Improvements for Wordpress Toolkit
Disable the built-in code editor by adding define('DISALLOW_FILE_EDIT', true); in wp-config.php
Anonymize the login error message, because it actually tells you what is wrong (the username or the password), by hooking into login_errors with add_filter('login_errors', function() { return 'Login error'; });
Apply permission 400 (-rw-------) to wp-config.php
Change login URL avoiding the standard /wp-login.php or /wp-admin/ (pre)installing plugin "Lockdown WP Admin" or applying the same idea.
Block brute force (pre)installing plugin "Limit Login Attempts" or applying the same idea.
Mentioned plugins may be installed by default when Wordpress is installed through the APS, and may be added as an optional security measure by the Wordpress Toolkit.
These suggestions look quite reasonable. We encourage other WPT users to join and let us know what other security improvements you’d like us to implement in WPT.
—AK
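As an added example, not code from this thread or from Plesk's WordPress Toolkit, the following must-use plugin (dropped into wp-content/mu-plugins/) applies two of the suggestions above with WordPress core hooks only: the generic login error message and a brute-force lockout "applying the same idea" as Limit Login Attempts. The attempt threshold, the lockout window and the wpt_example_ names are assumptions.

```php
<?php
/**
 * Added example (not from the thread or the Toolkit): generic login error
 * plus a per-IP lockout after repeated failures, stored in transients.
 * Threshold and window below are assumed values, not WordPress defaults.
 */

// The default message reveals whether the username or the password was wrong.
add_filter( 'login_errors', function () {
    return 'Login error';
} );

define( 'WPT_EXAMPLE_MAX_ATTEMPTS', 5 );          // assumed threshold
define( 'WPT_EXAMPLE_LOCKOUT_SECONDS', 15 * 60 ); // assumed lockout window

// Key the counter on REMOTE_ADDR only; X-Forwarded-For is client-controlled
// unless a proxy you operate overwrites it, so it is deliberately ignored.
function wpt_example_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'wpt_example_login_fail_' . md5( $ip );
}

// Count failures (wp_login_failed also fires for XML-RPC logins). A refusal
// during lockout counts as a failure too, which simply extends the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = wpt_example_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, WPT_EXAMPLE_LOCKOUT_SECONDS );
} );

// Priority 30 runs after core's username/password check (priority 20), so the
// lockout wins even when the submitted credentials are correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( wpt_example_client_key() );
    if ( $count >= WPT_EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Login error' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( wpt_example_client_key() );
} );
```

Because the counter lives in transients, it is shared across PHP workers but resets when the object cache or options table is flushed; a persistent object cache keeps the lockout state consistent on multi-server setups.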
-
Jayson commented
What would be great is the ability to select countries or IPs allowed to access wp-login / wp-admin directly from WordPress toolkit. Currently doing this via messy plugins, but doing it directly from the toolkit at a server level will make sites faster and much easier for users to secure.
You could even prompt for this on wordpress install.
-
Fee commented
@Olaf Kapinski: The WordPress Toolkit features only run if you set up the installation with WordPress toolkit. If you install it manually it doesn't do anything.
-
Olaf Kapinski commented
But please don't aim for fixed settings rather than options!!! Not everyone wants to manage the WP with this toolkit. Forcing settings is the inflexible way. Maybe create a settings page per set.
-
Tobias Gábríél Sörensson commented
Hello Plesk Support Team and Others!
Here are my findings for securing wordpress,
all in .htaccess file:
# Block viewing directories from the site
Options All -Indexes
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
# Blocks access to .htaccess from hackers
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans
# Blocks access to wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
And in folder /wp-content/uploads/ add a .htaccess and put in
<Files *.php>
deny from all
</Files>
This denies any .php from running in uploads folder (hackers fav place).
The other .htaccess is self-explanatory: blocks access to .htaccess, blocks author scanning, blocks access to wp-config.php (some plugins can show wp-content.php as an img file with exploits), blocks access to xmlrpc.php and also disables directory browsing.
-
Lua commented
"Would love to be able to change wp-login-php file name and still be able to use the "log in" button in Plesk to login to WP."
Me too, any feedback if this could make it into the toolkit. Maybe just add support for plugins, that do that, so you don't need to add everything from scratch, if possible.
-
Highlight Films commented
Would love to be able to change wp-login-php file name and still be able to use the "log in" button in Plesk to login to WP.
-
Randall commented
Two issues I have run into with the wordpress toolkit are that if I enable security for the wp-includes folder it breaks the wordpress editor, because tinyMCE tries to use a specific file under wp-includes directly. And secondly, some plugins (si-captcha as a specific example) tie to their own files directly rather than executing through the wordpress core, so enabling the wp-content security breaks this and other plugins... Would it be possible to add an option to enable the security on those directories and then enter specific exclusions so that issues like those I have listed could be addressed on a case by case basis? Currently I just have to disable security on the directories as a whole to allow the site to function fully.
-
Olgerdas commented
In the uploads directory, disable PHP and other script execution by default.