iThemes Security Pro Feature Spotlight – WordPress Tweaks

In the Feature Spotlight posts, we will highlight a feature in the iThemes Security Pro plugin and share a bit about why we developed the feature, who the feature is for, and how to use the feature. Today we are going to cover WordPress Tweaks, a collection of tools to secure your WordPress website.

SolidWP Editorial Team

Why You Should Use WordPress Tweaks

One of the great advantages of WordPress is its compatibility with third-party tools and services. However, if you aren’t taking advantage of these services, you have unnecessary entry points on your website that a hacker could potentially exploit.

WordPress also provides other conveniences that would allow an attacker to amplify a brute force attack or even make malicious changes to files stored on your server.

You should use the iThemes Security Pro WordPress Tweaks settings because they are a set of tools specifically designed to harden some of WordPress’s potential soft spots.

How to Use WordPress Tweaks in iThemes Security Pro

To get started using WordPress Tweaks, click the Advanced link in the Security Menu.

Once you are in the Advanced menu, click the WordPress Tweaks tab.

The WordPress Tweaks Settings

The WordPress Tweaks are broken up into 2 sections, API Access and Users. Let's take a closer look at these settings.

API Access

1. XML-RPC

WordPress's XML-RPC feature allows external services to access and modify content on the site. For example, Jetpack requires XML-RPC to connect to WordPress websites and modify content.

The XML-RPC setting in iThemes Security Pro has 3 options:

  • Disable XML-RPC – XML-RPC is disabled on the site. This setting is highly recommended if Jetpack, the WordPress mobile app, pingbacks, and other services that use XML-RPC are not used.
  • Disable Pingbacks – Only disable pingbacks. Other XML-RPC features will work as normal. Select this setting if you require features such as Jetpack or the WordPress Mobile app.
  • Enable XML-RPC – XML-RPC is fully enabled and will function as normal. Use this setting only if the site must have unrestricted use of XML-RPC.

We recommend using the Disable XML-RPC option if you aren’t using any services that use XML-RPC.
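The three XML-RPC options above map onto a handful of WordPress hooks. The must-use plugin below is an added example (not code from iThemes Security Pro or from this post) that reproduces each option; the XMLRPC_MODE constant is invented here as a stand-in for the plugin's setting, and the plugin name in the header is likewise hypothetical.

```php
<?php
/**
 * Plugin Name: XML-RPC Mode (added example, not part of iThemes Security Pro)
 *
 * Save as wp-content/mu-plugins/xmlrpc-mode.php so it loads before regular
 * plugins. XMLRPC_MODE is an example-only constant: 'disable',
 * 'pingbacks_only' or 'enable', mirroring the three options described above.
 */

if ( ! defined( 'XMLRPC_MODE' ) ) {
	define( 'XMLRPC_MODE', 'disable' );
}

if ( 'disable' === XMLRPC_MODE ) {
	// xmlrpc.php checks this filter first; returning false makes every
	// method call answer with a fault instead of being dispatched.
	add_filter( 'xmlrpc_enabled', '__return_false' );

	// Stop advertising the endpoint through Really Simple Discovery.
	remove_action( 'wp_head', 'rsd_link' );
}

if ( 'disable' === XMLRPC_MODE || 'pingbacks_only' === XMLRPC_MODE ) {
	// Unregister the pingback methods; everything else (Jetpack, the mobile
	// app, wp.* methods) keeps working in 'pingbacks_only' mode.
	add_filter( 'xmlrpc_methods', function ( $methods ) {
		unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
		return $methods;
	} );

	// Core sends X-Pingback on singular pages with pings open; drop it.
	add_filter( 'wp_headers', function ( $headers ) {
		unset( $headers['X-Pingback'] );
		return $headers;
	} );

	// Themes print <link rel="pingback" href="<?php bloginfo('pingback_url') ?>">;
	// blank the URL so the page no longer points at the endpoint.
	add_filter( 'bloginfo_url', function ( $output, $show ) {
		return 'pingback_url' === $show ? '' : $output;
	}, 10, 2 );

	// Treat pings as closed on all content, including posts created with
	// pings open before this tweak was applied.
	add_filter( 'pings_open', '__return_false' );
}
// 'enable' leaves WordPress untouched, which is the core default.
```

A quick check that the mode took effect: a POST to `/xmlrpc.php` whose body calls `system.listMethods` should, in 'disable' mode, return a fault rather than a method list, and in 'pingbacks_only' mode return a list that no longer contains `pingback.ping`.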

2. Multiple Authentication Attempts per XML-RPC Request

There are other ways to log into WordPress besides using a login form. Using XML-RPC, an attacker can make hundreds of username and password attempts in a single HTTP request.

This brute force amplification technique allows attackers to make thousands of username and password attempts using XML-RPC in just a few HTTP requests.

The Multiple Authentication Attempts per XML-RPC Request setting in iThemes Security Pro has two options:

  • Block – Blocks XML-RPC requests that contain multiple login attempts. This setting is highly recommended.
  • Allow – Allows XML-RPC requests that contain multiple login attempts. Only use this setting if a service requires it.

Using the Block option for Multiple Authentication Attempts per XML-RPC Request prevents more than one authentication attempt per XML-RPC request. Limiting the number of username and password attempts to one for every request goes a long way toward securing your WordPress login.
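How the Block option can be implemented is shown by the following must-use plugin, an added example rather than the plugin's own code. It relies on two facts about core: every XML-RPC method that needs credentials calls `wp_authenticate()`, which runs the `authenticate` filter, and xmlrpc.php defines the `XMLRPC_REQUEST` constant. The function name and plugin header are invented for the example.

```php
<?php
/**
 * Plugin Name: One login attempt per XML-RPC request (added example)
 */

// Per-request counter of credential checks made over XML-RPC.
function example_xmlrpc_auth_attempts( $increment = false ) {
	static $attempts = 0;
	if ( $increment ) {
		$attempts++;
	}
	return $attempts;
}

// Priority 30 runs after core's wp_authenticate_username_password and
// wp_authenticate_email_password (both priority 20), so this callback can
// overwrite their verdict; at a lower priority they would simply proceed
// and overwrite ours.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( ! ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) ) {
		return $user; // login form, cookies, REST: leave untouched
	}

	if ( example_xmlrpc_auth_attempts( true ) > 1 ) {
		// Second and later attempts in the same request fail no matter what
		// the password was, so a multicall body learns nothing past call one.
		return new WP_Error(
			'xmlrpc_too_many_attempts',
			__( 'Only one authentication attempt is allowed per XML-RPC request.' )
		);
	}
	return $user;
}, 30, 3 );

// Belt and braces: unregister system.multicall, the method that packs many
// calls into one request. Remove this filter if a client you rely on batches.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['system.multicall'] );
	return $methods;
} );
```

Failed attempts still fire `wp_login_failed`, so a lockout feature that counts failures per IP or username sees the refused attempts as well.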

3. REST API

The WordPress REST API is part of WordPress and provides developers with new ways to manage WordPress.

By default, the REST API can be used to access information that you might believe is private on your site, including:

  • Published posts of all post types, including those that don’t seem like posts, such as products or member programs.
  • User details that may include users that do not have any published posts or pages.
  • Media library entries which may expose links to download media that is not publicly linked anywhere. This could include links to download member-only content, backups created by some plugins, or any other kind of file added to the media library. (Note that BackupBuddy backups are not stored in the media library and are not accessible via the REST API.)

The REST API setting in iThemes Security Pro has two options:

  • Restricted Access – Restrict access to most REST API data. This means that most requests will require a logged-in user or a user with specific privileges, blocking public requests for potentially private data. We recommend selecting this option.
  • Default Access – Access to REST API data is left as default. Information including published posts, user details, and media library entries is available for public access.

We recommend using the Restricted Access option to limit access to private information.
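The following must-use plugin is an added example (not the iThemes Security Pro implementation) of what "Restricted Access" amounts to: anonymous REST requests are refused unless their route is on an allowlist. The allowlist constant and function are invented for this example; `/oembed/1.0/embed` is a real core route that other sites call when embedding your posts, and is left public as an illustration of the kind of route you may need to keep open.

```php
<?php
/**
 * Plugin Name: Restricted REST API access (added example)
 */

// Route prefixes that stay reachable without logging in (example list).
const EXAMPLE_PUBLIC_REST_ROUTES = array(
	'/oembed/1.0/embed',
);

function example_rest_route_is_public( $route ) {
	foreach ( EXAMPLE_PUBLIC_REST_ROUTES as $prefix ) {
		if ( 0 === strpos( $route, $prefix ) ) {
			return true;
		}
	}
	return false;
}

// rest_pre_dispatch fires after cookie-plus-nonce and application-password
// authentication have been evaluated, so is_user_logged_in() is reliable.
// Returning a WP_Error short-circuits the request with that error.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	if ( null !== $result ) {
		return $result; // an earlier filter already decided
	}
	if ( is_user_logged_in() || example_rest_route_is_public( $request->get_route() ) ) {
		return $result;
	}
	return new WP_Error(
		'rest_login_required',
		__( 'Authentication is required to use the REST API on this site.' ),
		array( 'status' => 401 )
	);
}, 10, 3 );
```

The block editor and the admin screens send a nonce with their REST calls, so they are unaffected. Anything that depends on anonymous REST access, such as a headless front end or a plugin that submits forms through its own REST route, needs its route prefix added to the allowlist; an unauthenticated `GET /wp-json/wp/v2/users` should now answer 401 instead of a user list.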

Users

1. Disable File Editor

The Disable File Editor setting disables the WordPress file editor for plugins and themes. Disabling the WordPress file editor adds a huge amount of security to your website.

If a hacker can successfully break into your website, the WP file editor will allow them to make malicious changes to files stored on your server. However, if you disable the WP file editor, the hacker would still need server credentials to make malicious changes to your plugins and themes.
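The file editor can be disabled without a plugin by adding one line to wp-config.php, above the "That's all, stop editing!" comment: `define( 'DISALLOW_FILE_EDIT', true );`. Where wp-config.php cannot be edited (managed hosting, a shared config), the must-use plugin below, an added example and not the plugin's own code, reaches the same result through `map_meta_cap`, which is the mechanism core itself uses for that constant.

```php
<?php
/**
 * Plugin Name: Disable the file editor (added example)
 *
 * Equivalent to define( 'DISALLOW_FILE_EDIT', true ) in wp-config.php:
 * the capabilities behind the Theme File Editor and Plugin File Editor are
 * mapped to 'do_not_allow', so current_user_can() denies them for everyone,
 * administrators included, and the menu entries disappear.
 */

add_filter( 'map_meta_cap', function ( $caps, $cap ) {
	$editor_caps = array( 'edit_files', 'edit_plugins', 'edit_themes' );
	if ( in_array( $cap, $editor_caps, true ) ) {
		return array( 'do_not_allow' );
	}
	return $caps;
}, 10, 2 );
```

To confirm the tweak, log in as an administrator: Appearance > Theme File Editor and Plugins > Plugin File Editor should no longer appear, and opening theme-editor.php directly should be refused. Note that this only removes the in-browser editor; plugin and theme updates and uploads still work, which is the intended scope of this tweak.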

2. Force Unique Nickname

The Force Unique Nickname setting forces users to choose a unique nickname when updating their profile or creating a new account. Using a unique nickname prevents bots and attackers from easily harvesting users' login usernames from the code on author pages. Note that this does not automatically change existing users' nicknames, because doing so would change their author feed URLs.

Forcing users to use a unique nickname is another example of security through obscurity. You would be better off enabling the iThemes Security Pro Password Requirements and Two-Factor Authentication features to secure your WordPress login.

3. Disable Extra User Archives

The Disable Extra User Archives setting in iThemes Security Pro makes it harder for bots to determine usernames by disabling post archives for users that don’t post to your site.

Disabling a user's author page if their post count is 0 is another example of security through obscurity. You would be better off enabling the iThemes Security Pro Password Requirements and Two-Factor Authentication features to secure your WordPress login.
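Both username-harvesting tweaks above (Force Unique Nickname and Disable Extra User Archives) can be expressed with core hooks. The must-use plugin below is an added example, not the iThemes Security Pro implementation: the nickname check uses the `user_profile_update_errors` action that runs on profile saves and admin user creation, and the archive check returns a 404 from `template_redirect` when the requested author has no published posts. The plugin header and error codes are invented for the example.

```php
<?php
/**
 * Plugin Name: Username harvesting tweaks (added example)
 */

// 1. Require a nickname that differs from the login name and is not already
//    used by another account. $user is the submitted profile data.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	$nickname = isset( $user->nickname ) ? trim( $user->nickname ) : '';
	$login    = isset( $user->user_login ) ? $user->user_login : '';

	if ( '' === $nickname || 0 === strcasecmp( $nickname, $login ) ) {
		$errors->add(
			'nickname_matches_login',
			__( 'Please choose a nickname that is different from your username.' )
		);
		return;
	}

	// Nicknames live in user meta under the key 'nickname'; look for a clash,
	// ignoring the account being edited.
	$clash = get_users( array(
		'meta_key'   => 'nickname',
		'meta_value' => $nickname,
		'exclude'    => ( $update && ! empty( $user->ID ) ) ? array( $user->ID ) : array(),
		'number'     => 1,
		'fields'     => 'ID',
	) );
	if ( ! empty( $clash ) ) {
		$errors->add(
			'nickname_taken',
			__( 'That nickname is already in use; please choose another.' )
		);
	}
}, 10, 3 );

// 2. Serve a 404 for author archives of users who have published nothing,
//    so /author/<slug>/ cannot be used to confirm that an account exists.
add_action( 'template_redirect', function () {
	if ( ! is_author() ) {
		return;
	}
	$author = get_queried_object(); // WP_User on author archives
	if ( $author instanceof WP_User && 0 === (int) count_user_posts( $author->ID ) ) {
		global $wp_query;
		$wp_query->set_404();
		status_header( 404 );
		nocache_headers();
	}
} );
```

As the post says, this is obscurity rather than a control: a user who has published is still discoverable through their archive, so the value is in removing a free probe, not in protecting the login itself.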

4. Login with Email Address or Username

By default, WordPress allows users to log in using either an email address or username. The Login with Email Address or Username setting allows you to restrict logins to only accept email addresses or usernames.

The Login with Email Address or Username setting in iThemes Security Pro has three options:

  • Email Address and Username (Default) – Allow users to log in using either their email address or their username. This is the default WordPress behavior.
  • Email Address Only – Users can only log in using their email address. This disables logging in using a username.
  • Username Only – Users can only log in using their username. This disables logging in using an email address.

Limiting logins to email addresses may add a bit of protection against a brute force attack: while a bot can scrape author pages for usernames, it is less likely to find users' email addresses on the site.

But again, you would be better off enabling the iThemes Security Pro Password Requirements and Two-Factor Authentication features to secure your WordPress login.
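Core implements the two identifiers as two separate callbacks on the `authenticate` filter, registered at priority 20 in wp-includes/default-filters.php: `wp_authenticate_username_password` and `wp_authenticate_email_password`. Removing one leaves only the other usable, which is all the three options above amount to. The must-use plugin below is an added example, not the plugin's own code; the LOGIN_IDENTIFIER constant is invented here to stand in for the setting.

```php
<?php
/**
 * Plugin Name: Login method restriction (added example)
 *
 * LOGIN_IDENTIFIER (example-only constant): 'both' (WordPress default),
 * 'email' or 'username'.
 */

if ( ! defined( 'LOGIN_IDENTIFIER' ) ) {
	define( 'LOGIN_IDENTIFIER', 'email' );
}

// Must run after default-filters.php has registered core's callbacks; init is
// late enough and keeps the removal explicit.
add_action( 'init', function () {
	if ( 'email' === LOGIN_IDENTIFIER ) {
		remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
	} elseif ( 'username' === LOGIN_IDENTIFIER ) {
		remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
	}
	// 'both': leave core as it is.
} );

// Relabel the login form field so users know which identifier to enter.
// 'Username or Email Address' is the exact string wp-login.php prints.
add_filter( 'gettext', function ( $translation, $text, $domain ) {
	if ( 'default' === $domain && 'Username or Email Address' === $text ) {
		if ( 'email' === LOGIN_IDENTIFIER ) {
			return __( 'Email Address' );
		}
		if ( 'username' === LOGIN_IDENTIFIER ) {
			return __( 'Username' );
		}
	}
	return $translation;
}, 10, 3 );
```

One caveat worth knowing: application passwords are checked by a third callback on the same filter, `wp_authenticate_application_password`, which looks the account up by login and then by email, so this restriction applies to ordinary password logins only. Note also that the two callbacks are registered with three arguments, so `remove_filter` needs only the matching priority to find them.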

Wrapping Up: WordPress Tweaks to Strengthen WordPress Security

The WordPress Tweaks in iThemes Security Pro were specifically designed to harden your WordPress website’s security. With the iThemes Security Pro plugin, you can also add these extra layers of security to your website, including:
