32 steps to WordPress website security ultimate checklist: Step 28 ~ 32

Website security is that many WordPress newbies are easy to overlook an important problem. How to ensure WordPress site security, but also many just contacts the WordPress experts when they face problems. This is a series of tutorials to teach you the introduction to a series of steps to protect your WordPress website security. Here are the 32 steps to WordPress website security ultimate checklist Step 28 ~ 32. Today we will see 28 to 32 step.

WordPress website security ultimate checklist step 28

WordPress website security ultimate checklist Step 28 ~ 32

28. Disable the XML-RPC feature (if you don’t use it)

WordPress allows other applications to be accessed remotely via the application programming interface (API). That is, other applications can have access to your website. A typical application is XML-RPC, you can use it to update the website content.

There are a lot of plug-ins also rely on XML-RPC functions, such as the Jetpack plug-in package used XML-RPC function.

However, hackers may also use the XML-RPC to attack your website.

Today, many users believe that XML-RPC is as secure as the WordPress kernel. But in fact, hackers can use the XML-RPC for phishing scams.

If you are sure that you will not use third-party applications to access WordPress, WordPress plugin on the site does not need this feature, then you can install any one of these plug-ins to disable the XML-RPC function. If you are already using the All In One WP Security & Firewall then you can do it easily by going – WP Security » Firewall and fill the checkbox under WordPress XMLRPC & Pingback vulnerability protection.

Block XML-RPC Completely

29. Disable PHP error reporting

At the time of your website development, error reporting is like a life preserver. When the error comes, it can tell you exactly where the error is? So that you can fix the error quickly.

However, on production sites, bug reports give hackers a chance to easily obtain valuable information.

For example, here is a bug report:


This report revealed the username of the account. If someone else is looking for an opportunity to hack into your site, then this is a very crucial piece of information.

This is just an error message, if you want to find the target weaknesses, other error reports will give you more.

To turn off PHP error reporting, You can put the following code into your PHP among the ini files:

error_reporting = 4339
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /home/
log_errors_max_len = 1024
ignore_repeated_errors = On
ignore_repeated_source = Off
html_errors = Off

This can enhance the security of your WordPress website and reduce the possibility of exposing sensitive information on your website.

30. Installing a firewall

We can divide the firewalls into two categories, or there are two main purposes. In the field of network security, we use the firewalls mainly to separate different types of networks. Either to prevent external access or to prevent internal out.

If you want to do the analogy, the firewall is like a bodyguard. Only in the party invited on the list of important figures, can enter. Developers often use the Firewall software to prevent hackers from approaching your site. Just as party tickets prohibit uninvited parties from entering the party.

For WordPress site security, we usually use web application firewall (Web Application Firewall, WAF for short) to organize hackers to use their little dirty hands to enter unpopular their sites.

There are many kinds of WAF. But on the WordPress server, the most reliable, free, and open source firewall that can be used is the ModSecurity firewall.

You can ask your hosting provider to see if there is a firewall installed on your server space. Once you enable this firewall, your hosting provider and the WordPress programmer you hire, you can set the ModSecurity rules to protect your WordPress site.

31. Using a CDN firewall

CDN (Content Delivery Network) is mainly to optimize the performance of the site by storing web resources.

At the same time, CDN also provides additional features: the vast majority of CDN can protect the security of WordPress sites.

If you’re using a CDN (which you need to use if your site is heavily accessed), you should also set up security rules to improve the protection of your WordPress site.

32. Monitor WordPress site security with security log

If you don’t know what kind of attacks the site encountered, then you will not be able to stop these attacks, right?

By monitoring the log, you can enhance the protection of WordPress security. For example, if you find that there are a large number of attack attempts, all from a certain country, and this country is not the object of your attention, then you can set a rule to block the country.

Of course, this is just a simple example of a monitoring log.

If you can access the host server directly, you can also choose OSSEC to monitor the server’s logs. Otherwise, you can also choose to install the WordPress Security Audit Log plugin to monitor your security logs. Also, you can install the IQ block Country plug-in to block certain attacker country from backend or from both backend and frontend.


This article series details the ultimate 32 steps to enhance your WordPress site security. If you have not considered the issue of strengthening WordPress security before, then the text may give you more inspiration and suggestions. Fortunately, none of the steps described in this article require much expertise and can be completed easily.

WordPress security is critical. Perhaps at the moment, your website is being hacked.

Even if you do not intend to implement all of the above 32 steps, we strongly recommend that you implement most of the initiatives in the song. These measures can actually enhance the security of your WordPress site.

Also read: Top 10 Things To Do After Installing WordPress

If you liked this article, then please follow us on social media and don’t forget to Subscribe to our mail list.

( Finished, Read earlier posts of this series )

You May Also Like

About the Author: WPC Staff

WPCrons staff has long-term experience of WordPress & like to constantly spot problems and plotting how to solve them. We believe you don't need to be a nerd or a programmer or a network engineer to make a difference.

Leave a Reply

Thanks for choosing to leave a reply. Your opinions and comments are very important to us, and your email address will NOT be published. If you need a private conversation then use our contact form. Please add an avatar if you do not have and make the comment section more beautiful.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. Accept! No, thanks!

Why my browser don’t show me the coupon?

By default, Google Chrome and some other browser block pop-ups from automatically showing up on your screen. When a pop-up is blocked, the address bar will be marked Pop-up blocked Pop-up blocked.

ComputerAndroidiPhone & iPad

  1. On your computer, open Chrome.
  2. At the top right, click More More and then Settings.
  3. Under “Privacy and security,” click Site settings.
  4. Click Pop-ups and redirects.
  5. At the top, turn the setting to Allowed or Blocked.

  1. On your Android phone or tablet, open the Chrome app Chrome.
  2. To the right of the address bar, tap More More Settings.
  3. Tap Site settings and then Pop-ups and redirects.
  4. Turn Pop-ups and redirects on or off.

  1. On your iPhone or iPad, open the Chrome app Chrome.
  2. Tap More More and then Settings Settings.
  3. Tap Content Settings and then Block Pop-ups.
  4. Turn Block Pop-ups on or off.

Share via


Subscribe to get FREE updates

Join 1000s of readers around the globe. Don’t worry. We also don’t like Spam. We are weekly.


We are using affiliate links & images from respective product sites in our articles occasionally, means that if you click on one of the links and purchase an item, we may receive a commission (at no additional cost to you). All the reviews & opinions (positive or negative) are 100% our own. We are not getting any money to write them. The trademarks mentioned in this website belong to the respective companies. All the articles are information purpose only, to help someone to educate & save money. In case any problem with the content, you can reach us anytime through our contact us page »