What does website hardening mean? Having a proper firewall to protect your WordPress website is a crucial way to keep it secure. However, there are many ways you can configure and customize that firewall to take security to the next level. Website hardening means exactly that.
You can set your own firewall rules and tweak settings here and there, for example by setting a custom WordPress login URL or blocking certain countries from accessing your site.
Hardening settings in the Patchstack app
In this article, we go over different website hardening methods that Patchstack offers.
Which website hardening features does Patchstack offer?
Patchstack covers all the basic website hardening settings, and the most essential of these will be turned on by default when you subscribe to the Patchstack Professional or Developer plan.
1. Block unwanted traffic by IP addresses or countries
IP blocking
You can prevent specific IP addresses from accessing your site. IP addresses can be blocked one by one, or as a group that shares a prefix (e.g. 127.0.0.*).
IP whitelisting
You can whitelist IP addresses that have previously been blocked.
Country blocking
Create a list of countries you would like to block traffic from. Read more about country blocking here.
Reverse country blocking
You can also create a list that only allows traffic from specific countries.
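To show what an IP block list with wildcard patterns like 127.0.0.* involves under the hood, here is an added example written as a small WordPress must-use plugin. It is not Patchstack's code; the block list, the proxy address and the plugin name are constructed sample values. The part a practitioner most often gets wrong is where the client address comes from: the example only trusts the X-Forwarded-For header when the request came from a known reverse proxy, because otherwise a blocked client could set the header to any address and walk past the list.

```php
<?php
/**
 * Plugin Name: Example IP block list
 *
 * Added illustration, not Patchstack's code. Drop the file into
 * wp-content/mu-plugins/ and it denies requests whose client IP matches one
 * of the patterns below. A "*" stands for one whole octet, so "198.51.100.*"
 * covers 198.51.100.0 to 198.51.100.255. The patterns and the proxy address
 * are constructed sample values.
 */

const EXAMPLE_BLOCKED_IPS   = ['203.0.113.7', '198.51.100.*'];
const EXAMPLE_TRUSTED_PROXY = '10.0.0.1'; // the only host whose X-Forwarded-For we believe

/** Turn "198.51.100.*" into an anchored regex; "*" matches exactly one octet. */
function example_ip_pattern_to_regex(string $pattern): string
{
    $octet   = '(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])';
    $escaped = preg_quote($pattern, '/');            // "." -> "\." and "*" -> "\*"
    return '/^' . str_replace('\*', $octet, $escaped) . '$/';
}

/** True when $ip is a valid IPv4 address matching any pattern in the list. */
function example_ip_is_blocked(string $ip, array $patterns): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false; // only IPv4 patterns are handled in this example
    }
    foreach ($patterns as $pattern) {
        if (preg_match(example_ip_pattern_to_regex($pattern), $ip) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Work out the client address. REMOTE_ADDR is set by the web server and cannot
 * be forged by the client; X-Forwarded-For is just a request header anyone can
 * send, so it is honoured only when the direct peer is the trusted proxy, and
 * only its last entry (the address that proxy itself saw) is used. Trusting the
 * header unconditionally would let a blocked client bypass the list.
 */
function example_client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ($remote === EXAMPLE_TRUSTED_PROXY && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return (string) end($hops);
    }
    return $remote;
}

if (function_exists('add_action')) { // only inside WordPress
    add_action('init', function () {
        if (example_ip_is_blocked(example_client_ip($_SERVER), EXAMPLE_BLOCKED_IPS)) {
            status_header(403);
            nocache_headers();
            exit('Access denied.');
        }
    }, 0);
}
```

A whitelist works the same way with the result inverted: match the allow list first and only fall through to the block list for addresses that are not on it. Country blocking needs a GeoIP database on top of this, which the example deliberately leaves out.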
2. Protect your registration and login functionality
Email registration blacklist
This is an easy way to block spam users from registering on your website. With this feature, you can block visitors who try to register with an email address containing certain phrases. For example, you can block all emails that contain "@badbot.com".
reCAPTCHA
Protect your WordPress forms by adding reCAPTCHA (v2 or v3) to built-in WordPress forms such as:
Post commenting form
Login form
Registration form
Password reset form
Login URL protection
You can block access to your default /wp-admin URL and set a custom login URL instead. You will still retain access to the /wp-admin URL: to whitelist your own IP address, simply visit the custom login page once. Read more about our login protection here.
Automatic IP ban for brute force attacks
A brute-force attack is one of the ways hackers can gain access to your WordPress admin account. It works by sending thousands of login requests to the login form, trying a different password each time. Our automatic brute-force IP ban feature blocks IP addresses that have failed to log in a certain number of times. This feature is enabled by default.
Logon hours
You can enable this feature to let people log in to your WordPress administration area only during certain times of the day. You simply set the start and end time between which logging in to wp-admin is allowed (for example, only during your office hours).
Two-factor authentication
It is always good to use 2FA to keep your account secure. Patchstack supports 2FA for the WordPress login, and you can use different authenticator apps on your phone or tablet with it. It is also possible to whitelist IP addresses from which 2FA is not required.
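The three controls above that need no external service (the registration blacklist, logon hours and the brute-force lockout) can all be built on hooks that WordPress core already provides. The following must-use plugin is an added example, not Patchstack's implementation; its blocked phrases, the 08:00 to 18:00 window, the five-attempt threshold and the 15-minute lockout are assumed sample values.

```php
<?php
/**
 * Plugin Name: Example login hardening
 *
 * Added illustration, not Patchstack's code. Implements three of the controls
 * described above with core WordPress hooks: an e-mail registration
 * blocklist, logon hours, and a per-IP lockout after repeated failed logins.
 * Every list, time window and threshold is an assumed sample value.
 */

const EXAMPLE_EMAIL_BLOCKLIST = ['@badbot.com', '+spam'];              // phrases to reject
const EXAMPLE_LOGIN_HOURS     = ['start' => '08:00', 'end' => '18:00']; // site-local time, 24h
const EXAMPLE_MAX_FAILURES    = 5;                                      // attempts before lockout
const EXAMPLE_LOCKOUT_SECONDS = 15 * 60;                                // how long the lockout lasts

/** True when the e-mail address contains any blocked phrase (case-insensitive). */
function example_email_is_blocked(string $email, array $blocklist): bool
{
    foreach ($blocklist as $phrase) {
        if (stripos($email, $phrase) !== false) {
            return true;
        }
    }
    return false;
}

/** True when $now ("HH:MM") is inside the window; windows may cross midnight (22:00-06:00). */
function example_within_login_hours(string $now, array $hours): bool
{
    ['start' => $start, 'end' => $end] = $hours;
    return $start <= $end
        ? ($now >= $start && $now <= $end)
        : ($now >= $start || $now <= $end);
}

/** Transient key holding the failure counter for one client address. */
function example_lockout_key(string $ip): string
{
    return 'example_login_failures_' . md5($ip);
}

if (function_exists('add_filter')) { // only inside WordPress

    // 1. Registration blocklist: adding an error makes wp-login.php?action=register refuse the account.
    add_filter('registration_errors', function (WP_Error $errors, string $login, string $email) {
        if (example_email_is_blocked($email, EXAMPLE_EMAIL_BLOCKLIST)) {
            $errors->add('blocked_email', 'Registration with this e-mail address is not allowed.');
        }
        return $errors;
    }, 10, 3);

    // 2. Count failed logins per IP. REMOTE_ADDR is only the real client when PHP
    //    faces the internet directly; behind a reverse proxy, resolve the address first.
    add_action('wp_login_failed', function () {
        $key = example_lockout_key($_SERVER['REMOTE_ADDR'] ?? '');
        set_transient($key, (int) get_transient($key) + 1, EXAMPLE_LOCKOUT_SECONDS);
    });

    // 3. wp_authenticate_user runs once the username is found but before the password
    //    is checked. Returning a WP_Error aborts the login, so locked-out clients and
    //    out-of-hours attempts never reach the password comparison.
    add_filter('wp_authenticate_user', function ($user) {
        $failures = (int) get_transient(example_lockout_key($_SERVER['REMOTE_ADDR'] ?? ''));
        if ($failures >= EXAMPLE_MAX_FAILURES) {
            return new WP_Error('locked_out', 'Too many failed logins. Try again later.');
        }
        if (!example_within_login_hours(current_time('H:i'), EXAMPLE_LOGIN_HOURS)) {
            return new WP_Error('outside_hours', 'Logins are only allowed during configured hours.');
        }
        return $user;
    });
}
```

Two things worth checking when you run something like this: the lockout counter keys on the client IP, so a site behind a CDN or load balancer must derive the real address from the proxy before counting, and the logon-hours check uses current_time(), which follows the timezone configured under Settings > General rather than the server's clock.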
3. Configure your .htaccess and other settings easily
Different .htaccess features
There are multiple settings that modify your .htaccess file, and you can write and apply .htaccess rules straight from the Patchstack App. Other settings Patchstack handles through .htaccess features are:
adding security headers
limiting access to default WordPress files (like readme.html, license.txt)
blocking access to debug.log file
disabling directory and file listing
forbidding proxy commenting
preventing image hotlinking
Disable the theme editor
This feature removes the possibility of admin users editing the raw theme files from the WordPress admin. It also protects you from automated attacks that abuse the theme editor once an admin session is compromised. This feature is enabled by default.
Hide information about your active WordPress core version
Patchstack removes the readme.html file and hides your WordPress version in the <meta> tags. This makes it harder to run targeted attacks against your active WordPress version. This feature is enabled by default.
Disable user enumeration
It is fairly easy to discover the usernames registered on a WordPress site. Once the usernames are known, hackers can run brute-force attacks against those accounts. Disabling user enumeration blocks access to that user data. This feature is enabled by default.
Block application passwords
Disables the application passwords feature introduced in WordPress 5.6. This feature is enabled by default.
Restrict XML-RPC access
You can restrict access to the xmlrpc.php file so that only authenticated users can use it. This feature is enabled by default.
Restrict WP REST API access
Restrict access to the WP REST API so that only authenticated users can use it.
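Most of the items in this section map onto a handful of WordPress constants, actions and filters. The must-use plugin below is an added example, not Patchstack's code, and covers both the security headers mentioned under the .htaccess features and the core toggles just listed. The header values are assumptions for a typical site; the file-level rules (directory listing, readme.html, debug.log, hotlinking) are web-server configuration and stay in .htaccess.

```php
<?php
/**
 * Plugin Name: Example core hardening
 *
 * Added illustration, not Patchstack's code. Applies the controls from this
 * section that can be done from PHP: security headers, hiding the core
 * version, disabling the theme editor, turning off application passwords,
 * blocking user enumeration and requiring a login for the REST API. Header
 * values are assumptions; file-level rules still belong in .htaccess.
 */

// Security headers on front-end responses (send_headers fires in WP::main()).
add_action('send_headers', function () {
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: SAMEORIGIN');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    header('Permissions-Policy: camera=(), microphone=(), geolocation=()');
    if (is_ssl()) { // only promise HSTS once the whole site is served over HTTPS
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }
});

// Hide the WordPress version from <meta name="generator"> and from feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Disable the theme and plugin file editors in wp-admin (same as setting it in wp-config.php).
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// Switch off application passwords (WordPress 5.6+).
add_filter('wp_is_application_passwords_available', '__return_false');

// User enumeration, part 1: /?author=N normally redirects to /author/<username>/,
// revealing the login name. Refuse it before redirect_canonical (priority 10) runs.
add_action('template_redirect', function () {
    if (isset($_GET['author'])) {
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
}, 1);

// User enumeration, part 2: hide the /wp/v2/users routes from anonymous REST clients.
// Kept separate so it still applies if you later drop the blanket REST rule below.
add_filter('rest_endpoints', function (array $endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// REST API: require an authenticated user for every request. This also blocks
// front-end plugins that call the REST API anonymously, so test before enabling.
add_filter('rest_authentication_errors', function ($result) {
    if ($result === true || is_wp_error($result)) {
        return $result; // another handler already decided
    }
    if (!is_user_logged_in()) {
        return new WP_Error('rest_not_logged_in', 'Authentication required.', ['status' => 401]);
    }
    return $result;
});

// XML-RPC: a stricter stand-in for "authenticated users only"; this rejects every
// XML-RPC method that needs a login (pingbacks are unaffected).
add_filter('xmlrpc_enabled', '__return_false');
```

After activating a file like this, confirm the effect from the outside the way a scanner would see it: the generator tag should be gone from the page source, /?author=1 should answer 403 instead of redirecting, and an anonymous request to /wp-json/wp/v2/users should return a 401 error body rather than a user list.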
Patchstack rocks at WordPress website hardening
As you can see, a lot more can be done just by customizing your firewall settings. Patchstack has the most critical settings turned on by default, but there are many more rules that can be modified and added to your WordPress website to take security even further.
We care about the best user experience and try to make difficult things simple for you, so most of these hardening settings can be configured with only a couple of mouse clicks.
If you have any questions about our hardening features, read our documentation or feel free to jump into the chat. Just click on the green chat bubble at the bottom right corner of this page!