Cantrust recommends All In One WP Security & Firewall

All new WordPress installs will have the first section set up already. The Manual Settings section below still needs attention on every site, and the Optional settings depend on what the site uses.

* WP Security (side menu)->User Login->Login Lockdown:

  • Enable Login Lockdown feature
  • Max Login Attempts: set to 10

* WP Security (side menu)->User Registration:

  • (optional) Enable registration captcha (if you don’t have Recaptcha or another captcha there).
  • Enable registration honeypot

* WP Security (side menu)->Firewall > Basic Firewall

  • Enable Basic Firewall Protection, with the max file upload size set to 50MB
  • Completely Block Access to XMLRPC. If you use Jetpack, the WordPress mobile apps or another client that needs XML-RPC, choose the Disable Pingback option instead. Note that Disable Pingback only removes the pingback method (the one abused for reflection attacks) and leaves the rest of the endpoint, including its login path, reachable, so in that case the Login Lockdown limit above is what protects the logins.
  • Block Access to debug.log File

* WP Security (side menu)->Firewall > Additional Firewall Rules

  • Listing of Directory Contents > Disable Index Views
  • Trace and Track > Disable Trace and Track
  • Proxy Comment Posting > Forbid Proxy Comment Posting
  • Bad Query Strings > Deny Bad Query Strings
  • Advanced Character String Filter > Enable Advanced Character String Filter

* WP Security (side menu) -> Firewall > 6G Blacklist Firewall Rules

  • 6G Blacklist / Firewall Settings > Enable 6G Firewall Protection
  • 6G block request methods > check all four: DEBUG, MOVE, PUT, TRACK.
  • 6G other settings > check all four: Block query strings, request strings, referrers and user agents.

* WP Security (side menu) -> Firewall > Internet Bots

  • Block fake Googlebots

* WP Security (side menu) -> Brute force

  • Rename Login Page tab > Rename Login Page Settings > check “Enable Rename Login Page Feature”, save. Record the new login URL somewhere safe; this hides the page from casual scanners but is not a substitute for the Login Lockdown limit.
  • Honeypot: Enable Honeypot on Login Page

* WP Security (side menu) > SPAM prevention > comment SPAM

  • enable Captcha if appropriate
  • Block Spambots from Posting comments

* WP Security (side menu) > Miscellaneous > Users Enumeration

  • Disable Users Enumeration

Manual Settings

* WP Security (side menu) >Database Security

  • Change the DB prefix from wp_ here, but only when the site is quiet, after taking a full DB backup, and with the site in maintenance mode, just in case. The change renames every table and updates the prefix in wp-config.php, so confirm the backup restores before you start.

Optional settings:

* WP Security (side menu) >User Registration:

  • (optional) – Enable registration captcha (if you don’t have recaptcha or another captcha there).

* WP Security (side menu) > Firewall > Prevent Hotlinks

  • This should be on, but test afterwards that images and other media still load on your own pages. Hotlink protection keys off the Referer header, so legitimate embeds of your images on other sites (or some caching and CDN setups) can stop working.

* WP Security (side menu) > Miscellaneous

  • REST API: disable it for non-logged-in requests if you can. Do not if you use Contact Form 7 or other plugins that call the REST API from the front end for anonymous visitors. Logged-in use, such as the block editor, is not affected.
  • You may want to turn on some of the other options here (the copy/paste blocker or the iframe blocker) if appropriate. The iframe blocker is a real clickjacking defence (it stops other sites framing your pages) and is worth enabling unless you embed the site elsewhere; the copy/paste blocker is cosmetic and trivially bypassed, so do not rely on it for anything.
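Once the settings above are saved, the quickest way to confirm they took effect is to probe the site from a logged-out client. The script below is an added example written for this guide; it is not part of the Cantrust notes or of the All In One WP Security plugin. It sends a handful of unauthenticated requests and reports which checklist items are enforced from the outside. The site URL, the probe paths, the User-Agent string and the status codes treated as "open" are assumptions based on default WordPress and Apache behaviour, not on the plugin's own code.

```python
"""Post-hardening smoke test for the settings in this checklist.

Added example written for this guide; not part of the Cantrust notes or of
the All In One WP Security plugin. It sends a few unauthenticated requests
to a site and reports which checklist items are actually enforced from the
outside. The site URL, the probe paths and the status codes treated as
"open" are assumptions based on default WordPress and Apache behaviour.
"""
import sys
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 301 on ?author=1 is itself the finding."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect())


def http_probe(base_url, method, path, timeout=10):
    """Send one request; return (status, first 4 KiB of body).

    A 4xx/5xx is a normal result here, so it is returned rather than raised.
    Network failures return (None, b"") so a dead host is reported, not fatal.
    """
    req = urllib.request.Request(base_url.rstrip("/") + path, method=method)
    req.add_header("User-Agent", "aiowps-hardening-check/1.0")  # assumed name
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        body = err.read(4096) if err.fp is not None else b""
        return err.code, body
    except (urllib.error.URLError, OSError):
        return None, b""


def _ok(status, _body):
    return status == 200


def _ok_or_redirect(status, _body):
    return status == 200 or 300 <= status < 400


def _listing(status, body):
    # Apache's default directory index page is titled "Index of /path".
    return status == 200 and b"Index of" in body


# (name, method, path, is_open): is_open(status, body) is True when the
# response shows the corresponding checklist item is NOT enforced.
PROBES = [
    # Firewall > Basic Firewall: Completely Block Access to XMLRPC
    ("XML-RPC", "POST", "/xmlrpc.php", _ok),
    # Firewall > Basic Firewall: Block Access to debug.log File
    ("debug.log", "GET", "/wp-content/debug.log", _ok),
    # Firewall > Additional Rules: Disable Index Views (uploads has no index.php by default)
    ("directory listing", "GET", "/wp-content/uploads/", _listing),
    # Firewall > Additional Rules: Disable Trace and Track
    ("TRACE method", "TRACE", "/", _ok),
    # Firewall > 6G: block request methods (PUT is one of the four)
    ("PUT method", "PUT", "/", _ok),
    # Miscellaneous > Disable Users Enumeration: stock WP redirects ?author=1 to /author/<login>/
    ("author enumeration", "GET", "/?author=1", _ok_or_redirect),
    # Miscellaneous > REST API disabled for non-logged-in requests
    ("REST API users", "GET", "/wp-json/wp/v2/users", _ok),
]


def evaluate(results):
    """Map probe name -> (status, body) into probe name -> verdict string."""
    verdicts = {}
    for name, _method, _path, is_open in PROBES:
        status, body = results.get(name, (None, b""))
        if status is None:
            verdicts[name] = "unreachable"
        elif is_open(status, body):
            verdicts[name] = "OPEN (HTTP %d)" % status
        else:
            verdicts[name] = "blocked (HTTP %d)" % status
    return verdicts


def run_checks(base_url, fetch=http_probe):
    """Run every probe against base_url; fetch is injectable for offline tests."""
    results = {name: fetch(base_url, method, path) for name, method, path, _ in PROBES}
    return evaluate(results)


def open_items(verdicts):
    """Names of the checklist items the site still leaves open, sorted."""
    return sorted(name for name, verdict in verdicts.items() if verdict.startswith("OPEN"))


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"  # assumed URL
    verdicts = run_checks(site)
    for name, verdict in verdicts.items():
        print("%-20s %s" % (name, verdict))
    sys.exit(1 if open_items(verdicts) else 0)
```

Run it as `python3 check_hardening.py https://your-site.example` (the file name is an assumption) from a machine outside the site's own network and without any WordPress login cookie. A 301 on the author probe means the site still redirects to /author/<login>/ and is leaking user names; a 200 with "Index of" on the uploads directory means index views are still on. The XML-RPC probe reports "blocked" for the full block only; if you chose Disable Pingback instead, expect it to report OPEN, which is the trade-off described under Basic Firewall.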