The more I have worked on the WordPress Simple Firewall plugin, the better I have come to understand the problem that is WordPress security.
This takes time. WordPress security has many facets that change constantly as the technology behind it develops.
One of the greatest challenges in WordPress security is education: it is a complex topic, and implementing it isn’t easy. This is a problem we’ve addressed with the WordPress Simple Firewall plugin.
In this article I’ll discuss one of the greatest threats to WordPress security – the Misinformation Virus – and debunk an example myth that’s still being perpetuated by WordPress administrators and security plugins.
The responsibility of a WordPress Administrator is not to know everything but to verify everything
Yes, it’s true, you don’t have to know everything. And this certainly includes all the intricacies of WordPress security.
Securing a WordPress site is not trivial. I know this, not because I’m told it’s not trivial, but because I built the WordPress Simple Firewall plugin from scratch, learning first-hand what’s involved in securing a WordPress site.
Do I profess to know everything? No.
Is there still a lot to learn? Absolutely yes!
What I understand about WordPress security comes from my research into the topic while creating our own WordPress security plugin. It didn’t come from drinking the WordPress security Kool-Aid piped to us by every WordPress security “expert” with an opinion.
This lets me see through the B.S. that’s put out there. And unfortunately there’s a lot of it.
So, what you need to realise from this article, if nothing else, is that you can’t know everything. And that’s okay – it’s okay to rely on information you receive and read on the Internet. BUT…
But, you should always question what you’re told, and ask whether the source of this advice is qualified to be giving it.
Start with me… you should already be questioning whether I’m qualified to talk on this topic. Well, am I?
Who am I exactly?
What do I know about WordPress security?
If you have your doubts, shoot me an email and see what I’m about. Look around the site and the blog for our articles on security and discover whether we know much about WordPress or not.
What’s my point? Do your research.
So what is the Misinformation Virus and how does it spread?
An example of the misinformation virus works like this:
- WordPress Security Plugin offers FeatureX.
- Some WordPress administrators love the sound of FeatureX and implement it on their sites.
- These administrators believe FeatureX is important and useful to their site security.
- FeatureX may have been recommended to them either by someone on a forum or by the vendor of the plugin itself.
- These administrators probably haven’t taken the time to consider fully what this feature means in the context of WordPress security. But the fact that they believe it to be important is all that matters.
- They love FeatureX. They love it so much that they now also offer help in forums, to their friends, or to anyone who will listen to them, suggesting they use FeatureX and the plugin that carries it.
- Whether the FeatureX is actually important or not doesn’t matter, but it makes everyone feel warm and fuzzy inside. They’ve “secured” their site from a particular threat, and they’re helping others do the same.
- And so the misinformation virus spreads.
This Misinformation Virus arises from two core characteristics of this behaviour:
- Firstly, FeatureX was assumed to be amazing and useful, and effective for the job it was purported to do.
- Second, after the initial assumptions were made, it was spread to other people in the community as “fact”, and so was rarely, if ever, questioned let alone verified.
Example of the Misinformation Virus pertaining to WordPress Security
Buckle in! Hold on to your hats!
What I’m about to tell you flies in the face of conventional “wisdom” and practice within the WordPress security community. Why? Because this idea has been perpetuated endlessly by some who think they’re in the know.
But the fact of the matter is, when we take a step back and question certain assumptions we hold to be true, we may find that they’re actually completely baseless.
So let’s take an example of misinformation that I saw (again) today, which finally prompted me to write the article you’re reading:
IP Addresses can be used reliably as a basis of identifying undesirable traffic to a site.
By “undesirable”, I mean for example comment spammers, brute force attackers, DoS attacks, or any such traffic that we wouldn’t normally call legitimate.
What does this mean, exactly? Consider the following features you find in most WordPress security plugins:
- IP address ban lists / blacklists
- Geo-location blocking, such as country-based visitor blocking
- Limiting login attempts by IP address after failed logins
- Basically anything that “punishes” an IP address by restricting it from either logging-in, posting a comment, or even loading a page
So why do I call this misinformation? Because it’s wrong – IP addresses cannot, and really should not, be used as such.
To understand this we must first understand a bit more about IP addresses. Below are some important facts relevant to this topic:
- An IP address identifies a unique location or node on the Internet network.
- Most nodes on the network are transient… that is, they are allocated an IP address dynamically which will change within a certain period of time.
- IP addresses can be faked.
- Geo-location (i.e. the mapping of an IP address to geographical location) is not entirely accurate.
- A botnet is made up of hundreds of thousands of machines/nodes – i.e. 100,000s of IP addresses.
- There are around 4.3 billion addresses available on the standard IPv4 system.
- When we finally fully move to IPv6, there will be 3.4×10^38 addresses (that’s a LOT, by the way!)
There are no awards given for having the largest IP address ban list, and there’s nothing to feel good about completely blocking access to your site by a single node. What matters most is whether a visitor was prevented from causing any disruption.
Ask yourself, do you feel you make your website more secure by blocking a single node at a time on your own little WordPress site?
Do you think that protects you? Does that make your WordPress sites more secure?
Why blocking IP addresses doesn’t make your site more secure
Throughout, when I refer to “node”, I’m referring to a unique IP address on the internet. This could be a computer, a server, a bot, a phone… anything connected to the internet.
Given the characteristics of IP addresses listed earlier, here are some reasons why blocking activity on your site based on IP addresses makes absolutely no sense:
An IP blocked today may not block the same node tomorrow
IP addresses are transient, remember? Most machines connect to the internet with a dynamic IP address assigned by their internet service provider. So if you block a particular node today, that node may change its IP address an hour from now, and your website will be none the wiser.
IP Blocking doesn’t scale
Remember how many actual IP addresses are available on the net?
Imagine there’s a global, distributed attack against WordPress sites in progress. “Distributed” in this case means that the attacks are coming from hundreds/thousands/hundreds of thousands/millions of nodes spread across the globe.
Each node has a particular IP address. Let’s say you get hit by this attack and most nodes try 3 times per attack. And your WordPress security plugin blocks an IP address after 3 attempts.
Can you just imagine the size of your lookup table for blocked IP addresses? It’s going to be HUGE!
Not only do you force legitimate users to be checked against this ballooning database, which takes time, you also slow down your server with each database query:
- One query to add the IP address to the lookup database (making sure to add it only once – i.e. checking it isn’t already there)
- Then the query to look up the database on every page visit.
These attacks may not overwhelm your server, but the extra strain you place on your MySQL database server might just push it over the edge.
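To put numbers on the scaling argument above, here is an added simulation (my own example code, not the Simple Firewall plugin’s). It models a typical “ban an IP after N failed logins” table and counts how many attempts of a distributed brute force it actually stopped versus how many addresses ended up in the table. The attacking addresses are constructed at random for the example.

```python
import random


class IpBanList:
    """Minimal model of a plugin-style 'ban after N failed logins' table.
    Constructed for this example; it is not the plugin's own code."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.failures = {}   # ip -> failed attempts so far
        self.banned = set()  # the lookup table every request is checked against

    def is_allowed(self, ip):
        return ip not in self.banned

    def record_failure(self, ip):
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.threshold:
            self.banned.add(ip)


def simulate_distributed_attack(nodes, attempts_per_node, threshold=3, seed=1):
    """Each node makes `attempts_per_node` failed logins from its own address.
    Returns how many attempts reached the login handler, how many the ban
    list actually stopped, and how big the table is afterwards."""
    rng = random.Random(seed)
    # Constructed sample: `nodes` distinct IPv4 addresses as dotted quads.
    addresses = [".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))
                 for n in rng.sample(range(1, 2**32 - 1), nodes)]
    bans = IpBanList(threshold)
    served = blocked = 0
    for ip in addresses:
        for _ in range(attempts_per_node):
            if bans.is_allowed(ip):
                served += 1
                bans.record_failure(ip)  # every guess fails, as in a brute force
            else:
                blocked += 1
    return {"served": served, "blocked": blocked, "table_size": len(bans.banned)}


if __name__ == "__main__":
    # The article's scenario: each node tries 3 times, the plugin bans after 3.
    print(simulate_distributed_attack(nodes=100_000, attempts_per_node=3))
    # Even banning after a single failure still serves every node's first attempt.
    print(simulate_distributed_attack(nodes=100_000, attempts_per_node=3, threshold=1))
```

With the article’s numbers the table grows to one row per attacking node while the count of blocked attempts is zero; a node that returns tomorrow under a new dynamic address starts with a clean record.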
Blocking visitors based on country is a sledge-hammer to a nut approach to problem solving
Not only is geo-location an inexact science, you also potentially block every legitimate visitor who happens to be in a country you’ve blocked. Why should I, as a visitor, be locked out of a site because I’m travelling through India or China, for example?
Is the risk of blocking legitimate foreign traffic worth it because your WordPress security plugin is too lazy to intelligently block bad visitors?
You can never be sure nodes are who they say they are
IP addresses can be faked. I can send information to a server on the internet and tell them my IP is in the US even if it isn’t. Is your WordPress plugin smart enough to detect that?
If someone really wanted to overwhelm your server using fake originating IP addresses, no amount of bad-behaviour IP blocking will help you with that.
Using WordPress to block IPs is grossly inefficient
If your site is really being hammered by a particular set of IPs, you deal with it at the server’s network layer, not on the application (WordPress) layer. I also don’t even believe IP address blocking using Apache (.htaccess) is viable either.
You need to protect the server itself from suspicious activity, and you or your host can do this at the server level. You can of course use a service like CloudFlare, which uses crowd-sourced data to identify suspicious activity towards your website (before it even touches your server).
Note: IP White Listing is not the same as IP Black Listing
IP whitelisting is not the same as blacklisting because the scale is much smaller. When you whitelist an IP for a very specific task, you identify a single node, for a single function/resource.
For example, you could add your (static) IP address to your .htaccess file for accessing your WordPress wp-login.php. That makes perfect sense, though not if your site has hundreds of users.
Identifying particular nodes as authorized for particular server access makes good security sense when the resources being accessed are used by a small, limited number of nodes.
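As an added illustration of the scale difference (example configuration, not from the article or the plugin), here is the wp-login.php whitelist described above in Apache 2.4 syntax, with a blacklist rule beside it for contrast. The addresses are documentation-range placeholders.

```apache
# Added example, not the article's or the plugin's own configuration.
# Apache 2.4 (mod_authz_core) syntax; 203.0.113.5 and 198.51.100.0/24 are
# documentation-range placeholders, so substitute your own static address.

# Whitelist: one resource, one known node. The rule stays this size however
# many attackers appear, because it names who may log in, not who may not.
<Files "wp-login.php">
    Require ip 203.0.113.5
</Files>

# Blacklist, for contrast: a rule that must grow by one entry per misbehaving
# address, and which a node sidesteps as soon as its dynamic IP changes.
<RequireAll>
    Require all granted
    Require not ip 198.51.100.0/24
</RequireAll>
```

If the site sits behind a reverse proxy or CDN such as CloudFlare, Apache sees the proxy’s address unless mod_remoteip (RemoteIPHeader) is configured, so the whitelist would then match the proxy rather than you.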
How To Protect Against The WordPress Misinformation Virus?
Simple. Accept you can’t be an expert in everything, but question the validity and source of the information and advice you receive.
We can’t know everything about everything, but we can get educated about where our information comes from. Before we start giving advice and spreading information, we just need to be informed and actually understand what we’re saying.
When you recommend a plugin, state why you recommend it, and if you feel you can’t do that, that’s okay! All the more encouragement to learn the reason why.
Warm and fuzzy good feelings about a brand are not a good enough reason to advise fellow WordPress administrators… it’s time we educated ourselves and our community better.
Spread The Cure!
If you believe the Misinformation Virus is a serious concern, please share this with others you know, on Twitter or Facebook, or in your community WordPress forums and groups.
Prevention is better than cure! 🙂