Cantrust recommends All In One WP Security & Firewall

All new WordPress installs will have the first section set up already. Please see the Manual Settings and Optional settings sections below for the steps that still need attention.

* WP Security (side menu) -> User Login
-> Login Lockdown:

  • check: Enable Login Lockdown feature
  • Max Login Attempts – set to 5
  • check: Display Generic Error Message

* WP Security (side menu) -> User Login
-> Additional Settings:

  • check: Disable Application Password

* WP Security (side menu) -> User Registration
-> Manual Approval:

* WP Security (side menu) -> User Registration
-> Registration Captcha:

  • (optional) check: Enable Captcha On Registration Page

* WP Security (side menu) -> User Registration
-> Registration Honeypot:

  • check: Enable Honeypot On Registration Page

Note: please protect your users’ privacy by not installing Google reCAPTCHA. In the new v3, reCAPTCHA spies on every site user as they visit *every page on your website*. It collects data to identify them and reports it back to Google’s databases, which are stored in the USA. This data includes browser info and browsing history, as well as actual biometric data collected on users, like typing rhythms and mouse movements, in order to fingerprint and identify them as they browse multiple sites across the internet. Following the principles of PIPEDA (Canadian privacy law), you should choose to protect your users’ privacy and use an alternative technology that is not fundamentally built on mass surveillance data collection. The simple built-in math captcha in the plugin is not as strong or effective as Google’s reCAPTCHA, but it is private, and it works in concert with the other security settings to provide complete protection.

* WP Security (side menu) -> Filesystem Security
-> PHP File Editing:

  • Disable Ability To Edit PHP Files

-> WP File Access:

  • Prevent Access to WP Default Install Files

* WP Security (side menu) -> Firewall
-> Basic Firewall

  • check: Enable Basic Firewall Protection, with the max file upload size set to 50MB
  • check: Completely Block Access to XMLRPC (or, if you use Jetpack or another plugin that needs XMLRPC, choose the Disable Pingback option instead)
  • check: Block Access to debug.log File

* WP Security (side menu) -> Firewall
-> Additional Firewall Rules

  • Listing of Directory Contents > check: Disable Index Views
  • Trace and Track > check: Disable Trace and Track
  • Proxy Comment Posting > check: Forbid Proxy Comment Posting
  • Bad Query Strings > check: Deny Bad Query Strings
  • Advanced Character String Filter > check: Enable Advanced Character String Filter

* WP Security (side menu) -> Firewall
-> 6G Blacklist Firewall Rules

  • 6G Blacklist / Firewall Settings > check: Enable 6G Firewall Protection
  • 6G block request methods > check all four: DEBUG, MOVE, PUT, TRACK.
  • 6G other settings > check all four: Block query strings, request strings, referrers and user agents.

* WP Security (side menu) -> Firewall
-> Internet Bots

  • Block Fake Googlebots > check: Block Fake Googlebots

* WP Security (side menu) -> Brute force
-> Rename Login Page

  • Rename Login Page Settings > check: Enable Rename Login Page Feature, then save.

* WP Security (side menu) -> Brute force
-> Honeypot

  • check: Enable Honeypot on Login Page

* WP Security (side menu) -> SPAM Prevention
-> Comment SPAM

  • check: Enable Captcha on comment forms, if appropriate
  • check: Block Spambots from Posting Comments

* WP Security (side menu) -> Miscellaneous
-> Users Enumeration

  • check: Disable Users Enumeration
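
A post-configuration check for several of the firewall and Users Enumeration settings above, written here as an added example (not code from the plugin or from Cantrust) to run against your own site after saving the settings. It assumes a default WordPress layout (xmlrpc.php, wp-content/debug.log, wp-content/uploads/ and the ?author=N rewrite) and treats a 403/404/405 answer as "blocked".

```python
import sys
import urllib.error
import urllib.request
# Verdict functions take (status, body, lowercase-keyed headers) and return True
# when the response shows the hardened behaviour the checklist asks for.
def blocked(status, body, headers):
    return status in (401, 403, 404, 405, 410)  # firewall 403, or file not served

def no_index(status, body, headers):
    return status != 200 or "Index of" not in body  # Apache listing page title

def no_author_redirect(status, body, headers):
    # Unprotected WordPress redirects /?author=1 to /author/<login>/, leaking the username
    return not (300 <= status < 400 and "/author/" in headers.get("location", ""))

# (name, HTTP method, path, verdict); paths are WordPress defaults (assumed layout)
CHECKS = [
    ("Block XMLRPC", "POST", "/xmlrpc.php", blocked),
    ("Block debug.log", "GET", "/wp-content/debug.log", blocked),
    ("Disable Trace and Track", "TRACE", "/", blocked),
    ("Disable Index Views", "GET", "/wp-content/uploads/", no_index),
    ("Disable Users Enumeration", "GET", "/?author=1", no_author_redirect),
]

def evaluate(name, status, body, headers):
    verdict = next(v for n, _, _, v in CHECKS if n == name)
    return verdict(status, body, headers)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # keep the 3xx so its Location header can be inspected

def fetch(base, method, path):
    """Return (status, first 4 KiB of body, headers) without following redirects."""
    req = urllib.request.Request(base.rstrip("/") + path, method=method,
                                 data=b"" if method == "POST" else None)
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(req, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # 4xx/5xx and the kept 3xx arrive as HTTPError objects
    body = resp.read(4096).decode("utf-8", "replace")
    return resp.code, body, {k.lower(): v for k, v in resp.headers.items()}

def run(base):
    results = {}  # {check name: passed}
    for name, method, path, _ in CHECKS:
        results[name] = evaluate(name, *fetch(base, method, path))
        print("PASS" if results[name] else "FAIL", name)
    return results

if __name__ == "__main__":
    run(sys.argv[1])  # e.g. python aios_check.py https://example.org
```

If you chose the Disable Pingback option instead of blocking XMLRPC, the first check will report FAIL by design.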

Manual Settings

* WP Security (side menu) -> Database Security
-> Database prefix

  • Change the DB prefix from wp_ here, but only when the site's quiet, after taking a DB backup, and in maintenance mode... just in case!

Optional settings:

* WP Security (side menu) -> User Registration
-> Registration Captcha

  • (optional) check: Enable Captcha On Registration Page (if you don’t already have reCAPTCHA or another captcha there). See the note about privacy above.

* WP Security (side menu) -> Firewall
-> Prevent Hotlinks

  • This should be on, but test the site afterwards.

* WP Security (side menu) -> Miscellaneous
-> WP REST API

  • REST API – disable this for non-logged-in requests if you can, but not if you use Contact Form 7 or other plugins that need it.
  • You may also want to turn on some of the other Miscellaneous settings (the copy/paste blocker or the iframe blocker), if appropriate.