugin enables protection against XSS by adding response headers that instruct browsers not to accept injected JS or other code.
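As an added example (not the vendor's code), the response headers described above can be sent from a small must-use plugin on the send_headers action, which is a real WordPress hook; the function name xh_send_security_headers and the exact policy values are assumptions to be tuned per site.

```php
<?php
/**
 * Plugin Name: Browser-side XSS hardening headers (added example)
 */
function xh_send_security_headers() {
    if ( headers_sent() ) {
        return; // too late to add headers on this response
    }
    // Legacy reflected-XSS filter in older browsers; harmless on modern ones.
    header( 'X-XSS-Protection: 1; mode=block' );
    // Never reinterpret a response as script/style when the declared type says otherwise.
    header( 'X-Content-Type-Options: nosniff' );
    // Do not allow other origins to frame the site (clickjacking).
    header( 'X-Frame-Options: SAMEORIGIN' );
    // Content Security Policy: scripts only from this origin, no plugins/objects,
    // and <base> cannot be redirected. Assumed starting policy; tighten or relax per site.
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" );
}
add_action( 'send_headers', 'xh_send_security_headers' );
```

A script-src without 'unsafe-inline' blocks the inline scripts that core, many themes and plugins emit, so deploy the CSP first as Content-Security-Policy-Report-Only, review the violation reports, and only then enforce it.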
Disabled XML-RPC protocol to prevent many vulnerabilities and attacks
XML-RPC is an older protocol that WordPress uses to talk to other systems. It has been used less and less since the REST API appeared. However, it is still enabled in the application, and many abuse it to exploit vulnerabilities, launch DDoS attacks and cause other trouble. That is why our Security plugin disables this open entry point to your WordPress application by default.
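An added example of disabling the endpoint from a must-use plugin (illustrative, not the vendor's implementation). xmlrpc_enabled, xmlrpc_methods, wp_headers and rsd_link are real core hooks. The pingback method is removed separately because pingback.ping does not require a login, and the xmlrpc_enabled check only runs when a method authenticates.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 */

// Refuse every authenticated XML-RPC call (the plugin returns a 405 fault to clients).
add_filter( 'xmlrpc_enabled', '__return_false' );

// Also drop the unauthenticated pingback methods, which have been abused
// for reflection DDoS, in case another plugin re-enables the endpoint.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: the X-Pingback response header
// and the Really Simple Discovery <link> in the page head.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

Integrations that still depend on XML-RPC (the mobile apps, Jetpack) stop working once this is active, which is why a plugin typically exposes it as a switch rather than removing xmlrpc.php outright.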
Lock and Protect System Folders by default
Usually when an exploit happens, attackers try inserting and executing PHP files in public folders to add backdoors and further compromise your account. By design, those publicly accessible WordPress folders are used for uploading media content (images, for example). Via the Security plugin we do not forbid the upload of files, but we stop PHP files and malicious scripts from being executed from those system folders and causing problems for your sites.
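As an added example of the lock (not the vendor's code), a plugin can write a web-server rule into the uploads directory on activation so that files there are served but never executed as PHP. register_activation_hook, wp_upload_dir and trailingslashit are real WordPress functions; the function names lf_htaccess_rules and lf_lock_uploads and the marker comment are assumptions.

```php
<?php
/**
 * Plugin Name: Lock uploads folder (added example)
 * Writes an .htaccess into wp-content/uploads that denies PHP execution there.
 */
function lf_htaccess_rules() {
    return "# Added by lock-uploads example: files are served, never executed as PHP\n"
         . "<FilesMatch \"\\.(php|phtml|php[0-9]|phar)$\">\n"
         . "  <IfModule mod_authz_core.c>\n"      // Apache 2.4
         . "    Require all denied\n"
         . "  </IfModule>\n"
         . "  <IfModule !mod_authz_core.c>\n"     // Apache 2.2
         . "    Order deny,allow\n"
         . "    Deny from all\n"
         . "  </IfModule>\n"
         . "</FilesMatch>\n";
}

function lf_lock_uploads() {
    $upload = wp_upload_dir();
    $path   = trailingslashit( $upload['basedir'] ) . '.htaccess';
    // Append once; an existing .htaccess from the host or another plugin is preserved.
    if ( ! file_exists( $path ) || strpos( file_get_contents( $path ), 'lock-uploads example' ) === false ) {
        file_put_contents( $path, lf_htaccess_rules(), FILE_APPEND | LOCK_EX );
    }
}
register_activation_hook( __FILE__, 'lf_lock_uploads' );
```

.htaccess is only honoured by Apache (and LiteSpeed) with AllowOverride enabled; on nginx the equivalent is a location block for the uploads path that returns 403 for .php requests, which has to live in the server configuration.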
Disabled “Admin” Username
The default username, and the one most widely used by owners across all applications, is “Admin.” Hackers know that, and when they wish to brute-force a login form they will definitely try it. That is why we disable this username by default.
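Added example of disabling the name at both ends (illustrative, not the vendor's code): illegal_user_logins is a real core filter that stops the account from being created, and the authenticate filter at priority 30 runs after core's own username/password check at priority 20, so the rejection cannot be overridden by a correct password.

```php
<?php
/**
 * Plugin Name: Disable the "admin" username (added example)
 */

// Refuse creating a user called "admin" through registration, wp-admin or WP-CLI.
add_filter( 'illegal_user_logins', function ( $logins ) {
    $logins[] = 'admin';
    return $logins;
} );

// Refuse login attempts for that name regardless of the password.
// Priority 30 so this runs after wp_authenticate_username_password (priority 20).
add_filter( 'authenticate', function ( $user, $username ) {
    if ( is_string( $username ) && strtolower( trim( $username ) ) === 'admin' ) {
        return new WP_Error( 'disabled_username', 'This username is disabled on this site.' );
    }
    return $user;
}, 30, 2 );
```

On a site that already has an account literally named admin, the login block locks its owner out too, so a plugin should rename that account (or warn) before enabling the rule.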
Limit Login Attempts
When someone tries to log in several times with wrong credentials, they are most likely trying to guess your logins. That is why it is strongly recommended to block such attempts after the first few – 3 or 5. We set that limit in the Security plugin interface, and after that many wrong logins the user gets blocked for 1 hour the first time, then 24 hours on the second lockout, and finally for 7 days on the third.
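The escalating lockout described above, as an added example that is not the vendor's implementation: failures are counted per client IP in transients, the fifth failure (LL_MAX_ATTEMPTS, an assumed threshold) locks the IP for 1 hour, then 24 hours, then 7 days, and a successful login resets the escalation. authenticate, wp_login_failed, wp_login, the transient functions, human_time_diff and the *_IN_SECONDS constants are real WordPress APIs; the ll_ prefixed names are assumptions.

```php
<?php
/**
 * Plugin Name: Limit login attempts (added example)
 */
define( 'LL_MAX_ATTEMPTS', 5 ); // assumed threshold; the page's plugin makes this configurable

function ll_client_ip() {
    // REMOTE_ADDR is the only address the server itself vouches for; behind a reverse
    // proxy, take X-Forwarded-For only from that trusted proxy.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}
function ll_key( $suffix ) {
    return 'll_' . $suffix . '_' . md5( ll_client_ip() );
}
function ll_lockout_durations() {
    return array( HOUR_IN_SECONDS, DAY_IN_SECONDS, 7 * DAY_IN_SECONDS ); // 1st, 2nd, 3rd lockout
}

// Stage 1: while the IP is locked, reject authentication whatever the credentials.
// Priority 30 runs after core's password check, so a WP_Error here wins.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $until = get_transient( ll_key( 'locked' ) );
    if ( $until && $until > time() ) {
        return new WP_Error( 'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %s.', human_time_diff( time(), $until ) ) );
    }
    return $user;
}, 30, 3 );

// Stage 2: count failures; on the Nth, lock with the next duration in the schedule.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    if ( get_transient( ll_key( 'locked' ) ) ) {
        return; // the rejection above also fires this hook; do not count it as a new failure
    }
    $failures = (int) get_transient( ll_key( 'failures' ) ) + 1;
    if ( $failures < LL_MAX_ATTEMPTS ) {
        set_transient( ll_key( 'failures' ), $failures, HOUR_IN_SECONDS ); // counter expires after a quiet hour
        return;
    }
    $durations = ll_lockout_durations();
    $stage     = min( (int) get_transient( ll_key( 'stage' ) ), count( $durations ) - 1 );
    set_transient( ll_key( 'locked' ), time() + $durations[ $stage ], $durations[ $stage ] );
    set_transient( ll_key( 'stage' ), $stage + 1, 30 * DAY_IN_SECONDS ); // remember escalation (30 days, assumed)
    delete_transient( ll_key( 'failures' ) );
}, 10, 2 );

// A successful login clears both the counter and the escalation stage.
add_action( 'wp_login', function () {
    delete_transient( ll_key( 'failures' ) );
    delete_transient( ll_key( 'stage' ) );
} );
```

Keying on the IP alone means a shared NAT address can be locked out by one bad actor and a distributed attacker can rotate addresses; production plugins therefore combine IP and username keys and log each lockout so it shows up in monitoring.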
More Tools Against WordPress Vulnerabilities Coming Up
Development of the plugin continues, and we will add a lot of new functionality soon.