Easy-to-follow video tutorials help you learn software, creative, and business skills.Become a member

Blocking access

From: WordPress 3: Developing Secure Sites

Video: Blocking access

In this screencast, we equip ourselves with a powerful way to protect our site against the bad guys. Keeping an eye on our server log files, we employ the excellent WP-Ban plug-in to block specific threats and other malicious behavior. To really take your security to the next level, it's important to keep an eye on your server access and error logs. Such logs are readily available from your server control panel and elsewhere, so ask your host if you don't see them. Here we have an excerpt from a hypothetical error log where various details are recorded for each 404 Not Found error.

Blocking access

In this screencast, we equip ourselves with a powerful way to protect our site against the bad guys. Keeping an eye on our server log files, we employ the excellent WP-Ban plug-in to block specific threats and other malicious behavior. To really take your security to the next level, it's important to keep an eye on your server access and error logs. Such logs are readily available from your server control panel and elsewhere, so ask your host if you don't see them. Here we have an excerpt from a hypothetical error log where various details are recorded for each 404 Not Found error.

Each of these are malicious requests, as evidenced by the nasty-looking URL. Timewise, these requests happened about a minute apart. Usually they're more frequently, but it also depends on your server and what your server is capable of. They all have the same recorded IP address, and they all also have the same user agent. The sort of malicious activity recorded here happens constantly, and it does a good job of wasting server resources and slowing things down for your legitimate visitors.

There are many solutions for defending against malicious requests, but for WordPress-powered sites the easiest way is to simply block them with a plug-in. Going to the Plugins menu, let's click on the Add New button and do a quick search for the WP-Ban plug-in. Enter the name and click Search, and WP-Ban should be listed among one of the first few results. So we see it here, and we click on the Details link to learn a little bit more about this plug-in.

As we see here in the description, the plug-in provides a way for WordPress users to block malicious requests and other malicious activity using the IP address, user agent, and other aspects of the request. It's been a while since this plug-in was updated, but it has been downloaded many times and enjoys good ratings. The installation, if we go to the web site, we see that the installation is typical, and as we see here, the plug-in is already installed on the site, so we are ready to jump into the Plugin Configuration page to configure the plug-in.

We click on the Ban link in the Settings menu to go there. Here at the WP-Ban Settings page, first and foremost, the plug-in tells us our own IP address, hostname, user agent, and so on. Next, we have the banned fields themselves, where we will be listing and blocking the bad guys. We can ban by IP, IP range, host name, referrer, user agent, and we can even exclude IPs, and customize the banned message that blocked requests will receive.

Really, at this point, there's nothing to configure, but just beneath the Banned fields, there are two more sections worth mentioning. First, the Ban Stats panel, where we can see the statistics about what's being blocked, and then beneath that an Uninstall option, should you decide to remove the plug-in later. So there is nothing to configure upfront, but let's return now to our hypothetical error log and see how to immunize our site against future attacks. There are lots of choices for blocking.

We can block by the IP address, referrer, user agent, and request string. If we determine that the user agent EmailSiphon is a bad bot, we can block it with WP-Ban. We can also block the IP address specifically. So let's start with the IP address. We copy that and return to the plug-in page and in the Banned IPs field, we just paste the IP address. Then let's returned to the error log and grab that user agent, copy, and then return to the plug-in page, scroll down, and paste it into place.

Once we have these two items in place, we click Save Changes, and done. Any requests meeting our new criteria will now be blocked and presented with the official 'you've been banned' message. Now, let's see it in action. We can't spoof an IP here, but we can spoof a user agent by going to bots versus browsers. We need two things to see this demonstration work. We need the user agent, which we had EmailSiphon, and we need the URL for our web site, so we can try to access it.

Once these two items are in place, we click the Go button and see the ban message. We have been banned. Anyone requesting our web site from using this user agent, EmailSiphon, will be banned. Likewise for the IP and likewise for any other item, host name, IP range, referrers and so on. This plug-in will ban malicious requests and specific threats. Finally, back at the Banned Options page, let's scroll down and verify that that request was actually recorded in the Ban Stats section of the plug-in, and here it is here.

