All In One Security – Firewall

Video Tutorial

Script & Screenshots

In this video I’m going to walk you through the All In One Security Firewall settings.

This is where we will configure the Firewall.

To get to it, click on WP Security, then Firewall.

The first tab is the Basic Firewall Rules. This tab allows you to activate some basic firewall rules for your site. These will insert code into your .htaccess file. This should not have any impact on your website, but before enabling any of these you should take a backup of this file and then test to make sure your site is still functioning correctly.

The first setting is the Basic Firewall setting. This setting denies hackers access to the .htaccess and wp-config.php files.

Next is the WordPress XMLRPC & Pingback Vulnerability Protection. If you want to completely block external access to the WP XML-RPC functionality, enable the first checkbox. It disables access to the xmlrpc.php file, which stops hackers from exploiting various vulnerabilities such as Denial of Service (DoS) attacks and port scanning. I’ve never had any issues when enabling this setting. If you’re unsure whether you’re using this functionality, you should be OK enabling it. Be sure to test your site’s functionality to make sure everything is still working correctly.

For the second checkbox, Disable Pingback Functionality from XMLRPC: if you use the Jetpack plugin, enable this feature and leave the first box, Completely Block Access To XMLRPC, unchecked.

Blocking Access to debug.log File. The debug.log file may contain sensitive information. Checking this box blocks external access to this file, so hackers cannot read it.

Click on the Save Basic Firewall Settings button to save your changes.

The next tab is the Additional Firewall Rules.  Everything on this tab is an intermediate or advanced setting.  Any of these features could break some functionality for certain plugins.  The first setting is the Listing of Directory Contents.  If you enable this setting, it will prevent the listing of contents for all directories.

The Trace and Track protocols are HTTP methods used in the debugging of webserver connections. These methods are useful for legitimate purposes, but they may compromise the security of your server by enabling cross-site tracing (XST) attacks. By exploiting certain browser vulnerabilities, an attacker may manipulate the Trace and Track methods to intercept your visitors’ sensitive data. Disabling these methods on your site will help prevent HTTP Trace attacks.

Proxy Comment Posting:  This setting will deny any requests that use a proxy server when posting comments.  By disabling proxy comments, you are also eliminating some spam and other proxy requests.

Bad Query Strings:  This feature will write rules in your .htaccess file to prevent malicious string attacks on your site using XSS.  Some of these strings might be used for plugins or themes so this setting could break some functionality.  If you’re unsure, enable it and check to make sure everything still works on your website.

Advanced Character String Filter:  This is an advanced character string filter to prevent malicious string attacks on your site coming from Cross Site Scripting (XSS).   I rarely enable this setting as I have had some issues with it blocking images from showing up on mobile devices.  It may or may not cause your site any issues.

Once you’ve made changes, click on the Save Additional Firewall Settings button to save your changes.

The next tab is the 6G Blacklist Firewall Settings.  The 6G Blacklist is a simple, flexible blacklist that helps reduce the number of malicious URL requests that hit your website.

The added advantage of applying the 6G firewall to your site is that it has been tested and confirmed by the people at PerishablePress.com to be an optimal and least disruptive set of .htaccess security rules for general WP sites running on an Apache server or similar.  Check the first box to enable the 6G Blacklist.  The second box enables the legacy 5G Blacklist protection.  So far I have not come across any issues with this setting.  Since it makes changes to the .htaccess file, I’d recommend backing it up first.

Click on the Save 5G Firewall Settings button if you made any changes.

Internet Bots tab. A bot is a piece of software that runs on the Internet and performs automatic tasks. One example is Google indexing your website, which it does with automated bots. A lot of bots are legitimate and non-malicious, but not all bots are good. Often you will find some that try to impersonate legitimate bots such as Googlebot but have nothing to do with Google at all. On this tab you can block bots that are fake Google bots.

Block Fake Google bots. Check this box to block all fake Google bots.

Click on the Save Internet Bot Settings button to save your changes.

Prevent Hotlinks. A hotlink is where someone displays an image on their site that is actually located on your site, by using a direct link to the source of the image on your server. This isn’t necessarily a security issue; it’s more about protecting your bandwidth. For the Prevent Hotlinking option, check this box to prevent hotlinking. This will stop others from doing this and save your bandwidth for you. This is a basic setting and shouldn’t have any bad side effects on your website.

Click on the Save Settings button to save your changes.
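The Basic Firewall, Additional Firewall and Prevent Hotlinking tabs above all work by writing rules into .htaccess, and the tutorial recommends backing that file up and testing the site afterwards. The script below is an added example, not code from the tutorial or from the AIOS plugin: it backs up .htaccess, appends rules that do what those settings describe (deny .htaccess, wp-config.php, debug.log and xmlrpc.php; no directory listings; refuse TRACE/TRACK; block image hotlinks), and checks the live site with curl. The file paths, hostnames, the `example-firewall` marker comments and the wp-content/debug.log location are assumptions; the plugin’s own generated rules may differ.

```sh
#!/bin/sh
# Added example (not the tutorial's or the AIOS plugin's code): back up
# .htaccess, append firewall rules between marker comments, verify with curl.

# Copy the existing .htaccess to a timestamped backup and print the backup path.
# Usage: backup_htaccess /var/www/html/.htaccess
backup_htaccess() {
    htaccess="$1"
    backup="${htaccess}.bak.$(date +%Y%m%d%H%M%S)"
    cp "$htaccess" "$backup" && printf '%s\n' "$backup"
}

# Append the rule block once, between marker comments so it can be found and
# removed again.  $1 = path to .htaccess, $2 = your hostname (hotlink rule).
apply_firewall_rules() {
    htaccess="$1"
    site_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # example.com -> example\.com
    if grep -q '# BEGIN example-firewall' "$htaccess" 2>/dev/null; then
        echo "rules already present in $htaccess" >&2
        return 1
    fi
    # Unquoted heredoc: ${site_re} expands, \$ becomes a literal $ for Apache.
    cat >>"$htaccess" <<EOF
# BEGIN example-firewall
# Basic Firewall: deny direct requests for .htaccess, wp-config.php, debug.log
# and xmlrpc.php (the "Completely Block Access To XMLRPC" choice; Jetpack
# users would keep xmlrpc.php reachable and only disable pingbacks instead).
<FilesMatch "^(\.htaccess|wp-config\.php|debug\.log|xmlrpc\.php)\$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
# Additional Firewall: no directory listings, refuse TRACE and TRACK
Options -Indexes
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)\$ [NC]
  RewriteRule .* - [F]
  # Prevent Hotlinking: images may only be embedded by pages on this site
  # (an empty Referer is allowed so direct visits and some proxies still work)
  RewriteCond %{HTTP_REFERER} !^\$
  RewriteCond %{HTTP_REFERER} !^https?://(www\.)?${site_re}/ [NC]
  RewriteRule \.(gif|jpe?g|png|webp)\$ - [F,NC]
</IfModule>
# END example-firewall
EOF
}

# After the change, confirm the protected files answer 403 and the home page
# still answers 200.  Usage: check_site https://example.com  (needs network;
# debug.log is assumed to live in wp-content/, the WordPress default)
check_site() {
    base="$1"
    for path in "" .htaccess wp-config.php xmlrpc.php wp-content/debug.log; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base/$path")
        printf '%-24s %s\n' "/$path" "$code"
    done
}

# Typical run:
#   b=$(backup_htaccess /var/www/html/.htaccess)
#   apply_firewall_rules /var/www/html/.htaccess example.com && check_site https://example.com
#   cp "$b" /var/www/html/.htaccess      # roll back if anything broke
```

The `Options -Indexes` line is the one most likely to break a site: if the host’s Apache configuration does not allow `Options` overrides in .htaccess, every request returns a 500 error until the line is removed, which is exactly why the backup comes first. `check_site` should show 403 for the four protected paths and 200 for `/`; any other code on `/` means roll back from the backup and look at the server error log.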

The next tab is the 404 Detection tab.

404 Detection Options. A 404 or Not Found error occurs when somebody tries to access a non-existent page. Typically, most of these errors happen by accident when people have entered a bad URL or followed a link to a page that no longer exists. However, in some cases you may find many repeated errors that occur in a short amount of time, from the same IP address, attempting to access a bunch of non-existent pages. This type of behavior can mean a hacker might be trying to find a particular page or URL with bad intentions.

Check the Enable 404 IP Detection and Lockout option to enable this feature. The next option is the lockout length. I’d leave this at the default, sixty minutes, since it would be rare for one of your customers to lock themselves out this way. The last option, 404 Lockout Redirect URL, defaults to taking them back to your home page. This too should be OK left as is, but feel free to change it to another page if you like.

Click the Save Settings button to save your settings.

The 404 Event Logs box allows you to monitor all 404 events that occur on your site. Here you can add an IP to the blacklist, temporarily block it, or delete a listing from the log.
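The 404 detection described above is a rate check: many Not Found responses from one IP within a short window. The script below is an added example, not code from the tutorial or from the AIOS plugin, that applies the same idea to a web-server access log so you can see which IPs the plugin would have locked out. It reads Apache/Nginx combined-format lines, keeps a sliding window of 404s per IP, and prints an IP the first time it crosses the threshold. The sample log lines, IP addresses and paths are constructed for the example; the threshold and window are assumptions, since the tutorial only states the sixty-minute lockout length, not the plugin’s hit count.

```sh
#!/bin/sh
# Added example (not the tutorial's or the AIOS plugin's code): flag IPs that
# trigger at least $1 "404" responses inside any $2-second window.
# Usage: flag_404_bursts 5 60 < /var/log/apache2/access.log
flag_404_bursts() {
    awk -v limit="$1" -v window="$2" '
        $9 != 404 { next }                          # only Not Found responses
        {
            ip = $1
            split($4, t, ":")                       # [10/Oct/2023:13:55:36 -> H, M, S
            ts = t[2] * 3600 + t[3] * 60 + t[4]     # seconds since midnight (one day of log)
            if (!(ip in tail)) { head[ip] = 1; tail[ip] = 0 }
            q[ip, ++tail[ip]] = ts                  # enqueue this 404
            while (q[ip, head[ip]] < ts - window)   # drop hits older than the window
                head[ip]++
            hits = tail[ip] - head[ip] + 1
            if (hits >= limit && !(ip in flagged)) {
                flagged[ip] = 1
                print ip, hits " x 404 within " window "s"
            }
        }'
}

# Constructed sample: 203.0.113.7 requests five missing pages in 40 seconds,
# 198.51.100.2 follows one dead link, 192.0.2.9 hits two 404s an hour apart.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /old-site/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET /old-page/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:48 +0000] "GET /archive/2019/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:59 +0000] "GET /files/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "GET /missing.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:05 +0000] "GET /tmp/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:16 +0000] "GET /admin-old/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:56:30 +0000] "GET /missing2.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"'

# Run the sample through the detector: only 203.0.113.7 is reported.
printf '%s\n' "$SAMPLE_LOG" | flag_404_bursts 5 60
```

With a threshold of 5 in 60 seconds the script reports only 203.0.113.7; the single dead link and the two 404s an hour apart are the accidental kind the tutorial mentions and stay off the list. Widening the window to two hours would catch 192.0.2.9 too, which is the trade-off behind the plugin’s defaults: a short window with a modest count flags scanners without locking out a visitor who mistyped a URL.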

Custom Rules tab.  This feature can be used to apply your own custom .htaccess rules if you need to tweak the existing firewall rules or add your own.  You should not do anything on this tab unless you know what you’re doing.  Otherwise, please ignore this tab.

That’s it for this video.  I’ll see you in the next.

