WordPress Security Tips Part 6 – Disable File Editing

Disable File Editing

By default, WordPress lets any administrator account edit the PHP files of installed plugins and themes directly from the admin interface, through the built-in theme and plugin editors.

This is often the first thing an attacker looks for after gaining access to an administrative account, because the editor lets them write arbitrary PHP to disk and have the web server execute it, which turns an application-level compromise into code execution on the server.

Adding the following constant to wp-config.php, above the line that loads wp-settings.php (constants defined after that line have no effect), removes the file editors from the administrative interface.

define('DISALLOW_FILE_EDIT', true);

Note that this only hides the editors. An attacker with an administrator account can still get PHP onto the server by uploading a plugin or theme archive; if the site does not rely on installing or updating plugins and themes through the dashboard, the related constant DISALLOW_FILE_MODS set to true blocks those uploads and updates as well (and implies DISALLOW_FILE_EDIT).

Prevent WordPress Username Enumeration

On many WordPress sites it is possible to enumerate user accounts through the author archive page: requesting /?author=1, /?author=2 and so on makes WordPress redirect to /author/<username>/, disclosing the login name. This works when pretty permalinks are enabled and the user has published one or more posts.

You can read about WordPress Username Enumeration in greater detail in the article WordPress Username Enumeration using HTTP Fuzzer

To prevent this form of WordPress username enumeration, add the following rules to the site's .htaccess file (usually located in the website's root directory). Place them above the "# BEGIN WordPress" block: WordPress rewrites that block itself, and it ends with a catch-all RewriteRule marked [L] that stops any rule placed after it from being evaluated. The wp-admin exclusion keeps the "filter posts by author" screen in the dashboard working, since it uses the same author= parameter.

# Exclude wp-admin so the posts-by-author filter in the dashboard keeps working
RewriteCond %{REQUEST_URI} !/wp-admin/
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

Any request whose query string contains author= followed by a digit is answered with a 301 redirect to the home page instead of the author archive, so the username is never revealed. This rule only covers the author query parameter; on WordPress 4.7 and later the REST API endpoint /wp-json/wp/v2/users also lists users who have published posts and needs to be restricted separately.
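As an added example (not part of the original article, and not WordPress's own tooling), the following POSIX shell script audits both hardening steps from this post. It checks that wp-config.php defines DISALLOW_FILE_EDIT as true before wp-settings.php is loaded, reports on DISALLOW_FILE_MODS (a real WordPress constant that additionally blocks plugin and theme installs and updates), checks that an author= RewriteCond exists in .htaccess above the "# BEGIN WordPress" block, and can optionally probe a live site with curl to confirm that /?author=1 no longer redirects to /author/<username>/. The file paths and site URL are script arguments; the function names and check logic are this example's own.

```shell
#!/bin/sh
# Added audit helper (example code, not from the article or WordPress).
# Usage: sh wp_harden_check.sh /path/to/wp-config.php /path/to/.htaccess [https://site.example]

# Line number of the first `define('NAME', true)` in file $1 for constant $2, or empty.
wp_define_true_line() {
    grep -nE "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1" \
        | head -n 1 | cut -d: -f1
}

# Line number of the line that loads wp-settings.php in $1. Constants defined
# after it are ignored, because WordPress has already finished bootstrapping.
wp_settings_line() {
    grep -n "wp-settings.php" "$1" | head -n 1 | cut -d: -f1
}

# check_wp_config FILE CONST -> returns 0 only if CONST is defined as true
# before wp-settings.php is loaded; prints a one-line verdict either way.
check_wp_config() {
    def=$(wp_define_true_line "$1" "$2")
    settings=$(wp_settings_line "$1")
    if [ -z "$def" ]; then
        echo "WARN $2 is not defined as true in $1"
        return 1
    fi
    if [ -n "$settings" ] && [ "$def" -gt "$settings" ]; then
        echo "WARN $2 is defined on line $def, after wp-settings.php on line $settings (too late)"
        return 1
    fi
    echo "OK   $2 is true (line $def)"
    return 0
}

# check_htaccess FILE -> returns 0 if an author= RewriteCond on QUERY_STRING exists
# and sits above the '# BEGIN WordPress' block, whose final [L] rule would
# otherwise prevent it from ever being evaluated.
check_htaccess() {
    cond=$(grep -nE 'RewriteCond[[:space:]]+%\{QUERY_STRING\}[[:space:]]+.*author=' "$1" | head -n 1 | cut -d: -f1)
    begin=$(grep -n '# BEGIN WordPress' "$1" | head -n 1 | cut -d: -f1)
    if [ -z "$cond" ]; then
        echo "WARN no author= RewriteCond on QUERY_STRING in $1"
        return 1
    fi
    if [ -n "$begin" ] && [ "$cond" -gt "$begin" ]; then
        echo "WARN author= rule on line $cond comes after the WordPress block (line $begin); move it above"
        return 1
    fi
    echo "OK   author= redirect rule present (line $cond)"
    return 0
}

# Optional live probe (needs network). curl does not follow the redirect, so
# %{redirect_url} is the Location header WordPress or the rewrite rule sent back.
# A hardened site must not answer ?author=1 with a /author/<username>/ location.
probe_author_enum() {
    loc=$(curl -s -o /dev/null -w '%{redirect_url}' "$1/?author=1")
    case "$loc" in
        */author/*) echo "LEAK $1 redirects to $loc"; return 1 ;;
        *)          echo "OK   $1 -> '${loc:-no redirect}'"; return 0 ;;
    esac
}

# Command-line entry point; does nothing when sourced without arguments.
if [ "$#" -ge 2 ]; then
    rc=0
    check_wp_config "$1" DISALLOW_FILE_EDIT || rc=1
    check_wp_config "$1" DISALLOW_FILE_MODS || echo "     (optional; also blocks dashboard plugin/theme installs and updates)"
    check_htaccess "$2" || rc=1
    if [ -n "$3" ]; then
        probe_author_enum "$3" || rc=1
    fi
    exit $rc
fi
```

The config checks are deliberately order-aware rather than a plain grep: a define placed below the wp-settings.php line, or a RewriteCond pasted inside the WordPress block, both look correct at a glance and both silently do nothing, which is exactly the kind of mistake this audit should catch.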

In Part 7 of the series we will discuss enabling HTTPS for all logins and for wp-admin.

Read the previous article in the series about WordPress Security – Restricting Access to wp-admin Directory
