Medium
ISO 27001 A.8.8
CIS Controls CIS 7
Harden your CMS (WordPress and friends)
Enumerable users, exposed admin paths and outdated plugins make a CMS the most-attacked part of most sites.
Why it matters
CMS platforms are targeted at scale by automated bots. Username enumeration feeds brute-force login attempts, and a single outdated plugin is a common entry point for full site takeover.
How to fix it
Keep core, themes and plugins updated, block user enumeration (author-archive redirects and the REST users endpoint), disable file editing in the admin, and put strong authentication (MFA plus login throttling) on the login page.
```php
// WordPress: block file editing + REST user enum (wp-config.php or an mu-plugin)
define('DISALLOW_FILE_EDIT', true); // hides the theme/plugin editor in wp-admin
add_filter('rest_endpoints', function ($e) {
    // Remove the list route and the per-ID route (/wp/v2/users/<id>), which also
    // enumerates accounts, for anonymous callers only; logged-in users keep them
    // so the block editor's author lookups still work.
    if (!is_user_logged_in()) {
        unset($e['/wp/v2/users'], $e['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $e;
});
```
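The remaining steps from the guide (author-archive enumeration, login error messages and login throttling), as an added mu-plugin example that is not part of this guide or of WordPress itself. The hook names (`template_redirect`, `login_errors`, `wp_login_failed`, `authenticate`, `wp_login`) and transient functions are real WordPress APIs; the `harden_` function names, the failure limit and lockout window are this example's own choices.

```php
<?php
/**
 * Plugin Name: CMS hardening example (mu-plugin)
 * Drop this file into wp-content/mu-plugins/ so it loads before ordinary plugins.
 * Added example, not code from the guide or from WordPress core.
 */

// 1. Author-archive enumeration: /?author=1 normally redirects to /author/<login>/,
//    leaking the username. Priority 1 runs before redirect_canonical (priority 10),
//    so anonymous visitors are sent home before the slug is revealed.
add_action('template_redirect', function () {
    if (is_author() && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);

// 2. Generic login error: the default messages distinguish "unknown user" from
//    "wrong password", which confirms valid usernames to a guessing bot.
add_filter('login_errors', function () {
    return __('Login failed. Check your credentials and try again.');
});

// 3. Login throttling: count failures per client address in a transient and refuse
//    further attempts for a cooling-off window. Limits are illustrative choices.
define('HARDEN_MAX_FAILURES', 5);   // illustrative
define('HARDEN_LOCKOUT_SECS', 900); // 15 minutes, illustrative

function harden_client_key() {
    // REMOTE_ADDR is only trustworthy when the web server sets it from the real
    // peer (or a trusted proxy is configured to overwrite it).
    return 'harden_login_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

add_action('wp_login_failed', function () {
    $key      = harden_client_key();
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, HARDEN_LOCKOUT_SECS);
});

// Priority 30 runs after the built-in password check (priority 20), so a locked
// client is refused even when it finally guesses the right password.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(harden_client_key()) >= HARDEN_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed logins from this address; try again later.')
        );
    }
    return $user;
}, 30, 3);

// Reset the counter after a successful login.
add_action('wp_login', function () {
    delete_transient(harden_client_key());
});
```

Throttling slows guessing but is not "strong authentication" on its own; pair it with an MFA plugin. Two caveats: transients are per site, not per web node, unless an object cache is configured, and the oEmbed endpoint (`/wp-json/oembed/1.0/embed?url=...`) still reports `author_name` for public posts, so check it separately if the author's login doubles as their display name.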
Is your domain affected?
Prove ownership and run a scan for a graded, verifiable report.
Related guides
- Set up SPF, DKIM and DMARC to stop email spoofing
- Add the HTTP security headers every site should send
- Fix TLS: valid certificate and modern protocols only
- Remove exposed .git, .env and backup files
Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.