
Better WordPress Security with Custom Post Types

Published by Manuel Campos on April 3, 2026 • Updated on April 3, 2026

I’ve been building sites locally for a while now, so WordPress security isn’t something I lose sleep over. That said, I still set up firewall rules for my sites even though the database and installation are never exposed to the internet.

The good news is that if you plan your site structure carefully from the start, setting up those rules becomes much simpler.


Too Many URL Variations

Here’s what I mean.

Most WordPress users go with Post name — /post-name/ — for blogs and business sites, and for good reason: it’s clean and SEO-friendly. With that setting, your URLs end up looking like this:

example.com/
│
├── /about/
├── /contact/
├── /services/
├── /pricing/
├── /faq/
├── /team/
│
├── /my-first-post/
├── /how-to-use-wordpress/
├── /getting-started-with-seo/
├── /top-10-plugins/
├── /wordpress-tips-for-beginners/
├── /how-to-speed-up-your-site/
├── /best-themes-for-blogs/
├── /how-to-install-a-plugin/
├── /customizing-your-homepage/
└── /writing-your-first-blog-post/

The trouble is, that makes writing firewall rules a bit of a headache since there are just too many URL variations to account for.

A Cleaner Structure

A cleaner structure would look like this:

example.com/
│
├── /about/
├── /contact/
├── /pricing/
│
├── /blog/
│   ├── /blog/wordpress-tips-for-beginners/
│   ├── /blog/how-to-speed-up-your-site/
│   └── /blog/writing-your-first-blog-post/
│
├── /tutorials/
│   ├── /tutorials/how-to-install-a-plugin/
│   ├── /tutorials/customizing-your-homepage/
│   └── /tutorials/how-to-use-wordpress/
│
├── /seo/
│   ├── /seo/getting-started-with-seo/
│   ├── /seo/top-10-seo-plugins/
│   └── /seo/on-page-seo-basics/
│
└── /reviews/
    ├── /reviews/best-themes-for-blogs/
    ├── /reviews/top-10-plugins/
    └── /reviews/best-hosting-providers/

With a structure like that, you only need to whitelist your domain, a handful of pages, and the four main category URLs; everything else can be locked down.

Here’s how I’d handle it in Cloudflare using the skip action:

(ends_with(http.request.full_uri, "example.com")) or
(ends_with(http.request.full_uri, "example.com/")) or
(starts_with(http.request.uri.path, "/about")) or
(starts_with(http.request.uri.path, "/contact")) or
(starts_with(http.request.uri.path, "/pricing")) or
(starts_with(http.request.uri.path, "/blog")) or
(starts_with(http.request.uri.path, "/tutorials")) or
(starts_with(http.request.uri.path, "/seo")) or
(starts_with(http.request.uri.path, "/reviews"))

Then I would block every request not made from my IP address:

(ip.src ne 192.5.56.240)

In plain terms: whitelist what you want the world to see, and block everything else.
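To check what the two rules above actually let through, here is a small Python model of them, evaluated in the same order Cloudflare does (the skip rule first, then the block rule). This is example code added here, not the post's own; it assumes the skip rule is set to skip all remaining custom rules, and it only mimics Cloudflare's starts_with/ends_with matching on constructed sample requests.

```python
"""Model of the post's two Cloudflare custom rules, evaluated in order:
rule 1 (action: skip) exempts allowlisted URLs from later rules,
rule 2 (action: block) rejects every remaining request not from the owner IP.
Added example, not the post's code; sample requests below are constructed."""
from urllib.parse import urlsplit

OWNER_IP = "192.5.56.240"  # the address used in the post's block rule

# Path prefixes from the post's skip rule (starts_with on http.request.uri.path)
ALLOWED_PREFIXES = ("/about", "/contact", "/pricing",
                    "/blog", "/tutorials", "/seo", "/reviews")


def rule1_skip(full_uri: str) -> bool:
    """Rule 1: the post's allowlist expression (skip remaining custom rules)."""
    path = urlsplit(full_uri).path  # http.request.uri.path has no query string
    return (full_uri.endswith("example.com") or full_uri.endswith("example.com/")
            or any(path.startswith(p) for p in ALLOWED_PREFIXES))


def rule2_block(src_ip: str) -> bool:
    """Rule 2: (ip.src ne OWNER_IP)."""
    return src_ip != OWNER_IP


def decide(full_uri: str, src_ip: str) -> str:
    """Walk the rules in order, as the WAF does; a skip ends evaluation."""
    if rule1_skip(full_uri):
        return "skip"    # reaches WordPress, block rule never runs
    if rule2_block(src_ip):
        return "block"
    return "allow"       # only the owner IP falls through both rules


# Constructed sample requests: (full URI, client IP). 203.0.113.9 is a
# documentation address standing in for an arbitrary visitor.
SAMPLES = [
    ("https://example.com/", "203.0.113.9"),                        # home page
    ("https://example.com/blog/how-to-speed-up-your-site/", "203.0.113.9"),
    ("https://example.com/wp-login.php", "203.0.113.9"),             # outsider
    ("https://example.com/wp-login.php", OWNER_IP),                  # owner
    ("https://example.com/?s=wordpress", "203.0.113.9"),             # search on "/"
    ("https://example.com/seo-audit-tool/", "203.0.113.9"),          # prefix overmatch
    ("https://example.com/about-us-old/", "203.0.113.9"),            # prefix overmatch
]

if __name__ == "__main__":
    for uri, ip in SAMPLES:
        print(f"{decide(uri, ip):5}  {ip:15}  {uri}")
```

Two things the run makes visible: a home-page request that carries a query string (WordPress search, for instance) is blocked, because neither ends_with clause matches it and its path is just "/"; and starts_with("/seo") or starts_with("/about") also lets through any path that merely begins with those letters, so the allowlist is slightly wider than the listed pages.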

Block Everybody

Conclusions

Since we’re blocking everything except your whitelisted URLs, the main thing this won’t protect against is attacks targeting those whitelisted pages themselves, such as:

  • DDoS attacks flooding your public pages.
  • Form spam.
  • Scrapers and bots hammering your whitelisted URLs.
  • Weaknesses in your server’s own security.

This will protect your sites from:

  • Random exploit scanners probing common WordPress paths.
  • Brute force attacks on your login page.
  • Plugin and theme vulnerability scanners that probe known exploit paths.
  • File injection attempts targeting WordPress core paths.

Manuel Campos


I'm a WordPress enthusiast. I document my journey and provide actionable insights to help you navigate the ever-evolving world of WordPress.
