Skip to content

Simple Security for preventing comment spam and brute force attacks.

License

Notifications You must be signed in to change notification settings

msigley/WP-Simple-Security

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

47 Commits
 
 
 
 
 
 
 
 

Repository files navigation

ko-fi

WP-Simple-Security

Simple Wordpress Security plugin for preventing comment spam and brute force attacks.

Installation

  • Load the wp-simple-security folder into your WP plugins directory and activate the plugin in the WP panel

General WP Protections

  • Exits bad requests early to prevent attacks from consuming a large amount of server resources
  • Implements an HTTP tarpit against bad login requests to deter attackers and waste their time. https://github.com/msigley/PHP-HTTP-Tarpit
    • The default is to send "Access Denied" messages on bad requests.
    • If you wish to enable the HTTP tarpit, add define('SIMPLE_SECURITY_USE_TARPIT', true); into your wp-config.php file.
  • Sanitizes the version query arguement on .css and .js files to prevent version fingerprinting.
    • If you wish to customize the version number, add define('CSSJSVERSION', 'version_number'); into your wp-config.php file.
  • Completely disables the XMLRPC API.
  • Block external wp-cron.php requests if not using ALTERNATE_WP_CRON. This prevents potential DDOS vectors.
  • Removes the WP version from the site header to prevent version fingerprinting.
  • Disables the author query var to prevent user enumeration.
  • Blocks common bad requests for the following attacks:
    • Directory traversal
    • Cross site scripting
    • SQL injection
    • Remote file inclusion

WP Admin Protections

  • Access to WP Admin area is blocked unless current user has the 'edit_posts' capability.
  • Option to limit access to whitelisted IPs.
    • If you wish to enable this feature, add define('SIMPLE_SECURITY_ENFORCE_WHITELIST_ADMIN_ACCESS', true); into your wp-config.php file.

Anti Spam Features

  • Completely disables trackbacks.
  • Limits the length of all fields on a comment form to prevent SQL injection.
  • Adds nonce protection to comment forms.
  • Adds a hidden captcha field to all comment forms.
  • Removes bad comment author urls from comment listings.
  • Spam requests are forwarded to a honeypot script.
    • If you wish to enable this feature, add define('SIMPLE_SECURITY_PROJECT_HONEY_POT_URL', '<honeypot_url>'); into your wp-config.php file.
    • You can obtain a honeypot script by joining Project Honey Pot here: https://www.projecthoneypot.org/index.php
  • All non-GET requests are checked for the following:
    • Common headless browser user agent strings.
    • Unsafe referer urls.
    • Bad IP reputation with the http:BL service.
      • If you wish to enable this feature, add define('SIMPLE_SECURITY_PROJECT_HONEY_POT_HTTP_BL_ACCESS_KEY', '<http:BL_access_key>'); into your wp-config.php file.
      • You can read more about the http:BL service here: https://www.projecthoneypot.org/httpbl_api.php
  • Adds Cloudflare turnstile to all comment forms.
    • If you wish to enable this feature, add define('SIMPLE_SECURITY_CLOUDFLARE_TURNSTILE_SITEKEY', '<cloudflare turnstile sitekey>'); and define('SIMPLE_SECURITY_CLOUDFLARE_TURNSTILE_SECRETKEY', '<cloudflare turnstile secretkey>'); into your wp-config.php file.

Login Form Protections

Login Form Nonce Verification

  • Adds a nonce field to the the wp-login.php form.
  • Protects the wp-login.php form from external POST requests. This makes brute force attacks more difficult.

Hidden Login Form

  • Hides the wp-login.php form from public view.
  • Protects the wp-login.php form from brute force attacks by adding a second layer of authentication.

How to use the hidden login form

  1. Add define('SIMPLE_SECURITY_LOGIN_TOKEN_NAME', 'token_name'); into your wp-config.php file.
  2. Add define('SIMPLE_SECURITY_LOGIN_TOKEN_VALUE', 'token_value'); into your wp-config.php file.
  3. You login form can now only be accessed via the following url: https://example.com/wp-login.php?token_name=token_value

IP Blocker

  • Blocks all requests to your site for one hour from IPs that have made 5 or more bad XMLRPC API or login form requests in the last 30 minutes.
  • Supports IPv4 and IPv6 addresses.
  • Blocked visitors will receive a message stating their IP has been blocked with a link to unblock their IP address.
  • Blocked visitors that attempt to manipulate the unblock system recieve a permanent hour block.

How to use the IP Blocker

  1. Add define('SIMPLE_SECURITY_USE_IP_BLOCKER', true); into your wp-config.php file.
  2. Add define('SIMPLE_SECURITY_BLOCK_INTERNAL_IPS', true); into your wp-config.php file if you wish to block internal and reserved IP ranges. The default is to not block these IP ranges.

Whitelisted IPs

  • Prevents a list of IP addresses from being sent to the tarpit or from being blocked by the IP Blocker.
  • IPs on this list will still recieve access denied messages on bad requests.

How to whitelist IPs

  1. If you are using PHP 7 or above: a. Add define('SIMPLE_SECURITY_WHITELISTED_IPS', array( '127.0.0.1', '192.168.10.0/20', '::1' ) ); into your wp-config.php file.
  2. If you are using PHP 5.6: a. Add define('SIMPLE_SECURITY_WHITELISTED_IPS', serialize( array( '127.0.0.1', '192.168.10.0/20', '::1' ) ) ); into your wp-config.php file.

IPv4 addresses, IPv6 addresses, and IPv4 CIDR blocks are supported.