WordPress Manager Security Measures


WordPress websites are frequently targeted by attackers. WordPress Manager by Softaculous provides security features to keep your WordPress site secure. Follow the guide below to secure your WordPress website.

The WordPress Manager security measures provide detailed information about each recommended change and allow you to apply them without installing a plugin. If any of the security measures makes your website behave incorrectly, you can revert it at any time.

Note: This feature is added in Softaculous 5.9.2

Accessing WordPress Manager

1. To access WordPress Manager, click the “WordPress” icon in the upper right corner of your Softaculous end-user panel, as shown in the screenshot below.

2. Alternatively, open WordPress Manager by clicking the “WordPress” icon next to the WordPress installation you would like to manage on the All Installations page, as shown in the screenshot below.

WordPress Manager Security Measures

With WordPress Manager by Softaculous, the Security Measures can be applied to one or more WordPress sites by selecting the right-most checkbox next to the desired WordPress installations.

Below are the security measures provided by WordPress Manager to secure your WordPress site.

Change default administrator’s username

WordPress does not allow a username to be changed after the account is created. If you installed WordPress with the administrator username ‘admin’, your site is at greater risk, because brute-force attempts against the login page commonly try that username first. This security option changes the username from admin to a randomly generated username. You can use the Login button in WordPress Manager to log in with the renamed admin account.

Restrict access to files and directories

Insecure permissions on files and directories can allow unauthorized access that is then used to compromise your website. This security option sets the permissions of the wp-config.php file to 0600, of all other files to 0644, and of directories to 0755.
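The same permission scheme as a shell script, added here as an example (this is not Softaculous code and does not show how WordPress Manager applies the measure). It assumes a POSIX find and chmod and that the web server runs as the file owner or as a group member with read access; the document root path is a placeholder.

```shell
#!/bin/sh
# Added example, not Softaculous code: apply the permission scheme described
# above to a WordPress document root, then audit it.
# Usage: harden_wp_perms /var/www/example ; audit_wp_perms /var/www/example

harden_wp_perms() {
  root="$1"
  # Directories: owner rwx, group/other r-x (0755)
  find "$root" -type d -exec chmod 0755 {} +
  # Regular files: owner rw, group/other r, no execute bit anywhere (0644)
  find "$root" -type f ! -name wp-config.php -exec chmod 0644 {} +
  # wp-config.php holds database credentials and salts: owner only (0600).
  # Any copy of it (including stray backups) gets the same treatment.
  find "$root" -type f -name wp-config.php -exec chmod 0600 {} +
}

# Prints one line per path that deviates from the scheme. Empty output means
# the tree is compliant, which makes this usable from a cron job or a check.
audit_wp_perms() {
  root="$1"
  find "$root" -type d ! -perm 755
  find "$root" -type f ! -name wp-config.php ! -perm 644
  find "$root" -type f -name wp-config.php ! -perm 600
}
```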

Block unauthorized access to xmlrpc.php

This security option blocks requests to xmlrpc.php, the WordPress XML-RPC endpoint.

Note: Custom directives in the .htaccess files might override this.

Block access to .htaccess and .htpasswd

If attackers can read .htaccess and .htpasswd files, they learn how your site is configured and protected, which exposes it to a variety of exploits and security breaches. This security option ensures that .htaccess and .htpasswd files cannot be retrieved over the web.

Turn off pingbacks

Pingbacks allow other WordPress websites to automatically leave comments under your posts when those websites link to them. Pingbacks can be abused to make your website participate in DDoS attacks on other sites. This security option turns off XML-RPC pingbacks for your whole website and also disables pingbacks on previously created posts that had them enabled.

Disable file editing in WordPress Dashboard

Disabling file editing in WordPress removes the ability to edit plugin and theme source files directly in the WordPress interface. This option adds a layer of protection in case one of the WordPress admin accounts is compromised: the attacker cannot simply use the built-in editor to add malicious executable code to plugins or themes.

Block author scans

Author scans enumerate user IDs to discover the usernames of registered users (especially the WordPress admin), which are then used to brute-force the login page of your website. This security option prevents such scans from exposing the usernames.

Note: Depending on the permalink configuration on your website this option might prevent visitors from accessing pages that list all articles written by a particular author.

Block directory browsing

If directory browsing is turned on, the web server lists the contents of directories that have no index file, which reveals information about your website that can potentially compromise its security. Directory browsing is usually turned off by default, but if it is turned on, this security option blocks it.

Forbid execution of PHP scripts in the wp-includes directory

The wp-includes directory contains PHP files that are meant to be included by WordPress, not requested directly; some of them can be abused when executed on their own. This security option prevents the web server from executing PHP files in the wp-includes directory.

Note: Custom directives in the .htaccess files might override this.

Forbid execution of PHP scripts in the wp-content/uploads directory

The wp-content/uploads directory is meant for media and should never contain PHP files; if an attacker manages to upload one, executing it can be enough to take over your website. This security option prevents the web server from executing PHP files in the wp-content/uploads directory.

Note: Custom directives in the .htaccess files might override this.
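A script for the two "forbid execution of PHP scripts" measures above, added here as an example (this is not Softaculous code and does not show how WordPress Manager implements them). It assumes Apache with AllowOverride enabled so that .htaccess is honoured (nginx ignores .htaccess entirely), that mod_authz_core is present on Apache 2.4 or the older Deny directive on 2.2, and, as the note says, that no later custom directive overrides the rule; paths are placeholders.

```shell
#!/bin/sh
# Added example, not Softaculous code: deny web access to PHP files inside a
# directory that should never serve executable code, and list any PHP files
# already sitting there.
# Usage: deny_php_exec /var/www/example/wp-content/uploads
#        deny_php_exec /var/www/example/wp-includes

MARKER='# deny PHP execution in this directory (added hardening example)'

deny_php_exec() {
  ht="$1/.htaccess"
  # Idempotent: do not append a second copy if the marker is already present.
  if [ -f "$ht" ] && grep -qF "$MARKER" "$ht"; then
    return 0
  fi
  cat >> "$ht" <<'EOF'
# deny PHP execution in this directory (added hardening example)
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# PHP files under wp-content/uploads are never legitimate. Each hit deserves a
# look (and a malware scan) rather than silent deletion: it may be the trace of
# an earlier compromise. Not meaningful for wp-includes, which is all PHP.
find_php_files() {
  find "$1" -type f \( -name '*.php' -o -name '*.php[0-9]' \
                       -o -name '*.phtml' -o -name '*.phar' \)
}
```

Run find_php_files on the uploads directory before and after enabling the rule; the deny rule stops execution but does not remove what is already there.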

Disable scripts concatenation for WordPress admin panel

This security option turns off the concatenation of scripts loaded by the WordPress admin panel, which prevents your website from being affected by certain DoS attacks against that mechanism. Turning off script concatenation might slightly reduce the performance of the WordPress admin panel, but it should not affect visitors’ experience on your WordPress website.
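Both this measure and "Disable file editing in WordPress Dashboard" above correspond to constants that WordPress itself reads from wp-config.php: DISALLOW_FILE_EDIT set to true removes the theme and plugin editor, and CONCATENATE_SCRIPTS set to false stops the admin panel from concatenating its scripts. The following script, added here as an example (not Softaculous code, and not how WordPress Manager applies the measures), sets such a constant safely; it assumes a standard wp-config.php that ends by requiring wp-settings.php, and the config path is a placeholder.

```shell
#!/bin/sh
# Added example, not Softaculous code: set a boolean constant in wp-config.php,
# replacing an existing define() or inserting one above the "stop editing"
# marker so that it is in effect before wp-settings.php bootstraps WordPress.
#   DISALLOW_FILE_EDIT  true   removes the theme/plugin editor from the dashboard
#   CONCATENATE_SCRIPTS false  stops the admin panel from concatenating scripts
# Usage: set_wp_constant /var/www/example/wp-config.php DISALLOW_FILE_EDIT true

set_wp_constant() {
  cfg="$1"; name="$2"; value="$3"
  line="define( '$name', $value );"
  if grep -Eq "define\( *['\"]$name['\"]" "$cfg"; then
    # Existing define(): rewrite that line in place (sed BRE, so "(" is literal).
    sed "s/^.*define( *['\"]$name['\"].*\$/$line/" "$cfg" > "$cfg.tmp"
  elif grep -Eq "stop editing|wp-settings\.php" "$cfg"; then
    # Insert above the first marker so the constant is defined before bootstrap.
    awk -v l="$line" \
      '!done && /stop editing|wp-settings\.php/ { print l; done=1 } { print }' \
      "$cfg" > "$cfg.tmp"
  else
    # Unknown layout: a define() placed too late would be ignored, so refuse.
    echo "no wp-settings.php include found in $cfg; not modifying it" >&2
    return 1
  fi
  mv "$cfg.tmp" "$cfg"
}

# Prints the current value of a boolean constant ("true"/"false"), or nothing
# if wp-config.php does not define it.
get_wp_constant() {
  grep -Eo "define\( *['\"]$2['\"] *, *[A-Za-z]+" "$1" | sed -E 's/.*, *//'
}
```

Reverting a measure is the same call with the opposite value, which matches the page's note that each measure can be undone.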

Block access to sensitive files

This security option prevents public access to certain files that can contain sensitive information, such as connection credentials, or details (for example version information) that can be used to determine which known vulnerabilities your WordPress website is exposed to.

Enable bot protection

This option protects your website from useless, malicious or otherwise harmful bots. It blocks bots that scan your website for vulnerabilities or overload it with unwanted requests, causing excessive resource usage.

Note: You might want to temporarily disable this measure if you’re planning to use an online service to scan your website for vulnerabilities, since these services might also use such bots.
