Every vulnerability is unique, but most attacks against WordPress sites fall into one of four categories:<\/p>\n\n\n\n
- Brute force and dictionary attacks: <\/strong>Attackers attempt to guess security credentials such as usernames and passwords. Attacks of this type are carried out by bots that can quickly flood WordPress authentication systems with a deluge of login attempts. <\/li>
- Denial of Service (DOS) and Distributed Denial of Service (DDoS) attacks: <\/strong>Bad actors bombard sites and networks with requests and data, consuming resources, degrading performance, and potentially taking them offline. WordPress includes a system called XML-RPC, which is often used in denial of service attacks. <\/li>
- Core, plugin, and theme vulnerabilities: <\/strong>Bugs in code can be exploited to circumvent authentication systems, upload malicious code, or gain extra privileges. Bad actors often look in a site\u2019s files for clues about the sort of attack it is vulnerable to. <\/li>
- Code injection attacks: <\/strong>Running malicious code is a goal of many bad actors. They scour WordPress sites searching for vulnerabilities that will let them inject PHP, JavaScript, or SQL code. <\/li><\/ul>\n\n\n\n
WP Toolkit for cPanel implements features and security measures that protect sites against each of these attack types. <\/p>\n\n\n\n
Security Hardening with WP Toolkit for cPanel<\/strong><\/h2>\n\n\n\n
cPanel\u2019s WP Toolkit is a complete WordPress management solution with an intuitive interface. You can think of it as a single dashboard for controlling all of your WordPress sites. It automates WordPress hosting tasks, including installation, updates, and backups. It also surfaces configuration tweaks that you\u2019d otherwise have to dig around in the admin interface or edit configuration files to change. <\/p>\n\n\n\n
WordPress security hardening is one of the places where WP Toolkit really shines. First, it applies fixes for critical vulnerabilities during installation, so sites are secure before they go online. Second, it scans existing sites for suboptimal security settings and can fix them at the click of a button. <\/p>\n\n\n\n
We\u2019ll have a look at some of the security fixes it applies in a moment, but first, we\u2019ll show you just how easy it is to security harden a WordPress site with cPanel.<\/p>\n\n\n\n
To use one-click hardening, you will need:<\/p>\n\n\n\n
- A cPanel instance with WP Toolkit installed <\/li>
- A WP Toolkit Deluxe license. <\/li><\/ul>\n\n\n\n
You can find the WP Toolkit in Applications <\/em>on cPanel\u2019s main page. Sites are listed on the overview page with status information and configuration switches. <\/p>\n\n\n\n
![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/00-cpanel-WordPress-toolkitoverview.png\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
If you take a closer look at the second site, you will notice that, under the Status<\/em> heading, the Security <\/em>line reads Check Security. <\/em>WP Toolkit scanned the site and noticed that several non-critical security measures have not been applied. The first site has already been hardened, so it displays View Settings. <\/em><\/p>\n\n\n\n
![\"WordPress](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/01-cpanel-WordPress-check-security.png\")
<\/figure>\n\n\n\nYou might also see Fix Security <\/em>here, <\/em>which means that critical security measures have not been applied. <\/p>\n\n\n\n
We can click on the status message to open the Security Status <\/em>panel, which displays all of the security measures the WP Toolkit can apply. <\/p>\n\n\n\n
![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/02-cpanel-wordpress-toolkit-security-status.png\")
<\/figure>\n\n\n\nYou can apply each measure individually by checking the adjacent box and clicking Secure. <\/em>They can be reverted, where possible, by selecting them and clicking Revert. <\/em>But we want to secure our WordPress site in a single click, and to do that, we\u2019ll select the Security Measures <\/em>checkbox at the top of the column and then click the Secure <\/em>button. <\/em><\/p>\n\n\n\n
![\"WordPress](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/03-cpanel-single-click-secure-wordpress.png\")
<\/figure>\n\n\n\nOne-Click Hardening for Multiple WordPress Sites<\/strong><\/h3>\n\n\n\n
What if you host dozens of WordPress sites? It would be time-consuming to secure each one individually, so you\u2019ll be happy to hear that you can use the WP Toolkit to secure any number of sites at the same time. On the overview page, click the Security Tab<\/em>. <\/p>\n\n\n\n
![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/04-cpanel-wordpress-toolkit-security-tab.png\")
<\/figure>\n\n\n\ncPanel displays a list of sites and their security status. Use the checkbox next to each site to select those that aren\u2019t fully hardened, and then click the Secure <\/em>button at the top of the page.<\/p>\n\n\n\n
