WordPress is reasonably secure by default, but no system is safe out of the box. The following steps should be taken to harden a WordPress installation:
After installation, wp-config.php sometimes ends up with permission 666, which means every account on the server can read and write it. That is dangerous: the file holds the database credentials and authentication salts, and anyone who can overwrite it (for example an attacker who has compromised another account on a shared host) can take over the site. Change the permission to 400 (owner read-only). One caveat: 400 only works when PHP runs as the file's owner, which is the usual setup on cPanel hosts with suPHP or PHP-FPM. If the web server runs as a different user, 400 will stop the site from loading; use 440 instead and make sure the web server's user is in the file's group. To change the file permission using the cPanel File Manager:
- Login to cPanel.
- Click File Manager icon.
- Select the wp-config.php file and click the Permissions menu.
- Check only Read in the User column and leave everything else unchecked. The resulting permission is 400.
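The same check and fix from the command line, for hosts with SSH access. This is an added example for this page, not code from WordPress or cPanel; it assumes GNU or BSD stat, and the wp-config.php it operates on in the test is a constructed sample file, not a real install.

```shell
#!/bin/sh
# Audit and fix wp-config.php permissions from the command line.
# Added example for this page, not code from WordPress or cPanel.

# Print the octal permission bits of a file, e.g. 644 or 400
# (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed (exit 0) when group or others have the write bit set,
# which covers the 666 / 664 / 646 situation the text warns about.
is_loosely_writable() {
    mode=$(file_mode "$1")
    # 0$mode forces octal; 022 is the group+other write mask
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# Restrict the file to its owner. Mode 400 (owner read-only) is right when
# PHP runs as the file owner, as on cPanel with suPHP or PHP-FPM. Pass 440
# when the web server runs as a different user that is in the file's group;
# otherwise the site cannot read its own configuration and stops loading.
harden_wp_config() {
    f="$1"
    want="${2:-400}"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    chmod "$want" "$f" || return 1
    got=$(file_mode "$f")
    [ "$got" = "$want" ] || { echo "failed: $f is $got" >&2; return 1; }
    echo "$f is now $got"
}

# Report the state of a wp-config.php without changing it.
# Prints "loose <mode>" or "ok <mode>"; succeeds only when nothing is loose.
audit_wp_config() {
    f="$1"
    mode=$(file_mode "$f")
    if is_loosely_writable "$f"; then
        echo "loose $mode"
        return 1
    fi
    echo "ok $mode"
}

# Usage: sh harden_wp_config.sh /path/to/wp-config.php [400|440]
if [ $# -gt 0 ]; then
    audit_wp_config "$1" || harden_wp_config "$1" "${2:-400}"
fi
```

Run it once with no second argument on a host where PHP runs as the file owner; run it with 440 on a host where the web server is a separate user, then confirm the site still loads.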
XML-RPC is a remote procedure call protocol that encodes the call as XML and carries it over HTTP. With it, a client can invoke methods with parameters on a remote server and get structured data back.
XML-RPC has been part of WordPress since the beginning. It enables communication between WordPress and other applications, such as desktop blogging clients and the WordPress mobile apps. The code lives in the xmlrpc.php file in the site's root directory.
Since the REST API was integrated into WordPress, xmlrpc.php has been largely superseded, but it is still enabled by default and still exposes attack surface. The pingback.ping method makes your server fetch whatever URL the caller supplies, so an attacker can send large numbers of pingback requests either to overload your server directly or to use it as an amplifier against someone else's site; in both cases your site ends up timing out. Every authenticated XML-RPC call carries a username and password, and the system.multicall method lets an attacker pack hundreds of login guesses into a single HTTP request, which makes a brute-force attack far cheaper than one against wp-login.php. Given enough attempts they may hit the right password and gain access to insert, delete, or deface content on your site.
To disable xmlrpc.php, add the following to your .htaccess file (Apache 2.2 syntax):

    <Files xmlrpc.php>
        Order Allow,Deny
        Deny from all
    </Files>

On Apache 2.4 the two inner directives are replaced by a single line, Require all denied. Either way, requests to xmlrpc.php are answered with a 403 before WordPress runs. Be aware that Jetpack and the WordPress mobile apps still rely on XML-RPC, so only block it if nothing you depend on needs it.
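After adding the rule, verify from outside that xmlrpc.php really is blocked, and, on sites where it cannot be blocked, see which of the methods discussed above it still advertises. The probe below is an added example for this page, not code from WordPress; it assumes curl is installed, the site URL in the usage line is hypothetical, and the responses it is tested against are constructed samples of the XML-RPC reply format.

```shell
#!/bin/sh
# Probe a WordPress site's xmlrpc.php and classify the answer.
# Added example for this page, not code from WordPress. Assumes curl.

# system.listMethods needs no credentials and returns every exposed method.
LIST_METHODS_REQUEST='<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>'

# Methods that matter for the attacks described above:
#   pingback.ping     server fetches caller-chosen URLs (flooding/amplification)
#   system.multicall  bundles many calls, so many password guesses per request
#   wp.getUsersBlogs  the authenticated call brute-forcers wrap in multicall
RISKY_METHODS='pingback.ping system.multicall wp.getUsersBlogs'

# Classify an HTTP status code plus response body. Prints one of:
#   blocked            the web server refused the request or the file is gone
#   fault              XML-RPC answered with a fault instead of a method list
#   exposed:<methods>  XML-RPC works and lists the named risky methods
#   responds           XML-RPC works but lists none of the risky methods
#   unknown            not an XML-RPC response at all
classify_xmlrpc() {
    status="$1"
    body="$2"
    case "$status" in
        401|403|404|405) echo "blocked"; return 0 ;;
    esac
    if printf '%s' "$body" | grep -qF '<fault>'; then
        echo "fault"
        return 0
    fi
    if ! printf '%s' "$body" | grep -qF '<methodResponse>'; then
        echo "unknown"
        return 0
    fi
    found=""
    for m in $RISKY_METHODS; do
        # listMethods returns each name as <value><string>NAME</string></value>
        if printf '%s' "$body" | grep -qF "<string>$m</string>"; then
            found="$found $m"
        fi
    done
    if [ -n "$found" ]; then
        echo "exposed:${found# }"
    else
        echo "responds"
    fi
}

# POST the listMethods call to <site>/xmlrpc.php and classify the answer.
probe_xmlrpc() {
    url="${1%/}/xmlrpc.php"
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' -X POST \
        -H 'Content-Type: text/xml' --data "$LIST_METHODS_REQUEST" "$url")
    body=$(cat "$tmp")
    rm -f "$tmp"
    classify_xmlrpc "$status" "$body"
}

# Usage: sh xmlrpc_probe.sh https://example.com   (hypothetical site URL)
if [ $# -gt 0 ]; then
    probe_xmlrpc "$1"
fi
```

A correctly applied .htaccess rule prints blocked. If the output starts with exposed: and lists pingback.ping or system.multicall, the endpoint is still reachable and the attacks described above remain possible.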