Custom Security Header

Posted on February 26, 2022 by Kenny

As a precaution against distributed denial of service (DDOS) attacks, I allow access to my websites only through Cloudflare. Direct access – for example using my IP number – is not permitted. I put a bit of code in my htaccess file that checks to see if the Cloudflare IP Country header is present. That worked fine but would be pretty easy for a determined bad guy, gal, nonbinary person, or bot to defeat – especially since I posted here about it.

Recently CF added a Transform Rule feature. It consistently amazes me the great features that CF makes available on their free tier. Using a Transform Rule, I can create a custom, secret request header which I can then check for using htaccess. Something like this …

7G Firewall

Posted on March 13, 2020 by Kenny

In late January 2020, Jeff Starr of Perishable Press transitioned the 7G Firewall from beta to production, but I just caught wind of it today.

WP Security Approach: Maginot Line vs. Kursk

Posted on July 27, 2019 by Kenny

There are various approaches to WP security, but I’ll vastly oversimplify it into two: Maginot Line or Kursk. (1)

.htaccess impact on site speed

Posted on June 24, 2019 by Kenny

I’m a big fan of the 6G firewall, from Jeff Starr of Perishable Press. It lives in my .htaccess file, and does a great job of protecting my site against a wide variety of malicious requests, bad bots, spam referrers, and other attacks. It adds 76 lines to my .htaccess file, some of them filled with long regular expressions. WordPress and Litespeed Cache also add chunks to my .htaccess file. And, .htaccess being exceptionally flexible and useful, I add other stuff as well.

Crazy long, but free – Cloudflare firewall rule

Posted on June 15, 2019 by Kenny

On Cloudflare’s free tier I am allowed five firewall rules. This is very generous of Cloudflare, considering the free part. But it turns out to be much more generous than it first appears.

DDoS Protection

Posted on June 13, 2019 by Kenny

A distributed denial-of-service (DDoS) is a large-scale attack using multiple IP addresses, attempting to overwhelm a site with requests, crashing it or slowing it to a crawl. DDoS attacks vary in sophistication. The most sophisticated use thousands of IPs accessing multiple URLs with random query strings to bypass caching and increase the CPU load.

Allowing only Cloudflare traffic

Posted on July 23, 2018 by Kenny

In other posts I give my point of view on the security advantages of using Cloudflare. But what’s to stop a bad guy, gal, or bot from accessing my site directly by IP address? I can try to keep my IP address secret, but a determined hacker will find it without too much trouble. He or she or his/her robot minions could then avoid Cloudflare security by attacking my site directly – unless I take explicit measures by allowing only Cloudflare traffic.

htaccess tricks

Posted on January 3, 2018 by Kenny

Along with the excellent 6G firewall (update: 7G firewall) from Jeff Starr at Perishable Press, certain htaccess tricks improve WP security. Examples …

6G Firewall

Posted on December 24, 2016 by Kenny

There are a number of comprehensive security solutions available for WP, notably including the very popular Wordfence Security plugin. I have a Wordfence quibble, which I whine about in another post, but to the best of my knowledge, Wordfence is an excellent choice for most WP users. My preference though is for light, fast, specific solutions as opposed to a single, relatively heavy, Swiss-army-knife style tool.

One such light, fast, specific solution is the 6G Firewall from Perishable Press.

403 Text String

Posted on December 23, 2016 by Kenny

If my site gets attacked, it could serve up a lot of 403-Forbidden error pages, which would use a lot of resources, slowing my site or even bringing it down. For 404-Not Found errors, I want to serve a friendly helpful page that fits in with the look and feel of my site. Legitimate visitors should rarely if ever encounter a 403-Forbidden error though, so I prefer to politely limit resource use to the extent practical. My solution is a custom 403 text string, using the following line at the beginning of my .htaccess file:

ErrorDocument 403 "403: Sorry, not permitted."

htaccess