Here is our IP address, here is the attempt, and if we would like, we can reset this. This is a great way to keep an eye on the different requests that are being made by the things that you are blocking. So in this screencast, we've seen how to get more fine-grain control over your site's security. The powerful WP-Ban plug-in makes it easy to block specific threats and keep your site safe, secure, and performing great.

Show transcript

This video is part of

Image for WordPress 3: Developing Secure Sites
WordPress 3: Developing Secure Sites

36 video lessons · 11402 viewers

Jeff Starr
Author

 

Start learning today

Get unlimited access to all courses for just $25/month.

Become a member
Sometimes @lynda teaches me how to use a program and sometimes Lynda.com changes my life forever. @JosefShutter
@lynda lynda.com is an absolute life saver when it comes to learning todays software. Definitely recommend it! #higherlearning @Michael_Caraway
@lynda The best thing online! Your database of courses is great! To the mark and very helpful. Thanks! @ru22more
Got to create something yesterday I never thought I could do. #thanks @lynda @Ngventurella
I really do love @lynda as a learning platform. Never stop learning and developing, it’s probably our greatest gift as a species! @soundslikedavid
@lynda just subscribed to lynda.com all I can say its brilliant join now trust me @ButchSamurai
@lynda is an awesome resource. The membership is priceless if you take advantage of it. @diabetic_techie
One of the best decision I made this year. Buy a 1yr subscription to @lynda @cybercaptive
guys lynda.com (@lynda) is the best. So far I’ve learned Java, principles of OO programming, and now learning about MS project @lucasmitchell
Signed back up to @lynda dot com. I’ve missed it!! Proper geeking out right now! #timetolearn #geek @JayGodbold
Share a link to this course

What are exercise files?

Exercise files are the same files the author uses in the course. Save time by downloading the author's files instead of setting up your own files, and learn by following along with the instructor.

Can I take this course without the exercise files?

Yes! If you decide you would like the exercise files later, you can upgrade to a premium account any time.

Become a member Download sample files See plans and pricing

Please wait... please wait ...
Upgrade to get access to exercise files.

Exercise files video

How to use exercise files.

Learn by watching, listening, and doing, Exercise files are the same files the author uses in the course, so you can download them and follow along Premium memberships include access to all exercise files in the library.


Exercise files

Exercise files video

How to use exercise files.

For additional information on downloading and using exercise files, watch our instructional video or read the instructions in the FAQ.

This course includes free exercise files, so you can practice while you watch the course. To access all the exercise files in our library, become a Premium Member.

Join now "Already a member? Log in

Are you sure you want to mark all the videos in this course as unwatched?

This will not affect your course history, your reports, or your certificates of completion for this course.


Mark all as unwatched Cancel

Congratulations

You have completed WordPress 3: Developing Secure Sites.

Return to your organization's learning portal to continue training, or close this page.


OK
Become a member to add this course to a playlist

Join today and get unlimited access to the entire library of video courses—and create as many playlists as you like.

Get started

Already a member?

Become a member to like this course.

Join today and get unlimited access to the entire library of video courses.

Get started

Already a member?

Exercise files

Learn by watching, listening, and doing! Exercise files are the same files the author uses in the course, so you can download them and follow along. Exercise files are available with all Premium memberships. Learn more

Get started

Already a Premium member?

Exercise files video

How to use exercise files.

Ask a question

Thanks for contacting us.
You’ll hear from our Customer Service team within 24 hours.

Please enter the text shown below:

The classic layout automatically defaults to the latest Flash Player.

To choose a different player, hold the cursor over your name at the top right of any lynda.com page and choose Site preferencesfrom the dropdown menu.

Continue to classic layout Stay on new layout
Exercise files

Access exercise files from a button right under the course name.

Mark videos as unwatched

Remove icons showing you already watched videos if you want to start over.

Control your viewing experience

Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.

Interactive transcripts

Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.

Are you sure you want to delete this note?

No

Your file was successfully uploaded.

Thanks for signing up.

We’ll send you a confirmation email shortly.


Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

   
submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.