WordPress Tweaks

From iThemes Codex

These are advanced settings that may be utilized to further strengthen the security of your WordPress site.

Note: These settings are listed as advanced because they block common forms of attacks but they can also block legitimate plugins and themes that rely on the same techniques. When activating the settings below, we recommend enabling them one by one to test that everything on your site is still working as expected.

Remember, some of these settings might conflict with other plugins or themes, so test your site after enabling each setting.

Generator Meta Tag

Removes the <meta name="generator" content="WordPress [version]" /> meta tag from your site's header. This hides the WordPress version from a potential attacker, making it more difficult to determine which known vulnerabilities apply to your site.

Windows Live Writer Header

This is not needed if you do not use Windows Live Writer or other blogging clients that rely on this file.

EditURI Header

Removes the RSD (Really Simple Discovery) header. If you don't integrate your blog with external XML-RPC services such as Flickr, the "RSD" function is pretty much useless to you.
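The three header tweaks above (Generator Meta Tag, Windows Live Writer Header and EditURI Header) are all outputs that WordPress core attaches to the wp_head action. The following must-use plugin is an added example, not the iThemes Security code, showing how the same three outputs are removed with core's own hook API; the file name and plugin name are my own.

```php
<?php
/**
 * Plugin Name: Header Fingerprint Cleanup (added example, not iThemes Security code)
 *
 * Save as wp-content/mu-plugins/header-fingerprint-cleanup.php. Must-use plugins
 * load after wp-includes/default-filters.php has registered core's wp_head
 * callbacks, so remove_action() finds them at their default priority (10).
 */

// Generator Meta Tag: stop core printing <meta name="generator" content="WordPress x.y" />.
remove_action( 'wp_head', 'wp_generator' );

// RSS/Atom feeds print the version through the same 'the_generator' filter,
// so blanking it there covers the feeds as well as the HTML head.
add_filter( 'the_generator', '__return_empty_string' );

// Windows Live Writer Header: <link rel="wlwmanifest" ... wlwmanifest.xml />.
// Recent WordPress releases no longer print this link; the call is harmless there.
remove_action( 'wp_head', 'wlwmanifest_link' );

// EditURI Header: <link rel="EditURI" type="application/rsd+xml" ... xmlrpc.php?rsd />.
remove_action( 'wp_head', 'rsd_link' );
```

To confirm the change, fetch the front page and look for the three strings, for example with `curl -s https://example.com/ | grep -i -E 'generator|wlwmanifest|EditURI'` (the hostname is a placeholder). One caveat worth knowing: this only removes the head tags. Scripts and styles enqueued without an explicit version still carry the WordPress version in their `?ver=` query string, so the version can remain visible elsewhere in the page source.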

Comment Spam

This option cuts down on comment spam by rejecting comments from bots that send no referrer or no user agent.
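As an added example (my code, not the plugin's), the check described above can be expressed as a small must-use plugin. It hooks the pre_comment_on_post action, which WordPress fires in wp-comments-post.php before a front-end comment is processed; the function name and plugin name are mine.

```php
<?php
/**
 * Plugin Name: Comment Bot Check (added example, not iThemes Security code)
 *
 * Rejects front-end comment submissions that arrive with no Referer header or
 * no User-Agent header, the two signals the Comment Spam setting relies on.
 */

// Pure decision function so the rule can be reasoned about (and unit-tested)
// separately from the request globals. Returns true when the request looks automated.
function example_is_headerless_comment( $referer, $user_agent ) {
    return '' === trim( (string) $referer ) || '' === trim( (string) $user_agent );
}

add_action( 'pre_comment_on_post', function ( $post_id ) {
    // Dashboard replies never pass through wp-comments-post.php, so only
    // visitor-submitted comments reach this check.
    $referer    = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';
    $user_agent = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';

    if ( example_is_headerless_comment( $referer, $user_agent ) ) {
        // Respond with a 403 and a generic message; do not tell the client which header was missing.
        wp_die( esc_html__( 'Comment rejected.' ), '', array( 'response' => 403 ) );
    }
} );
```

Keep the page's general caution in mind here: a visitor whose browser or privacy extension enforces a no-referrer policy submits a legitimate comment with an empty Referer and is rejected by this rule, which is exactly the kind of side effect the introduction says to test for after enabling the setting.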

Display Random Version

Where a WordPress version must be displayed, it will display a random WordPress version and will remove the WordPress version completely where possible.

File Editor

Disables the file editor for plugins and themes, so that users need access to the file system to modify files. Once activated, you will need to edit theme and other files manually using a tool other than WordPress.

XML-RPC

Off = XMLRPC is fully enabled and will function as normal.

Only Disable Trackbacks/Pingbacks = Your site will not be susceptible to denial of service attacks via the trackback/pingback feature. Other XMLRPC features will work as normal. Choose this option if you require features such as Jetpack or the WordPress mobile app, which depend on XMLRPC.

Completely Disable XMLRPC = The safest option. XMLRPC is blocked entirely by your web server. This will prevent features such as Jetpack that require XMLRPC from working.
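To make the three modes concrete, here is an added example (my own code, not the iThemes Security implementation) that selects one of them with a constant in wp-config.php. The constant name XMLRPC_MODE and all function names are inventions for this example; the filters used (xmlrpc_methods, wp_headers, pings_open, xmlrpc_enabled) are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: XML-RPC Mode (added example, not iThemes Security code)
 *
 * In wp-config.php set one of:
 *   define( 'XMLRPC_MODE', 'off' );           // everything enabled (default WordPress behaviour)
 *   define( 'XMLRPC_MODE', 'no-pingbacks' );  // Only Disable Trackbacks/Pingbacks
 *   define( 'XMLRPC_MODE', 'disabled' );      // Completely Disable XMLRPC (application-level variant)
 */
if ( ! defined( 'XMLRPC_MODE' ) ) {
    define( 'XMLRPC_MODE', 'no-pingbacks' ); // assumed default for this example
}

// Drop only the pingback methods; authenticated methods (Jetpack, mobile apps) keep working.
function example_strip_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}

// Stop advertising the pingback endpoint in the X-Pingback response header.
function example_strip_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}

// Empty method table: xmlrpc.php answers every call with "method not found".
function example_no_xmlrpc_methods( $methods ) {
    return array();
}

switch ( XMLRPC_MODE ) {
    case 'no-pingbacks':
        add_filter( 'xmlrpc_methods', 'example_strip_pingback_methods' );
        add_filter( 'wp_headers', 'example_strip_pingback_header' );
        // Inbound trackbacks arrive at the /trackback/ endpoint rather than XML-RPC;
        // closing pings covers that path too.
        add_filter( 'pings_open', '__return_false' );
        break;

    case 'disabled':
        // 'xmlrpc_enabled' only gates methods that require authentication, so the
        // unauthenticated pingback methods must be removed separately.
        add_filter( 'xmlrpc_enabled', '__return_false' );
        add_filter( 'xmlrpc_methods', 'example_no_xmlrpc_methods' );
        break;

    case 'off':
    default:
        // Leave WordPress defaults untouched.
        break;
}
```

The 'disabled' branch is weaker than what the setting above describes: PHP still runs for every request to xmlrpc.php and merely refuses the call. Blocking the file at the web server, for example with an Apache 2.4 `<Files xmlrpc.php> Require all denied </Files>` block, means the request is rejected before WordPress loads at all, which is why the plugin implements the setting that way.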

Replace jQuery with a Safe Version

Removes the jQuery version currently in use and replaces it with a safe version (the one that ships with WordPress by default).

Note that this check runs only on the homepage of your site and only for logged-in users. This is intentional, to save resources.
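The following is an added example of the same idea, written by me rather than taken from the plugin, and it uses a different detection rule: instead of comparing version numbers, it treats any jQuery registration whose source is not served from this site's wp-includes directory as replaced, and re-registers core's copy. It keeps the same scope as the setting (front page, logged-in users). Function names are mine; wp_scripts(), WP_Dependencies::query(), includes_url(), wp_deregister_script() and wp_register_script() are core APIs.

```php
<?php
/**
 * Plugin Name: Restore Core jQuery (added example, not iThemes Security code)
 */

// Registered source URL of a script handle, or '' when unregistered or an alias
// handle (core's 'jquery' is an alias with no source of its own).
function example_script_src( $handle ) {
    $script = wp_scripts()->query( $handle, 'registered' );
    return ( $script && is_string( $script->src ) ) ? $script->src : '';
}

// True when the source is core's own copy: a relative /wp-includes/ path
// (how core registers it) or an absolute URL under this site's includes_url().
function example_is_core_jquery_src( $src ) {
    return '' === $src
        || 0 === strpos( $src, '/wp-includes/' )
        || 0 === strpos( $src, includes_url() );
}

add_action( 'wp_enqueue_scripts', function () {
    // Same scope as the setting: homepage only, logged-in users only.
    if ( ! is_front_page() || ! is_user_logged_in() ) {
        return;
    }

    $replaced = false;
    foreach ( array( 'jquery-core', 'jquery' ) as $handle ) {
        if ( ! example_is_core_jquery_src( example_script_src( $handle ) ) ) {
            $replaced = true;
        }
    }
    if ( ! $replaced ) {
        return;
    }

    // A theme or plugin swapped jQuery for an external copy; put core's back.
    wp_deregister_script( 'jquery' );
    wp_deregister_script( 'jquery-core' );
    // Version null suppresses the ?ver= query string so no version is advertised.
    wp_register_script( 'jquery-core', includes_url( 'js/jquery/jquery.min.js' ), array(), null );

    $deps = array( 'jquery-core' );
    if ( wp_script_is( 'jquery-migrate', 'registered' ) ) {
        $deps[] = 'jquery-migrate';
    }
    wp_register_script( 'jquery', false, $deps, null );
}, PHP_INT_MAX ); // run after themes and plugins have done their own enqueues
```

Running at the last priority of wp_enqueue_scripts assumes the replacement happened on that hook or earlier; a theme that swaps jQuery on a later hook would not be caught, which is the sort of case the page's advice to test after enabling each setting is meant to surface.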
