Enterprise Security
WordPress is a target. Learn to secure it properly.
Key Concepts
- Headers: CSP, X-Frame-Options.
- File Permissions: Read-only filesystem in production.
- XML-RPC: Disabling legacy attack vectors.
1. Disable File Editing
Prevent administrators from editing theme and plugin PHP files from the dashboard, so a compromised admin account cannot drop code onto the server through the editor. Bedrock does this by default.
define('DISALLOW_FILE_EDIT', true); // removes the Theme/Plugin File Editor screens from wp-admin
2. Disable XML-RPC
XML-RPC is a common target for brute-force attacks. Disable it if nothing depends on it (the WordPress mobile apps and Jetpack, for example, still use it).
add_filter('xmlrpc_enabled', '__return_false'); // xmlrpc.php still answers, but every method call is refused
3. Content Security Policy (CSP)
Restrict where scripts and styles can load from using HTTP headers.
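An added example, not code from the page or from Bedrock, of sending these headers from a must-use plugin. It assumes PHP 7.4+ and WordPress 5.5+ (for `wp_get_environment_type()`); the file path and the CDN hostname are placeholders. The `send_headers` action fires for front-end requests, so wp-admin, which relies on inline scripts, is not affected by the policy.

```php
<?php
/**
 * Hypothetical mu-plugin, e.g. web/app/mu-plugins/security-headers.php in a
 * Bedrock tree (path is an assumption). Sends a CSP plus X-Frame-Options and
 * X-Content-Type-Options on every front-end response.
 */
add_action('send_headers', function () {
    // Allowlist per directive. The CDN host is a constructed placeholder;
    // replace it with the origins this site actually loads assets from.
    $policy = [
        'default-src'     => ["'self'"],
        'script-src'      => ["'self'", 'https://cdn.example.com'],
        'style-src'       => ["'self'", "'unsafe-inline'"], // most themes inline styles
        'img-src'         => ["'self'", 'data:', 'https:'],
        'font-src'        => ["'self'", 'data:'],
        'connect-src'     => ["'self'"],
        'object-src'      => ["'none'"],
        'base-uri'        => ["'self'"],
        'form-action'     => ["'self'"],
        'frame-ancestors' => ["'none'"], // CSP counterpart of X-Frame-Options: DENY
    ];

    // Serialise the array into "directive src src; directive src" form.
    $value = implode('; ', array_map(
        fn ($directive, $sources) => $directive . ' ' . implode(' ', $sources),
        array_keys($policy),
        $policy
    ));

    // Outside production, ship the policy as Report-Only: violations are logged
    // in the browser console without breaking pages while the allowlist is tuned.
    $header = wp_get_environment_type() === 'production'
        ? 'Content-Security-Policy'
        : 'Content-Security-Policy-Report-Only';

    header($header . ': ' . $value);
    header('X-Frame-Options: DENY');            // legacy browsers without frame-ancestors support
    header('X-Content-Type-Options: nosniff');  // stop MIME sniffing of uploads
    header('Referrer-Policy: strict-origin-when-cross-origin');
});
```

Check the result with a request against the front page and confirm the headers are present before switching the environment to production.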
4. Nonces
Always use nonces to protect URLs and forms from CSRF attacks.
$nonce = wp_create_nonce('my_action'); // embed in the form (hidden field) or URL being protected
check_admin_referer('my_action'); // in the handler: stops execution if the nonce is missing, expired or invalid
5. Sanitization & Escaping
Never trust user input. Sanitize on save, escape on output.
$clean = sanitize_text_field(wp_unslash($_POST['data'] ?? '')); // sanitize on save: undo WP's added slashes, strip tags, normalise whitespace
echo esc_html($clean); // escape on output, matching the context (esc_attr() for attributes, esc_url() for URLs)
6. Limit Login Attempts
Install a plugin or use a WAF to block IPs that fail login too many times.
7. Two-Factor Authentication (2FA)
Enforce 2FA for all administrator accounts.
8. Database Prefix
Change the default `wp_` prefix to something random during installation (handled by Bedrock env).
9. Salt Keys
Ensure your `SALT` keys in `.env` are unique and random. Rotate them periodically; rotating them invalidates every existing login cookie, so all users are signed out.
10. Web Application Firewall (WAF)
Use Cloudflare or AWS WAF to block malicious traffic before it reaches your server.