Simple Wordpress Security plugin for preventing comment spam and brute force attacks.
- Load the wp-simple-security folder into your WP plugins directory and activate the plugin in the WP panel
- Exits bad requests early to prevent attacks from consuming a large amount of server resources
- Implements an HTTP tarpit against bad login requests to deter attackers and waste their time.
https://github.com/msigley/PHP-HTTP-Tarpit
- The default is to send "Access Denied" messages on bad requests.
- If you wish to enable the HTTP tarpit, add
define('SIMPLE_SECURITY_USE_TARPIT', true);
into your wp-config.php file.
- Sanitizes the version query arguement on .css and .js files to prevent version fingerprinting.
- If you wish to customize the version number, add
define('CSSJSVERSION', 'version_number');
into your wp-config.php file.
- If you wish to customize the version number, add
- Completely disables the XMLRPC API.
- Block external wp-cron.php requests if not using ALTERNATE_WP_CRON. This prevents potential DDOS vectors.
- Removes the WP version from the site header to prevent version fingerprinting.
- Disables the author query var to prevent user enumeration.
- Blocks common bad requests for the following attacks:
- Directory traversal
- Cross site scripting
- SQL injection
- Remote file inclusion
- Access to WP Admin area is blocked unless current user has the 'edit_posts' capability.
- Option to limit access to whitelisted IPs.
- If you wish to enable this feature, add
define('SIMPLE_SECURITY_ENFORCE_WHITELIST_ADMIN_ACCESS', true);
into your wp-config.php file.
- If you wish to enable this feature, add
- Completely disables trackbacks.
- Limits the length of all fields on a comment form to prevent SQL injection.
- Adds nonce protection to comment forms.
- Adds a hidden captcha field to all comment forms.
- Removes bad comment author urls from comment listings.
- Spam requests are forwarded to a honeypot script.
- If you wish to enable this feature, add
define('SIMPLE_SECURITY_PROJECT_HONEY_POT_URL', '<honeypot_url>');
into your wp-config.php file. - You can obtain a honeypot script by joining Project Honey Pot here: https://www.projecthoneypot.org/index.php
- If you wish to enable this feature, add
- All non-GET requests are checked for the following:
- Common headless browser user agent strings.
- Unsafe referer urls.
- Bad IP reputation with the http:BL service.
- If you wish to enable this feature, add
define('SIMPLE_SECURITY_PROJECT_HONEY_POT_HTTP_BL_ACCESS_KEY', '<http:BL_access_key>');
into your wp-config.php file. - You can read more about the http:BL service here: https://www.projecthoneypot.org/httpbl_api.php
- If you wish to enable this feature, add
- Adds Cloudflare turnstile to all comment forms.
- If you wish to enable this feature, add
define('SIMPLE_SECURITY_CLOUDFLARE_TURNSTILE_SITEKEY', '<cloudflare turnstile sitekey>');
anddefine('SIMPLE_SECURITY_CLOUDFLARE_TURNSTILE_SECRETKEY', '<cloudflare turnstile secretkey>');
into your wp-config.php file.
- If you wish to enable this feature, add
- Adds a nonce field to the the wp-login.php form.
- Protects the wp-login.php form from external POST requests. This makes brute force attacks more difficult.
Hidden Login Form
- Hides the wp-login.php form from public view.
- Protects the wp-login.php form from brute force attacks by adding a second layer of authentication.
How to use the hidden login form
- Add
define('SIMPLE_SECURITY_LOGIN_TOKEN_NAME', 'token_name');
into your wp-config.php file. - Add
define('SIMPLE_SECURITY_LOGIN_TOKEN_VALUE', 'token_value');
into your wp-config.php file. - You login form can now only be accessed via the following url:
https://example.com/wp-login.php?token_name=token_value
- Blocks all requests to your site for one hour from IPs that have made 5 or more bad XMLRPC API or login form requests in the last 30 minutes.
- Supports IPv4 and IPv6 addresses.
- Blocked visitors will receive a message stating their IP has been blocked with a link to unblock their IP address.
- Blocked visitors that attempt to manipulate the unblock system recieve a permanent hour block.
- Add
define('SIMPLE_SECURITY_USE_IP_BLOCKER', true);
into your wp-config.php file. - Add
define('SIMPLE_SECURITY_BLOCK_INTERNAL_IPS', true);
into your wp-config.php file if you wish to block internal and reserved IP ranges. The default is to not block these IP ranges.
- Prevents a list of IP addresses from being sent to the tarpit or from being blocked by the IP Blocker.
- IPs on this list will still recieve access denied messages on bad requests.
- If you are using PHP 7 or above:
a. Add
define('SIMPLE_SECURITY_WHITELISTED_IPS', array( '127.0.0.1', '192.168.10.0/20', '::1' ) );
into your wp-config.php file. - If you are using PHP 5.6:
a. Add
define('SIMPLE_SECURITY_WHITELISTED_IPS', serialize( array( '127.0.0.1', '192.168.10.0/20', '::1' ) ) );
into your wp-config.php file.
IPv4 addresses, IPv6 addresses, and IPv4 CIDR blocks are supported.