The Tweaks feature is always active, and some of the tweaks are enabled by default. All tweaks are available on the Tweaks panel.

Disable XML-RPC

If you don’t use it on your website, it is a good idea to disable XML-RPC. This tweak disable XML-RPC for all blogs in the network!

There is a .htaccess tweak that can do the same thing, and it is better solution than this tweak, since it will prevent access to the file. Always use .HTACCESS tweaks if possible.

Remove XML-RPC Pingback

This tweak will remove Pingback methods from XML-RPC library. This is one of the common methods for brute force attacks against XML-RPC.

  • This will not disable XML-RPC, but it will stop pingbacks sent to your website.
  • This will not prevent requests with pingbacks, but they will not go through.

Remove XML-RPC Multicall

This tweak will remove Multicall related methods from XML-RPC library. These methods are used for brute force amplification attacks.

  • This will not disable XML-RPC.
  • Tweak will also disable listMethods and getCapabilities methods to ensure brute force attack will not work.

Remove X-Pingback Header

This tweak will remove X-Pingback header element that points to XMLRPC file in WordPress and is used by some methods for attacks.

  • Some websites might depend on this header element to send real pingbacks to your website.
  • This will not prevent all pingbacks sent to your website.

Remove X-PoweredBy Response Header

PHP is adding Powered By entry inside HTTP protocol response header with version number. This tweak removes it. In some cases, this header might not be removed, depending on the server type and the way it was added.

Remove WordPress Security Headers

WordPress sets some security headers on admin side and login page. But, if you use this plugin to set all the security headers, you should disable WordPress added headers to prevent adding same headers twice. This will remove X-Frame-Origins and Referer Policy headers.

Remove Error Message from Login screen

Error messages displayed on the login screen can be used by hackers to improve hacking methods. In some cases, it is good idea to hide these messages.

  • Some hacking methods can use error messages on the login screen to learn and improve. Removing these messages can be helpful in fighting hacking attempts.
  • But, these messages are useful for normal users, and removing them can cause confusion since they will not know why the login has failed.

Remove Username from comment class

If comment is left by user, it will have a CSS class that contains username. Brute force passwords attacks depend on getting usernames.

Each page generated by WordPress contains header tag with RSD or Really Simple Discovery is used by some services (XML-RPC based, like Flicker or Quora) to discover website

Each page generated by WordPress contains header tag with WLW or Windows Live Writer is used that specific program to get manifest file from website. If you don’t use Windows Live Writer, remove this link.

Remove Header or meta with WordPress version

Each page generated by WordPress contains header tag with version of the WordPress. Some exploits use this to determine what WordPress is used to attack website.

There are other methods to detect WordPress version in use, but this at least closes the one used the most.

Rate this article

You are not allowed to rate this post.

Leave a Comment