![\"WP](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/05-cpanel-secure-multiple-WordPress-sites.png\")
<\/figure>\n\n\n\nYou\u2019re given a chance to specify which security measures to apply, and then cPanel automatically hardens all selected sites. You can use this method to secure dozens or even hundreds of WordPress sites simultaneously. <\/p>\n\n\n\n
Security Settings in WP Toolkit<\/strong><\/h3>\n\n\n\n
WP Toolkit applies almost 20 security measures, but we\u2019d like to highlight a handful of the most important here. <\/p>\n\n\n\n
- Forbid execution of PHP files: <\/strong>The toolkit forbids the execution of PHP files in the wp-includes <\/em>and wp-content\/uploads <\/em>directory. Both are common targets of bad actors and malicious users who upload PHP code and attempt to execute it. <\/li>
- Block directory browsing: <\/strong>The files inside WordPress\u2019s directories contain information about plugins, themes, and other code that might reveal vulnerabilities. The Toolkit makes it impossible for any non-authenticated user to look in directories. It also sets secure file permissions for the wp-config <\/em>file and all other files and directories. <\/li>
- Enable bot protection<\/strong>: Allowing bots to scan your site is a security risk, as well as a waste of server resources. The WP Toolkit blocks bad bots to limit a site\u2019s exposure. <\/li>
- Change default administrator\u2019s username: <\/strong>When first installed, WordPress creates a user with administrative privileges called admin. <\/em>Bots and other bad actors often target admin <\/em>with brute force and dictionary attacks. <\/li>
- Turn off Pingbacks: <\/strong>When a WordPress website links to your site, it sends a ping, which results in a comment on your blog that records the link. Pingbacks rely on the insecure XML-RPC protocol, which can be abused to overwhelm a site\u2019s resource in a denial of service attack. <\/li>
- Enable hotlink protection<\/strong>: <\/em><\/strong>Hotlinking allows external sites to embed or display images hosted on your server. You gain little benefit from hotlinking, and it can become a significant drain on server and network resources. <\/li><\/ul>\n\n\n\n
Finally, the WP Toolkit makes it simple to quickly update WordPress Core, plugins, and themes in a unified interface, as well as to manage automatic updates. Plugin and theme vulnerabilities are the most common WordPress exploit, and regular updates are the only way to protect sites from vulnerabilities in their code. <\/p>\n\n\n\n
Restoring Backups with WP Toolkit<\/strong><\/h3>\n\n\n\n
To finish, let\u2019s look at one more security essential that cPanel simplifies: restoring backups. A recent backup is a lifeline if all else fails. It allows users to restore a compromised site to a secure and uninfected condition, and, with the WP Toolkit, making and restoring backups takes seconds. <\/p>\n\n\n\n
![\"WP](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/06-cpanel-wordpress-toolkit-backup.png\")
<\/figure>\n\n\n\nTo create a backup, click the Back Up <\/em>button. If you have previous backups, they are listed on the page. To restore your WordPress site and its database to an earlier state, choose a backup file and click the restore icon, as shown in the next image.<\/p>\n\n\n\n
![\"WP](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/07-cpanel-restore-wordpress-backup.png\")
<\/figure>\n\n\n\nSecure WordPress Hosting with cPanel<\/strong><\/h3>\n\n\n\n
The WP Toolkit makes it easier than ever to build a secure WordPress hosting platform with cPanel. Security hardening is now a one-click process, allowing hosts to protect servers, sites,\u00a0 and users without a long and expensive manual hardening process.\u00a0<\/p>\n\n\n\n
- Block directory browsing: <\/strong>The files inside WordPress\u2019s directories contain information about plugins, themes, and other code that might reveal vulnerabilities. The Toolkit makes it impossible for any non-authenticated user to look in directories. It also sets secure file permissions for the wp-config <\/em>file and all other files and directories. <\/li>
- Forbid execution of PHP files: <\/strong>The toolkit forbids the execution of PHP files in the wp-includes <\/em>and wp-content\/uploads <\/em>directory. Both are common targets of bad actors and malicious users who upload PHP code and attempt to execute it. <\/li>
- Denial of Service (DOS) and Distributed Denial of Service (DDoS) attacks: <\/strong>Bad actors bombard sites and networks with requests and data, consuming resources, degrading performance, and potentially taking them offline. WordPress includes a system called XML-RPC, which is often used in denial of service attacks. <\/li>