WordPress Security 101

When I installed WordPress on this site, one thing that concerned me was that the login and administrative pages were not served over SSL (TLS) by default. Fair enough, I did not have a certificate installed at that point. But once the Let's Encrypt certificate was installed, I set about learning how to secure these functions.

It is very simple.

In the same directory where WordPress is installed you'll find a file named "wp-config.php". Add the following line toward the bottom, right above the "That's all, stop editing!" comment (it has to come before the line that loads wp-settings.php, or it has no effect):

define( 'FORCE_SSL_ADMIN', true );

Save the file and you're good to go. With a valid certificate installed on the web server, wp-login.php and everything under /wp-admin/ will now be served over HTTPS: plain-HTTP requests to those paths are redirected, and the login cookies are set with the Secure flag. Two caveats: this setting covers only the login and admin pages, so the public site still needs its own HTTPS setup (WordPress Address and Site Address set to https://); and if TLS is terminated by a reverse proxy or load balancer in front of PHP, WordPress sees every request as plain HTTP and will redirect in a loop unless it is told to trust the proxy's X-Forwarded-Proto header.
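As an added example (not the post's own wp-config.php), here is the tail of a wp-config.php with FORCE_SSL_ADMIN in place, plus the X-Forwarded-Proto handling needed when a reverse proxy terminates TLS. The proxy handling is an assumption about the deployment: only keep it if a trusted proxy is the sole path to the host, because otherwise a client can set that header itself and skip the HTTPS redirect.

```php
<?php
// Tail of wp-config.php (added example, not the post's own file).
// Database settings, salts and $table_prefix above this point are unchanged.

// Deployment assumption: TLS is terminated by a trusted reverse proxy that
// sets X-Forwarded-Proto. Without this, is_ssl() is false behind the proxy
// and FORCE_SSL_ADMIN produces an endless https:// redirect loop.
// Drop this block if PHP itself speaks TLS (no proxy in front).
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
    && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Serve wp-login.php and /wp-admin/ over HTTPS only, and mark the auth
// cookies Secure. Must be defined before wp-settings.php is loaded below.
define( 'FORCE_SSL_ADMIN', true );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
```

To verify, request http://yoursite/wp-login.php with curl -I: the response should be a 301 or 302 to the https:// URL, and the https:// page itself should load without redirecting again.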

I then set out to further validate my WordPress security. I found this free web-based tool.

I ran it against this site and found that my user accounts could be enumerated. Out of the box WordPress gives away login names in two ways: a request for /?author=1 (and 2, 3, ...) is redirected to /author/<username>/, and the REST API endpoint /wp-json/wp/v2/users lists every account that has published content. This is clearly information leakage that should be avoided, since a valid username turns a password-guessing attack from a two-unknown problem into a one-unknown problem. The solution is to enable a WordPress plugin that stops this behavior. The plugin can be found here.

Download the plugin and copy it to the wp-content/plugins directory as described in the Installation section of the above page. Using the Plugins menu of the WordPress administration console, activate the plugin.

Run the scan again against your WordPress site and you'll see that this issue has been resolved. You can confirm it by hand too: with curl -I, /?author=1 should no longer return a redirect to /author/<username>/, and an anonymous request to /wp-json/wp/v2/users should no longer return a list of accounts.
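For readers who want to see what such a plugin does rather than install one, here is an added example of a minimal must-use plugin that closes both enumeration paths described above. It is illustrative code written for this page, not the plugin linked from the post, and it assumes a standard WordPress layout where wp-content/mu-plugins/ is loaded automatically.

```php
<?php
/**
 * Plugin Name: Block User Enumeration (added example)
 * Description: Illustrative must-use plugin, not the plugin linked from the post.
 *
 * Save as wp-content/mu-plugins/block-user-enumeration.php (create the
 * directory if it does not exist). Must-use plugins load automatically and
 * cannot be deactivated from the Plugins screen.
 */

// 1. Refuse anonymous ?author=N probes. WordPress normally answers /?author=1
//    with a 301 to /author/<username>/, which reveals the login name.
add_action( 'init', function () {
    if ( is_admin() || is_user_logged_in() ) {
        return; // the dashboard's own post filters legitimately use ?author=
    }
    if ( isset( $_GET['author'] ) && is_string( $_GET['author'] )
        && ctype_digit( $_GET['author'] ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
} );

// 2. Belt and braces: if a numeric author query reaches canonical redirection
//    anyway, suppress the redirect so no /author/<username>/ URL is emitted.
add_filter( 'redirect_canonical', function ( $redirect_url ) {
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    if ( ! is_user_logged_in() && preg_match( '/[?&]author=\d+/', $uri ) ) {
        return false;
    }
    return $redirect_url;
} );

// 3. Hide the REST users collection from anonymous callers. /wp-json/wp/v2/users
//    (and the ?rest_route= form) lists every account with published content,
//    including the login slug. Logged-in users keep the endpoint so the block
//    editor's author picker still works.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );
```

Check the result the same way as before: curl -I "https://yoursite/?author=1" should return 403 with no Location header, and curl https://yoursite/wp-json/wp/v2/users should return a rest_no_route error instead of a JSON array of users. Closing these paths hides usernames from casual scanners; it does not replace strong passwords and a limit on login attempts, since usernames can still leak through author archive links a theme renders on the public pages.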
