Fighting terrorism, one managed challenge at a time

Given the current explosion in viciously evil advocacy for genocidal anti-Semitic terrorism, and its inevitable bleed-over to murderous anti-Americanism, I decided to add a CF firewall rule to annoy the worst-offending countries with a managed challenge. For good measure I added a few additional nefariously evil countries. I was sadly unable to find a way to include the diabolically depraved pro-Hamas wing of the U.S. Democratic Party, and its barbaric supporters.

 


Safeguarding Your Online Presence: Cloudflare’s Free DDoS Protection

Guest post written by AI (ChatGPT)

User: Write a blog post about DDoS protection using the Cloudflare free plan.

ChatGPT:

Introduction: Maintaining a secure online presence is of utmost importance in today’s digital landscape. However, the rising threat of DDoS (Distributed Denial of Service) attacks poses a significant challenge to the availability and security of websites and applications.


Cloudflare Bot Fight Mode

According to Cloudflare, “Bot Fight Mode is a simple, free product that helps detect and mitigate bot traffic on your domain”. It attempts to identify traffic from bots that are absent from Cloudflare’s good-bot list and, unfortunately, does not block them, but rather issues “computationally expensive” challenges to make them expend time and resources before moving forward with their potentially nefarious mission.


Blocking those pesky RSS feeds and Sitemaps

Every time I create a new post or page using WP, the post or page is automatically duplicated in an RSS feed – for example wppov.com/mynewpost/feed. It isn’t exactly an evil twin, just antiquated and – by 2023 standards – more troublesome than useful.

RSS feeds were popular and useful a decade or two ago, but not so much in 2023. These days feeds are more likely used for content scraping, data mining, and spamming. No thanks, I’d rather block this bad behavior.


Cloudflare Managed Challenge

I review my Cloudflare firewall rules infrequently – maybe every couple of years – so I didn’t notice immediately when early in 2022 CF retired their CAPTCHA (thus ending the Cloudflare CAPTCHA Kerfuffle – oh well, it was fun while it lasted) and deprecated their JavaScript Challenge in favor of their new, more advanced Managed Challenge.


Custom Security Header

As a precaution against distributed denial of service (DDoS) attacks, I allow access to my websites only through Cloudflare. Direct access – for example using my IP number – is not permitted. I put a bit of code in my htaccess file that checks to see if the Cloudflare IP Country header is present. That worked fine but would be pretty easy for a determined bad guy, gal, nonbinary person, or bot to defeat – especially since I posted here about it.

Recently CF added a Transform Rule feature. It consistently amazes me the great features that CF makes available on their free tier. Using a Transform Rule, I can create a custom, secret request header which I can then check for using htaccess. Something like this …


The Cloudflare CAPTCHA Kerfuffle Continues

In early 2020, Cloudflare switched from Google’s reCAPTCHA to Intuition Machines’ hCaptcha. It was a business decision – although CF made a ridiculously hypocritical attempt to excuse the switch as a moral imperative. hCaptcha is much less expensive for CF than the Google alternative, but hCaptcha provides a lesser user experience. The CF community was – and remains – unhappy about the switch.

Attacks on WordPress in 2020

The Wordfence 2020 WordPress Threat Report notes more than 90 billion malicious login attempts on the 4+ million sites using Wordfence in 2020. Doing a bit of math, that’s about 60 malicious login attempts on every site every day. I’m not at all sure 60 is exactly correct, but it seems about right based on what I find in my Cloudflare firewall logs – and it’s a big number.
