Disable File Editing

By default, WordPress allows administrative users to edit PHP files of plugins and themes inside of the WordPress admin interface. 

This is often the first thing an attacker would look for if they manage to gain access to an administrative account since this functionality allows code execution on the server.

Adding the following constant to wp-config.php disables editing from within the administrative interface.

define('DISALLOW_FILE_EDIT', true);
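A quick way to verify the setting across many installations is to audit wp-config.php for the constant rather than trusting that it was pasted in. The following Python helper is an added example, not part of the original article or of WordPress: it reads the PHP source, discards commented-out lines (a commented-out define is a common false positive), and reports the editor as disabled only when the constant is defined as true. The three config fragments are constructed samples.

```python
import re
import sys

# Constructed sample wp-config.php fragments (not taken from any real site).
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
/* Disable the plugin/theme editor in wp-admin. */
define( 'DISALLOW_FILE_EDIT', true );
require_once ABSPATH . 'wp-settings.php';
"""

DEFAULT_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
require_once ABSPATH . 'wp-settings.php';
"""

COMMENTED_OUT_CONFIG = """<?php
// define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_EDIT', false );
"""

# define('DISALLOW_FILE_EDIT', <value>) with either quote style and arbitrary
# whitespace. The constant name is case-sensitive in PHP, so it is matched exactly;
# the value group accepts the spellings PHP treats as booleans here.
_DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(true|TRUE|false|FALSE|1|0)\s*\)"""
)


def _strip_php_comments(source: str) -> str:
    """Drop /* ... */ blocks and whole-line // or # comments.

    Only full-line comments are removed so that a '//' inside a string literal
    (e.g. a URL) on a define() line is left alone. Approximation, not a PHP parser.
    """
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.DOTALL)
    source = re.sub(r"(?m)^\s*(//|#).*$", "", source)
    return source


def file_edit_disabled(wp_config_source: str) -> bool:
    """Return True only if wp-config.php defines DISALLOW_FILE_EDIT as true.

    A missing constant means WordPress's default applies and the editor stays
    enabled, so that case is reported as not disabled.
    """
    code = _strip_php_comments(wp_config_source)
    values = _DEFINE_RE.findall(code)
    if not values:
        return False
    # PHP honours the first define() of a constant; later redefinitions are ignored.
    return values[0].lower() in ("true", "1")


def audit_wp_config(path: str) -> bool:
    """Read a wp-config.php from disk and return whether file editing is disabled."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return file_edit_disabled(fh.read())


if __name__ == "__main__":
    # Usage: python audit_file_edit.py /var/www/html/wp-config.php
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-config.php"
    status = "disabled" if audit_wp_config(target) else "ENABLED (default)"
    print(f"{target}: plugin/theme editor {status}")
```

Run it against each site's wp-config.php from a deployment check or a cron job; anything reporting the editor as enabled is a host where a compromised administrator account still yields code execution.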

Prevent WordPress Username Enumeration

In many WordPress blogs, it’s possible to enumerate WordPress users using an author’s archive page. This works if WordPress permalinks are enabled and if the user has published one or more posts.

You can read about WordPress username enumeration in greater detail in the article WordPress Username Enumeration using HTTP Fuzzer.

In order to prevent WordPress username enumeration, you can add the following rule to your WordPress site’s .htaccess file (usually located in your website’s root directory).

RewriteEngine On
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]
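The condition `author=\d` is an unanchored regular expression tested against the whole query string, and the `/?` target redirects to the site root with an empty query string. The backslash in `\d` (the digit class) is essential; if it is lost when the rule is copied, the rule silently stops matching numeric author IDs. The following Python snippet is an added example, not part of the original article or of Apache: it approximates the RewriteCond match with `re.search()` so you can see which requests the rule would redirect before deploying it. The query strings are constructed samples.

```python
import re

# The RewriteCond pattern from the .htaccess rule. mod_rewrite tests it as an
# unanchored regex against %{QUERY_STRING}; re.search() behaves the same way on
# these inputs. Assumption: this is an approximation, not mod_rewrite itself.
AUTHOR_ENUM_PATTERN = re.compile(r"author=\d")

# What the rule would look like if the backslash were lost in copy-paste:
# it then only matches the literal text "author=d".
BROKEN_PATTERN = re.compile(r"author=d")


def would_be_redirected(query_string: str, pattern: re.Pattern = AUTHOR_ENUM_PATTERN) -> bool:
    """Return True if the condition matches, i.e. the request would get a 301 to '/'."""
    return pattern.search(query_string) is not None


# Constructed sample query strings (not from a real access log).
SAMPLE_QUERY_STRINGS = [
    "author=1",       # classic probe for user ID 1: redirected
    "author=42",      # any numeric ID: redirected
    "p=7&author=3",   # unanchored, so it matches anywhere in the query string
    "author=",        # no digit after '=': not matched, WordPress handles it as usual
    "s=author",       # a search term containing the word: not matched
    "p=7",            # ordinary permalink query: untouched
]


def classify(query_strings, pattern: re.Pattern = AUTHOR_ENUM_PATTERN) -> dict:
    """Map each query string to whether the rule would redirect it."""
    return {qs: would_be_redirected(qs, pattern) for qs in query_strings}


if __name__ == "__main__":
    for qs, redirected in classify(SAMPLE_QUERY_STRINGS).items():
        print(f"?{qs:<14} -> {'301 to /' if redirected else 'passed to WordPress'}")
    # With the backslash lost, none of the numeric probes are caught any more.
    print("broken rule catches author=1:", would_be_redirected("author=1", BROKEN_PATTERN))
```

After deploying the rule, a request for `/?author=1` should answer with a 301 whose Location is the site root instead of redirecting to `/author/<username>/`; if the redirect still exposes a username, check that the rule sits before WordPress's own rewrite block and that the `\d` survived intact.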


Read the entire article on How to prevent a WordPress hack.

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.