There are various approaches to WP security, but I’ll vastly oversimplify it into two: Maginot Line or Kursk. (1)
The Maginot Line was a monolithic line of defense consisting of concrete fortifications, obstacles, and weapon installations. It was built by France in the 1930s to deter invasion by Germany. It was considered to be impervious to most forms of attack, including aerial bombings and tank fire.
In contrast, the Russian defense in the battle of Kursk used security in depth, with three main defensive belts. Fortifying each belt was an interconnected web of minefields, barbed-wire fences, anti-tank ditches, deep entrenchments for infantry, anti-tank obstacles, dug-in armored vehicles, and machine-gun bunkers. Behind the three main defensive belts were three more belts prepared as fallback positions.
How did these two approaches fare in practice? The German armies simply went around the Maginot Line and quickly conquered France. (2)
The layered defenses at Kursk were so effective that Germany’s extensive losses of soldiers and material ensured the Soviet Red Army would have the strategic initiative for the remainder of the war. (3)
How does this apply to WP security? Think of an all-in-one security solution like Wordfence (4) as the Maginot Line. It is strong and protects against a variety of threats. But it is a single line of defense. If a hacker finds a way around it, game over. It also can only combat threats that have already hit my site.
A Kursk approach to WP security would involve multiple lines of defense. For example …
- Page rules, firewall rules, and miscellaneous settings (security level, browser integrity check, HSTS, DNSSEC) provided by Cloudflare on their free tier. This reverse proxy is my front line of defense, blocking bad guys, gals, and bots before they even get close to my site.
- The excellent 6G firewall – also free – from Jeff Starr of Perishable Press lives in my .htaccess file. It runs at the server level, after threats hit my server but before they hit my site.
- More security stuff on my site – which I hope is never needed. I want threats stopped before they get that far.
To be fair …
- The Maginot Line and Kursk defenses had much in common – soldiers, machine guns, artillery, etc. Similarly, the two WP security approaches have much in common. For example, every WP site should be kept up to date, have regular backups, and have a very strong admin password.
- The French expected the Germans to go around the Maginot Line, attacking through Belgium (I wonder what the Belgians thought about that plan). The French planned to concentrate their forces at that point of attack, with the Maginot Line protecting their flank. What they didn’t expect was a lightning-fast German blitz through the Ardennes forest.
- The Soviets also suffered horrific losses in the battle of Kursk, losing even more soldiers and material than did the Germans. However, the Soviets could replace their losses; the Germans could not.
- I like to pick on Wordfence in part because it is the king of the hill when it comes to WP security. Also, I have a couple of legitimate quibbles – I don’t like Wordfence stealing my secret username, nor that it does not clean up after itself when deleted. But – Wordfence is very widely used and trusted. It is recommended by many experts. It is not for me, but I believe it to be a valid security solution for most WP users, who value its relatively headache-free set-it-and-mostly-forget-it convenience.