May 12

Part 1, Why We Built It – Security and the WordPress Simple Firewall Plugin

by Paul G.



Articles In This Series:

Part 1: Why we built the WordPress Simple Firewall
Part 2: Plugin Self Protection
Part 3: WordPress Firewall Feature
Part 4: WordPress Login and Brute Force Hacking Protection
Part 5: The WordPress Comment SPAM Killer
Part 6: WordPress Automatic Updates Management

The WordPress Simple Firewall is our answer to WordPress security management.

We built it to solve a few key issues we found with WordPress security and existing WordPress security plugins, namely:

  • Ease of use (or lack thereof)
  • WordPress and web hosting compatibility (or lack thereof)
  • Effectiveness combined with simplicity (or lack thereof)

In this article I’ll give a bit of background to the ethos and motivations behind the WordPress Simple Firewall, and what exactly drives the development of features.

I want to answer some questions, such as why we set out to make this plugin in the first place, and where do we see the plugin going in the future, and why you might use this plugin over some of the more established alternatives.

Hopefully all these questions will be cleared up by the time you reach the end. Buckle in. :)

Why did we build the WordPress Simple Firewall Plugin for WordPress?

Basically it came down to being unhappy with the current state of WordPress security plugins on the market.

Let me first be clear: there is no way to fully secure your sites against all of the many different attack methods out there, and WordPress security should be only one part of your security plan. All you can do is reduce your attack surface.

The best way to understand why we built the Simple Firewall plugin is to see the principles upon which it is constructed. We found many of the pre-existing plugins didn’t meet our requirements for a security plugin, and felt we had a role to play in making WordPress security more accessible, more compatible, and above all… more secure.

Key Tenets of the WordPress Simple Firewall plugin

We made a decision at the beginning of the WordPress Simple Firewall development:

→ to maximise WordPress and web hosting compatibility

What does that mean?

  • it uses native (built-in) WordPress functions and features wherever possible and where it makes sense to do so. Where necessary, we built in backwards compatibility with older versions of WordPress, and we’re committed to maintaining the plugin to ensure it is fully compatible with the latest available versions of WordPress. It means that if other plugins also use WordPress native functions, we’ll all play happily together :)
  • it has no disk-writing dependency. We learned with iControlWP that writing to disk from WordPress is a troublesome thing in many web hosting environments, so while we do write to disk sometimes, we don’t rely on it. And when we do, we use the native WordPress objects where possible.
  • it makes no modifications to site-wide .htaccess files. We will never be responsible for toasting your WordPress site because we introduced a bug and destroyed your .htaccess. Too many plugins are hitting these files, we found, and it more often than not breaks websites because the variables involved are too numerous to count. The last thing we want is a broken .htaccess party – the worst kind of party.

All this means we are far, far less likely to knock your website offline, or lock you out of your WordPress admin, or block legitimate visitors.

When WordPress upgrades, it means we’re going to be compatible, and it means for really restrictive web hosting environments, we still work as we’re not reliant on disk-writing, and we’re using WordPress itself to do our heavy lifting.

We felt it was better to build a plugin that played nice, was highly effective, and was easy for you to get started.

Tenet 1: Our Special No More Tears Formula

There are 2 things we really hate… getting shampoo in our eyes since it really stings, and getting locked out of our websites.

The Simple Firewall can’t stop the tears from stingy shampoo, but it can stop the hair-pulling, frustration-induced, tears that come from being locked out of your website by a security plugin.

We provided a simple “off” switch to completely turn off all firewall features in case you get locked out, or we accidentally release a dud (this has never happened!).

Tenet 2: Maximum Compatibility

There are “popular” WordPress security options out there that don’t actually protect your site; they typically add complications to your WordPress installation and, if something goes wrong, lock you completely out of your site.

We’ve opted for Pareto’s Principle and we employ seriously simple security mechanisms to block hugely common attack vectors.  We don’t need to “hide” your WP login page to make your site more secure.  No, that sort of jiggling around with WordPress makes your site more incompatible with just about any other plugin available that might also need to work with the WP login process.

Tenet 3: Easy to use

There’s nothing worse than installing a plugin and being overwhelmed by all the gadgets and gizmos, like buttons, graphs, and everything else that plugin developers squeeze into their products.

We knew this plugin would have a lot of options, there’s no way around that. But we wanted selecting options to be intuitive, and for the users to know why they are choosing an option, and the changes they would make to the site.

Every option in the plugin is a clear checkbox or text area, each option has a summary title and a summary explanation/description. And most now contain direct links to our plugin support centre where the option is explained in much more detail.

We feel it would be hard to make the plugin more accessible to users than it currently is, though of course we’re always open to suggestions.

Tenet 4: Prevent attacks through data posted to the site

This is the main backbone of the plugin – the Firewall.

It analyses all data passed to the site and looks for known attack patterns in that data. The user has full control over which types of pattern are blocked, and that is what ensures maximum compatibility across sites, since no one configuration is suitable for everyone.

Tenet 5: Protect against unauthorized security plugin access

WordPress administrator access should not necessarily mean access to WordPress security management.

This plugin is the only security plugin available that allows administrators to completely lock down access to the plugin options themselves. This means that any unauthorized user, or any uninformed administrator, cannot unwittingly (or otherwise) disable or change any WordPress Simple Firewall options.

Tenet 6: Performance – as small a processing/memory footprint as possible

With so many options, it’s easy to store an option for each setting individually in the WordPress database. This isn’t very efficient.

Instead, we have settled for 1 or 2 options stored per plugin feature section. This makes options storage and loading more efficient, and it only loads those options that are required depending on the features enabled.

We also make full use of WordPress filters and action hooks to ensure that code is loaded/processed only when it’s required.

There are always ways to improve performance and efficiency, and we recognise this is an ongoing process. We’re happy to take on any feedback users and developers have on this topic.
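The two storage ideas above (one option row per feature section, and settings read only when that feature’s hook fires) can be shown in a few lines. The following is an added example, not the Simple Firewall’s own code: the `sfx_` option names, the section names and the `SfxOptions` class are assumptions for illustration. The real WordPress functions `get_option()`, `update_option()`, `add_action()` and `do_action()` are used when the file is loaded inside WordPress; when it is run on its own, small in-memory stand-ins defined at the top take their place so the behaviour can be observed.

```php
<?php
// Added example (not the Simple Firewall's own code) illustrating Tenet 6:
// one serialized option row per feature section, read only when a hook for
// that feature actually fires. Option names prefixed 'sfx_' are assumptions.

// Minimal stand-ins so the file runs outside WordPress; inside WordPress the
// real get_option()/update_option()/add_action()/do_action() are used instead.
if (!function_exists('get_option')) {
    $GLOBALS['sfx_db'] = [];
    $GLOBALS['sfx_hooks'] = [];
    function get_option(string $name, $default = false) {
        return $GLOBALS['sfx_db'][$name] ?? $default;
    }
    function update_option(string $name, $value): bool {
        $GLOBALS['sfx_db'][$name] = $value;
        return true;
    }
    function add_action(string $hook, callable $cb, int $priority = 10): void {
        $GLOBALS['sfx_hooks'][$hook][] = $cb;
    }
    function do_action(string $hook): void {
        foreach ($GLOBALS['sfx_hooks'][$hook] ?? [] as $cb) {
            $cb();
        }
    }
}

final class SfxOptions {
    // section name => settings array, filled on first access only
    private static array $loaded = [];

    public static function section(string $section): array {
        if (!array_key_exists($section, self::$loaded)) {
            $row = get_option('sfx_' . $section, []);   // one DB row per section
            self::$loaded[$section] = is_array($row) ? $row : [];
        }
        return self::$loaded[$section];
    }

    public static function get(string $section, string $key, $default = null) {
        return self::section($section)[$key] ?? $default;
    }

    // Merge changes and write the whole section back with a single update_option().
    public static function set(string $section, array $changes): bool {
        $merged = array_merge(self::section($section), $changes);
        self::$loaded[$section] = $merged;
        return update_option('sfx_' . $section, $merged);
    }

    public static function loadedSections(): array { return array_keys(self::$loaded); }
    public static function reset(): void { self::$loaded = []; }   // simulates a new request
}

// Only the small 'plugin' section (which features are on) is read at boot;
// each feature's own settings are read inside its hook callback.
function sfx_bootstrap(): void {
    if (SfxOptions::get('plugin', 'firewall_on', false)) {
        add_action('init', function () {
            $blocked = SfxOptions::get('firewall', 'blocked_groups', []);
            // ... run the request scan using $blocked ...
        }, 1);
    }
    if (SfxOptions::get('plugin', 'login_on', false)) {
        add_action('wp_login_failed', function () {
            $max = SfxOptions::get('login', 'max_attempts', 5);
            // ... record the failed attempt and compare against $max ...
        });
    }
}

if (!defined('ABSPATH')) {
    // Constructed settings: firewall on, login protection off.
    SfxOptions::set('plugin',   ['firewall_on' => true, 'login_on' => false]);
    SfxOptions::set('firewall', ['blocked_groups' => ['dir_traversal', 'sql_queries']]);
    SfxOptions::set('login',    ['max_attempts' => 3]);

    SfxOptions::reset();
    sfx_bootstrap();
    echo 'after bootstrap: ', implode(',', SfxOptions::loadedSections()), "\n";   // plugin
    do_action('init');
    echo 'after init:      ', implode(',', SfxOptions::loadedSections()), "\n";   // plugin,firewall
    // 'login' is never read: its feature is off and its hook never fires.
}
```

After bootstrap only the `plugin` section has been read from the database; the `firewall` section is loaded when `init` fires, and the `login` section is never loaded at all in this request. With one row per section the number of database reads scales with the features actually exercised rather than with the total number of settings.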

Tenet 7: No premium upgrade options or feature-gating

There will never be a premium version of the WordPress Simple Firewall plugin.

Where To Next – the holy grail of WordPress Security Management

It’s important to note that while there is no premium version of the WordPress Simple Firewall, one of our long-term goals for the Simple Firewall is centralized WordPress security management. We plan to achieve this using our iControlWP multiple WordPress management control panel (there is no way to build this into the plugin itself).

We will be offering the ability to centrally control options across all your WordPress sites at once, instead of directly on the sites.

We feel this is the easiest, most advanced method of WordPress network and security policy management.

This factor was also a motivation for the development of this plugin in the first place.

I hope after reading this you understand much more about the development principles underlying the WordPress Simple Firewall plugin. Please feel free to leave a comment below, or drop us an email if you have any questions.



Claude Gelinas May 21, 2014 at 6:59 pm

Your plugin works well with all my blogs and I like the fact it’s free.

I recommend every WordPress blogger out there takes it for a spin. Web attacks are real and a intelligently crafted protection, like yours, evens out the battle field.

Let’s face it, I’m not in front of my computer all the time and if a web attack arrives, I’ll know much later and by that time, there will likely be nothing left of my blog so that’s how important your plugin is, to me.

Continue your great work!


Paul G. May 21, 2014 at 7:51 pm

Hey Claude!

Awesome :) I love that the plugin is working for you and as you say, it’s important to have something there especially while you’re not.

Thanks for taking the time to leave a comment and share your thoughts! Much appreciated.

Cheers,
Paul.


Keith Davis May 21, 2014 at 8:47 pm

Hi Paul
I love the plugin and your 7 tenets should be the guiding force behind every plugin.

I recently tried a well known slider plugin, which has a premium version and I couldn’t believe how slow the free version was.
Evidently the premium version is 10x faster – not much consolation if you’re using the free version.

I’m glad you shared your long term goals because it’s important for all of us to look to the future.


Paul G. May 21, 2014 at 8:51 pm

Hey Keith,

Yea, I’m not a big fan of crippling a plugin so as to push sales… just not the angle we want to take with this.

Thanks for dropping in and sharing your thoughts… appreciate your feedback!
Cheers,
Paul.


Maya May 23, 2014 at 10:42 pm

I just installed your plugin and like the simplicity of it. It’s my one and only security plugin. I’m no pro at all, so I did lots of research… it took me more than a week to decide which plugin to use. That it doesn’t mess with .htaccess was a deciding factor. I added some code there myself. I got rid of Jetpack in the process too. I’m curious what you think about CloudFlare since it’s offered by the hosting company I use. Would it work with your plugin? Thanks so much!


Paul G. May 26, 2014 at 12:28 pm

Hi Maya,

Thank you for your comment, and for putting your trust in our plugin to protect your sites.

As to CloudFlare, we’ve written about it a few times ( http://www.icontrolwp.com/2012/08/cloudflare-boost-wordpress-security-performance/ ) because we use it on nearly every site we run. Definitely worth having, if not for the security, then for the caching and speed upgrade.

Thanks again for leaving your comments :)
Paul.


RahulB June 4, 2014 at 7:09 am

I am really impressed with this security plugin. One question: with this plugin, do I need any other security plugin?


Paul G. June 4, 2014 at 11:48 am

Hi Rahul,

Thanks for leaving us a comment here … glad to hear you like it!

We believe you shouldn’t need another WordPress security plugin – this one covers all the bases. You also shouldn’t need a SPAM comments plugin such as Akismet, or a login attempts/lockdown plugin etc…

Our latest review here told of how they were able to remove 4 other plugins:
http://wordpress.org/support/topic/replaced-3-4-plugins-with-this-plugin?replies=1

Hope that helps!
Paul.


