The First WordPress Security Things To Do

First and foremost:

Block the main User Agents that are behind a lot of bad traffic, User-Agent libwww-perl and Microsoft-WebDAV-MiniRedir. If your using a Linux server, be sure to add the following lines in your .htaccess file:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
RewriteRule .* – [F,L]

or you can also block it this way:

SetEnvIf User-Agent ^Microsoft-WebDAV-MiniRedir BadWebDav
Order Allow,Deny
Deny from env=BadWebDav

Be aware that this will block all User Agents both good and bad, of libwww-perl and Microsoft-WebDAV-MiniRedir. The majority of this traffic is bad however, so its a necessary fix.


Install the plugin Statpress or another hit tracking plugin to allow you to see the interactions of all IPs on your site. This includes 404 hits which you will find being a goldmine in the aspect of seeing what pages these script kids are trying to use to get in your backend. Not all tracking plugins are made the same, so test them out.


Make a backup. This is huge!!! A backup of every database and file should be done weekly at a minimum, daily if possible. This allows you to have a fallback in order to get your site back up as quickly as possible in the event of a outage or hack.


Update and visit your site regularly. Dont leave a site up for a month without visiting. This allows the script kiddies to bombard the site instead of you seeing a IP running a script and banning/blocking that IP upon finding it.


Delete your file xmlrpc.php  This file can be found in your root installation of WordPress.  Yes, to answer that question, its a valid file that installs with WordPress.  However, this file ends up being another way for script kiddies to try and DDOS your site through the API that is documented on it.  Basically this allows the script kiddies to constantly ping your site.  Compound this by multiple instances, multiple IP hits, and hits every second or so.. down goes a site.  There has been a major uptick in hits to this file since July 2014 as the script kiddies look for another loophole that is easier than the last one.  The only issue with full out deleting this file may be Jetpack.  If you feel Jetpack is a must have plugin, then you can add the following to your .htaccess file:

# lockdown xmlrpc.php file
<files xmlrpc.php>
order deny,allow
deny from all

This list will get updated over time, to help every site owner deal with the constant threats.

Leave a reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>