By 10th April 2020 Uncategorised

Comment on Beware New WordPress Security Threat: The WordPress Misinformation Virus by Paul G.

Hi Martin,

In the case of whitelisting IP addresses, this may open you up to problems if your web hosting server doesn’t report the correct IP address of the visitor. If somehow this is compromised, then yes, a visitor could “pretend” to be from your IP address.

The likelihood of this is incredibly small though since its nature is more complex. WordPress security starts with closing the most obvious holes in your environment and ensuring that logged-in users and administrators have been correctly validated and are entirely legitimate. This will stop by far and away the largest majority of potential problems.

The minority of remaining threats will come down to poor security practices, mis-configured web hosts and servers, and direct, concentrated attacks on *you* in particular.

The role of this plugin is to ensure that your WordPress site is shored up against the majority of threats you’re likely to face.

I hope that helps.
Paul

Paul G. Also Commented

Beware New WordPress Security Threat: The WordPress Misinformation Virus
That’s great! I’m glad it made sense to you. We have since put in an automated system for blocking IPs:
https://www.icontrolwp.com/2015/08/wordpress-security-plugin-update-automatically-block-malicious-visitors/


Beware New WordPress Security Threat: The WordPress Misinformation Virus
Absolutely Nick! There are a lot of contradictions out there in our behaviours towards security… all we can do is educate and try and stay on top of it all…


Beware New WordPress Security Threat: The WordPress Misinformation Virus
Hi Fiona,

If you don’t have the server management skills, I would recommend either making use of a really good web host who knows what they’re doing, or hiring someone to do it for you. Cheap hosts with poor security principles and bad server management will likely let you down badly in the long run.

CloudFlare cannot protect you against poorly managed hosting…

Thanks!
Paul.


Recent Comments by Paul G.

Security: Hide The WordPress Login and Admin Pages (wp-login.php)
Hey Rob,
Brilliant news… Glad it’s working so well for you!


Part 5: Ultimate Comment SPAM Killer – Shield WordPress Security Plugin
Why does WordPress need to do that? I’ve no idea… that’s the way the author of this particular code decided to implement this. 🙂

My approach is to take each “spam” word/pattern and I use “stripos()” on each item of the comment that needs to be checked.

The truth is that efficiency isn’t hugely important in this area because it’s only run when a comment is posted. I could probably optimize my approach too, but again, it’s not critical.

Further reading: http://lzone.de/articles/php-string-search.htm


Part 4: Login Protection – Shield WordPress Security Plugin
There’s nothing you can do about that unfortunately if the bots are cracking away at your page. Most bots would get blocked by the automatic blacklist if they’re repeatedly hitting you with this.

As to XML-RPC, we have a couple of options ranging from bypassing the login/user session systems to completely disabling it:
https://www.icontrolwp.com/2015/10/automatically-block-brute-force-amplification-attacks-against-wordpress-xmlrpc/


Further WordPress Admin Access Lockdown
Eileen, Lynn,

The automatic updates system is WordPress-controlled and run on a WordPress cron. The Security admin access shouldn’t affect this. If you have enabled automatic updates, but restricted the system using the admin access and you find it’s not working as it should, please let me know in the support forums.

To your first question, if you enable this Security Admin system and lock down any features, then you must, as an administrator or not, authenticate with the Security Admin system before you can make changes to the zones that have been restricted.

Let me know if it’s still unclear and I’ll elaborate further on areas you need.
Thanks!


Part 5: Ultimate Comment SPAM Killer – Shield WordPress Security Plugin
This is something that you’ll have to test with your particular installation(s) and configuration. Aggressive page caching will probably affect this functionality, but that is the double-edged sword that is “caching”.

I’d be interested to hear what you find with your tests.

Thanks!