Minimum settings to protect your WordPress site

  • 20 December 2021

I wrote about how to attack WP, but if you take the minimum security measures when building a WP site, you won’t end up in the situation described in the previous article. So, here are the minimum measures.


Login information should be complex

Passwords are not something to be memorized

The more complex your login password is, the harder it is to crack. Google “create a password” and use one of the password generator sites. The point is that you don’t need to remember the password at all: just save it in your browser, or let iOS or another operating system remember it and unlock it with your fingerprint or face. I know it’s obvious, but I wonder how many sites don’t do this.

Change the user name a little too

First of all, if you have a corporate site, do not use the following email address for the WP administrator.

If you can create email addresses for your site, make the administrator’s address something a little harder to guess, like “[email protected]”. Also avoid “admin”, the company name, the representative’s name, etc. as the WP administrator’s user name.


Never let anyone access the admin URL

Change the login URL

The default login URLs are “/wp-login.php” and “/wp-admin”, so they attract login attempts. Change the login URL with a plugin such as WPS Hide Login:
https://ja.wordpress.org/plugins/wps-hide-login/

For example, “/1015-login” would be fine.

BASIC authentication for login URL

BASIC authentication is also easy, so apply it as well. Create a .htpasswd file and reference it from your .htaccess. This step is important. Your browser can save the credentials for you, so it costs you nothing day to day.
If you google “create htpasswd”, you will easily find how to create the file.

# .htaccess

# Part 1: require a Basic Auth login before Apache serves wp-login.php itself.
<Files wp-login.php>
    AuthUserFile "/your_server_path/.htpasswd"
    AuthName "Basic Auth"
    AuthType Basic
    Require valid-user
    # Without this, the directory-wide "Satisfy Any" below combined with
    # "Allow from all" would let wp-login.php through with no password.
    Satisfy All
</Files>

# Part 2: the renamed login URL (here /1015-login) is handled by WordPress’s
# front controller, not by the wp-login.php file, so the <Files> block above
# does not match it. Tag those requests with an environment variable and deny
# them at the access-control stage; "Satisfy Any" then admits them only when
# Basic Auth succeeds, while every other URL stays public.
Satisfy Any

SetEnvIf REQUEST_URI "^/1015-login(.*)" restricted_url
Order allow,deny
Allow from all
Deny from env=restricted_url

AuthUserFile "/your_server_path/.htpasswd"
AuthGroupFile /dev/null
AuthName "Restricted Files"
AuthType Basic
Require valid-user

# Order/Allow/Deny is Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat.

By the way, BASIC authentication only base64-encodes the password and sends it in the request header, which travels unencrypted unless the site is served over HTTPS. That’s why some people say it’s easily decoded and can be breached, but what? What? Stake out a cafe for hours, wait for someone to log in to WP over the cafe’s wifi, then break into the router to intercept that person’s traffic and get past BASIC authentication? I’m sure it’s possible, but the effort it costs is enough of a deterrent.


Enabling xmlrpc is like not locking your house

If access to xmlrpc.php is enabled, it’s very dangerous. WP is stupid, but it’s enabled by default. You can disable access as follows.

# .htaccess
# Refuse every request for xmlrpc.php (Apache 2.2 syntax; mod_access_compat on 2.4).
<Files xmlrpc.php>
    Order Allow,Deny
    Deny from all
</Files>

It was this xmlrpc.php that I wrote about in How to Attack WP. Also, if you check the access logs of many WP sites, you will see plenty of suspicious requests to xmlrpc.php. In other words, rogues all over the world are hammering on this xmlrpc.php.
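To see for yourself what the access log says, here is a small log check I have added to this post (it is not part of the original article or of WordPress). It parses Apache combined-format lines, counts requests to xmlrpc.php and wp-login.php per client IP, separates the ones that got through (2xx/3xx) from the ones the .htaccess rules blocked (401/403), and flags IPs that hit those paths repeatedly. The IP addresses and log lines are constructed sample data; the threshold of five requests is an arbitrary choice.

```python
import re
from collections import defaultdict

# Apache "combined" log format, e.g.
# 203.0.113.5 - - [20/Dec/2021:10:00:01 +0900] "POST /xmlrpc.php HTTP/1.1" 200 456 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths the article tells you to lock down; probes against these are the signal.
SENSITIVE_PATHS = ("/xmlrpc.php", "/wp-login.php")


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def summarize(lines):
    """Per (ip, path): how many requests to a sensitive path were blocked vs. allowed."""
    hits = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in SENSITIVE_PATHS:
            continue
        outcome = "blocked" if rec["status"] in (401, 403) else "allowed"
        hits[(rec["ip"], rec["path"])][outcome] += 1
    return dict(hits)


def flag_probers(summary, threshold=5):
    """IPs whose total requests to sensitive paths reach the threshold, sorted."""
    totals = defaultdict(int)
    for (ip, _path), counts in summary.items():
        totals[ip] += counts["allowed"] + counts["blocked"]
    return sorted(ip for ip, n in totals.items() if n >= threshold)


def xmlrpc_still_reachable(summary):
    """True if any request to /xmlrpc.php was served, i.e. the Deny rule is not in effect."""
    return any(path == "/xmlrpc.php" and counts["allowed"] > 0
               for (_ip, path), counts in summary.items())


# Constructed sample log: one normal visitor, one xmlrpc.php hammerer that is
# still getting 200s, one scanner that is being refused, and one garbage line.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Dec/2021:09:58:41 +0900] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Dec/2021:09:58:42 +0900] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.7 - - [20/Dec/2021:10:00:{s:02d} +0900] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.26"'
    for s in range(1, 7)
] + [
    '203.0.113.9 - - [20/Dec/2021:10:05:13 +0900] "GET /wp-login.php HTTP/1.1" 403 199 "-" "curl/7.79"',
    '203.0.113.9 - - [20/Dec/2021:10:05:14 +0900] "GET /wp-login.php?action=register HTTP/1.1" 403 199 "-" "curl/7.79"',
    '203.0.113.9 - - [20/Dec/2021:10:05:15 +0900] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.79"',
    "this line is not in combined log format",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (ip, path), counts in sorted(summary.items()):
        print(f"{ip:15} {path:15} allowed={counts['allowed']} blocked={counts['blocked']}")
    print("repeat probers:", flag_probers(summary))
    print("xmlrpc.php still reachable:", xmlrpc_still_reachable(summary))
```

Run it against a real log with `summarize(open("/var/log/apache2/access.log"))`. If `xmlrpc_still_reachable` comes back True after you have added the Deny block, the .htaccess is not being honoured (AllowOverride, wrong directory, or a cache in front of Apache) and the lock is not actually on.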


Let’s at least try to protect it.

All of the above settings can also be done with plugins, so if you’re interested, Google it.
The corporate website of a company I know was a very serious company website, but it ended up covered with pornographic banners. It’s better to increase security as much as possible, that’s for sure. You may think, “My company doesn’t collect personal information, and no one will target my site.” But your site might be hacked and used as a stepping stone to attack other sites, and you might be involved in criminal activities. Then, even though you didn’t commit any crime, the police may come and take you away, and you may have to eat katsudon until your innocence is proven.
