WordPress/website security measures taken with xserver

Misa
July 14, 2020
6:07 AM
0 comments

At HanamiWEB Online School,

●Ask questions in real-time in the virtual study room!

●Ask as many questions as you want via chat!

●E-learning materials that you can learn as much as you want, 24 hours a day!

All included for just 2,500 yen/month!

I use xserver. Did you know that I can easily improve the security of my worpdress and my website from the xserver server administration panel?

If you don't know, log in to the server panel now!

WordPress Security Settings

Many of you may have installed WordPress using the WordPress Easy Install. Have you ever clicked on the [WordPress Security Settings] in the same section?

International IP access restrictions

By default, it blocks access from outside the country.

Dashboard Access Restrictions

If you turn this on, you can prevent access to the WordPress dashboard from outside your country.

Restricted access areas
・/wp-admin … Dashboard folder
・/wp-login.php … File accessed when logging in to the dashboard
xserver

XML-RPC API Access Restrictions

What is XML-RPC?

This is a communication protocol used when posting articles or uploading images from a smartphone app or external system. It is a protocol used in various parts, such as the WordPress Pingback function, and this function is enabled by default in warpdress.

It's possible to create lists of usernames and passwords and launch login attacks.

XML-RPC itself is a required function for WordPress, but there is no need to allow it to be used from overseas, so we will also turn it ON.

Restricted access areas
・/xmlrpc.php ... XML-RPC WordPress API (file)
xserver

REST API Access Restrictions

What is REST API?

This is also an API used to use WordPress from smartphone apps and external systems. The default setting is ON, so leave it as it is.

Restricted access areas
・/wp-json … URL included when accessing REST API
xserver

If you need to access WordPress from overseas, turn it off.

Login Attempt Limit Settings

If you log in incorrectly, you will be locked out and will not be able to log in for a certain period of time.

If you forget your login password and try to log in multiple times and end up being locked out, the account will be unlocked after 24 hours and you will be able to log in again.

Alternatively, you can unlock the login lock by temporarily switching this setting to [OFF].

Comment/Trackback Restriction Settings

If a large number of comments or trackbacks are made, restrictions will be applied. Restrictions will be lifted in 6 hours.

Restrict comments and trackbacks from overseas IP addresses. It is important to note that all the other settings we have introduced so far are recommended settings.

The only setting that is not recommended is the restriction of comments and trackbacks from overseas IP addresses.

If you do not want to receive comments or trackbacks from overseas, or if you are having trouble with comments or trackbacks from overseas, change it to the recommended setting, which is ON.

WAF Settings

In the security section of the xserver server panel, click [WAF Settings]

The default setting is all OFF.

What is WAF?

Abbreviation for Web Application Firewall.
It is a security measure that protects websites from attacks that exploit vulnerabilities in web applications.

bad login
hacking

It is a security measure enabled against etc.

XSS Countermeasures

This function is effective for access that has embedded script tags such as Javascript.

This is useful for sites that have a function to display information posted by third parties on WordPress, such as bulletin boards.

SQL Countermeasures

Detects access in which a string corresponding to SQL syntax is inserted.

This is effective when you are using plugins that use a database, such as membership sites, email newsletter registrations, etc. I think most plugins use a database, so I recommend turning it ON.

File Protection

Detects access including server-related configuration files such as .htpasswd, .htaccess, and httpd.conf.

This is a useful function if you are using a bulletin board with an image upload function or a plugin that performs some kind of operation on files.

Email protection

Detects access that includes strings related to email headers such as "to", "cc", and "bcc"

We recommend keeping it turned ON on sites that use email functions, such as contact forms.

Command Measures

Detects access that contains strings related to commands such as kill, ftp, mail, ping, and ls

This is effective when using plugins created in PHP, Perl, etc. that use command execution, so we recommend leaving it ON since plugins basically use PHP.

PHP Countermeasures

Detects accesses including functions related to session and file operations, as well as functions that are likely to be the source of vulnerabilities

This is effective when you are using a plugin that uses PHP, so we recommend that you keep it ON since plugins basically use PHP.

When you set up the WAF

Please wait for the changes to be reflected. They will be reflected in about an hour.

Summary of xserver wordpress/website security

What do you think? Xserver has security features for WordPress.

Is WordPress secure? What's the best security plugin?

I think this is a question that many of you may have. The security measures introduced in this article can be achieved by using xserver. There is no need to take duplicate security measures, so please think carefully about security plugins before setting them up!

This is an article I wrote previously. I think it will be useful even for those who don't use xserver!

I thought about security measures for WordPress

Once you have taken security measures, you should also take SEO measures!

What is SEO? Here are 14 measures from Google Developer Guidelines that even beginners can do!

Leave the reskilling of your website to us!

Since 2019, we have been sharing skills related to WordPress and websites. We have accumulated case studies and know-how, and are good at quickly and accurately solving problems. If you have any concerns about your website, please feel free to contact us via our official LINE account!

↑Click to open the official LINE page