fotske (@fotske) [Resolved]


    Hi,

    I have Wordfence installed on my WordPress website and I would like to know if the following “security best practices” have to be implemented on top of Wordfence to increase the security of my website (or not):

    1) Disallow file editing within WordPress by adding the following line into the wp-config.php file:
    define( 'DISALLOW_FILE_EDIT', true );

    2) Hide PHP Warnings and Notices in WordPress by adding the following lines into the wp-config.php file:
    define( 'WP_DEBUG', false );
    define( 'WP_DEBUG_DISPLAY', false );

    3) Hide the WordPress login error by adding the following code into the functions.php file of the theme:
    function hide_wordpress_errors() {
        return 'Something has gone wrong!';
    }
    add_filter( 'login_errors', 'hide_wordpress_errors' );

    Thank you very much in advance.

Ambyomoron (@josiah-s-carberry)

    I, for one, believe that those changes do indeed harden sites – at least a little.

    define( 'DISALLOW_FILE_EDIT', true ); might be more useful to limit inadvertent errors, or employee sabotage, than to fend off external attacks.

    
    define( 'WP_DEBUG', false );
    define( 'WP_DEBUG_DISPLAY', false );

    will help avoid providing visitors with information about potential attack vectors.

    add_filter( 'login_errors', 'hide_wordpress_errors' ); will make it harder for an attacker to understand what is wrong with login credentials and thus make it slightly harder to find the right credentials.

    In short, they are very cheap, low maintenance ways of providing a tiny bit more security.

wfasa (@wfasa)

    Hi @fotske,
    It’s not possible to give a blanket statement here because it will depend on how you’re using your site.

    DISALLOW_FILE_EDIT
    Could stop an admin from editing files they shouldn't be editing, but an admin can just as well install a plugin containing malicious code, so it doesn't stop a hacker from owning your site. You'd need DISALLOW_FILE_MOD to stop that, but then you'd be in a situation where all plugins need to be auto-updated or manually updated. Could be inconvenient, but it depends on how you are using your site.

    WP_DEBUG
    If you have PHP error logging enabled on the server already, you usually don’t need WP_DEBUG so it can be disabled. However, if you don’t have PHP error logs available, I’d recommend keeping WP_DEBUG on and keep it to log PHP errors. Else it’s near impossible to figure out what happened if your site crashes one day.

    Hide the WordPress login error
    The vast majority of brute force attackers don’t check or care about error messages. It’s just not worth their time. It’s faster to just keep trying a few hundred or thousand times on each site. If nobody but you will be logging in and you see zero problems with this for yourself, then it won’t hurt. However, if you have a shop or something where lots of people will be logging in, it could cause trouble for your customers and thus would not be worth implementing.

    To sum up: It’s your call, depending on what’s reasonable for your site specifically.

    Hope that helps!
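The three settings from the opening post, combined with the adjustments suggested in the reply above (DISALLOW_FILE_MOD as the stronger option, and logging PHP errors to a file instead of switching debugging off entirely), as one worked configuration. This is an added example, not code from the thread or from Wordfence. The log path /var/log/wordpress/debug.log and the mu-plugin filename hide-login-errors.php are assumptions for illustration; the WP_DEBUG_LOG path form requires WordPress 5.1 or later.

```php
<?php
// ---------------------------------------------------------------------------
// File 1: wp-config.php (added example). Put these lines above the
// "That's all, stop editing!" comment so they are defined before wp-settings.php
// runs; WP_DEBUG is read too early for a plugin to set it.
// ---------------------------------------------------------------------------

// 1) Remove the theme/plugin file editor from wp-admin.
define( 'DISALLOW_FILE_EDIT', true );

// Stronger option from the reply above: also block plugin, theme and core
// installs/updates through the dashboard. Leave this commented out unless
// updates happen another way (WP-CLI, a deployment pipeline), otherwise the
// site silently stops receiving updates from wp-admin.
// define( 'DISALLOW_FILE_MOD', true );

// 2) Keep PHP errors off the page but still recorded. WP_DEBUG_DISPLAY false
// stops warnings and notices from reaching visitors; WP_DEBUG_LOG keeps them
// in a file for when the site breaks. The default log location is
// wp-content/debug.log, which is often web-readable, so the path below
// (assumed for this example) points outside the document root.
// If the server already logs PHP errors, set WP_DEBUG to false instead.
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', '0' );

// ---------------------------------------------------------------------------
// File 2: wp-content/mu-plugins/hide-login-errors.php (added example).
// A must-use plugin survives theme switches, unlike the theme's functions.php.
// Note the callback has no leading space in its name; the original snippet's
// ' hide_wordpress_errors' would never be found by add_filter().
// ---------------------------------------------------------------------------

/**
 * Replace WordPress's specific login errors ("Unknown username",
 * "The password you entered for the username X is incorrect") with one
 * generic message, so the form does not confirm which usernames exist.
 *
 * @param string $error The HTML error message WordPress would have shown.
 * @return string
 */
function hide_wordpress_errors( $error ) {
    // Intentionally ignore $error so no detail leaks into the response.
    return 'Something has gone wrong with your login.';
}
add_filter( 'login_errors', 'hide_wordpress_errors' );
```

Keep the mu-plugin file out of the active theme so it is not lost when the theme is updated or replaced, and check that the assumed log directory exists and is writable by the PHP user before relying on WP_DEBUG_LOG.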

Thread Starter fotske (@fotske)

    Hi @wfasa,

    Thank you very much for your advice!

    Kind regards

The topic 'Security best practices to implement if Wordfence is installed?' is closed to new replies.