FREE PRO
Global Security
Global Security centralizes WordPress hardening toggles used by headless and API-first deployments. These controls are installation-wide and help reduce attack surface before route-level rules are evaluated.
Core Security Toggles
- Disable XML-RPC: blocks legacy XML-RPC entry points.
- Disable comments and pingbacks: reduces spam and legacy abuse vectors.
- Disable feeds/sitemaps where needed: limits passive discovery channels.
- Disable theme editor: prevents direct file edits from admin UI.
Header and Surface Hardening
- Security headers: enables common hardening headers through a guided toggle.
- CORS-related guardrails: keeps API surface aligned with explicit access policy.
- Hide server signatures where possible: reduces exposed fingerprinting hints.
File and Platform Hardening
- Uploads directory protections: applies safer execution posture for uploads.
- Configuration permissions checks: validates critical file permissions.
Recommended Rollout
- Turn on Disable XML-RPC.
- Turn on Disable comments and pingbacks if your site does not need them.
- Enable security headers and verify front-end behavior.
- Enable file protections.
- Re-test login, media upload, and API routes.
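One way to make the re-test step repeatable is to audit captured responses against the toggles you enabled. This is an added example, not code from the plugin; the header names, the allowed origin `https://app.example.com`, and the rule that a blocked path answers with a non-2xx status are assumptions, since this page does not say what the plugin emits.

```python
"""Post-rollout audit of captured responses (added example, not plugin code).
Assumed: the header names, the allowed origin and "blocked means non-2xx";
the page does not say what the plugin emits."""

EXPECTED_HEADERS = ["x-content-type-options", "x-frame-options", "referrer-policy"]
SIGNATURE_HEADERS = ["x-powered-by", "x-pingback"]
ALLOWED_ORIGINS = {"https://app.example.com"}  # hypothetical front-end origin
# Only list paths whose toggle you actually enabled (feeds/sitemaps are optional).
BLOCKED_PATHS = {
    "/xmlrpc.php": "Disable XML-RPC",  # capture with POST; GET is not an XML-RPC call
    "/feed/": "Disable feeds",
    "/wp-sitemap.xml": "Disable sitemaps",
}


def audit(responses):
    """responses maps path -> (status, headers dict); returns a list of findings."""
    findings = []
    for path, toggle in BLOCKED_PATHS.items():
        status, _ = responses.get(path, (None, {}))
        if status is not None and 200 <= status < 300:
            findings.append(f"{toggle}: {path} still answers {status}")
    _, headers = responses.get("/", (None, {}))
    home = {k.lower(): v for k, v in headers.items()}
    for name in EXPECTED_HEADERS:
        if name not in home:
            findings.append(f"Security headers: {name} missing on /")
    for name in SIGNATURE_HEADERS:
        if name in home:
            findings.append(f"Server signature: {name} exposed ({home[name]})")
    _, headers = responses.get("/wp-json/", (None, {}))
    api = {k.lower(): v for k, v in headers.items()}
    origin = api.get("access-control-allow-origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        findings.append(f"CORS: /wp-json/ allows origin {origin}")
    return findings


# Constructed sample: XML-RPC is off, headers and CORS policy not yet tightened.
SAMPLE = {
    "/": (200, {"X-Powered-By": "PHP/8.2", "X-Content-Type-Options": "nosniff"}),
    "/xmlrpc.php": (403, {}),
    "/feed/": (200, {}),
    "/wp-sitemap.xml": (404, {}),
    "/wp-json/": (200, {"Access-Control-Allow-Origin": "*"}),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it after each toggle change with responses captured from your own site; an empty result means every enabled check passed.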
Related Modules
- For login attack mitigation, see Auth Hardening.
- For API ingress restrictions, see Global IP Filtering.
- For Pro-only headless lockout controls, see WordPress Mode.