cgit-wp-security-tool

Castlegate IT WP Security Tool

Requires PHP 5.5.16 or greater
Provides some WordPress and general security enhancements:

  • Prevent exposure of usernames in author archives.
  • Prevent exposure of usernames in XML feeds.
  • Prevent PHP execution in the uploads directory.
  • Block access to xmlrpc.php.
  • Disable the theme editor and other file modifications in the dashboard.
  • Warn administrators if the default table prefix wp_ is in use.
  • Warn administrators if the default user account still exists.
  • Prevent a user with the default “admin” username from being created.
  • Block access to common README and LICENSE files in the document root.
  • Log login attempts.
  • Lock out an IP address after repeated failed login attempts.
  • Enable Google reCAPTCHA on wp-login.php.
  • Send the X-Frame-Options HTTP header.
  • Send the X-XSS-Protection HTTP header.
  • Send the X-Content-Type-Options HTTP header.

Options

The options are stored and set as an associative array, with the following default values:

$options = [
    'automatic_update_warning' => true,
    'disable_author_archives' => true,
    'disable_author_names' => true,
    'disable_php_in_uploads' => true, // config option
    'disable_xmlrpc' => true, // config option
    'disable_readme_files' => true,
    'disable_file_mods' => false,
    'disable_file_edit' => true,
    'default_table_prefix_warning' => true,
    'default_user_warning' => true,
    'default_user_prevent' => true,
    'login_log' => true,
    'login_lock' => true,
    'login_max_attempts' => 5,
    'login_retry_interval' => 60, // 60 seconds
    'login_lock_duration' => 60, // 60 seconds
    'enable_google_recaptcha' => true,
    'enable_frame_options' => true,
    'enable_xss_protection' => true,
    'enable_no_sniff' => true,
];

By default, all security settings are enabled. If you really want to disable something (e.g. to allow author archives), you can edit the options as follows:

add_filter(
    'cgit_security_tool_options',
    function ($options) {
        $options['disable_author_archives'] = false;
        $options['disable_author_names'] = false;

        return $options;
    }
);
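The three login_* options describe a per-IP lockout: failures are counted within login_retry_interval, and reaching login_max_attempts locks the address for login_lock_duration. The following is an added example of that logic written against the standard WordPress hooks; it is not the plugin's own implementation. It assumes the site is not behind a reverse proxy, so REMOTE_ADDR is the real client address, and the cgit_example_* names are invented for the example.

```php
<?php
// Added example, not the plugin's code: a minimal login lock using the
// default values of the login_* options above. Assumes no reverse proxy,
// so REMOTE_ADDR is the client address.
$cgit_example_options = [
    'login_max_attempts'   => 5,
    'login_retry_interval' => 60, // window (seconds) in which failures are counted
    'login_lock_duration'  => 60, // how long (seconds) the address stays locked
];

function cgit_example_client_ip(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Count failures per address; once the limit is reached within the
// interval, set a lock transient that expires after the lock duration.
add_action('wp_login_failed', function ($username) use ($cgit_example_options) {
    $ip       = cgit_example_client_ip();
    $countKey = 'cgit_example_fail_' . md5($ip);
    $count    = (int) get_transient($countKey) + 1;
    set_transient($countKey, $count, $cgit_example_options['login_retry_interval']);

    // Log every failure (the login_log behaviour); the lock is logged too.
    error_log(sprintf('login failed: ip=%s user=%s attempt=%d', $ip, $username, $count));

    if ($count >= $cgit_example_options['login_max_attempts']) {
        set_transient('cgit_example_lock_' . md5($ip), time(), $cgit_example_options['login_lock_duration']);
        delete_transient($countKey);
        error_log(sprintf('login locked: ip=%s for %ds', $ip, $cgit_example_options['login_lock_duration']));
    }
});

// Refuse authentication while the lock transient exists. Priority 30 runs
// after WordPress's own username/password check (priority 20), so the
// caller sees the lock error rather than a password hint.
add_filter('authenticate', function ($user) use ($cgit_example_options) {
    if (get_transient('cgit_example_lock_' . md5(cgit_example_client_ip()))) {
        return new WP_Error('cgit_example_locked', sprintf(
            'Too many failed login attempts. Try again in %d seconds.',
            $cgit_example_options['login_lock_duration']
        ));
    }
    return $user;
}, 30, 1);
```

Transients are stored per site, so on a multi-server deployment without a shared object cache each server keeps its own counts.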

Configuration options

Some options require the plugin to edit configuration files, including .htaccess files. The plugin will only do this on activation and deactivation. If you need to change these options, you will need to reactivate the plugin or use the FileTool class directly:

use Cgit\SecurityTool\FileTool; // assumed namespace (separators were lost in extraction); confirm against the plugin source

$tool = new FileTool();

$tool->set('disable_php_in_uploads', false);
$tool->update();

Security enhancements

Automatic update warnings

Option: automatic_update_warning – Default: true
This option warns administrators if automatic updates are disabled or the configuration constant contains an invalid value, preventing updates from running. A warning will also be displayed if automatic updates are configured to include development or major updates, which may include site-breaking changes.
It’s recommended to use the default automatic update settings, which can be manually defined using the constant below. The 'minor' configuration value offers the best balance of security updates without risking major changes which may break the website.

define('WP_AUTO_UPDATE_CORE', 'minor');

Disable author archives

Option: disable_author_archives – Default: true
This option disables all author archives and returns an HTTP 404 response for any author archive page. Out of the box, WordPress generates per-user archives using the following URL structure:
http://www.example.co.uk/author/administrator/
More often than not, these archives are not required, and they provide an endpoint for username exposure: if a user's display name is not set, the username appears in the URL.

Disable author names

Option: disable_author_names – Default: true
If a user’s display name is not set, the author’s username is used instead. This is shown in links, archives, XML feeds and results in username exposure.
This option prevents username exposure by replacing the author’s display name with an anonymous string, only if the display name is equal to the login name.
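The two behaviours just described (author archives answering 404, and a display name that still equals the login name being replaced) can be reproduced with standard WordPress hooks. This is an added example, not the plugin's code; the cgit_example_* names and the "Anonymous" replacement string are assumptions.

```php
<?php
// Added example, not the plugin's code.

// 1. Disable author archives: every author archive request becomes a 404.
//    Priority 0 runs before redirect_canonical (priority 10), which would
//    otherwise redirect ?author=N to the /author/<username>/ URL.
add_action('template_redirect', function () {
    if (!is_author()) {
        return;
    }
    global $wp_query;
    $wp_query->set_404();
    status_header(404);
    nocache_headers();
}, 0);

// 2. Disable author names: replace the display name only when it is equal
//    to the login name, i.e. only when showing it would leak the username.
function cgit_example_anonymous_author(string $display_name, int $user_id = 0): string
{
    $user = $user_id ? get_userdata($user_id) : null;
    if ($user && $user->display_name === $user->user_login) {
        return 'Anonymous'; // assumed replacement string
    }
    return $display_name;
}

// 'the_author' is what templates and the RSS/Atom feeds call, so filtering
// it covers links, archives and XML feeds in one place.
add_filter('the_author', function ($display_name) {
    return cgit_example_anonymous_author((string) $display_name, (int) get_the_author_meta('ID'));
});

// get_the_author_meta('display_name', $id) goes through this filter instead,
// which receives ($value, $user_id).
add_filter('get_the_author_display_name', 'cgit_example_anonymous_author', 10, 2);
```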

Disable PHP in uploads

Option: disable_php_in_uploads – Default: true
Files in the uploads directory are publicly accessible, so an uploaded PHP file would be executed by the server if requested. This poses a security risk if a PHP file is uploaded.
This option writes to .htaccess to disable execution of any PHP files within the uploads directory.

Disable XMLRPC

Option: disable_xmlrpc – Default: true
The XMLRPC endpoint is a common target for brute force login attempts. If the feature is not in use, it should be disabled.
This option blocks any access to xmlrpc.php using .htaccess.

Disable README files

Option: disable_readme_files – Default: true
WordPress ships with license.txt and developers often include a README.md file with their projects. License files need not be publicly accessible and any readme file can contain potentially sensitive information.
This option blocks access to license.txt and README.md using…