• Resolved zauroman

    (@zauroman)

    Block user registration if login and display name match

    I don’t understand how this function works, please explain in more detail. I didn’t really find anything in the documentation.

  • Thread Starter zauroman

    (@zauroman)

    Rename the current user name ‘admin’

    Tell us about this function in more detail too

    Thread Starter zauroman

    (@zauroman)

    Preventing open feedback when logging in

    Tell us about this function in more detail too

    Thread Starter zauroman

    (@zauroman)

    Disable XML-RPC

    Tell us about this function in more detail too

    Hi @zauroman,

    All the features you mention are part of our hardening features. Hardening features are focused on minimizing risk by removing points of attack.

    So for example with “Block user registration if login and display name match” you make sure a new user to your website needs to have a different name for logging in than what their display name is. So it won’t be guessed as easily by a hacker.

    With “Rename the current user name ‘admin’” the admin user needs to be renamed with a name that is not so generic and cannot be guessed as easily by a hacker.

    We wrote an article to explain more about all the hardening features here: https://really-simple-ssl.com/instructions/about-hardening-features/

    Please let me know if, after reading the article, you have any follow-up questions. I would be happy to answer them.

    Kind regards, Kim van Dijk

    Thread Starter zauroman

    (@zauroman)

    In your documentation, nothing is clear to me at all.
    How can a new user have a different login name from the one he displays? If he doesn’t have an account yet, what should he display?

    Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    @zauroman I appreciate your feedback. We realise the documentation is not sufficient yet. Also the explanations within the plugin are not good enough. We will be improving this in coming releases.

    As for your questions about the login name versus display name: If there’s no account yet, there’s no issue. For an existing user, it is better to have the login name different from the display name. Otherwise anybody can guess the login name, which makes brute force attacks easier.

    The display name is generated based on the first and last name that are entered when creating a new user. If these are not entered, the system will eventually fall back on the login name, which is not ideal.

    So what this feature does is require new user registrations to add a first and last name, which ensures that the display name is not the same as the login name.

    Let me know if you have any questions about this.

    Thread Starter zauroman

    (@zauroman)

    And if, when registering, the user does not specify a name, but only a login and email. What will be in the display name then?

    Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    If the first and last name are not required (which is what this setting does) and the user does not fill in either first or last name, WordPress will fall back to using the login name as display name. This setting attempts to prevent that.

    Thread Starter zauroman

    (@zauroman)

    You need to create a normal documentation where it is described in detail about each function with attached images. It’s hard for me to understand what these functions are.

    https://ibb.co/SyLJWnB

    Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    @zauroman yes, I agree. We are working on that, and will release the first improvements in the 6.1.0 version.

    Thread Starter zauroman

    (@zauroman)

    I will be waiting for the documentation, thank you

    Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    @zauroman in the meantime, a quick run through for the hardening features. I’ve tried to describe them as clearly as possible, but can imagine some points still need clarification.

    – Disable “anyone can register”
    Disables the option which allows anyone to register as a user on the WordPress website.

    – Disable the built-in file editors
    Some attacks try to edit plugin files through the built-in file editor (under plugins/themes). This setting disables this feature, which restricts options to edit PHP code using the WordPress interface.

    – Prevent code execution in the public ‘Uploads’ folder
    Some attacks consist of injecting files with PHP code into the uploads directory. This setting prevents execution of PHP files in the uploads directory. This directory should normally only contain images, videos etc.

    – Hide your WordPress version
    By default, the WordPress version is visible in the HTML of your website. This gives an attacker information on the possible vulnerabilities on your site, for example if you use an older version of WordPress with a specific vulnerability.

    – Prevent exposed login feedback
    By default, when you try to log in to WordPress with the wrong username or password, WordPress will tell you whether the username was incorrect, or the password. This gives the attacker information on the used login. With a brute force attack, each username can be tried, and it can be detected whether it is a valid username. This makes brute force attacks easier.

    – Disable directory browsing
    On some hosting environments, the possibility to browse through directories in the WordPress folders is not blocked. This can give attackers information on what plugins and themes, with what version, are installed. Like with the WordPress version, if there’s a plugin with a known vulnerability, the attacker can then exploit it.

    – Disable user enumeration
    If user enumeration is possible, an attacker can detect which usernames are in use on a website, as a first step in brute force login attacks.

    – Rename current ‘admin’ username
    On most websites, the first user is ‘admin’, so it is one of the first names tried in any login attempt.

    – Disable XML-RPC
    XML-RPC is a method to post and read information from WordPress. It also allows logging in, and can even bulk log in with lots of usernames in one attempt. Blocking it improves security against brute force login attempts.

    – Block user registrations when login and display name are the same
    Like with user enumeration and admin username, if the login name and display name are the same, it is easier to try a brute force login attack.
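
As an added example (not Really Simple SSL’s own code), a small must-use plugin that implements three of the measures in the list above with standard WordPress hooks: it requires a first and last name at registration, rejects a registration whose display name would equal the login name, replaces the login feedback with one generic message, and disables XML-RPC. The `first_name`/`last_name` form field names are my choice (they are also the user meta keys WordPress uses).

```php
<?php
/**
 * Plugin Name: Hardening example (added illustration, not plugin code)
 * Place in wp-content/mu-plugins/ to load it on every request.
 */

// Render first/last name fields on the wp-login.php registration form.
add_action( 'register_form', function () {
    echo '<p><label>First name <input type="text" name="first_name" /></label></p>';
    echo '<p><label>Last name <input type="text" name="last_name" /></label></p>';
} );

// Helper: read and sanitize the posted name fields.
function hx_posted_name() {
    $first = sanitize_text_field( wp_unslash( $_POST['first_name'] ?? '' ) );
    $last  = sanitize_text_field( wp_unslash( $_POST['last_name'] ?? '' ) );
    return [ $first, $last ];
}

// "Block user registrations when login and display name are the same":
// both names are required, and the resulting display name must differ from the login.
add_filter( 'registration_errors', function ( WP_Error $errors, $sanitized_user_login ) {
    list( $first, $last ) = hx_posted_name();
    if ( '' === $first || '' === $last ) {
        $errors->add( 'name_required', 'Please enter both a first and a last name.' );
    } elseif ( 0 === strcasecmp( trim( "$first $last" ), $sanitized_user_login ) ) {
        $errors->add( 'display_matches_login', 'Your display name must differ from your login name.' );
    }
    return $errors;
}, 10, 2 );

// Store the names so display_name is built from them instead of falling back to user_login.
add_action( 'user_register', function ( $user_id ) {
    list( $first, $last ) = hx_posted_name();
    if ( '' !== $first && '' !== $last ) {
        wp_update_user( [
            'ID'           => $user_id,
            'first_name'   => $first,
            'last_name'    => $last,
            'display_name' => "$first $last",
        ] );
    }
} );

// "Prevent exposed login feedback": same message whether the username or the password was wrong.
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );

// "Disable XML-RPC": turns off the endpoint that allows (bulk) login attempts outside wp-login.php.
add_filter( 'xmlrpc_enabled', '__return_false' );
```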

    Thread Starter zauroman

    (@zauroman)

    Thanks
