There are various approaches to WP security, but I’ll vastly oversimplify it into two: Maginot Line or Kursk. (1)
In addition to my crazy long Cloudflare firewall “block” rule, I use a JavaScript challenge rule for pages that I want to restrict to human users, keeping out bots.

On Cloudflare’s free tier I am allowed five firewall rules. This is very generous of Cloudflare, considering the free part. But it turns out to be much more generous than it first appears.

A distributed denial-of-service (DDoS) is a large-scale attack using multiple IP addresses, attempting to overwhelm a site with requests, crashing it or slowing it to a crawl. DDoS attacks vary in sophistication. The most sophisticated use thousands of IPs accessing multiple URLs with random query strings to bypass caching and increase the CPU load.

Robots dot text (robots.txt) is a really interesting, conflicted, frequently disrespected – but useful – little file. Its intended purpose is to give me control of how bots visit my site. Depending on the bot though, my robots dot text directives might be obeyed, ignored, partially obeyed, and/or interpreted in different ways.

Big shout out to McAfee SiteAdvisor for quickly correcting their assessment of this site and one of my other sites.

A bit of background ….
New zero-day WP plugin vulnerabilities are announced with alarming frequency. I gotta keep all my plugins up to date so that any new vulnerability gets patched. I use my custom plugin to auto-update everything – WP, themes, and plugins.
Jeff Starr of Perishable Press offers what appears to be an excellent, free Blackhole for Bad Bots. Unfortunately it does not work with all cache setups, and I use some pretty crazy aggressive caching to boost site speed. I have not been able to get Jeff’s plugin to work for me. I decided to make a very much simplified, less automated version, that will require an ongoing bit of my time but hopefully will thwart naughty bots.
Back in January 2018, Cloudflare introduced a new service, Cloudflare Access. As is their generous habit for many of their features, CF even made it available on the free tier. CF describes Access as “a perimeter-less access control solution for cloud and on-premise applications”. Basically, Access lets me host internal applications on the Internet, where use is controlled, authorized, authenticated, and encrypted. For the end user, it works very similar to two-factor authentication. But it all happens on Cloudflare’s servers.
Cloudflare announced the introduction of firewall rules on October 3, 2018. Surprisingly, five firewall rules are even provided on the free plan. By comparison the Pro plan provides 20 firewall rules. Unlike Page Rules, additional firewall rules can *not* be purchased. I get five, that’s it – but as we will see a single firewall rule can do a bunch of different stuff provided that the final action is the same. Pretty generous of CF, I think, seeing as I use only their free tier.

There are a couple of aspects to the security of my Contact Kenny page.
Two-factor authentication (2FA) is an extremely strong security measure to keep bad guys, gals, nonbinaries, and bots from hacking into my important accounts – WP admin, email, registrar, cPanel, and so on. And … I’m just not a fan.
I take numerous precautions to prevent malicious logins to my WP admin account. None of which will do me a bit of good if my cPanel or FTP accounts get hacked. I don’t even use FTP. On those infrequent occasions when I need to transfer files, I use my cPanel file manager. I would disable FTP completely – except that I can’t find a way to do it. I also can’t find a way to obfuscate cPanel or FTP login, add a reCaptcha, limit login attempts, or add a security question. Very strong passwords are a good start, but I hate relying on just one lock.
I use Cloudflare page rules to keep bad bots completely off my login screen and admin area. And they have always done a great job. Until recently. Now – Danger, Will Robinson! – bad bots are waltzing merrily past my precautions and attempting to login, or creating bogus subscriber accounts.

I take a number of security precautions to keep my sites free of malware. But what if malware gets past my defenses? I need to be able to detect it so that I can eradicate it. With WP malware scanners, as with everything else WP, I prefer free. I know of three types of free WP malware scanners: Host-based; Web-based; and Plugins.
