Implementing a firewall
Video: Implementing a firewallThe more popular your site gets, the more of a target it becomes for automated malicious attacks. Scripted attacks occur frequently and involve automated requests for known and/ or potential security vulnerabilities. In this screencast, we protect against these relentless automated attacks by implementing a strong firewall. As seen here in an excerpt from one of my personal error logs, malicious requests such as these are a constant threat to your site.
- Next steps
Viewers: in countries Watching now:
This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
- Backing up and restoring your site
- Setting up strong passwords
- Choosing trusted plugins and themes
- Protecting the configuration file and the admin directory
- Securing the login page
- Fighting comment spam
- Blocking access and detecting hacks
- Finding and reporting vulnerabilities
Implementing a firewall
The more popular your site gets, the more of a target it becomes for automated malicious attacks. Scripted attacks occur frequently and involve automated requests for known and/ or potential security vulnerabilities. In this screencast, we protect against these relentless automated attacks by implementing a strong firewall. As seen here in an excerpt from one of my personal error logs, malicious requests such as these are a constant threat to your site.
In addition to the ongoing risk that these unwanted requests bring, they also chew up your server's precious resources, like bandwidth and memory. This slows things down for your legitimate users and reduces the overall performance of your web site. Fortunately, there's a 'set it and forget it' solution to stopping a great deal of this malicious nonsense. It's a plug-in called WordPress Firewall 2, and it's one of best ways to protect against evil requests.
Let's go to the Add New Plugins page and search for the plug-in to take a look. You just type 'WordPress Firewall 2' and click Search Plugins. It should be the first result, so just go ahead and click Details to learn a little bit more about the plug-in. It says here that the plug-in has not been tested with our current version of WordPress, but indeed it has. We've run this plug-in on our site digging in to WordPress, and it works great. It also says that it's compatible with WordPress 3, which is the current version of WordPress.
It's been downloaded over 12,000 times, enjoys excellent ratings based on 11 votes, and it was updated not too long ago. As it describes in the description here, this plug-in is a powerful way of stopping automated attacks and known exploits. In the Installation screen we see that the installation is typical, and as it shows here, the plug-in is already installed on this demo site. So let's close out of the screen and go to the Plugin Configuration page to configure the plug-in and get it working for our site.
Here at the Plugin Settings page, first we have the Security Filters options where the default settings are indeed optimal. We want to block everything, except for the last option, which is useful but may also cause problems with various plug-ins and scripts, so we leave this one unchecked. Then next, we have Upon Detecting Attack. This is your choice. I wish there were an option for a simple 403 Forbidden error, but there's not, so we choose to display the 404 error page, just in case a legitimate visitor is making the request.
Next, in the Email panel set your email preferences, enter your email address here, and for Email type, choose either plain text or html format. And here for Suppress similar attack warning emails, go ahead and leave that set to off for now and then change it later if needed. Finally, we have two boxes, one for whitelisting IPs and one for whitelisting pages. For whitelisting IPs, we will leave this blank for now, but you should definitely add your own IP when configuring your own site.
And here for Whitelisted Pages, if you have any issues with the plug-in blocking specific pages, files, or variables, just enter them here and the plug-in will ignore them, and that's really all there is to it. WordPress Firewall 2 is now working silently behind the scenes, blocking tons of ill requests and other malicious nonsense from getting into your site. With WordPress Firewall 2 in effect, you can sit back, relax, and enjoy better protection against malicious requests.
Whenever the plug-in blocks something, you will get an email notification alerting you of the event. As you'll see, this as an excellent way to keep an eye on your site anytime, anywhere.
There are currently no FAQs about WordPress 3: Developing Secure Sites.