Join Jeff Starr for an in-depth discussion in this video Block access, part of WordPress: Developing Secure Sites .
- [Tutor] In this video, we equip ourselves with a powerful way to protect our site against the bad guys. Keeping an eye on our server log files, we employ the excellent WP-Ban plugin to block specific threats and other malicious activity. To really take your security to the next level, it's important to keep an eye on your site's error logs and activity logs. Such logs are readily available from your server control panel and elsewhere, so ask your host if you don't see them. Here we have an excerpt from a hypothetical error log where various details are recorded for each URL request.
These are malicious requests, as evidenced by the nasty strings contained in the URLs. The rate of these bad requests is about one per second. And they all have the same recorded referer, IP address, and user agent. This sort of malicious activity happens constantly, and does a good job of wasting server resources and slowing things down for your legitimate visitors. There are many solutions for defending against these types of bad requests, but for WordPress-powered sites, the easiest way is to simply block them with a plugin such as WP-Ban.
Here it is. Checking the details, everything looks good. It's current with the latest version of WordPress, it's been recently updated, it's popular with over 20,000 active installs, and it has decent reviews. And reading the description, we see that this plugin enables us to ban users based on their IP address, host name, and referer. Looks like some good features, and the installation steps are typical and straightforward.
In fact, WP-Ban is already installed on this demo site. So let's go ahead and activate the plugin and see how it works. Once the plugin is activated, we can visit its settings page by going to Settings > Ban. Here on the WP-Ban settings page, first and foremost, the plugin displays your own IP address, host name, and other details. Then you have an option to check if your site is behind a proxy server.
Go ahead and leave this setting as is unless you know for sure otherwise. Next we have the banned fields themselves, where we can block requests by various criteria. We have banned IPs, banned IP range, banned host names, banned referers, banned user agents, and so on. There's also a banned message that would be displayed for any blocked request. The default message is pretty basic, so feel free to spice it up with whatever floats your boat.
Really, at this point, there's nothing to configure. Everything is ready to go out of the box. Also notice, just beneath the plugin settings, is a section that displays the details of any blocked requests. We'll revisit this section a bit later. To see how the plugin works, let's return to our hypothetical error log and immunize our site against future attacks. There are plenty of ways to block these types of requests. We've got the referer, IP address, user agent, and the request string.
If we determine that the user agent, Evil Bot, is a bad bot, we can block it with WP-Ban. We can also block the IP address, which we'll go ahead and do. So we copy the IP address and return to the WP-Ban settings page. Then we scroll to the banned IPs section and add the IP address. If desired, we can also block the associated user agent, Evil Bot. We scroll to the user agents section and type Evil Bot.
Then we scroll down to the save changes button to save our changes, and that's all there is to it. Any request matching either the IP address or the user agent will be blocked and presented with the banned message. And of course, this message is customizable, using any of the variables shown here. Now let's see the plugin in action. We can't spoof an IP address here, but we can spoof a user agent by going to a site such as Request Maker.
First, set the request method or type to POST. Then enter the URL of our demo site, or your site if you're following along. We'll copy our domain from here and just paste it into place. Then add another request header for the user agent, and for the value, enter Evil Bot. Then click submit to send the request, and great. Viewing the response, we see that the Evil Bot has been banned.
Notice the highlighted text, which shows that our banned message has been sent. Finally, let's return to the WP-Ban settings and verify that it recorded the blocked request. We scroll down and see that, yes, the blocked request was recorded. This makes it easy to keep an eye on things from within the admin area. Note that the plugin also provides a way to reset the ban stats if necessary. Going further, in addition to manually blocking bad bots with WP-Ban, you can use my plugin Blackhole for Bad Bots to automatically block bad bots in a virtual black hole.
It's all done silently and behind the scenes, keeping bad bots at bay and normal visitors happy. In this tutorial, we've seen how to get more fine-grained control over your site's security. The powerful WP-Ban plugin makes it easy to block specific threats and attacks, so you can keep your site safe, secure, and performing great.
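The workflow in the video (read the log, spot the one source hammering nasty URLs, ban its IP and user agent, then confirm a spoofed User-Agent gets blocked) as an added, self-contained example. This is not code from the course and not the WP-Ban plugin's own source. The log lines are constructed and use Apache "combined" access-log format rather than the error-log excerpt shown in the video; the matching rules (case-insensitive substring for user agent and referer, CIDR for IP ranges) and the handling of the "behind a proxy" setting are my assumptions about how such a filter should behave, not a description of the plugin's internals. The proxy handling shows the caveat behind the setting the video tells you to leave alone: X-Forwarded-For is only trustworthy when your own proxy sets it, otherwise a client can choose which address gets compared against the ban list.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample lines (not from the video): one source sending hostile
# URLs with the same referer and user agent, then one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?cat=../../../../etc/passwd HTTP/1.1" 404 162 "http://evil.example/" "Evil Bot/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-admin/admin-ajax.php?action=%3Cscript%3E HTTP/1.1" 403 162 "http://evil.example/" "Evil Bot/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /?id=1%27%20OR%201=1 HTTP/1.1" 404 162 "http://evil.example/" "Evil Bot/1.0"
198.51.100.20 - - [10/Oct/2023:13:55:39 +0000] "GET /about/ HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that mark a request as hostile: path traversal, script tags (raw
# or URL-encoded) and SQL meta-characters. Illustrative, not exhaustive.
SUSPICIOUS = ("../", "<script", "%3cscript", "%27", "' or ", "union select")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def suspicious_sources(entries: Iterable[Dict[str, str]]) -> Counter:
    """Count hostile requests per (ip, user agent, referer) triple: the
    'same source, same bot, same referer' pattern the video points at."""
    counts: Counter = Counter()
    for e in entries:
        if any(s in e["request"].lower() for s in SUSPICIOUS):
            counts[(e["ip"], e["ua"], e["referer"])] += 1
    return counts


class BanList:
    """WP-Ban-style block lists (assumed semantics, see lead-in)."""

    def __init__(self, ips=(), ip_ranges=(), referers=(), user_agents=(),
                 behind_proxy: bool = False):
        self.ips = set(ips)
        self.ip_ranges = [ipaddress.ip_network(r, strict=False) for r in ip_ranges]
        self.referers = [r.lower() for r in referers]
        self.user_agents = [u.lower() for u in user_agents]
        self.behind_proxy = behind_proxy

    def client_ip(self, remote_addr: str, headers: Dict[str, str]) -> str:
        # Honour X-Forwarded-For only when a proxy you control sets it. With no
        # proxy the header is attacker-supplied, so using it would let a client
        # pick which address is checked against the ban list.
        if self.behind_proxy and headers.get("X-Forwarded-For"):
            return headers["X-Forwarded-For"].split(",")[0].strip()
        return remote_addr

    def reason(self, remote_addr: str, headers: Dict[str, str]) -> Optional[str]:
        """Return why the request is banned, or None if it should be served."""
        ip = self.client_ip(remote_addr, headers)
        if ip in self.ips:
            return f"ip {ip}"
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None
        if addr is not None and any(addr in net for net in self.ip_ranges):
            return f"ip range {ip}"
        referer = headers.get("Referer", "")
        if referer and any(r in referer.lower() for r in self.referers):
            return f"referer {referer}"
        ua = headers.get("User-Agent", "")
        if ua and any(u in ua.lower() for u in self.user_agents):
            return f"user agent {ua}"
        return None


def bans_from_log(text: str, threshold: int = 3) -> BanList:
    """The copy-and-paste step from the video, done from the log: every triple
    with at least `threshold` hostile requests contributes its IP, UA, referer."""
    ips, uas, refs = set(), set(), set()
    for (ip, ua, referer), n in suspicious_sources(parse_log(text)).items():
        if n >= threshold:
            ips.add(ip)
            uas.add(ua)
            if referer and referer != "-":
                refs.add(referer)
    return BanList(ips=ips, user_agents=uas, referers=refs)


if __name__ == "__main__":
    bans = bans_from_log(SAMPLE_LOG)
    print("banned ips:", sorted(bans.ips), "banned UAs:", sorted(bans.user_agents))
    # The Request Maker step from the video: a spoofed User-Agent from a new IP.
    print(bans.reason("192.0.2.55", {"User-Agent": "Evil Bot/1.0"}))
```

Run it against your own access log by replacing SAMPLE_LOG with the file contents; the threshold stops a single odd request from banning a visitor, and the `behind_proxy` flag should be set only when the site really sits behind a reverse proxy or CDN that rewrites X-Forwarded-For.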
- Backing up and restoring your site
- Setting up strong passwords
- Understanding users and roles
- Choosing trusted plugins and themes
- Changing and recovering passwords
- Configuring authentication keys
- Securing the login page
- Fighting spam in the comments
- Blocking access and detecting hacks
- Building a firewall for WordPress
- Detecting and blocking bots
- Auditing your WordPress security