DozWPSecure User Manual


Requirements


Installation Guide

Automated Installation (via WordPress Admin Dashboard)

  1. Go to Plugins > Add New.
  2. Click the “Add New” button and search for “DozWPSecure”.
  3. Install the plugin.
  4. Activate it right away.

Manual Installation (via WordPress Admin Dashboard)

After downloading the DozWPSecure zip file,

  1. Log in to the WordPress administrator panel (wp-admin).
  2. Go to Plugins > Add New > Upload Plugin.
  3. Click “Choose File” and select the downloaded zip file.
  4. Click “Install Now” button.
  5. Click the “Activate Plugin” button to activate the DozWPSecure plugin.

Manual Installation (via File Manager)

After downloading and extracting the DozWPSecure zip file,

  1. Upload the entire DozWPSecure folder to the /wp-content/plugins/ directory via web hosting File Manager / FTP / SCP.
  2. Log in to the WordPress administrator panel (wp-admin).
  3. Go to Plugins > Installed Plugins.
  4. Click the “Activate” link to activate the DozWPSecure plugin.

If the installation does not succeed, please contact us for help. After the installation is finished, DozWPSecure will appear in the WordPress admin menu.


Privacy Notices

With the default configuration, this plugin does not:

Securing your WordPress website

Navigate to “DozWPSecure” menu to start working on the hardening settings.


Basic WP Security Hardening

Exposing the WordPress version number is not good practice, because an attacker can easily identify whether you are still running a known vulnerable version. Removing or hiding the version number makes version enumeration harder. This function removes the WordPress core version number that is exposed in the HTML page source.

This prevents remote updates to WordPress from other applications. By disabling XML-RPC, you eliminate the risk of external attackers gaining remote access through the XML-RPC feature.

A pingback is a special type of comment that is created when you link to another blog post, as long as the other blog is set to accept pingbacks. By disabling this feature, you reduce the spam coming from people who just want to get a link of any sort posted on your content.

Windows Live Writer (WLW) is a blog publishing application developed by Microsoft. By disabling this feature, you eliminate the risk of external attackers gaining remote access through Windows Live Writer.

RSS feeds allow users to subscribe to your blog posts. However, when building small static or company websites, you may want to turn off the RSS feeds.

The JSON REST API allows users to retrieve data in JSON format using GET requests, which is useful for those building apps with WordPress. However, most site owners may not need these features at all. This setting prevents unauthorized requests from using the REST API to get information from your website.

HTTP security headers provide yet another layer of security by helping to mitigate attacks and security vulnerabilities.

PHP version header information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP. An attacker might use the disclosed information to harvest specific security vulnerabilities for the identified version.
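As an added example (not part of the DozWPSecure plugin or this manual), the settings described above map onto standard WordPress hooks like this; the `hardening_` function names are this example's own, and it is written as a must-use plugin so it loads without activation:

```php
<?php
// Added example, not DozWPSecure's own code: a must-use plugin (wp-content/mu-plugins/)
// that applies the hardening above with core WordPress hooks. Function names prefixed
// hardening_ are this example's own; everything else is the WordPress API.
// Hide the core version: drop <meta name="generator"> and the ?ver= query on assets.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
function hardening_strip_ver( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
}
add_filter( 'style_loader_src', 'hardening_strip_ver' );
add_filter( 'script_loader_src', 'hardening_strip_ver' );
// XML-RPC off (blocks remote publishing and XML-RPC login attempts); drop its discovery link.
add_filter( 'xmlrpc_enabled', '__return_false' );
remove_action( 'wp_head', 'rsd_link' );
// Pingbacks: unregister the methods and stop advertising the X-Pingback header.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
// Windows Live Writer manifest link.
remove_action( 'wp_head', 'wlwmanifest_link' );
// RSS/Atom feeds: send feed requests to the home page instead of rendering them.
function hardening_disable_feed() {
    wp_safe_redirect( home_url( '/' ), 301 );
    exit;
}
foreach ( array( 'do_feed_rdf', 'do_feed_rss', 'do_feed_rss2', 'do_feed_atom' ) as $hook ) {
    add_action( $hook, 'hardening_disable_feed', 1 );
}
// REST API: 401 for anonymous callers, unchanged for logged-in users (the block editor needs it).
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) || is_user_logged_in() ) {
        return $result;
    }
    return new WP_Error( 'rest_not_logged_in', 'REST API restricted.', array( 'status' => 401 ) );
} );
// Security headers on every response; removing X-Powered-By is only complete with expose_php=Off in php.ini.
add_action( 'send_headers', function () {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    header_remove( 'X-Powered-By' );
} );
```

After dropping the file in, confirm the effect with `curl -sI https://example.test/` (headers) and by viewing the page source for the generator tag; the Strict-Transport-Security line should only be enabled once the whole site serves HTTPS.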

Optional Settings

This will help to remove HTML comment tags to prevent information leakage (e.g. developer comments, hardcoded credentials, bug fixes, etc).

Trimming HTML response will help to reduce the size of the web page.

Custom Login URL

This allows you to change the default WordPress admin login URL to another name. Users are redirected to the homepage if the URL is invalid. It helps prevent an attacker from easily guessing and brute-forcing your login page.

This will allow you to change the default WordPress logo on your admin login page.

This will redirect the user to HTTPS when accessing the WordPress admin login URL.