How to Firewall Your WordPress Blog

You already know to use a decent password for your blog, but brute-force and dictionary attacks aren’t the only attacks used against bloggers. It’s much cheaper and faster to exploit software flaws, and that is exactly what attackers do. A programmer’s oversight may allow an attacker to gain access to your blog and insert spyware, adware, or links to various pharmaceuticals you’d prefer not to speak about in front of your mother.

And it’s not just WordPress proper. WordPress has caught some major criticism for its security holes — but lately it’s been a bunch of insecure plugins, not WordPress itself. Matt Mullenweg counters the argument that WordPress is insecure over here. I think he’s totally right — WordPress has a rich “plugin ecosystem” that no other blogging platform can touch.

However, the problem remains. WordPress has some great plugins written by people with the best of intentions — but who may not understand how important it is to sanitize data supplied by untrusted users, and what it does to security when they don’t. Upgrading often, setting permissions, using good passwords, etc. — all of that helps a lot — but unless you have the time and ability to painstakingly audit all of the program code for security vulnerabilities, you’d be best off running one of the WordPress firewalls —

1. WPIDS

WPIDS protects your blog from malicious code injection. Any request judged malicious is logged to a database for later analysis, and you can set up email notification for attacks with a very high impact rating. The plugin’s back-end pages tell you when new filter rules are available, and you can check a list of the latest intrusion attempts.

But the most important feature of WPIDS is that you can block attackers for a period of time if they are running wild on your blog. The plugin is built on the 0.3.2 core of PHPIDS; a version based on the upcoming 0.4 milestone is due to be released soon.

This hasn’t been updated in a while and only works with PHP5. I’d nag BlogSec guys for an update before using it. More info here

2. Maximum Security

This one looks pretty good. For now it’s vaporware, but I expect it will be good when it does come out. It does more than firewall: it also removes version signatures, sets Apache passwords, etc. There are plenty of plugins that do that, but if you like integration, it will probably be a good install.

Link: http://wpsecurity.net/

3. Firewall Script

Firewall Script has a WordPress module that can be installed to protect WordPress. It looks promising, but some of the claims on the web site make me nervous. I think it might be a great product, and I was going to try it — but the author claims 100% protection, and that you don’t need to upgrade for security anymore. That was a turn-off for me. In fact, the folks at Maximum Security say “Beware of those guys out there who claim that their so-called security solution can ‘stop all attacks’ because that’s a flat out lie based in either deception or sheer ignorance.”

Link: http://firewallscript.com/wordpressfirewall.htm

4. WordPress Firewall SEO

Disclaimer: This one’s by my company. While it’s not the most robust, it does what it does well. It basically has a hard-coded set of things that it rejects, a pre-fitted whitelist so that it works out of the box — so comments don’t blow up when someone types wp_whatever — and a configurable set of extra whitelists. Emails are sent when a bad boy attacks your blog. They look like this —

[Screenshots: two sample notification emails sent by WordPress Firewall SEO when a request is blocked]

Link: http://www.seoegghead.com/software/wordpress-firewall.seo

Summary

They all have their advantages. I haven’t tested all of them at length, and in the interest of being fair, I’ve put mine last. I think ours does a bunch of things right. For one, we make sure we’re the first plugin to load, so if another plugin executes something outside of a hook, the request is still intercepted. Then again, ours might not catch as much as WPIDS, since WPIDS is based on PHPIDS. But it’s certainly by far the easiest to install, being a single-file plugin.
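To make the mechanism described above concrete (a hard-coded deny list, a built-in whitelist so ordinary comment text is not blocked, a configurable extra whitelist, email notification, and loading before every other plugin), here is an added illustrative example. It is not the code of WordPress Firewall SEO or of any other plugin named in this post; every `mrf_*` function and the `mrf_extra_allow` option name are invented for this example, and it assumes the file is placed in `wp-content/mu-plugins/`, which WordPress includes before any regular plugin. It goes slightly beyond the post in that it also walks nested form fields (`name[]=value`).

```php
<?php
/*
Plugin Name: Minimal Request Filter (illustrative example, not a published plugin)
*/

// Hard-coded deny rules, keyed by a short name that appears in the log and mail.
function mrf_deny_rules() {
    return array(
        'traversal' => '#\.\.[/\\\\]#',                                 // ../ or ..\
        'script'    => '#<\s*script\b#i',                               // inline script tag
        'sqli'      => '#\bunion\b.{0,40}\bselect\b#i',                 // UNION ... SELECT
        'phpcall'   => '#\b(?:eval|base64_decode|system)\s*\(#i',       // PHP call in a value
        'wptables'  => '#\bwp_(?:users|options|usermeta)\b#i',          // core table names
    );
}

// Allow rules: a value that fully matches one of these is accepted even if a deny
// rule also matches, so a bare WordPress identifier typed into a comment
// (e.g. "wp_users") does not get the visitor blocked. Site owners can add their
// own patterns through the (invented) mrf_extra_allow option.
function mrf_allow_rules() {
    $built_in = array('#^wp_[a-z0-9_]+$#i');
    $extra    = get_option('mrf_extra_allow', array());
    return array_merge($built_in, is_array($extra) ? $extra : array());
}

// Returns the name of the first deny rule a value trips, or null if it is clean.
function mrf_check_value($value) {
    foreach (mrf_allow_rules() as $allow) {
        if (preg_match($allow, $value)) {
            return null;
        }
    }
    foreach (mrf_deny_rules() as $name => $deny) {
        if (preg_match($deny, $value)) {
            return $name;
        }
    }
    return null;
}

// Flattens nested request arrays (name[]=x, name[key]=y) into "name => value" pairs.
function mrf_flatten($data, $prefix = '') {
    $out = array();
    foreach ($data as $key => $val) {
        $full = ($prefix === '') ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($val)) {
            $out = array_merge($out, mrf_flatten($val, $full));
        } else {
            $out[$full] = (string) $val;
        }
    }
    return $out;
}

function mrf_inspect_request() {
    $fields = mrf_flatten(array_merge($_GET, $_POST));
    $fields['__request_uri'] = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

    foreach ($fields as $name => $value) {
        $rule = mrf_check_value($value);
        if ($rule === null) {
            continue;
        }
        $ip      = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        $summary = sprintf('rule=%s field=%s ip=%s uri=%s', $rule, $name, $ip, $fields['__request_uri']);
        error_log('mrf blocked request: ' . $summary);

        // The offending value is truncated so the notification itself cannot carry
        // an arbitrarily large payload into the admin's inbox. wp_mail() is not yet
        // defined this early in the request, so fall back to PHP's mail().
        $to      = get_option('admin_email');
        $subject = 'Blocked request on ' . home_url();
        $body    = $summary . "\nvalue: " . substr($value, 0, 200);
        if (function_exists('wp_mail')) {
            wp_mail($to, $subject, $body);
        } else {
            mail($to, $subject, $body);
        }

        header('HTTP/1.1 403 Forbidden');
        exit('Request blocked.');
    }
}

// Called at file level, not from a hook: because mu-plugins are included before
// regular plugins, this runs before any other plugin's top-level code executes.
mrf_inspect_request();
```

The ordering is the point the summary makes: a check registered on a hook can only see requests after every plugin file has already been included and run its top-level code, whereas a must-use plugin that inspects the request at include time runs first. The trade-off is that very little of WordPress is available that early (no pluggable functions such as `wp_mail()`), which is why the example falls back to `mail()`.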

Don’t obsess over which to install — just do some research and install one of them. It won’t protect you against everything, but you’ve got nothing to lose.

About Author

Jaimie Sirovich is a search engine marketing (SEM) consultant. He works to build powerful online presences for his clients. Jaimie enjoys working to improve site-architecture with regard to search engine optimization without sacrificing usability. He also loves to talk shop, so don’t hesitate to drop a line when you have a question.


Comments

Great post! Which one you recommend us to install?

I heard I’m biased ;) But I probably recommend mine and blogsecurity.net’s when they update it.

His is better in substantial ways because it’s based on a more robust framework (PHPIDS). But its robustness also makes it more complex. Mine is pretty simple to install and gets you most of the benefit.

I have reservations about the claims of Firewall Script, as does the guy at Maximum Security.

Maximum Security may turn out to be the best solution — and better than everything else out there, but I’d like to see it all work before I comment on it further.

Hope this helps …
J.


[...] second is “How to Firewall Your WordPress Blog” by Jaimie Sirovich of SEO Egghead guest blogging on BlogSecurity. He covers options to help [...]

I couldn’t find your plugin when I searched the WordPress Plugins. Will it be included there as an “official” plugin? I generally don’t install anything unless I find it at WordPress.

Amazing. Thanks a lot. After my blog was hacked once, I highly recommend all security measures and plugins which can protect your blog. Must be very very careful. Especially the SQL injection threat. Upgrading is always essential.

About two times I have lost my blogs.

This issue is serious.

Thanks for putting this information for us Wordpress users. Both me and my wife both use WP and I will now look in to these options for better protection for us. Thanks

@Cheryl F. I’m going to submit my next version to the official plugins directory. I understand your concerns, but we haven’t had the time.

The next version has a few bugfixes … a few oversights and better protection around some edges.

What’s the difference between the protection provided by WordPress Firewall SEO and Firewall Script compared to that of ModSecurity?

Trey, that’s a good point, we didn’t touch on ModSecurity, which we probably should have. We have got some info on implementing ModSecurity with WordPress (a bit outdated though):
http://blogsecurity.net/wordpress/modsecurity-and-wordpress-defense-in-depth

For clarity’s sake, in this particular article the term “vaporware” obviously means that someone has the code – but not you.

In other contexts it might mean “so far it remains an empty promise” – but in terms of Maximum Security that’s not the case – because I do have a copy and it does work. It’s in its alpha stage right now.

Based on what I’ve heard it hasn’t been released to beta yet because about 80% of the people who signed up to beta test didn’t bother to follow the sign up instructions so they can’t be expected to be reasonable beta testers since they won’t follow beta instructions either. Therefore the code will have to be relatively idiot-proof before it can go out to beta.

@G:

That’s a strangely defensive response, considering I emailed Maximum Security (I’m assuming you’re friendly or involved over there) quite a few times expressing interest — and even referenced that I wanted to see it before guest-posting here. I only said it was vaporware after getting no response from the developers. I apologize if that was premature.

If you want me to review it … by all means send me an email.

I think it was a fair assessment. I’m sorry if I’ve offended anyone, and I gave them a plug.

I have no doubt that it will be great — and I said that — when/if it comes out. However, in the interest of being honest, I had to say it didn’t exist.

Yes, I checked before I wrote the article.

Thanks,
Jaimie Sirovich
SEO Egghead, Inc.

Hey, I’d like to thank you guys for this article. I installed the WordPress Firewall SEO last week and today someone from China tried to hack our site multiple times (we received 7 emails showing 7 separate attacks from the same person).

The plugin blocked their attempt, sent us emails, showed us what they were trying to do and gave us their IP address.

We immediately banned their IP through .htaccess. Their IP was from China. I can post the IP if you’d like, but I’d like to ask first.

Thanks again. Also, is there a donate link for the plugin anywhere – I think it’s only right, even if it’s just a few bucks.

[...] Security Posted on Sunday, April 12, 2009 by Tim Fehlman   Recently found How to Firewall Your WordPress Blog to be useful. From the website: You already know to use a decent password for your blog, but [...]

You’re too kind. As far as I’m concerned, it’s vaporware until proven otherwise. It was announced back in mid to great fanfare. A beta test version would be forthcoming “soon”. I guess that depends on what “soon” means. The last blog post on the site was January 24. The forum contains messages from people who signed up for the beta test but never heard anything more. That would include me and I do know how to fill out a form properly, at least the simple ones like that one.

Just because somebody claims to have an alpha copy doesn’t make it real. Still waiting!

Another layer available for *nix users is .htaccess. A very powerful set of .htaccess directives is available at http://perishablepress.com/press/2009/03/16/the-perishable-press-4g-blacklist/

How about the Bad Behavior plugin?

Firewall Script stopped selling. They are not accepting new orders (at least at the moment).

I’d really like to use your plugin but don’t understand your install instructions for WordPress Firewall Plugin.

You’ve got a download file and then instructions to copy a program – how can you copy a program to a file?

How about doing a camtasia video so we understand how to install your plugin? Would be really helpful.

Thanks!

[...] relatively recent review of other blog security plugins can be found over here — fair warning: haven’t tried any of them, but some of them do sound [...]

I have the firewall script installed. Problem is, it worked too well. The wannabe hackers from China became frustrated, and simply sent a DDoS attack after the server. :-(

hi,
yes, I am using this script on my own blog.
It is quite successful.
http://ugurengin.com/blog/wordpress-firewall-script-plugin/

Just installed your one on a site as it’s been having all kinds of problems of late. One thing I always say to people who mention .htaccess (this is aimed at the comments above, not the OP!) is that, if you can, you should use httpd.conf instead of .htaccess for speed. I won’t go into the reasons, just do some logical Google searches!

I will let you know what your plugin turns up for us if and when it does!

Hi Jaimie
Thanks for taking the time to review the security plugins.
I’m new to wordpress and all I read about is worms and injection attacks.
Think I’ll use your “WordPress Firewall SEO” plugin.

Couple of questions:
1 Is your plugin free?

2 Are the best settings for the plugin the ones that you show in the screenshots?

Many thanks.

Hi Jamie
Just set up your plugin.

Great review of setting it up at
http://wpbloghost.tv/seo-egghead-wordpress-firewall-plugin/comment-page-1/

Regards
