[WordPress] Plugin share: Security Hardener

100+ active installations
No ratings yet
Last updated 10 days ago
Support issues resolved
WordPress 6.9+ PHP 8.2+ v2.2.0 Listed: 2025-11-02

Overview

Security Hardener is a plugin designed to strengthen WordPress security. It is configured according to WordPress best practices and widely accepted security measures, and keeps the site secure without modifying core files.

[Key Features]
• Disable the file editor in the WordPress dashboard
• Disable XML-RPC completely
• Block self-pingbacks and incoming pingbacks
• Block user enumeration queries, returning 404
• Harden login with generic error messages
• Hide WordPress version information


⬇ Download the latest version (v2.2.0), or install by searching

① Download the ZIP → Dashboard "Plugins › Add New Plugin › Upload Plugin"
② Search for "Security Hardener" in the dashboard → install directly (recommended)

Original plugin description

Security Hardener applies WordPress security best practices based on the WordPress Advanced Administration / Security / Hardening documentation and widely accepted hardening measures. It uses WordPress core functions and follows best practices without modifying core files.
Key Features
File Security:
* Disable file editor in WordPress admin
* Optionally disable all file modifications (blocks updates – use with caution)
XML-RPC Protection:
* Disable XML-RPC completely (enabled by default)
* Remove pingback methods when XML-RPC is enabled
Pingback Protection:
* Disable self-pingbacks
* Remove X-Pingback header
* Block incoming pingbacks
User Enumeration Protection:
* Block /?author=N queries (returns 404)
* Secure REST API user endpoints (require authentication)
* Remove users from XML sitemaps
* Prevent canonical redirects that expose usernames
* Optionally block author feed pages (/author/username/feed/)
Login Security:
* Generic error messages (no username/password hints)
* Login honeypot — silently blocks bots before any credential check
* IP-based rate limiting with configurable thresholds
* Security event logging (last 100 events)
* Automatic blocking after failed attempts
Security Headers:
* X-Frame-Options: SAMEORIGIN (clickjacking protection)
* X-Content-Type-Options: nosniff (MIME sniffing protection)
* Referrer-Policy: strict-origin-when-cross-origin
* Permissions-Policy (restricts geolocation, microphone, camera)
* Optional HSTS (HTTP Strict Transport Security) for HTTPS sites — max-age set to 1 year
Additional Hardening:
* Hide WordPress version (meta generator tag and asset query strings)
* Remove obsolete wp_head items (RSD, WLW manifest, shortlink, emoji scripts)
* Security event logging system
* Optionally disable Application Passwords for API authentication
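The plugin states that it relies on WordPress core functions rather than core-file edits. As an added illustration (not the Security Hardener plugin's own code), the must-use plugin below shows how several of the listed measures map onto standard WordPress hooks; it assumes placement in wp-content/mu-plugins/ and leaves out the rate limiting, honeypot and event log, which need their own state handling.

```php
<?php
/**
 * Plugin Name: Hardening Example (illustration only, not the Security Hardener plugin's code)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */
defined('ABSPATH') || exit;

// File Security: disable the theme/plugin editor (same effect as the wp-config.php constant).
defined('DISALLOW_FILE_EDIT') || define('DISALLOW_FILE_EDIT', true);

// XML-RPC and Pingback Protection: refuse XML-RPC entirely and close pingbacks on all posts.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('pings_open', '__return_false');

// Security Headers: wp_headers is the header array WordPress sends on front-end requests.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);                      // drop the pingback discovery header
    $headers['X-Frame-Options']        = 'SAMEORIGIN';
    $headers['X-Content-Type-Options'] = 'nosniff';
    $headers['Referrer-Policy']        = 'strict-origin-when-cross-origin';
    $headers['Permissions-Policy']     = 'geolocation=(), microphone=(), camera=()';
    if (is_ssl()) {                                     // HSTS only over HTTPS; max-age of one year
        $headers['Strict-Transport-Security'] = 'max-age=31536000';
    }
    return $headers;
});

// User Enumeration Protection: answer ?author=N with 404 on init, before redirect_canonical
// could turn it into a /author/username/ redirect that reveals the login name.
add_action('init', function (): void {
    if (!is_admin() && isset($_GET['author']) && ctype_digit((string) $_GET['author'])) {
        nocache_headers();
        wp_die('Not found', 'Not found', ['response' => 404]);
    }
});
// The REST users endpoints are only registered for authenticated requests.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// Login Security: one generic message whichever credential was wrong.
add_filter('login_errors', fn (): string => 'Invalid login credentials.');

// Additional Hardening: no version meta tag and no obsolete discovery links in wp_head.
remove_action('wp_head', 'wp_generator');
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');
remove_action('wp_head', 'wp_shortlink_wp_head');
```

Verify each measure after deploying: `curl -sI https://example.test/` should show the new headers and no X-Pingback, and `?author=1` should return 404 rather than a 301 to the author archive.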

⚠️ Important: Always test security settings in a staging environment first. Some features may affect third-party integrations or plugins.

Privacy: This plugin does not send data to external services and does not create custom database tables. It stores plugin settings and a security event log in the WordPress options table, and uses transients for temporary login attempt tracking. All data is preserved on uninstall by default and only deleted if the “Delete all data on uninstall” option is explicitly enabled.
