Bad Bot Honeypot

Jeff Starr of Perishable Press offers what appears to be an excellent, free Blackhole for Bad Bots. Unfortunately it does not work with all cache setups, and I use some pretty crazy aggressive caching to boost site speed. I have not been able to get Jeff’s plugin to work for me. I decided to make a very much simplified, less automated version, one that will require an ongoing bit of my time but hopefully will thwart naughty bots.


Cloudflare Access

Back in January 2018, Cloudflare introduced a new service, Cloudflare Access. As is their generous habit for many of their features, CF even made it available on the free tier. CF describes Access as “a perimeter-less access control solution for cloud and on-premise applications”. Basically, Access lets me host internal applications on the Internet, where use is controlled, authorized, authenticated, and encrypted. For the end user, it works very similarly to two-factor authentication. But it all happens on Cloudflare’s servers.


CloudFlare Firewall Rules

CloudFlare announced the introduction of firewall rules on October 3, 2018. Surprisingly, five firewall rules are even provided on the free plan. By comparison, the Pro plan provides 20 firewall rules. Unlike Page Rules, additional firewall rules can *not* be purchased. I get five, that’s it – but as we will see, a single firewall rule can do a bunch of different stuff provided that the final action is the same. Pretty generous of CF, I think, seeing as I use only their free tier.


2FA

Two-factor authentication (2FA) is an extremely strong security measure to keep bad guys, gals, and bots from hacking into my important accounts – WP admin, email, registrar, cPanel, and so on. And … I’m just not a fan.


cPanel and FTP security

I take numerous precautions to prevent malicious logins to my WP admin account, none of which will do me a bit of good if my cPanel or FTP accounts get hacked. I don’t even use FTP. On those infrequent occasions when I need to transfer files, I use my cPanel file manager. I would disable FTP completely – except that I can’t find a way to do it. I also can’t find a way to obfuscate the cPanel or FTP login, add a reCAPTCHA, limit login attempts, or add a security question. Very strong passwords are a good start, but I hate relying on just one lock.


WP is not ready for CSP

A Content Security Policy (CSP) relies on HTTP response headers to help prevent cross-site scripting and other injected content, providing a great addition to a layered security approach. I think of it as a reverse firewall. It tells browsers exactly what content should be accepted from my site. All other content – malware for example – should be rejected. So, it doesn’t exactly protect my site. But if my site gets infected, it can prevent the infection from spreading – possibly saving my reputation.

A correct CSP is a really good thing, adding to interweb safety. So, why do almost no websites – something incredibly small like 1% of 1% – have a CSP? Partly because it is not very well known yet, but also because it is really complicated to create a correct one. It is much more likely that I will screw up my WP site and deliver false errors to my visitors than it is that my CSP will work properly.
