=== Secure Setup === Contributors: deeprahman Tags: security, file permissions, .htaccess, WordPress security, REST API Requires at least: 5.2 Tested up to: 6.8 Requires PHP: 7.2 Stable tag: 1.0.2 License: GPLv2 or later License URI: https://www.gnu.org/licenses/gpl-2.0.html Enhance WordPress security by setting recommended file permissions, securing .htaccess, and disabling sensitive endpoints. == Description == **Securing Setup** helps protect your WordPress installation by: 1. Allowing users to set recommended file permissions for directories and subdirectories. 2. Automatically modifying the `.htaccess` file to: - Protect the `debug.log` file from being accessed via the web. - Restrict execution of specific file types (e.g., `.png`, `.jpg`), ensuring only selected file types are processed by the web server. 3. Disabling sensitive WordPress endpoints such as: - `system.multicall` from XML-RPC. - The `users` endpoint in the REST API. The plugin is user-friendly and includes an easy-to-access settings page. You can view or contribute to the plugin's source code on GitHub: [GitHub Repository]https://github.com/deeprahman/sswp) == Features == - Set directory and subdirectory permissions for enhanced security. - Automate `.htaccess` file modifications. - Disable potentially vulnerable endpoints. - Tested with the latest version of WordPress. == Installation == 1. Upload the `securing-setup` folder to the `/wp-content/plugins/` directory. 2. Activate the plugin through the 'Plugins' menu in WordPress. 3. Navigate to **Tools > File Permission** to configure settings. == Frequently Asked Questions == = What are recommended file permissions? = The plugin will recommend secure file permissions (e.g., `755` for directories and `644` for files) to reduce risks from unauthorized access. = Can I undo `.htaccess` modifications? = Yes, the plugin provides options to revert changes made to the `.htaccess` file. = Will this plugin break my media uploads or other file handling? = No, you can configure which file types are allowed for execution by the web server, ensuring normal functionality. = What endpoints are disabled by this plugin? = The plugin disables: - The `system.multicall` function in XML-RPC to prevent potential attacks. - The `users` endpoint in the REST API to hide user enumeration. == Screenshots == 1. **Settings Page** - The File Permission settings and `.htaccess` configuration panel. 2. **Recommended File Permissions** - Displays the recommended permissions for a secure WordPress setup. == Changelog == = 1.0.2 = * Readme updated = 1.0.1 = * Added OS warning. * Implemented REST API rate limiting. = 1.0.0 = * Initial release. * File permissions management for directories and files. * `.htaccess` customization for secure file handling. * Disabled `system.multicall` and `users` REST endpoint for added protection. * == Upgrade Notice == = 1.0.0 = Initial release. Ensure your PHP version is 7.2 or higher and WordPress is updated to the latest version. == Notes == After activation, the plugin adds a submenu named **File Permission** under the Tools menu, where you can configure settings.