1. Disable File Access
|
1 2 3 4 5 6 |
<Files "wp-config.php"> Require all denied </Files> <Files "xmlrpc.php"> Require all denied </Files> |
2. Disable wp-cron.php
See here.
The default method works perfectly fine on a small site with very few visitors per hour. However, when implemented on a medium or larger site or even a site that is being scanned by bots (which is very common these days), this means you get twice fold whatever traffic you are currently handling. It becomes a rudimentary DDoS attack against yourself.
Add define('DISABLE_WP_CRON', true); to wp-config.php.
3. Disable Pingback in Comments
Go to Settings –> Discussion, uncheck Allow link notifications from other blogs (pingbacks and trackbacks) on new posts.
4. Disable Json API
Via Disable WP REST API. Activate and it just works.
5. Hide Login Page
Via WPS Hide Login.
6. Hide Server Info
Via mod_security. Install and add config in /etc/apache2/mods-enabled/security2.conf:
|
1 |
SecServerSignature "gws" |
7. Disallow IFrame Embedding
To avoid clickjacking attacks:
|
1 |
Header always set X-Frame-Options "SAMEORIGIN" |
8. Add reCAPTCHA
Via Advanced Google reCAPTCHA.
9. Refine robots.txt
Via WP Robots Txt:
|
1 2 3 4 5 6 7 8 9 10 11 |
User-agent: AhrefsBot User-agent: MJ12bot User-agent: Baiduspider Disallow: / User-agent: * Disallow: /author/ Disallow: /page Disallow: /wp-admin/ Sitemap: https://www.gonwan.com/wp-sitemap.xml |
The /wp-admin/admin-ajax.php path is allowed by default, see here and here. Simply remove it.
Updated May 8, 2025: It seems Baiduspider ignores robots.txt, since no access log for the file is found in latest 5 years. Simply blocked it in Cloudflare WAF.
10. More Fail2ban Rules
Including 400/403/404 errors, directory listing filters, and subnet bannning.