Security Lockdown
First off I applaud the recent updates to WordPress that have implemented automatic updates, stronger passwords and the raft of recent security patches. Thank you.
Sadly I feel WordPress is increasingly becoming a victim of its own success; maintaining a secure site (especially multiple) is becoming a burden. Sites I monitor see a ridiculous amount of malicious traffic; the internet is a seemingly more hostile place.
I can’t help but think there will always be bugs, flaws and new attack vectors. I wonder if a good strategy would be to lock down some of the code base / attack vectors.
A security step during the installation could offer options to:
– Remove user roles that are not required. (why do subscribers see the admin area?!)
– Disable comments (how many people now use WordPress as a CMS rather than blog, or use external comment providers).
– Disable Appearance > Editor.
– Disable XML-RPC
– Along with a few other best practices as outlined in http://codex.wordpress.org/Hardening_WordPress

Yes, most of this can be handled by plugins, functions.php or wp-config.php, but it would be great to have some sensible defaults and reduce the risk by reducing the scope of default functionality.
ps. Very interested to hear if other site owners are experiencing similar levels of malicious activity.
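
The lockdown options listed in the post, written as a must-use plugin. This is an added example, not part of the original post and not WordPress core code; the file name `lockdown.php` and the choice of `edit_posts` as the cut-off capability are assumptions.

```php
<?php
/**
 * Plugin Name: Lockdown defaults (added example)
 * Hypothetical file: wp-content/mu-plugins/lockdown.php
 */

// Disable Appearance > Editor and the plugin file editor.
// Normally set in wp-config.php; guarded in case it is already defined there.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// XML-RPC: this filter turns off the methods that require authentication...
add_filter( 'xmlrpc_enabled', '__return_false' );

// ...but not pingbacks, so remove those methods explicitly.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the XML-RPC endpoint in response headers.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Comments: report comments and pings as closed on every post.
add_filter( 'comments_open', '__return_false', 20 );
add_filter( 'pings_open', '__return_false', 20 );

// Subscribers: send accounts that cannot edit posts away from /wp-admin/.
// admin-ajax.php also fires admin_init, so AJAX requests are let through.
add_action( 'admin_init', function () {
    if ( wp_doing_ajax() || current_user_can( 'edit_posts' ) ) {
        return;
    }
    wp_safe_redirect( home_url( '/' ) );
    exit;
} );

// Hide the front-end admin bar for the same low-privilege accounts.
add_filter( 'show_admin_bar', function ( $show ) {
    return current_user_can( 'edit_posts' ) ? $show : false;
} );
```

Existing comments stay visible with this in place; the filters only stop new ones from being accepted.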