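// ═══════════════════════════════════════════════════════
// IMAST SECURITY HARDENING
// ═══════════════════════════════════════════════════════
//
// Front-end hardening for a WordPress site. Every item hooks a core
// filter/action; nothing here changes the database. Notes on limits are
// inline — this is a reduction of attack surface, not a substitute for
// a WAF, HTTPS and strong credentials.

// 1. Disable XML-RPC completely.
//    xmlrpc_enabled only blocks the methods that need authentication, so the
//    method table is emptied too (this also removes pingback.ping, which is
//    otherwise usable for DDoS amplification and internal port scanning).
add_filter("xmlrpc_enabled", "__return_false");
add_filter("xmlrpc_methods", function() {
    return [];
});
// Core still advertises xmlrpc.php via the X-Pingback response header on
// singular pages that accept pings; drop it so scanners are not pointed at it.
add_filter("wp_headers", function($headers) {
    unset($headers["X-Pingback"]);
    return $headers;
});

// 2. Hide the WordPress version string in <head> and feeds.
//    NOTE: the version also leaks through `?ver=` on core asset URLs and
//    readme.html; this only removes the generator tag.
remove_action("wp_head", "wp_generator");
add_filter("the_generator", "__return_empty_string");

// 3. Block REST API user enumeration for unauthenticated requests.
//    Both the collection route and the single-user route are removed. The
//    single-user key must match core's registered route exactly
//    (/wp/v2/users/(?P<id>[\d]+)) — a key without the <id> group name never
//    matches, and /wp-json/wp/v2/users/1 would stay open. Logged-in users
//    (e.g. editors in the block editor) keep the endpoints.
add_filter("rest_endpoints", function($endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset($endpoints["/wp/v2/users"]);
    unset($endpoints["/wp/v2/users/(?P<id>[\\d]+)"]);
    return $endpoints;
});

// 4. Block author enumeration via archives and ?author=N.
//    Priority 1 so this runs BEFORE redirect_canonical (template_redirect,
//    priority 10): otherwise core already 301s /?author=1 to
//    /author/<login>/ and leaks the login name in the Location header before
//    this callback is reached. wp_safe_redirect keeps the target on-site.
add_action("template_redirect", function() {
    if (!is_author()) {
        return;
    }
    wp_safe_redirect(home_url(), 301);
    exit;
}, 1);
// The core XML sitemap (WP 5.5+) also lists every author; drop that provider.
add_filter("wp_sitemaps_add_provider", function($provider, $name) {
    return $name === "users" ? false : $provider;
}, 10, 2);
// oEmbed responses carry author_name/author_url for the post author as well.
add_filter("oembed_response_data", function($data) {
    unset($data["author_name"], $data["author_url"]);
    return $data;
});

// 5. Login rate limiting: 5 failed attempts per source IP, then a 15-minute
//    lockout. Counters live in transients keyed by md5(ip).
//
//    Caveats a deployer should check:
//    - REMOTE_ADDR is the client only when PHP is directly exposed. Behind a
//      reverse proxy / CDN it is the proxy's address, so one attacker locks
//      out every visitor. Fix at the proxy layer (e.g. configure the web
//      server to rewrite REMOTE_ADDR from the trusted proxy's header) — do
//      NOT read X-Forwarded-For here, it is attacker-controlled.
//    - Each blocked attempt still fires wp_login_failed, so the 15-minute
//      window restarts on every try while the attacker keeps hammering.
//    - Priority 30 is deliberate: core's username/password and email/password
//      checks run at 20 and would replace an earlier WP_Error with their own
//      result, so the lockout has to have the last word.
add_filter("authenticate", function($user, $username, $password) {
    if (empty($username)) {
        return $user;
    }
    $ip = $_SERVER["REMOTE_ADDR"] ?? "unknown";
    $attempts = (int) (get_transient("login_attempts_" . md5($ip)) ?: 0);
    if ($attempts >= 5) {
        return new WP_Error(
            "too_many_attempts",
            "ERROR: Too many failed login attempts. Try again in 15 minutes."
        );
    }
    return $user;
}, 30, 3);

// Count a failure against the source IP; the transient's TTL doubles as the
// lockout window and is refreshed on every failure (sliding window).
add_action("wp_login_failed", function($username) {
    $ip  = $_SERVER["REMOTE_ADDR"] ?? "unknown";
    $key = "login_attempts_" . md5($ip);
    $failures = (int) (get_transient($key) ?: 0);
    set_transient($key, $failures + 1, 15 * MINUTE_IN_SECONDS);
});

// A successful login clears the counter for that IP.
add_action("wp_login", function() {
    $ip = $_SERVER["REMOTE_ADDR"] ?? "unknown";
    delete_transient("login_attempts_" . md5($ip));
});

// 6. Remove discovery links that only help fingerprinting
//    (Windows Live Writer manifest, RSD, shortlink).
add_action("init", function() {
    remove_action("wp_head", "wlwmanifest_link");
    remove_action("wp_head", "rsd_link");
    remove_action("wp_head", "wp_shortlink_wp_head");
});

// 7. Security headers on front-end responses.
//    send_headers only fires on the front end, so is_admin() is a belt-and-
//    braces guard. X-XSS-Protection is ignored by current browsers and
//    enabled the legacy auditor in old ones; a Content-Security-Policy is
//    the real control and should be added once the site's inline scripts
//    and third-party origins are known.
add_action("send_headers", function() {
    if (is_admin()) {
        return;
    }
    header("X-Content-Type-Options: nosniff");
    header("X-Frame-Options: SAMEORIGIN");
    header("X-XSS-Protection: 1; mode=block");
    header("Referrer-Policy: strict-origin-when-cross-origin");
});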