Adding Custom Security Features

This guide demonstrates how to implement essential security features in your DigiFusion child theme to harden your WordPress installation against common vulnerabilities and attacks.

Hide WordPress Version Information

Remove version information that could help attackers identify potential vulnerabilities.

Add this code to your child theme’s functions.php:

/**
 * Replaces the generator string WordPress prints in the document head and in feeds.
 *
 * Hooked to the `the_generator` filter. Hiding the version is a low-value
 * step on its own: core can still be fingerprinted from other artifacts, so
 * keeping core, themes and plugins patched remains the actual control.
 *
 * @return string Always an empty string, so no generator tag is emitted.
 */
function digifusion_remove_version(): string {
    return '';
}
add_filter( 'the_generator', 'digifusion_remove_version' );

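/**
 * Strips the `ver` query argument from enqueued script and style URLs.
 *
 * Hooked to `style_loader_src` and `script_loader_src`. The `ver` value is
 * normally the WordPress or plugin version, so removing it hides that
 * fingerprint. Trade-off: `ver` is also the cache-busting key, so browsers
 * and CDNs may keep serving stale assets after an update until their caches
 * expire; provide your own cache-busting if that matters to you.
 *
 * @param string $src Asset URL as built by WP_Scripts / WP_Styles.
 * @return string The URL without its `ver` argument, or the input unchanged
 *                when no `ver=` is present (or the input is not a string).
 */
function digifusion_remove_version_scripts_styles( $src ) {
    // strpos() returns 0 for a match at offset 0; a bare truthy check would
    // treat that as "not found", so compare against false explicitly.
    if ( ! is_string( $src ) || false === strpos( $src, 'ver=' ) ) {
        return $src;
    }
    return remove_query_arg( 'ver', $src );
}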
// Priority 9999 so the callback runs after any plugin that appends its own
// `ver` argument to the URL at a lower priority.
add_filter( 'style_loader_src', 'digifusion_remove_version_scripts_styles', 9999 );
add_filter( 'script_loader_src', 'digifusion_remove_version_scripts_styles', 9999 );

Disable XML-RPC

Prevent XML-RPC attacks by completely disabling the functionality.

// Disable XML-RPC
// `xmlrpc_enabled` switches off the XML-RPC methods that require
// authentication (the credential-guessing surface). Methods that need no
// login, such as pingback.ping, are not covered by it, which is why the
// pingback method is removed separately below. xmlrpc.php itself still
// answers requests; blocking the path at the web server is the complete option.
add_filter( 'xmlrpc_enabled', '__return_false' );

/**
 * Drops the `pingback.ping` method from the XML-RPC method table.
 *
 * Hooked to `xmlrpc_methods`. pingback.ping needs no authentication, so the
 * `xmlrpc_enabled` filter leaves it reachable; unregistering it removes the
 * surface used for pingback reflection abuse.
 *
 * @param array $methods Method name => callback map exposed by the XML-RPC server.
 * @return array The same map, keys and order preserved, without `pingback.ping`.
 */
function digifusion_remove_xmlrpc_pingback_ping( $methods ) {
    return array_diff_key( $methods, array( 'pingback.ping' => true ) );
}
add_filter( 'xmlrpc_methods', 'digifusion_remove_xmlrpc_pingback_ping' );

/**
 * Removes the `X-Pingback` response header that advertises the XML-RPC endpoint.
 *
 * Hooked to `wp_headers`. This only hides the advertisement; the endpoint
 * itself is handled by the XML-RPC filters above.
 *
 * @param array $headers Header name => value map WordPress is about to send.
 * @return array The same map without the `X-Pingback` entry (case-sensitive key).
 */
function digifusion_remove_x_pingback( $headers ) {
    return array_diff_key( $headers, array( 'X-Pingback' => true ) );
}
add_filter( 'wp_headers', 'digifusion_remove_x_pingback' );

Add Security Headers

Implement important security headers to protect against various attacks.

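/**
 * Sends a baseline set of browser hardening headers on front-end responses.
 *
 * Hooked to `send_headers`, which WordPress fires from wp() for front-end
 * requests; wp-admin already sends its own `X-Frame-Options: SAMEORIGIN`
 * via core's `send_frame_options_header()`, so the `is_admin()` guard is
 * only a belt-and-braces check.
 *
 * Caveats before copying this verbatim:
 * - `X-XSS-Protection` is ignored by current browsers, and current guidance
 *   (e.g. OWASP) is to send `0` or omit it; a Content-Security-Policy is the
 *   modern replacement and is deliberately not set here because a working
 *   policy depends on the site's own scripts and styles.
 * - `Strict-Transport-Security` is not set; add it only once every host and
 *   subdomain you include is served over HTTPS.
 * - A reverse proxy or CDN may add or override these headers; verify the
 *   final response from outside the server.
 *
 * @return void
 */
function digifusion_add_security_headers() {
    // header() emits a warning once output has begun; bail instead of
    // logging noise on every request that hits that condition.
    if ( is_admin() || headers_sent() ) {
        return;
    }

    $headers = array(
        'X-Frame-Options'        => 'SAMEORIGIN',
        'X-Content-Type-Options' => 'nosniff',
        'X-XSS-Protection'       => '1; mode=block',
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
        'Permissions-Policy'     => 'camera=(), microphone=(), geolocation=()',
    );
    foreach ( $headers as $name => $value ) {
        header( $name . ': ' . $value );
    }
}
add_action( 'send_headers', 'digifusion_add_security_headers' );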

Disable User Enumeration

Prevent attackers from discovering usernames through author archives and REST API.

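/**
 * Blocks author archive requests from visitors who cannot edit posts.
 *
 * Author archives (`/author/<nicename>/`, `/?author=<id>`) reveal account
 * names. Hooked to `template_redirect` at priority 1 so it runs before
 * core's `redirect_canonical()` (registered on the same hook at priority 10),
 * which would otherwise answer `/?author=1` with a 301 to
 * `/author/<nicename>/` and leak the name in the Location header before this
 * check ever ran.
 *
 * Not covered here and worth handling separately: the users sitemap
 * (`wp-sitemap-users-1.xml`), oEmbed `author_name`, and the wording of
 * failed-login errors, all of which can expose the same names.
 *
 * @return void
 */
function digifusion_disable_author_archives() {
    if ( ! is_author() || current_user_can( 'edit_posts' ) ) {
        return;
    }
    // wp_safe_redirect() only follows hosts on the allowed list, so a later
    // edit that builds the target from request data cannot become an open redirect.
    wp_safe_redirect( home_url() );
    exit;
}
add_action( 'template_redirect', 'digifusion_disable_author_archives', 1 );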

/**
 * Strips the `author` field from REST responses for posts and pages.
 *
 * Hooked to `rest_prepare_post` and `rest_prepare_page`. Other post types,
 * revisions and the comments endpoint are not filtered here, and the
 * `_links` entry pointing at the author is left in place.
 *
 * @param WP_REST_Response $response Response whose `data` array is edited in place.
 * @param WP_Post          $post     Unused; kept for the filter signature.
 * @param WP_REST_Request  $request  Unused; kept for the filter signature.
 * @return WP_REST_Response The same response object, without `data['author']`.
 */
function digifusion_remove_author_from_rest( $response, $post, $request ) {
    if ( ! isset( $response->data['author'] ) ) {
        return $response;
    }
    unset( $response->data['author'] );
    return $response;
}
// Accepted-args count of 3 is required so the callback receives $post and
// $request in addition to the response.
add_filter( 'rest_prepare_post', 'digifusion_remove_author_from_rest', 10, 3 );
add_filter( 'rest_prepare_page', 'digifusion_remove_author_from_rest', 10, 3 );

/**
 * Hides the users collection and single-user routes from anonymous REST clients.
 *
 * Hooked to `rest_endpoints`. Removing the routes makes anonymous requests
 * fail with a `rest_no_route` 404 rather than a 401, so the response does not
 * distinguish "exists but protected" from "absent". `/wp/v2/users/me` is
 * left alone because it already requires authentication.
 *
 * @param array $endpoints Route pattern => handler list as registered with the REST server.
 * @return array The routes, minus the two user routes when no user is logged in.
 */
function digifusion_disable_rest_endpoints( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    $hidden_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );
    foreach ( $hidden_routes as $route ) {
        // unset() on a missing key is a no-op, so no isset() guard is needed.
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'digifusion_disable_rest_endpoints' );

Limit Login Attempts

Implement basic login attempt limiting to prevent brute force attacks.

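/**
 * Builds the transient key for a username's failure counter.
 *
 * The name is trimmed and lower-cased (WordPress looks logins up with the
 * database's default case-insensitive collation, so "Admin" and "admin" must
 * share one counter or the limit can be sidestepped by varying case) and then
 * hashed, so the key is fixed-length and free of characters an object-cache
 * backend might reject. md5 here is key derivation only, not a secrecy control.
 *
 * @param string $username Login name as typed into the form.
 * @return string Transient name.
 */
function digifusion_login_attempt_key( $username ) {
    return 'attempted_login_' . md5( strtolower( trim( (string) $username ) ) );
}

/**
 * Rejects a login once a username has accumulated three failures in five minutes.
 *
 * Runs on `authenticate` at priority 30, i.e. after core's password check, so
 * the lockout holds even when the correct password is supplied during the
 * window.
 *
 * Limits to be aware of: the counter is keyed by username only, so anyone who
 * knows an account name can keep it locked for five minutes at a time (pair
 * this with source-based rate limiting at the web server or CDN); logging in
 * with the account's e-mail address uses a different counter than the login
 * name; and the counter lives in a transient, so it is only as shared as the
 * transient storage is.
 *
 * @param WP_User|WP_Error|null $user     Result of the earlier authenticate callbacks.
 * @param string                $username Login name or e-mail as typed into the form.
 * @param string                $password Unused; kept for the filter signature.
 * @return WP_User|WP_Error|null $user unchanged, or a `too_many_tried` WP_Error.
 */
function digifusion_check_attempted_login( $user, $username, $password ) {
    $key   = digifusion_login_attempt_key( $username );
    $datas = get_transient( $key );

    if ( ! is_array( $datas ) || empty( $datas['tried'] ) || $datas['tried'] < 3 ) {
        return $user;
    }

    // Prefer the expiry stored alongside the counter. The `_transient_timeout_`
    // option only exists when transients live in the options table; with a
    // persistent object cache it is absent and the fallback would yield 0.
    if ( isset( $datas['until'] ) ) {
        $until = (int) $datas['until'];
    } else {
        $until = (int) get_option( '_transient_timeout_' . $key );
    }
    $time = digifusion_time_to_go( $until );

    return new WP_Error( 'too_many_tried', sprintf( __( 'Too many failed attempts. Please try again in %s.' ), $time ) );
}
add_filter( 'authenticate', 'digifusion_check_attempted_login', 30, 3 );

/**
 * Records a failed login attempt against the normalised username.
 *
 * Hooked to `wp_login_failed`. Each of the first three failures (re)starts a
 * 300-second window; later failures do not extend it, so the lockout ends
 * five minutes after the third failure. The window end is stored with the
 * counter so `digifusion_check_attempted_login()` can report it regardless
 * of where transients are stored.
 *
 * @param string $username Login name or e-mail as typed into the form.
 * @return void
 */
function digifusion_login_failed( $username ) {
    $key    = digifusion_login_attempt_key( $username );
    $window = 300; // seconds
    $datas  = get_transient( $key );

    if ( ! is_array( $datas ) || empty( $datas['tried'] ) ) {
        $datas = array( 'tried' => 0 );
    }
    $datas['tried']++;

    // Beyond the limit the stored counter is left as-is (same as the original
    // behaviour), so the window is not extended by continued attempts.
    if ( $datas['tried'] <= 3 ) {
        $datas['until'] = time() + $window;
        set_transient( $key, $datas, $window );
    }
}
add_action( 'wp_login_failed', 'digifusion_login_failed', 10, 1 );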

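/**
 * Formats the time left until a lockout expires, in whole minutes.
 *
 * @param int|string|false $timestamp Unix timestamp of the expiry; false or 0
 *                                    when the expiry could not be determined.
 * @return string Translated "%d minutes" string, never less than one minute.
 */
function digifusion_time_to_go( $timestamp ) {
    $seconds = (int) $timestamp - time();
    // Never report zero or negative minutes: a missing or stale expiry (for
    // example when a persistent object cache hides the timeout option) would
    // otherwise produce a message like "-5 minutes".
    $minutes = max( 1, (int) ceil( $seconds / 60 ) );
    return sprintf( __( '%d minutes' ), $minutes );
}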

Disable File Editing

Prevent code editing through the WordPress admin interface.

// Disable file editing in admin
// Removes the theme and plugin code editors from wp-admin. A value already
// set in wp-config.php (either true or false) stays authoritative; defining
// it there is also the usual choice, since a theme-level define stops
// applying the moment another theme is activated.
defined( 'DISALLOW_FILE_EDIT' ) || define( 'DISALLOW_FILE_EDIT', true );

Remove Unnecessary Features

Disable features that aren’t commonly used but could present security risks.

/**
 * Unhooks head/admin output that advertises or enables features this site does not use.
 *
 * Hooked to `init`, which runs before any of the target hooks fire. The RSD
 * link points at xmlrpc.php and the WLW manifest at an editing API, so their
 * removal is information-disclosure trimming; the rest is mostly cleanup.
 * remove_action() on a callback core no longer registers is a harmless no-op.
 *
 * @return void
 */
function digifusion_remove_unnecessary_features() {
    // Each entry is [hook, callback, priority]; the priority must match the
    // one core registered with or remove_action() silently does nothing.
    $removals = array(
        array( 'wp_head', 'wlwmanifest_link', 10 ),                 // Windows Live Writer support
        array( 'wp_head', 'rsd_link', 10 ),                         // RSD link
        array( 'wp_head', 'wp_shortlink_wp_head', 10 ),             // shortlink
        array( 'wp_head', 'adjacent_posts_rel_link_wp_head', 10 ),  // adjacent posts links
        array( 'wp_head', 'print_emoji_detection_script', 7 ),      // emoji scripts (core uses priority 7 here)
        array( 'wp_print_styles', 'print_emoji_styles', 10 ),
        array( 'admin_print_scripts', 'print_emoji_detection_script', 10 ),
        array( 'admin_print_styles', 'print_emoji_styles', 10 ),
    );
    foreach ( $removals as $removal ) {
        remove_action( $removal[0], $removal[1], $removal[2] );
    }
}
add_action( 'init', 'digifusion_remove_unnecessary_features' );

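/**
 * Removes links to this site from the list of URLs WordPress is about to ping.
 *
 * Despite the original comment, this does not disable pingbacks: it only
 * stops the site pinging itself when a post links to another post on the
 * same site. Outgoing pings to other sites still go out (use the Discussion
 * setting "Attempt to notify any blogs linked to from the post" for that),
 * and incoming pingbacks are governed by the XML-RPC changes above.
 *
 * @param array $links Link URLs found in the post content; `pre_ping` passes
 *                     the array by reference and it is modified in place.
 * @return void
 */
function digifusion_disable_pingbacks( &$links ) {
    // Loop-invariant: read the home URL once rather than once per link.
    $home = get_option( 'home' );
    foreach ( $links as $index => $link ) {
        if ( 0 === strpos( $link, $home ) ) {
            unset( $links[ $index ] );
        }
    }
}
add_action( 'pre_ping', 'digifusion_disable_pingbacks' );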

Hide Admin Bar for Subscribers

Remove the admin bar for users who don’t need it.

/**
 * Hides the front-end admin bar from users who cannot edit posts.
 *
 * Hooked to `wp_loaded`. This is a presentation tweak, not an access
 * control: a subscriber can still reach wp-admin directly, and their
 * capabilities are unchanged.
 *
 * @return void
 */
function digifusion_hide_admin_bar() {
    if ( current_user_can( 'edit_posts' ) ) {
        return;
    }
    show_admin_bar( false );
}
add_action( 'wp_loaded', 'digifusion_hide_admin_bar' );

Secure wp-config.php

Add these constants to your wp-config.php file for additional security:

// All of these must sit above the "That's all, stop editing!" line in
// wp-config.php so they are defined before wp-settings.php loads.

// Force SSL for admin and login
// Requires the site to already be reachable over HTTPS; behind a
// TLS-terminating proxy, $_SERVER['HTTPS'] must also be set from the
// proxy's header or the login page will redirect in a loop.
define( 'FORCE_SSL_ADMIN', true );

// Disable file modifications
// Removes plugin/theme installation and updates from wp-admin. Core's
// automatic updater also checks this (wp_is_file_mod_allowed()), so while
// this is true the WP_AUTO_UPDATE_CORE line below has no effect and security
// releases must be applied through your deployment process or WP-CLI.
define( 'DISALLOW_FILE_MODS', true );

// Set automatic updates
// 'minor' (security and maintenance releases) is also the default; see the
// DISALLOW_FILE_MODS note above.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Increase memory limit
// Not a security setting; included here as a general configuration value.
define( 'WP_MEMORY_LIMIT', '256M' );

// Set proper file permissions
// Used by the WordPress filesystem API when it creates files or directories;
// existing files are not re-chmodded. Masking with ~umask() follows the
// WordPress documentation for these constants.
define( 'FS_CHMOD_DIR', ( 0755 & ~ umask() ) );
define( 'FS_CHMOD_FILE', ( 0644 & ~ umask() ) );

These security features provide a solid foundation for protecting your DigiFusion-based WordPress site. Remember to test each implementation on a staging environment before applying it to your live site.