Yes. This will be a bit of a rant about WordPress.
Don’t get me wrong. I love and adore WordPress. Hell, I live WordPress. But there are just some things I really don’t like about it (at least from a security perspective).
Most of my major issues are with the default settings of a clean install of WordPress. I’m talking about features such as the XML-RPC protocol, author pages, file editing in the backend (on themes, plugins and core files).
Let’s take “author pages” as an example. I know from experience that this feature is used by only a fairly small number of sites running WordPress.
However, when author pages are active, it’s easy to derive the usernames. That leaves an attacker with nothing but the password to guess before they’re inside your backend.
If you’d like to see the impact, just add “/?author=1” behind your domain name in the address bar. If author pages are active, it’ll redirect to a URL that contains something like “/author/username”. And this “username” is actually the one you use to log into your wp-admin backend.
And yes, I know there are plugins that can block this for you (such as https://nl-be.wordpress.org/plugins/disable-author-pages/ and several security plugins that offer it as an option), but that’s not my point.
The thing is that these settings are active by default, without an option in the WordPress backend to easily disable them.
Let’s make these functions an “opt-in” functionality. Let them be disabled by default and let’s make it possible to enable them if this is really needed for a specific website. This would make a huge number of WordPress sites that little bit more secure.
I’ve decided I won’t sit back, and I’ve already started working on a security plugin that will disable all of these features and create an “opt-in” menu under “Settings” in the WordPress backend. More on that soon!
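To show what “disabled by default, opt-in when needed” looks like in practice, here is a small plugin that switches off the three features discussed above (XML-RPC, author pages, backend file editing) using WordPress’s own hooks. It is an added illustration written for this post, not the plugin mentioned above or any WordPress core code; the option name `hardened_defaults_allow` and the helper `hd_feature_allowed()` are made up for the example, and the Settings screen that would write that option is not included here.

```php
<?php
/**
 * Plugin Name: Hardened Defaults (illustrative example)
 * Description: Turns XML-RPC, author archives and the backend file editor
 *              into opt-in features. Drop into wp-content/plugins/ and activate.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Opt-in gate. Assumed option layout (not a WordPress core option):
 *   update_option( 'hardened_defaults_allow', array( 'xmlrpc' => true ) );
 * Anything not explicitly enabled stays off.
 */
function hd_feature_allowed( $feature ) {
    $allowed = get_option( 'hardened_defaults_allow', array() );
    return is_array( $allowed ) && ! empty( $allowed[ $feature ] );
}

// 1. XML-RPC: refuse the authenticated XML-RPC methods (login brute-force
//    and pingback abuse both go through this endpoint) and stop advertising it.
if ( ! hd_feature_allowed( 'xmlrpc' ) ) {
    add_filter( 'xmlrpc_enabled', '__return_false' );
    remove_action( 'wp_head', 'rsd_link' );                 // <link rel="EditURI"> in <head>
    add_filter( 'wp_headers', function ( $headers ) {       // X-Pingback response header
        unset( $headers['X-Pingback'] );
        return $headers;
    } );
}

// 2. Author pages: the leak described above is the canonical redirect from
//    /?author=1 to /author/<login>/. Suppress that redirect and answer any
//    author archive request with a plain 404 instead.
if ( ! hd_feature_allowed( 'author_pages' ) ) {
    add_filter( 'redirect_canonical', function ( $redirect_url ) {
        return is_author() ? false : $redirect_url;
    } );
    add_action( 'template_redirect', function () {
        if ( is_author() ) {
            global $wp_query;
            $wp_query->set_404();
            status_header( 404 );
            nocache_headers();
        }
    } );
}

// 3. Theme/plugin editor: DISALLOW_FILE_EDIT removes the editor screens and
//    the edit_themes/edit_plugins capabilities. wp-config.php is the usual
//    place for it; defining it here works because plugins load before the
//    admin menu is built.
if ( ! hd_feature_allowed( 'file_edit' ) && ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

After activating, repeat the check from above: request `/?author=1` and confirm the response is a 404 with no `Location` header pointing at `/author/…/`, and request `/xmlrpc.php` with a `wp.getUsersBlogs` call and confirm it is refused. Keep in mind that the author-page block only closes this one enumeration route; it does not stop an attacker who already knows a username, so strong passwords and login rate limiting still matter.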