Security Basics
Harden your WordPress site with login protection, XML-RPC blocking, security headers, and more.
Overview
Security Basics is a free service included with every RakuWP plan. It bundles six essential hardening measures that protect your WordPress site against the most common attack vectors: brute-force login scans, XML-RPC abuse, clickjacking, MIME sniffing, and information leakage.
All features can be toggled independently from the WordPress admin or from the RakuWP panel. No server configuration is required.
Getting Started
- Go to RakuWP > Services in your WordPress admin and enable the Security Basics service.
- The Security Basics settings page will appear under the RakuWP menu.
- Enable each protection individually depending on your site's needs.
- You can also manage all settings from the Security tab in the RakuWP panel.
Custom Login URL
By default, every WordPress site uses /wp-login.php as its login page. This well-known path is constantly targeted by automated bots that attempt brute-force password attacks.
When you enable this feature, wp-login.php is moved to a custom slug of your choice (for example, /my-secret-login). Any request to the original /wp-login.php or /wp-admin from a non-authenticated visitor will return a 404 page, effectively hiding your login page from scanners.
How to configure
- Toggle Enable custom login URL on.
- Enter a slug in the text field (letters, numbers, and hyphens only).
- Click Save. Your new login page is immediately active.
Important: Bookmark your new login URL. If you forget it, you can deactivate the RakuWP plugin via FTP or WP-CLI to restore the default login path.
Disable XML-RPC
XML-RPC (xmlrpc.php) is a legacy API that predates the WordPress REST API. It was originally designed to let external applications (such as the WordPress mobile app, Jetpack, and pingback/trackback systems) communicate with your site over HTTP.
Why disable it
- Brute-force amplification: XML-RPC's system.multicall method allows attackers to test hundreds of username/password combinations in a single HTTP request, bypassing rate-limiting protections that only count individual requests.
- DDoS amplification: The pingback feature can be exploited to launch distributed denial-of-service attacks using your server as a relay.
- Unnecessary attack surface: Since WordPress 4.7, the REST API handles everything the mobile app and modern plugins need. Keeping XML-RPC enabled adds an unused entry point.
When to keep it enabled
Only leave XML-RPC active if you rely on a tool that specifically requires it, such as older versions of the WordPress mobile app (before REST API support was added) or legacy plugins that have not migrated to the REST API.
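The two situations above (switch XML-RPC off entirely, or keep it for a legacy tool) can both be expressed with core WordPress filters. The following must-use plugin is an added example written for this page; it is not RakuWP's implementation, and the file name and the EXAMPLE_KEEP_XMLRPC_FOR_LEGACY_TOOL constant are assumptions. It also goes one step beyond the text: the xmlrpc_enabled filter only rejects methods that require a login, so pingback.ping (which needs none) is unregistered separately in both modes.

```php
<?php
/**
 * Plugin Name: XML-RPC hardening (added example, not RakuWP's own code)
 * Save as wp-content/mu-plugins/xmlrpc-hardening.php so it loads on every request.
 */

// Assumption: set to true only if a legacy tool still needs xmlrpc.php.
const EXAMPLE_KEEP_XMLRPC_FOR_LEGACY_TOOL = false;

// 1. Unregister the methods the page warns about. This runs in both modes:
//    pingback.ping needs no login, so the xmlrpc_enabled filter below would
//    not stop it. Drop the system.multicall line only if your legacy tool
//    genuinely batches calls.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
	unset( $methods['pingback.ping'] );                    // makes your site fetch arbitrary URLs
	unset( $methods['pingback.extensions.getPingbacks'] );
	unset( $methods['system.multicall'] );                 // many login attempts per request
	return $methods;
} );

// 2. Unless a legacy tool needs the endpoint, refuse every authenticated
//    call as well. Core then answers each call with a 405 "XML-RPC services
//    are disabled on this site" fault instead of checking the password.
if ( ! EXAMPLE_KEEP_XMLRPC_FOR_LEGACY_TOOL ) {
	add_filter( 'xmlrpc_enabled', '__return_false' );
}

// 3. Stop advertising the endpoint: WordPress adds an X-Pingback header
//    pointing at xmlrpc.php to front-end responses. (A theme that prints
//    <link rel="pingback"> in header.php has to be edited separately.)
add_filter( 'wp_headers', function ( array $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );

// 4. Treat every post as closed to incoming pingbacks, so even a request that
//    reaches a pingback handler is rejected by the post-level check.
add_filter( 'pings_open', '__return_false' );
```

Filters only take effect once WordPress has loaded, so each blocked request still costs a PHP process; if the endpoint is not needed at all, denying /xmlrpc.php at the web server in addition to this is the cheaper option.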
Hide WordPress Version
WordPress exposes its version number in several places: the <meta name="generator"> tag in your HTML, RSS feed headers, and query strings appended to enqueued CSS and JavaScript files (e.g. ?ver=6.5.2).
Attackers use this information to identify sites running outdated versions with known vulnerabilities. Enabling this option removes the version string from all these locations, making it harder for automated scanners to profile your site.
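The three locations listed above can be covered with two core filters. The must-use plugin below is an added example written for this page, not RakuWP's own code; the file name and the choice of wp_salt( 'nonce' ) as the hashing key are assumptions. Rather than deleting the ?ver= parameter (which would also disable cache busting after updates), it replaces the value with a short site-specific keyed hash, so caches still see a new URL when a version changes but the version itself is no longer readable. Because it rewrites every ?ver= value, it masks plugin and theme versions as well as the core version.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (added example, not RakuWP's own code)
 * Save as wp-content/mu-plugins/hide-version.php.
 */

// 1. The generator string. This single filter covers both the
//    <meta name="generator"> tag in HTML and the <generator> element in
//    RSS/Atom feeds, because both are produced through the_generator().
add_filter( 'the_generator', '__return_empty_string' );

// 2. The ?ver= query string on enqueued scripts and styles.
//    Input:  https://example.com/wp-includes/js/jquery/jquery.min.js?ver=6.5.2
//    Output: the same URL with ver= replaced by a 10-character keyed hash.
function example_mask_asset_version( $src ) {
	if ( ! is_string( $src ) || false === strpos( $src, 'ver=' ) ) {
		return $src; // nothing to mask
	}
	$query = wp_parse_url( $src, PHP_URL_QUERY );
	if ( ! $query ) {
		return $src;
	}
	parse_str( $query, $args );
	if ( empty( $args['ver'] ) ) {
		return $src;
	}
	// Assumption: the nonce salt is used as the HMAC key. It is stable for a
	// site, so the same version always maps to the same opaque value, and a
	// new version maps to a new value, which keeps cache busting working.
	$masked = substr( hash_hmac( 'sha256', (string) $args['ver'], wp_salt( 'nonce' ) ), 0, 10 );
	return add_query_arg( 'ver', $masked, $src ); // add_query_arg overwrites an existing ver=
}
// Late priority so the mask is applied after other plugins have set their own ver.
add_filter( 'script_loader_src', 'example_mask_asset_version', PHP_INT_MAX );
add_filter( 'style_loader_src', 'example_mask_asset_version', PHP_INT_MAX );
```

Filters cannot hide what is stored on disk: the readme.html file at the site root states the installed version and is served as a plain file, so it needs to be removed or blocked at the web server separately.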
Security Headers
HTTP security headers are response headers that instruct the visitor's browser to enable built-in protections. When this feature is enabled, the following headers are added to every response your site sends:
X-Content-Type-Options
Default value: nosniff
Prevents the browser from performing MIME type sniffing. Without this header, a browser might interpret a file as a different content type than declared (for example, treating a text file as executable JavaScript). Setting it to nosniff forces the browser to trust the Content-Type header, blocking a class of attacks where malicious files are disguised as safe types.
X-Frame-Options
Default value: SAMEORIGIN
Controls whether your site can be embedded inside an <iframe> on another domain. Clickjacking attacks work by overlaying your site in a transparent frame on top of a malicious page, tricking users into clicking buttons they cannot see. SAMEORIGIN allows your own site to use iframes (for previews, admin pages, etc.) while blocking all external domains from embedding your content.
Strict-Transport-Security (HSTS)
Default value: max-age=31536000; includeSubDomains
Tells the browser to connect to your site only over HTTPS for the specified duration (31536000 seconds = one year). Once the browser has seen this header on an HTTPS response, it automatically upgrades any HTTP link to your site to HTTPS for that period, preventing man-in-the-middle attacks that could intercept data over an unencrypted connection. The includeSubDomains directive extends this protection to all subdomains.
Referrer-Policy
Default value: strict-origin-when-cross-origin
Determines how much referrer information (the URL of the page the visitor came from) is shared when navigating to another site. strict-origin-when-cross-origin sends the full URL for same-origin requests, only the origin (scheme and host, with no path or query string) for cross-origin requests that stay on HTTPS, and nothing at all if the destination is plain HTTP. This keeps private URL paths and query parameters from leaking to third parties.
Permissions-Policy
Default value: geolocation=(), microphone=(), camera=()
Restricts which browser APIs your site is allowed to use. The default configuration disables geolocation, microphone, and camera access for all contexts (including embedded iframes). This prevents malicious scripts or third-party embeds from silently requesting access to sensitive device features. You can customize the policy to allow specific origins if your site legitimately uses these APIs.
Customizing header values
Each header value can be edited from the Security Basics settings. After toggling Enable security headers on, the individual fields appear with their default values pre-filled. Modify any value and click Save Headers to apply your changes.
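For reference, the five headers and their default values above correspond to the following must-use plugin. It is an added example written for this page, not RakuWP's implementation; the file name, the function names and the set of hooks are assumptions. It adds two practical details the settings page does not spell out: the HSTS header is sent only on HTTPS responses (browsers ignore it over plain HTTP, and includeSubDomains commits every subdomain to HTTPS for a year, so it should not be sent until all of them serve HTTPS), and the headers are attached to admin and login responses as well as the front end.

```php
<?php
/**
 * Plugin Name: Security headers (added example, not RakuWP's own code)
 * Save as wp-content/mu-plugins/security-headers.php.
 */

// The headers with the defaults listed on the settings page. Edit the values
// here the same way you would edit the settings fields. For example, to allow
// geolocation for your own origin and one assumed partner origin:
//   'Permissions-Policy' => 'geolocation=(self "https://maps.example.com"), microphone=(), camera=()'
function example_security_headers() {
	$headers = array(
		'X-Content-Type-Options' => 'nosniff',
		'X-Frame-Options'        => 'SAMEORIGIN',
		'Referrer-Policy'        => 'strict-origin-when-cross-origin',
		'Permissions-Policy'     => 'geolocation=(), microphone=(), camera=()',
	);

	// HSTS only on HTTPS responses. Start without includeSubDomains if any
	// subdomain (mail, staging, ...) is still served over plain HTTP.
	if ( is_ssl() ) {
		$headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
	}
	return $headers;
}

function example_send_security_headers() {
	if ( headers_sent() ) {
		return; // too late to add headers; something already produced output
	}
	foreach ( example_security_headers() as $name => $value ) {
		header( $name . ': ' . $value ); // replaces any earlier header of the same name
	}
}

// Front-end requests, wp-admin screens and wp-login.php each have their own
// early hook; REST API responses are not covered by these three.
add_action( 'send_headers', 'example_send_security_headers' );
add_action( 'admin_init', 'example_send_security_headers' );
add_action( 'login_init', 'example_send_security_headers' );
```

After saving, confirm the result from outside the site by requesting the home page with curl -I over HTTPS and checking that all five headers appear with the values you configured; a caching layer or CDN in front of the site can strip or override them.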
Disable File Editor
WordPress includes a built-in code editor (Appearance > Theme File Editor and Plugins > Plugin File Editor) that allows administrators to modify PHP files directly from the browser. While convenient, this editor is a significant security risk: if an attacker gains admin access, they can inject malicious code into your theme or plugin files without needing FTP or SSH access.
Enabling this option sets the DISALLOW_FILE_EDIT constant to true, which removes the editor pages from the WordPress admin entirely. You can still edit files via FTP, SSH, or your hosting file manager.
Disable Directory Listing
When directory listing is enabled on your web server, visiting a URL like https://yoursite.com/wp-content/uploads/ displays a browsable index of all files in that folder. This allows anyone to discover uploaded files, plugin names, theme structures, and other sensitive information.
Enabling this option adds the Options -Indexes directive to your .htaccess file, which tells Apache to return a 403 Forbidden response instead of listing directory contents. This is a standard hardening measure recommended by WordPress and all major security auditing tools.
Note: This feature only applies to Apache servers. If you use Nginx, directory listing must be configured in your server block (autoindex off;).
Managing from the Panel
All Security Basics settings can be managed remotely from the Security tab on any site's detail page in the RakuWP panel. Changes are applied instantly to the WordPress site via the REST API. This is especially convenient when managing multiple sites, as you can review and configure security settings without logging into each WordPress admin individually.