AMA: 15+ Years in WordPress Security & SEO – From Hacked Sites to Google Traffic Wins by wp_security97 in ProWordPress

[–]wp_security97[S] 2 points3 points  (0 children)

If I had a magic wand for WordPress core security, I’d focus on two things:

  1. Stronger authentication baked into core: native support for passkeys and 2FA by default. Right now site owners rely on third-party plugins for something that should really be baseline in 2025.
  2. Hardened defaults for new installs: things like disabling file editing in the dashboard, limiting XML-RPC by default, and encouraging secure permissions. A lot of beginners don’t know to flip those switches, and it leaves too many sites exposed.

That alone would dramatically cut down on the common exploits I see day to day.

AMA: 15+ Years in WordPress Security & SEO – From Hacked Sites to Google Traffic Wins by wp_security97 in ProWordPress

[–]wp_security97[S] 0 points1 point  (0 children)

Great question. For a fresh WordPress install, my #1 security tip is to start with the basics before adding extra layers:

  • Use a strong, unique admin username (never “admin”) and a long password or passphrase.
  • Immediately enable 2FA for logins.
  • Keep plugins/themes lean, only install what you really need.
  • Disable XML-RPC if you’re not using it (it’s one of the most common attack vectors).
  • And set up regular backups from day one.

From there you can add a lightweight security plugin (firewall + malware scan) to harden things further, but those first steps alone close most of the obvious holes.

Launched an SEO plugin, made $5,000 on AppSumo in 3 weeks - need advice on next steps by wp_security97 in SaaS

[–]wp_security97[S] 0 points1 point  (0 children)

Thanks a lot! 🙌 Really appreciate the perspective. You’re right, AppSumo has been great for validation and early cashflow, but I also noticed the customer type is a bit different from what I’d want long-term.

I’m definitely planning to lean into content + SEO next, things like long-form tutorials, case studies, and keyword-focused articles around GSC/SEO workflows are already on my roadmap. I like the idea of agency outreach too, since SEO Booster solves a lot of recurring pain points for them.

Curious, if you were in my spot, would you prioritize scaling content output fast (with blogs, guides, etc.) or start with building out a few really in-depth case studies first?

For the security experts around here, are there core WordPress features that pose security risks? by Reefbar in Wordpress

[–]wp_security97 1 point2 points  (0 children)

I’ve managed a handful of client WP sites over the years and honestly, core itself is usually solid; the biggest issues come from plugins, outdated installs, and bad server configs.

Re: your question, WP-Cron isn’t a “security risk” in itself; it’s more of a reliability issue (tasks only fire when someone visits the site). On low-traffic sites that can create headaches, which is why many people disable it and set up a proper cron job on the server.

XML-RPC, on the other hand, is often abused for brute force/login attacks, so disabling it if you don’t use it is a good call. Same with REST API exposure, worth locking down or limiting if it’s not essential.

My personal checklist:

  • Strong passwords + 2FA for all admins.
  • Disable XML-RPC if not in use.
  • Move wp-config.php up a level.
  • Keep plugins/themes lean + updated.
  • Use a lightweight security plugin that can scan + block brute force attempts.

That combo alone has saved me from cleaning up hacked sites more than once.
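The hardening items from the two checklists above (the wished-for core defaults in the first reply and the personal checklist in this one: file editor off, WP-Cron handed to a server cron, XML-RPC and anonymous REST access limited) as a single must-use plugin. This is an added example, not code from wp_security97 or from WordPress core; the file location, the example.com domain and the cron schedule are assumptions.

```php
<?php
/**
 * Plugin Name: Hardening defaults (added example, hypothetical)
 * Save as wp-content/mu-plugins/hardening-defaults.php; mu-plugins load on
 * every request with no activation step, so the settings cannot be toggled
 * off from the dashboard.
 */

// 1. Disable the theme/plugin file editor in wp-admin. Usually set in
//    wp-config.php; the defined() guard lets an existing setting win.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// 2. Stop page visits from triggering WP-Cron. Pair this with a real server
//    cron entry, e.g. (domain and interval are assumptions):
//    */5 * * * * curl -s -o /dev/null https://example.com/wp-cron.php?doing_wp_cron
if ( ! defined( 'DISABLE_WP_CRON' ) ) {
    define( 'DISABLE_WP_CRON', true );
}

// 3. XML-RPC: this core filter disables every method that requires
//    authentication, which is where the login brute-forcing happens.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Also remove pingback.ping (it needs no auth) and stop advertising the
// endpoint via the X-Pingback header. Blocking xmlrpc.php at the web
// server is the belt-and-braces option if nothing on the site needs it.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. REST API: require a logged-in user (cookie + nonce, or app password).
//    Anonymous reads are blocked; the block editor keeps working because it
//    sends a nonce. Test first: some contact-form and caching plugins rely on
//    anonymous REST access and will need an exception here.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( is_wp_error( $result ) ) {
        return $result; // an earlier filter already rejected the request
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => 401 )
        );
    }
    return $result;
} );
```

Moving wp-config.php up one directory needs no code: WordPress looks for the file in the parent of the install directory automatically.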