In the Feature Spotlight posts, we will highlight a feature in the iThemes Security Pro plugin and share a bit about why we developed the feature, who the feature is for, and how to use the feature.
Today we are going to cover WordPress Tweaks, a collection of tools to secure your WordPress website.
Why You Should Use WordPress Tweaks
One of the great advantages of WordPress is its compatibility with third-party tools and services. However, if you aren’t taking advantage of these services, you have unnecessary entry points on your website that a hacker could potentially exploit.
WordPress also ships other conveniences that an attacker could use to amplify a brute force attack or even make malicious changes to files stored on your server.
You should use the iThemes Security Pro WordPress Tweaks settings because they are a set of tools specifically designed to harden some of WordPress’s potential soft spots.
Using WordPress Tweaks, you can:
- Remove unused points of entry.
- Protect against tabnapping.
- Apply various methods of security through obscurity.
- Mitigate Attachment File Traversal Attacks.
How to Use WordPress Tweaks in iThemes Security Pro
To get started using WordPress Tweaks, enable the module on the main page of the security settings.
After enabling the module, click the Configure Settings button to view the available WordPress Tweaks.
The 13 WordPress Tweaks
iThemes Security Pro includes these 13 WordPress tweaks, all designed to harden the security of WordPress websites.
1. Windows Live Writer Header
The Windows Live Writer Header removes the WLW header. The header isn’t needed if you aren’t using Windows Live Writer or other blogging clients that rely on this file. Remove this point of entry if it isn’t needed.
2. EditURI Header
The EditURI Header setting removes the Really Simple Discovery header. If you don’t integrate your blog with external XML-RPC services such as Flickr then the “RSD” function is pretty much useless to you. Remove this point of entry if it isn’t needed.
3. Reduce Comment Spam
The Reduce Comment Spam option will cut down on comment spam by rejecting comments from bots that supply no referrer or no user agent.
While the Reduce Comment Spam option can help, enabling iThemes Security Pro’s reCAPTCHA feature on comments will be more effective at blocking spam-bots.
4. Disable File Editor
The Disable File Editor setting disables the WordPress file editor for plugins and themes. Disabling the WordPress file editor adds a huge amount of security to your website.
If a hacker can successfully break into your website, the WP file editor will allow them to make malicious changes to files stored on your server. However, if you disable the WP file editor, the hacker would still need server credentials to make malicious changes to your plugins and themes.
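The first four tweaks each correspond to a WordPress hook or constant. The must-use plugin below is an added example written for this post, not the iThemes Security Pro implementation; the plugin name, file name and error strings are my own choices, while the hook names and the DISALLOW_FILE_EDIT constant are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Example WordPress hardening tweaks
 * Description: Added example (not iThemes Security Pro code). Save as
 *              wp-content/mu-plugins/example-tweaks.php to load it on every request.
 */

// 1. Windows Live Writer Header and 2. EditURI Header: core prints both <link>
//    tags from callbacks hooked on wp_head, so removing the callbacks removes the
//    advertisement of the WLW manifest and the RSD (EditURI) endpoint.
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'rsd_link' );

// 3. Reduce Comment Spam: refuse comment submissions that carry no Referer or no
//    User-Agent header. pre_comment_on_post fires inside
//    wp_handle_comment_submission() before the comment is validated or stored.
add_action( 'pre_comment_on_post', function ( $post_id ) {
	if ( empty( $_SERVER['HTTP_REFERER'] ) || empty( $_SERVER['HTTP_USER_AGENT'] ) ) {
		wp_die(
			esc_html__( 'Your comment could not be submitted: missing referrer or user agent.' ),
			esc_html__( 'Comment blocked' ),
			array( 'response' => 403 )
		);
	}
} );

// 4. Disable File Editor: with DISALLOW_FILE_EDIT set, map_meta_cap() denies the
//    edit_plugins / edit_themes capabilities, so the Theme and Plugin File Editor
//    screens disappear even for administrators. wp-config.php is the usual home
//    for this define; an mu-plugin also loads early enough for it to take effect.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
	define( 'DISALLOW_FILE_EDIT', true );
}
```

One caveat on the comment check: browsers honouring a strict Referrer-Policy (no-referrer) send no Referer header at all, so human commenters behind such a policy are rejected along with the bots. Check your web server logs for 403s on wp-comments-post.php after enabling it.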
5. XML-RPC
WordPress’s XML-RPC feature allows external services to access and modify content on the site. For example, Jetpack requires XML-RPC to connect to WordPress websites and modify content.
The XML-RPC setting in iThemes Security Pro has 3 options:
- Disable XML-RPC – XML-RPC is disabled on the site. This setting is highly recommended if Jetpack, the WordPress mobile app, pingbacks, and other services that use XML-RPC are not used.
- Disable Pingbacks – Only disable pingbacks. Other XML-RPC features will work as normal. Select this setting if you require features such as Jetpack or the WordPress Mobile app.
- Enable XML-RPC – XML-RPC is fully enabled and will function as normal. Use this setting only if the site must have unrestricted use of XML-RPC.
We recommend using the Disable XML-RPC option if you aren’t using any services that use XML-RPC.
6. Multiple Authentication Attempts per XML-RPC Request
There are other ways to log into WordPress besides using a login form. Using XML-RPC, an attacker can make hundreds of username and password attempts in a single HTTP request.
The brute force amplification method allows attackers to make thousands of username and password attempts using XML-RPC in just a few HTTP requests.
The Multiple Authentication Attempts per XML-RPC Request setting in iThemes Security Pro has two options:
- Block – Blocks XML-RPC requests that contain multiple login attempts. This setting is highly recommended.
- Allow – Allows XML-RPC requests that contain multiple login attempts. Only use this setting if a service requires it.
Using the Block option of the Multiple Authentication Attempts per XML-RPC Request setting prevents multiple authentication attempts in a single XML-RPC request. Limiting the number of username and password attempts to one per request goes a long way toward securing your WordPress login.
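The three XML-RPC modes and the multicall guard can be reproduced with core filters. The plugin below is an added example for this post, not the plugin's own code: EXAMPLE_XMLRPC_MODE, the two helper functions and the plugin header are assumptions, while xmlrpc_enabled, xmlrpc_methods and wp_headers are WordPress core filters.

```php
<?php
/**
 * Plugin Name: Example XML-RPC tweaks
 * Description: Added example (not iThemes Security Pro code). Set
 *              EXAMPLE_XMLRPC_MODE to 'disable', 'pingbacks_only' or 'enable'.
 */
const EXAMPLE_XMLRPC_MODE = 'disable';

/**
 * Count the non-system methods wrapped in a system.multicall request body. Every
 * wp.* / blogger.* / metaWeblog.* call carries its own username and password, so
 * a multicall with many of them is the shape of an amplified guessing request.
 * Pure function, so it can be unit-tested without WordPress.
 */
function example_xmlrpc_inner_calls( string $body ): int {
	if ( ! preg_match( '#<methodName>\s*system\.multicall\s*</methodName>#i', $body ) ) {
		return 0;
	}
	preg_match_all( '#<methodName>\s*([^<\s]+)\s*</methodName>#i', $body, $m );
	$inner = array_filter( $m[1], function ( $name ) {
		return 0 !== stripos( $name, 'system.' );
	} );
	return count( $inner );
}

/** True when the current request is a multicall bundling more than one login. */
function example_is_amplified_multicall(): bool {
	static $result = null; // the body is read once per request, not once per inner call
	if ( null === $result ) {
		$body   = ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST )
			? (string) file_get_contents( 'php://input' ) : '';
		$result = example_xmlrpc_inner_calls( $body ) > 1;
	}
	return $result;
}

// 6. Block: wp_xmlrpc_server::login() consults xmlrpc_enabled for every method that
//    takes credentials, so returning false makes each inner call fail before any
//    password is compared.
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
	return $enabled && ! example_is_amplified_multicall();
} );

if ( 'disable' === EXAMPLE_XMLRPC_MODE ) {
	// 5. Disable XML-RPC: every authenticated method fails. Pingbacks need no
	//    login and are not covered by this filter, hence the block below.
	add_filter( 'xmlrpc_enabled', '__return_false' );
}

if ( 'disable' === EXAMPLE_XMLRPC_MODE || 'pingbacks_only' === EXAMPLE_XMLRPC_MODE ) {
	// 5. Disable Pingbacks: unregister the pingback methods and drop the X-Pingback
	//    header that advertises the endpoint.
	add_filter( 'xmlrpc_methods', function ( $methods ) {
		unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
		return $methods;
	} );
	add_filter( 'wp_headers', function ( $headers ) {
		unset( $headers['X-Pingback'] );
		return $headers;
	} );
}
// 'enable' leaves core behaviour untouched; only the multicall guard above applies.
```

Reading php://input ahead of xmlrpc.php is safe on PHP 5.6 and later, where the stream can be read more than once. Note that the guard also refuses a legitimate client that batches several authenticated calls into one multicall, which is exactly the trade-off the Block/Allow choice describes.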
7. REST API
The WordPress REST API is part of WordPress and provides developers with new ways to manage WordPress.
By default, the REST API can be used to access information that you might believe is private on your site, including:
- Published posts of all post types, including those that don’t seem like posts, such as products or member programs.
- User details that may include users that do not have any published posts or pages.
- Media library entries which may expose links to download media that is not publicly linked anywhere. This could include links to download member-only content, backups created by some plugins, or any other kind of file added to the media library. (Note that BackupBuddy backups are not stored in the media library and are not accessible via the REST API.)
The REST API setting in iThemes Security Pro has two options:
- Restricted Access – Restrict access to most REST API data. This means that most requests will require a logged-in user or a user with specific privileges, blocking public requests for potentially-private data. We recommend selecting this option.
- Default Access – Access to REST API data is left as default. Information including published posts, user details, and media library entries is available for public access.
We recommend using the Restricted Access option to limit access to private information.
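A hand-rolled equivalent of Restricted Access, added here as an example rather than the plugin's own code. It hooks rest_authentication_errors at priority 101, after core's cookie-and-nonce check at priority 100, so that is_user_logged_in() reflects the final authentication result, and it keeps a small allow-list of routes that stay public. The allow-list contents, the helper name and the error text are assumptions; the filter, the rest_route query var and WP_Error are WordPress core.

```php
<?php
/**
 * Plugin Name: Example REST API restriction
 * Description: Added example (not iThemes Security Pro code). Anonymous REST
 *              requests are refused except for an allow-list of routes.
 */

// Routes that remain public for logged-out visitors. Assumed set: the API index
// and oEmbed discovery, which themes and embeds commonly depend on. Extend it with
// whatever your front end needs (for example a contact-form plugin's submit route).
const EXAMPLE_PUBLIC_REST_ROUTES = array(
	'/',
	'/oembed/1.0/embed',
);

/** Whether an anonymous request to $route may proceed. Pure function. */
function example_rest_route_is_public( string $route ): bool {
	$route = '/' . ltrim( $route, '/' );
	$route = ( '/' === $route ) ? '/' : rtrim( $route, '/' );
	return in_array( $route, EXAMPLE_PUBLIC_REST_ROUTES, true );
}

add_filter( 'rest_authentication_errors', function ( $result ) {
	// An earlier authenticator (nonce check, application password, a token plugin)
	// already produced an error: keep it.
	if ( is_wp_error( $result ) ) {
		return $result;
	}
	// rest_cookie_check_errors() (priority 100) sets the current user to 0 when a
	// cookie session arrives without a valid REST nonce, so by now this is final.
	if ( is_user_logged_in() ) {
		return $result;
	}
	$route = (string) ( $GLOBALS['wp']->query_vars['rest_route'] ?? '' );
	if ( example_rest_route_is_public( $route ) ) {
		return $result;
	}
	return new WP_Error(
		'rest_login_required',
		__( 'You must be logged in to access this REST API route.' ),
		array( 'status' => 401 )
	);
}, 101 );
```

With this in place, anonymous calls to /wp-json/wp/v2/users and /wp-json/wp/v2/media return 401 instead of the user and media listings described above, while the block editor and other logged-in front ends keep working because they send the REST nonce.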
8. Disable Login Error Message
The Disable Login Error Message setting prevents error messages from being displayed to a user upon a failed login attempt.
Hiding login error messages is a form of security through obscurity. Security through obscurity is reliance on the secrecy of a system’s implementation, or of some of its components, to keep it secure. It is a bit like hiding your front door instead of locking it.
So while hiding login error messages won’t add any real security to your website, it will prevent an attacker from seeing the reason they were locked out.
9. Force Unique Nickname
The Force Unique Nickname setting forces users to choose a unique nickname when updating their profile or creating a new account. Using a unique nickname prevents bots and attackers from easily harvesting users’ login usernames from the code on author pages. Note that this does not automatically update existing users, since doing so would change their author feed URLs.
Forcing users to use a unique nickname is another example of security through obscurity. You would be better off enabling the iThemes Security Pro Password Requirements and Two-Factor Authentication features to secure your WordPress login.
10. Disable Extra User Archives
The Disable Extra User Archives setting in iThemes Security Pro makes it harder for bots to determine usernames by disabling post archives for users that don’t post to your site.
Disabling a user’s author page when their post count is 0 is another example of security through obscurity. You would be better off enabling the iThemes Security Pro Password Requirements and Two-Factor Authentication features to secure your WordPress login.
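Tweaks 9 and 10 both hide usernames from author pages. The plugin below is an added example for this post, not the iThemes Security Pro implementation; the helper function, the error string and the plugin header are assumptions. It goes one step beyond the page's description by also refusing a nickname identical to the account's own login, since that nickname would still leak the username.

```php
<?php
/**
 * Plugin Name: Example user-enumeration obscurity tweaks
 * Description: Added example (not iThemes Security Pro code) for tweaks 9 and 10.
 */

/**
 * 9. Force Unique Nickname. True when $nickname is non-empty and differs
 * (case-insensitively) from every nickname in $taken and from the account's own
 * login. The login comparison is an assumption beyond what the post describes.
 */
function example_nickname_is_acceptable( string $nickname, string $user_login, array $taken ): bool {
	$nickname = trim( $nickname );
	if ( '' === $nickname || 0 === strcasecmp( $nickname, $user_login ) ) {
		return false;
	}
	foreach ( $taken as $other ) {
		if ( 0 === strcasecmp( $nickname, (string) $other ) ) {
			return false;
		}
	}
	return true;
}

// user_profile_update_errors fires from edit_user() before the record is written.
// Only profile updates post a nickname: the Users > Add New screen has no nickname
// field and core then defaults the nickname to the login, so covering account
// creation would additionally require a nickname field on that form.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( ! $update || ! isset( $user->nickname ) ) {
		return;
	}
	$nickname  = (string) $user->nickname;
	// Other accounts whose stored nickname matches exactly; the helper re-checks
	// case-insensitively and against the login.
	$other_ids = get_users( array(
		'meta_key'   => 'nickname',
		'meta_value' => $nickname,
		'exclude'    => array( (int) $user->ID ),
		'fields'     => 'ID',
		'number'     => 5,
	) );
	$taken = array_map( function ( $id ) {
		return (string) get_user_meta( (int) $id, 'nickname', true );
	}, $other_ids );
	$login = (string) wp_unslash( $user->user_login );
	if ( ! example_nickname_is_acceptable( $nickname, $login, $taken ) ) {
		$errors->add(
			'nickname_not_unique',
			__( 'Please choose a nickname that is not already in use and differs from your username.' )
		);
	}
}, 10, 3 );

// 10. Disable Extra User Archives: answer the author archive of a user with no
//     published posts with a 404, so the page cannot confirm that the account exists.
add_action( 'template_redirect', function () {
	if ( ! is_author() ) {
		return;
	}
	$author = get_queried_object();
	if ( $author instanceof WP_User && 0 === (int) count_user_posts( $author->ID, 'post', true ) ) {
		global $wp_query;
		$wp_query->set_404();
		status_header( 404 );
		nocache_headers();
	}
} );
```

The archive check counts only public posts of type post; a site whose authors publish custom post types should pass those types to count_user_posts() as well, otherwise their archives would be hidden too.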
11. Protect Against Tabnapping
Enabling the Protect Against Tabnapping feature in iThemes Security Pro helps protect site visitors, including logged-in users, from phishing attacks. These phishing attacks are carried out via tabnapping links that use the target="_blank" attribute.
The iThemes Sync Pro Site Audit feature can run automated checks to see if the links on a page link to a page on another site using the target="_blank" attribute. It is better to remove the tabnapping opportunity than to try and mitigate the exploit.
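The check described above can be reproduced in a few lines of PHP. The script below is an added example for this post, not the Sync Pro Site Audit or iThemes Security Pro code: it lists every target="_blank" link that lacks rel="noopener" or rel="noreferrer", and, when loaded inside WordPress, applies core's wp_targeted_link_rel() to content on output. The function name, the constructed sample HTML and the plugin header are assumptions.

```php
<?php
/**
 * Plugin Name: Example tabnapping audit
 * Description: Added example (not iThemes code). Run from the command line to
 *              audit a sample page, or drop into wp-content/mu-plugins/ to harden
 *              post and comment links on output.
 */

/**
 * Return the href of every <a target="_blank"> in $html whose rel attribute
 * contains neither noopener nor noreferrer (noreferrer implies noopener).
 * Only DOMDocument is needed, so this runs outside WordPress too.
 */
function example_find_tabnapping_links( string $html ): array {
	$doc  = new DOMDocument();
	$prev = libxml_use_internal_errors( true ); // tolerate fragments and HTML5 tags
	$doc->loadHTML( '<?xml encoding="utf-8"?><div>' . $html . '</div>' );
	libxml_use_internal_errors( $prev );

	$offenders = array();
	foreach ( $doc->getElementsByTagName( 'a' ) as $a ) {
		if ( '_blank' !== strtolower( $a->getAttribute( 'target' ) ) ) {
			continue;
		}
		$rel = preg_split( '/\s+/', strtolower( trim( $a->getAttribute( 'rel' ) ) ), -1, PREG_SPLIT_NO_EMPTY );
		if ( in_array( 'noopener', $rel, true ) || in_array( 'noreferrer', $rel, true ) ) {
			continue;
		}
		$offenders[] = $a->getAttribute( 'href' );
	}
	return $offenders;
}

// Constructed sample page, not taken from any real site.
const EXAMPLE_TABNAPPING_HTML = '
<p><a href="https://example.com/safe" target="_blank" rel="noopener">ok</a></p>
<p><a href="https://example.com/also-safe" target="_blank" rel="noreferrer nofollow">ok</a></p>
<p><a href="https://example.com/unsafe" target="_blank">new tab keeps window.opener</a></p>
<p><a href="https://example.com/same-tab">no new tab, nothing to fix</a></p>';

if ( PHP_SAPI === 'cli' && ! function_exists( 'add_filter' ) ) {
	// php example-tabnapping.php : runs the audit against the sample page.
	print_r( example_find_tabnapping_links( EXAMPLE_TABNAPPING_HTML ) );
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: wp_targeted_link_rel() (core, since 5.1) adds rel="noopener"
	// to targeted links when content is saved; running it on output also covers
	// posts stored before that version. Priority 20 runs after wpautop and shortcodes.
	add_filter( 'the_content', 'wp_targeted_link_rel', 20 );
	add_filter( 'comment_text', 'wp_targeted_link_rel', 20 );
}
```

The audit only reports links; the output filters are the mitigation. Removing target="_blank" from the content itself, as the post recommends, is still the cleaner fix.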
12. Login with Email Address or Username
By default, WordPress allows users to log in using either an email address or a username. The Login with Email Address or Username setting allows you to restrict logins to accept only email addresses or only usernames.
The Login with Email Address or Username setting in iThemes Security Pro has three options:
- Email Address and Username (Default) – Allow users to log in using their email address or username. This is the default WordPress behavior.
- Email Address Only – Users can only log in using their email address. This disables logging in using a username.
- Username Only – Users can only log in using their username. This disables logging in using an email address.
Limiting logins to email addresses may add a bit of protection against a brute force attack. While a bot can scrape author pages for usernames, it is less likely to be able to scrape a website for user email addresses.
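Tweaks 8 and 12 both act on the login form. The plugin below is an added example for this post, not the iThemes Security Pro implementation; EXAMPLE_LOGIN_MODE, the helper function and the replacement message are assumptions, while login_errors, the authenticate filter and the two core authenticator callbacks are WordPress APIs.

```php
<?php
/**
 * Plugin Name: Example login form tweaks
 * Description: Added example (not iThemes Security Pro code) for tweaks 8 and 12.
 */

// 8. Disable Login Error Message: wp-login.php passes every failure string
//    (unknown username, wrong password, lockout notices from other plugins)
//    through login_errors; replace all of them with one neutral sentence.
add_filter( 'login_errors', function ( $message ) {
	return esc_html__( 'Login failed. Please check your details and try again.' );
} );

// 12. Login with Email Address or Username. Core registers two authenticators on
//     the 'authenticate' filter, both at priority 20:
//       wp_authenticate_username_password()  looks the login up by user_login
//       wp_authenticate_email_password()     looks it up by user_email
//     Removing one leaves only the other identifier usable at wp-login.php and
//     over XML-RPC, whose login() also goes through wp_authenticate().
const EXAMPLE_LOGIN_MODE = 'email_only'; // 'both' | 'email_only' | 'username_only'

function example_apply_login_mode( string $mode ): void {
	if ( 'email_only' === $mode ) {
		remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
	} elseif ( 'username_only' === $mode ) {
		remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
	}
	// 'both': leave the default WordPress behaviour untouched.
}

// default-filters.php has already run by the time any plugin loads, so the core
// callbacks exist and can be removed right here.
example_apply_login_mode( EXAMPLE_LOGIN_MODE );
```

In email-only mode a username typed into the form yields the generic authentication failure, because wp_authenticate_email_password() ignores values that are not email addresses. The form label still reads "Username or Email Address"; change it with a gettext filter if that wording confuses your users.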
13. Mitigate Attachment File Traversal Attack
We added the Mitigate Attachment File Traversal Attack option in 2018 to help protect websites against the WordPress Attachment File Traversal and Deletion vulnerability.
While WordPress patched the vulnerability in version 4.7, this setting can help mitigate attacks on plugins and themes with this vulnerability.
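A generic guard against traversal in stored attachment paths, added here as an example and not the plugin's own mitigation (the post does not describe how iThemes implements it). It validates the relative path WordPress stores for an attachment and the file names inside its metadata, which core resolves and deletes along with the attachment. The helper name and plugin header are assumptions; the meta key, the metadata keys and the three filters are WordPress core.

```php
<?php
/**
 * Plugin Name: Example attachment path guard
 * Description: Added example (not iThemes Security Pro code). Refuses to store
 *              attachment file paths that point outside the uploads directory.
 */

/**
 * A stored attachment path must be relative and must never climb out of uploads:
 * no leading slash or drive letter, no NUL byte, no ".." segment. Backslashes are
 * normalized first so a "..\" on a Windows host is caught as well.
 */
function example_attachment_path_is_safe( $path ): bool {
	if ( ! is_string( $path ) || '' === $path || false !== strpos( $path, "\0" ) ) {
		return false;
	}
	$normalized = str_replace( '\\', '/', $path );
	if ( '/' === $normalized[0] || preg_match( '#^[A-Za-z]:/#', $normalized ) ) {
		return false;
	}
	foreach ( explode( '/', $normalized ) as $segment ) {
		if ( '..' === $segment ) {
			return false;
		}
	}
	return true;
}

// _wp_attached_file holds the path core resolves and unlink()s when the attachment
// is deleted. Returning a non-null value from these filters short-circuits
// add_metadata() / update_metadata(), so the bad value is never written.
$example_guard_attached_file = function ( $check, $object_id, $meta_key, $meta_value ) {
	if ( '_wp_attached_file' === $meta_key && ! example_attachment_path_is_safe( $meta_value ) ) {
		return false;
	}
	return $check;
};
add_filter( 'add_post_metadata', $example_guard_attached_file, 10, 4 );
add_filter( 'update_post_metadata', $example_guard_attached_file, 10, 4 );

// The attachment metadata array carries further file names (the 'thumb' entry and
// each 'sizes' entry) that core also deletes with the attachment. Strip entries
// that fail the same check rather than refusing the whole update.
add_filter( 'wp_update_attachment_metadata', function ( $data, $attachment_id ) {
	if ( ! is_array( $data ) ) {
		return $data;
	}
	if ( isset( $data['thumb'] ) && ! example_attachment_path_is_safe( $data['thumb'] ) ) {
		unset( $data['thumb'] );
	}
	foreach ( (array) ( $data['sizes'] ?? array() ) as $size => $info ) {
		if ( ! isset( $info['file'] ) || ! example_attachment_path_is_safe( $info['file'] ) ) {
			unset( $data['sizes'][ $size ] );
		}
	}
	return $data;
}, 10, 2 );
```

Because the guard sits on the metadata write rather than on the delete, it protects every code path that later trusts the stored value, including plugins and themes that were never patched themselves, which is the case this tweak is meant to cover.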
Wrapping Up: WordPress Tweaks to Strengthen WordPress Security
The WordPress Tweaks in iThemes Security Pro were specifically designed to harden your WordPress website’s security. With the iThemes Security Pro plugin, you can also add these extra layers of security to your website, including:
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.