Being used by one-third of the total websites, WordPress always manages to catch the eye of hackers. In recent years, the extent of attacks on WordPress is alarming and calls for action. Despite the attacks, WordPress Security is still a massively misunderstood and underappreciated concept. And, web owners find it more convenient to overlook it.
Below are 6 easy steps you can take right now to significantly improve security on your WordPress site and detailed instructions and links on how to implement these safeguards when hosting WordPress on Azure App Service.
This article takes a more comprehensive look at WordPress Security
You can use WP Hardening Plugin to fix 12+ issues like (Stop User Enumeration, Disable XMLRPC, Hide Version No. & many more)
For more in-depth detail on current vulnerabilities on your WordPress side, run a WordPress Vulnerability Report
Update WordPress
Update your WordPress version to the latest stable version as soon as possible. There are a number of known vulnerabilities exposed in WordPress that are being continuously addressed.
By Updating your WordPress version, you will overcome a large majority of security vulnerabilities. Make sure you keep it uptodate as often as possible.
It is also important to update any Plugins or Themes you are using, and to delete any unused plugins or themes as these can contain vulnerabilities even when not used.
Set PHP Version
By Default, an Azure Web App Service will use an older, more vulnerable version of PHP. Its important to set the PHP Version to the latest version available.
To show the current PHP version, run the following command in the Cloud Shell:
az webapp config show --resource-group <resource-group-name> --name <app-name> --query phpVersion
To show all supported PHP versions, run the following command in the Cloud Shell:
az webapp list-runtimes | grep php
Run the following command in the Cloud Shell to set the PHP version to 7.4:
az webapp config set --resource-group <resource-group-name> --name <app-name> --php-version 7.4
Remove PHP Server Header
Ensuring the Server
information header is not exposed reduces the ability of attackers to exploit certain vulnerabilities.
Server PHP/7.3.27
After you remove the Server header in your Web.Config file for ASP.NET, the PHP processor will still add the Server header to outgoing responses.
To remove the PHP Server header, we need to add the expose_php system directive in php.ini.
Because we don’t have access to php.ini in Azure App Service, you need to customise the PHP_INI_SYSTEM directives using Cloud Shell
Remove Unnecessary Headers
The X-Powered-By
header reveals information about specific technology used on the server. This information can be used to exploit vulnerabilities. The server configuration should be changed to remove this header.
Ensuring the The x-aspnet-version
ASP.NET version header is not exposed makes it harder for attackers to exploit certain vulnerabilities.
See: Using Web.Config to Secure your ASP.NET Application
Hide WordPress Version Number
Ensuring the WordPress version is not exposed can make it harder for attackers to find exploits against your site.
- Navigate to your root directory
- Go to /wp-content/themes/<theme> directory
- In the functions.php file, add the following line of code
remove_action('wp_head','wp_generator');
function remove_wp_version_rss() { return”; }
add_filter(‘the_generator’,’remove_wp_version_rss’);
Disable XML-RPC
The WordPress XML-RPC API can provide an additional surface for DDoS and brute force attacks. It should be disabled when possible.
- Navigate to your root directory
- Create or Edit the .htaccess file
- Add the following lies of code to the end of the file
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>