Medium · ISO 27001 A.8.8 · CIS Controls 7

Harden your CMS (WordPress and friends)

Enumerable users, exposed admin paths and outdated plugins make a CMS the most-attacked part of most sites.

Why it matters

CMS platforms are targeted at scale by automated bots. Username enumeration feeds brute-force login attempts, and a single outdated plugin is a common entry point for full site takeover.

How to fix it

Keep core and plugins updated, block user enumeration and the REST user endpoint, disable file editing in the admin, and put strong authentication on the login page.

// wp-config.php: disable the theme/plugin file editor in wp-admin
define('DISALLOW_FILE_EDIT', true);

// Must-use plugin or theme functions.php (add_filter is not yet defined when wp-config.php runs):
// hide both REST user routes from anonymous requests; logged-in editors still need the author list
add_filter('rest_endpoints', function ($e) {
    if (is_user_logged_in()) { return $e; }
    unset($e['/wp/v2/users'], $e['/wp/v2/users/(?P<id>[\d]+)']);
    return $e;
});
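The must-use plugin below is an added example, not code from this guide or from WordPress, that complements the REST snippet above: it refuses the `?author=N` query for anonymous visitors (which otherwise redirects to `/author/<login>/`), shows one generic login error so a failed attempt does not confirm a username, and throttles repeated failed logins per account with transients. The function name, constants and thresholds are assumptions of this example.

```php
<?php
/**
 * Plugin Name: CMS hardening (added example; drop into wp-content/mu-plugins/)
 * Complements the guide's REST snippet; names and thresholds below are assumptions.
 */

// 1. "?author=N" normally redirects to /author/<login>/ and so confirms the account name.
//    Refuse it for anonymous front-end requests (admin screens use the same parameter).
add_action('init', function () {
    if (!is_admin() && !is_user_logged_in() && isset($_REQUEST['author'])) {
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
});

// 2. Core's login errors differ for "unknown user" and "wrong password"; show one message
//    so a failed attempt does not confirm that a username exists (applies to every
//    wp-login.php screen, including lost-password).
add_filter('login_errors', function () {
    return 'Invalid username or password.';
});

// 3. Throttle failed logins per account using transients: after HARDEN_MAX_FAILS failures
//    within HARDEN_WINDOW seconds, reject further attempts for that account even with the
//    right password. Counting per account (not per IP) works behind proxies, at the cost
//    that an attacker can lock a user out; pair it with MFA for the admin accounts.
define('HARDEN_MAX_FAILS', 5);
define('HARDEN_WINDOW', 15 * MINUTE_IN_SECONDS);
function harden_fail_key($username) {
    return 'harden_fails_' . md5(strtolower((string) $username));
}
// Priority 30 runs after core's password check (20), so a correct password is still
// rejected while the account is throttled.
add_filter('authenticate', function ($user, $username) {
    if ($username === '' || (int) get_transient(harden_fail_key($username)) < HARDEN_MAX_FAILS) {
        return $user;
    }
    return new WP_Error('too_many_attempts', 'Too many failed logins; try again later.');
}, 30, 2);

// Every failure (including ones rejected above) bumps the counter and renews the window.
add_action('wp_login_failed', function ($username) {
    $key = harden_fail_key($username);
    set_transient($key, (int) get_transient($key) + 1, HARDEN_WINDOW);
});

// A successful login clears the counter.
add_action('wp_login', function ($username) {
    delete_transient(harden_fail_key($username));
});
```

Transients live in the options table (or the object cache when one is configured), so the counter is shared across all web nodes of a multi-server install without extra setup.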

Is your domain affected?

Prove ownership and run a scan for a graded, verifiable report.


Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.