October 2024

Oct 6, 2024

Disable XML-RPC

XML-RPC is a system that allows you to post on your WordPress blog using popular weblog clients like Windows Live Writer. Technically, it’s a remote procedure call protocol that uses XML to encode its calls and HTTP as a transport mechanism.

If you are using the WordPress mobile app, want to make connections to services like IFTTT, or want to access and publish your blog remotely, you need XML-RPC enabled. Otherwise, it’s just another portal for hackers to target and exploit.

There have been security concerns with XML-RPC in the past, so we are entirely disabling this feature.

Disable File Manager

WordPress has a file editor built into the system. Anyone who gains access to your login information can use it to edit your plugin and theme files and inject malicious code. So, we are disabling the file manager if it hasn’t already been disabled.

Update old security keys

WordPress uses security keys to improve the encryption of information stored in user cookies, making it harder to crack passwords. A non-encrypted password like “username” or “WordPress” can be easily broken, but for a random, unpredictable, encrypted password such as “88a7da62429ba6ad3cb3c76a09641fc” it takes years to come up with the right combination. I update old security keys on a website every 60 days.
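One way to check the file-editor and security-key settings described above across many sites is to audit each `wp-config.php`. This is an added example, not code from the original post; the function names, the length threshold and the sample file are assumptions made for illustration.

```python
import re
# The eight key and salt constants WordPress reads from wp-config.php.
KEY_NAMES = [f"{p}_{s}" for s in ("KEY", "SALT")
             for p in ("AUTH", "SECURE_AUTH", "LOGGED_IN", "NONCE")]
PLACEHOLDER = "put your unique phrase here"  # value in wp-config-sample.php
MIN_LEN = 32  # minimum length accepted by this example (an assumption)

# Matches define( 'NAME', 'value' ); and define( 'NAME', true ); at line start,
# so // commented-out defines are skipped (block comments are not handled).
DEFINE_RE = re.compile(
    r"""^\s*define\s*\(\s*(['"])(?P<name>\w+)\1\s*,\s*
        (?:(['"])(?P<str>.*?)\3|(?P<bare>\w+))\s*\)\s*;""",
    re.VERBOSE | re.MULTILINE)

def parse_defines(text):
    # {constant: value}; bare tokens such as true are lowercased
    return {m["name"]: m["bare"].lower() if m["str"] is None else m["str"]
            for m in DEFINE_RE.finditer(text)}

def audit(text):
    """Return findings for the file-editor and security-key settings."""
    defines = parse_defines(text)
    findings, seen = [], {}
    if defines.get("DISALLOW_FILE_EDIT") not in ("true", "1"):
        findings.append("DISALLOW_FILE_EDIT: not true, file editor available")
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name}: not defined in this file")
        elif value == PLACEHOLDER:
            findings.append(f"{name}: still the sample placeholder")
        elif len(value) < MIN_LEN:
            findings.append(f"{name}: only {len(value)} characters")
        elif value in seen:
            findings.append(f"{name}: same value as {seen[value]}")
        else:
            seen[value] = name
    return findings

# Constructed sample input, not taken from any real site.
SAMPLE = """<?php
define( 'AUTH_KEY',        'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'wordpress' );
define( 'LOGGED_IN_KEY',   'CONSTRUCTED-sample-value-0123456789-abcdefghij' );
define( 'NONCE_KEY',       'CONSTRUCTED-sample-value-0123456789-abcdefghij' );
// define( 'DISALLOW_FILE_EDIT', true );
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty list from `audit()` means the file editor is disabled and all eight keys are set, distinct and past the length threshold; it says nothing about how long ago the keys were last changed.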

Website Backups

I inspect backups for every website each month to ensure backups are performing correctly.
