Firewall settings help protect your WordPress site, alongside other measures such as brute force and comment spam prevention. One of the easy ways to enable a firewall for your WordPress site is to use a plugin like “All In One WP Security & Firewall” (AIOWPS). In this article we will discuss in detail how to protect a WordPress site with the firewall settings offered by the AIOWPS plugin.
Firewall Settings Offered by AIOWPS Plugin
Once the plugin is installed and activated, navigate to the “WP Security > Firewall” menu to see the following options:
- Basic Firewall Rules
- Additional Firewall Rules
- 6G Blacklist Firewall Rules
- Internet Bots
- Prevent Hotlinks
- 404 Detection
- Custom Rules
Enabling most of these options inserts directives into the .htaccess file that block hostile requests to your site. It is highly recommended to back up your whole site, and the .htaccess file in particular, before enabling any firewall option. Also check that your site is still reachable after enabling the firewall; for example, use the “Fetch as Google” option in Google Search Console or the PageSpeed Insights tool to confirm that Googlebot can still access your site with the firewall in place.
The plugin awards points for each firewall setting you enable and adds them up to show a total under the “Dashboard” section. More points indicate better security for your site, but make sure the accessibility of your site is not impacted.
Basic Firewall Rules (Total 40 Points)
You have three options under the Basic Firewall Rules tab.
1. Basic Firewall Settings (15 points)
This option will add the following features to your site:
- Deny access to the .htaccess and wp-config.php files
- Disable server signature
- Limit file upload size to 10MB
Ideally you should be able to activate this option without any adverse impact on your site.
2. WordPress XML-RPC & Pingback Vulnerability Protection (15 points)
When you monitor traffic with one of the statistics tools in your cPanel hosting account, you will see many bots trying to access the “xmlrpc.php” file on your site. Attackers use the XML-RPC API offered by WordPress to attack your site with methods like “Denial of Service” (DoS). Ensure you are not relying on XML-RPC for other features, such as posting through the WordPress iOS / Android apps: once this option is enabled, you can’t post through the mobile apps.
3. Block Access to Debug File (10 points)
When debugging is enabled, WordPress writes a debug.log file under the “wp-content” folder. This file may contain sensitive information, and enabling this option denies web access to it. You can still read the debug file through your FTP account.
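As an added example (not code from the plugin or from this article), the shell script below does by hand what this section and the backup advice in the introduction describe: it keeps a timestamped copy of .htaccess, inserts directives equivalent to the three basic options plus the XML-RPC and debug.log blocks between its own marker comments, and then fetches a few URLs with a normal and a Googlebot user agent to confirm that the protected files answer 403 while the home page still answers 200. The marker names, the Apache 2.4 “Require” syntax, curl being available and example.com are assumptions made here.

```shell
#!/bin/sh
# Added example, not AIOWPS code. Backs up .htaccess, inserts directives
# equivalent to this section's options between its own markers, then checks
# the result from outside. Assumes Apache 2.4 (Require syntax), curl, and
# that example.com is replaced with your own site.

# Timestamped copy of .htaccess; prints the path of the copy.
backup_htaccess() {
  dst="$1.bak-$(date +%Y%m%d%H%M%S)"
  cp "$1" "$dst" && printf '%s\n' "$dst"
}

# Deny web access to .htaccess, wp-config.php, xmlrpc.php and debug.log,
# hide the server signature and cap request bodies at 10 MB.
basic_firewall_fragment() {
  cat <<'EOF'
# BEGIN firewall-example
ServerSignature Off
LimitRequestBody 10485760
<FilesMatch "^(\.htaccess|wp-config\.php|xmlrpc\.php|debug\.log)$">
  Require all denied
</FilesMatch>
# END firewall-example
EOF
}

# Drop any earlier copy of the marker block, then put a fresh one at the
# top of the file, so running this twice never duplicates the rules.
install_fragment() {
  tmp="$1.tmp.$$"
  { basic_firewall_fragment
    sed '/^# BEGIN firewall-example$/,/^# END firewall-example$/d' "$1"
  } > "$tmp" && mv "$tmp" "$1"
}

# HTTP status code for a URL, sent with the given User-Agent.
# Kept as its own function so it can be replaced in offline tests.
fetch_status() {
  curl -s -o /dev/null -w '%{http_code}' -A "$2" "$1"
}

# Expected statuses once the rules are live: protected files must be 403,
# the home page must stay 200 for browsers and for Googlebot alike.
# Returns 1 if any row disagrees.
run_checks() {
  base="$1"; fail=0
  while IFS='|' read -r path expect ua; do
    [ -n "$path" ] || continue
    got=$(fetch_status "$base$path" "$ua")
    if [ "$got" = "$expect" ]; then
      echo "ok   $expect $path ($ua)"
    else
      echo "FAIL want $expect got $got $path ($ua)"; fail=1
    fi
  done <<'EOF'
/|200|Mozilla/5.0
/|200|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
/wp-config.php|403|Mozilla/5.0
/.htaccess|403|Mozilla/5.0
/xmlrpc.php|403|Mozilla/5.0
/wp-content/debug.log|403|Mozilla/5.0
EOF
  return $fail
}

# Usage: sh firewall.sh /var/www/html/.htaccess https://example.com
if [ $# -eq 2 ]; then
  backup_htaccess "$1" && install_fragment "$1" && run_checks "$2"
fi
```

The check table is the part worth keeping around after the plugin is installed: re-run it whenever you switch on another firewall option, because a rule that returns 403 to Googlebot on the home page looks exactly like one that protects wp-config.php until you ask for both.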
Additional Firewall Rules (Total 55 Points)
Here you can find advanced firewall settings for your WordPress site.
1. Listing of Directory Contents (5 points)
This option disables directory listing in the browser. Generally a WordPress install allows listing the files in a directory, which lets anyone view the directory structure of your site. For example, users can open “yoursite.com/wp-content/uploads/” to see all files uploaded to your site. Hence, it is recommended to enable this option to prevent directory listing. If you find this option is not working, check with your host whether the hosting server is configured to support this feature.
2. Trace and Track (10 points)
Disabling TRACE and TRACK helps prevent HTTP trace attacks. These attacks are generally used to extract cookies and other information from HTTP request headers.
3. Proxy Comment Posting (10 points)
Enable this option to prevent comment posting through proxy servers. Most comment bots are believed to post through proxy servers, so enabling this option helps stop spam comments.
4. Bad Query Strings (15 points)
Blocking bad query strings helps prevent cross-site scripting (XSS) attacks. Since plugins and themes can legitimately use query strings, ensure that enabling this option does not break your site.
5. Advanced Character String Filter (15 points)
This is similar to the previous option and blocks the use of certain advanced character strings. When a request contains one of those strings, the plugin returns a 403 access denied response and protects your site. This option may also break your site if any of your plugins or your theme uses the character strings blocked by the AIOWPS plugin.
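Before turning on the bad query string and character string filters, it helps to know which of your own URLs would be refused. The added example below is not the plugin's rule set: the five patterns and the /wp-admin/ exemption are illustrative choices made here. It prints a RewriteCond chain of that kind from one pattern list and reuses the same list in a local dry-run, so a query string a theme or plugin depends on can be tested offline before the rules go live.

```shell
#!/bin/sh
# Added example, not the plugin's rule set: a "bad query string" filter of
# the kind described above, generated from one pattern list that is also
# used for an offline dry-run. The five patterns and the /wp-admin/
# exemption are illustrative choices made here.

# One extended-regex pattern per line. Apache matches %{QUERY_STRING} raw,
# before URL-decoding, so encoded forms (%3C, %2e) are listed explicitly.
PATTERNS='(\.\./|%2e%2e%2f)
(<|%3C)script
(GLOBALS|_REQUEST)(=|\[|%5B)
base64_(en|de)code
(%00|%0d%0a)'

# Print the .htaccess block: every pattern becomes a RewriteCond joined by
# OR, the last one without OR, and anything under /wp-admin/ is exempt so
# the dashboard keeps working.
bad_query_fragment() {
  n=$(( $(printf '%s\n' "$PATTERNS" | wc -l) ))
  echo '<IfModule mod_rewrite.c>'
  echo 'RewriteEngine On'
  echo 'RewriteCond %{REQUEST_URI} !^/wp-admin/'
  printf '%s\n' "$PATTERNS" | { i=0; while IFS= read -r p; do
    i=$((i + 1))
    if [ "$i" -lt "$n" ]; then flags='[NC,OR]'; else flags='[NC]'; fi
    printf 'RewriteCond %%{QUERY_STRING} %s %s\n' "$p" "$flags"
  done; }
  echo 'RewriteRule .* - [F,L]'
  echo '</IfModule>'
}

# Dry-run of the same logic: request_blocked PATH QUERY_STRING
# exits 0 when the rules above would answer 403, 1 when they let it through.
# grep -i mirrors the NC flag; the patterns are joined with | into one regex.
request_blocked() {
  case "$1" in /wp-admin/*) return 1 ;; esac
  re=$(printf '%s\n' "$PATTERNS" | paste -sd'|' -)
  printf '%s' "$2" | grep -qiE -- "$re"
}

# Usage: try the query strings your theme actually relies on before
# enabling the option, e.g.
#   sh badquery.sh /search/ 's=widgets&orderby=date'
if [ $# -eq 2 ]; then
  if request_blocked "$1" "$2"; then echo "403: $1?$2"; else echo "allowed: $1?$2"; fi
fi
```

Keeping the pattern list in one place is the point: the directives you install and the dry-run you test with can never drift apart, and when a plugin's URL turns out to trip a pattern you can see exactly which one before deciding whether to loosen it.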
6G Blacklist Firewall Rules (Total 20 Points)
6G firewall rules are .htaccess directives defined by the third-party site Perishable Press. They are the updated and improved version of the legacy 5G firewall blacklist. The 6G protection includes the following:
- Block characters generally used in attacks.
- Block maliciously encoded URL characters.
- Stop attackers from using illicit characters in query strings.
- Protect against common exploit patterns.
You can enable both 5G and 6G firewall protection for your site. Again, ensure the site is not broken and that search engine bots can still access your site after enabling these firewall settings.
Internet Bots (Total 5 Points)
The plugin blocks fake bots whose user agent contains a string like “Googlebot” by testing whether the bots are genuine, which also saves bandwidth.
Prevent Hotlinks (Total 10 Points)
Hotlinking means other sites embedding your images directly from your server. This drains your server resources every time the images are loaded on the other site. Enabling the “Prevent Image Hotlinking” checkbox denies access to your images when they are linked from other sites.
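The added example below is not the plugin's code; example.com stands in for your own domain. It prints a hotlink rule set for Apache mod_rewrite and mirrors its logic in a dry-run function, so the two cases that matter can be checked offline: an empty Referer must stay allowed, because direct visits, privacy-conscious browsers and crawlers send none, and the domain pattern must end at a slash, otherwise a look-alike host such as example.com.evil.example.net would slip through.

```shell
#!/bin/sh
# Added example, not plugin code. A hotlink rule set for Apache mod_rewrite
# plus a dry-run that mirrors its logic. SITE is a placeholder for your own
# domain; sub-domains of it are allowed as well.
SITE='example.com'
site_re=$(printf '%s\n' "$SITE" | sed 's/\./\\./g')   # example\.com

# The rules: refuse image requests whose Referer is present and is not
# our own site. The "!^$" line keeps direct visits, privacy browsers and
# crawlers (which send no Referer) working; the "/" right after the domain
# stops look-alike hosts such as example.com.evil.example.net.
hotlink_fragment() {
  cat <<EOF
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^\$
RewriteCond %{HTTP_REFERER} !^https?://([a-z0-9-]+\.)*$site_re/ [NC]
RewriteRule \.(jpe?g|png|gif|webp)\$ - [F,NC,L]
</IfModule>
EOF
}

# image_blocked REFERER PATH: exit 0 if the rules above would answer 403.
image_blocked() {
  ref="$1"; path="$2"
  # Only image extensions are covered by the RewriteRule.
  printf '%s' "$path" | grep -qiE '\.(jpe?g|png|gif|webp)$' || return 1
  # No Referer at all: allowed.
  [ -n "$ref" ] || return 1
  # Our own domain (or a sub-domain of it) followed by "/": allowed.
  printf '%s' "$ref" | grep -qiE "^https?://([a-z0-9-]+\.)*$site_re/" && return 1
  return 0
}

# Usage: sh hotlink.sh 'https://other.example.net/' /wp-content/uploads/a.jpg
if [ $# -eq 2 ]; then
  if image_blocked "$1" "$2"; then echo "403: $2 from $1"; else echo "allowed: $2 from $1"; fi
fi
```

If your images are also served through a CDN or a second domain, add it to the allowed pattern rather than dropping the Referer check altogether; the dry-run makes it quick to confirm the new domain passes and the look-alike still fails.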
404 Detection (Total 5 Points)
A 404 error page is shown to users who try to access a non-existent URL on the site. Sometimes bots repeatedly try to access old or non-existent pages, consuming bandwidth. You can enable the “Enable 404 IP Detection and Lockout” checkbox to monitor such requests and block the IP addresses you suspect.
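The added example below (not plugin code) covers two checks from the Internet Bots and 404 Detection sections as a log-review pass over an Apache access log: verifying a visitor that claims to be Googlebot the way Google documents it (the reverse DNS name must end in googlebot.com or google.com, and the forward lookup of that name must return the same IP), and listing the IPs that rack up repeated 404 responses. It assumes dig is installed, the log lines are constructed samples, and the plugin's own tests may differ from these.

```shell
#!/bin/sh
# Added example, not plugin code: two log-review checks for the "Internet
# Bots" and "404 Detection" options. dig is assumed to be installed; the
# DNS helpers are separate functions so they can be replaced offline, and
# SAMPLE_LOG holds constructed lines in Apache's combined format.

ptr_lookup() { dig +short -x "$1" | sed 's/\.$//' | head -n 1; }
a_lookup()   { dig +short "$1" | head -n 1; }   # A record only; add AAAA for IPv6 crawlers

# Google's published verification: the reverse name must end in
# googlebot.com or google.com, and resolving that name forward must give
# back the same address. A spoofed User-Agent fails one of the two.
verify_googlebot() {
  ip="$1"
  name=$(ptr_lookup "$ip")
  [ -n "$name" ] || return 1
  case "$name" in
    *.googlebot.com|*.google.com) ;;
    *) return 1 ;;
  esac
  [ "$(a_lookup "$name")" = "$ip" ]
}

# Log lines on stdin -> one of "genuine IP", "fake IP", "other IP" per line.
classify_googlebot_claims() {
  while IFS= read -r line; do
    ip=${line%% *}
    case "$line" in
      *Googlebot*) if verify_googlebot "$ip"; then echo "genuine $ip"; else echo "fake $ip"; fi ;;
      *)           echo "other $ip" ;;
    esac
  done
}

# IPs with at least $1 responses of status 404 (field 9 in combined format).
repeat_404_ips() {
  awk -v t="$1" '$9 == 404 { c[$1]++ } END { for (ip in c) if (c[ip] >= t) print ip }' | sort
}

# Constructed sample: one host claiming to be Googlebot while hitting pages
# that no longer exist, one ordinary visitor with a single 404.
SAMPLE_LOG='203.0.113.9 - - [01/Jan/2024:00:00:01 +0000] "GET /old-page HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.9 - - [01/Jan/2024:00:00:02 +0000] "GET /feed/old HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.9 - - [01/Jan/2024:00:00:03 +0000] "GET /wp-content/uploads/gone.jpg HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.4 - - [01/Jan/2024:00:00:04 +0000] "GET /missing HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2024:00:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Usage with a real log: classify_googlebot_claims < access.log
#                        repeat_404_ips 20 < access.log
if [ "${1:-}" = demo ]; then
  printf '%s\n' "$SAMPLE_LOG" | classify_googlebot_claims
  printf '%s\n' "$SAMPLE_LOG" | repeat_404_ips 3
fi
```

Running both over the same log is what makes the 404 lockout decision safe: an IP that shows up in the repeat-404 list but verifies as a genuine Googlebot is usually following stale links and should be fixed with redirects, not blocked, whereas one that fails verification while claiming to be Googlebot is a reasonable candidate for the lockout.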
Custom Rules
Under this section you can write custom directives to be inserted into the .htaccess file to improve the security of your WordPress site. Use this section only if you know how to write directives; otherwise just leave it unchecked.
The AIOWPS plugin offers 135 points for the firewall section alone, out of a total of 470 points. This is an indication of how important a firewall is for your WordPress site. At the same time, we have noticed that some of the options break the site or block Googlebot from accessing it. Make sure to test the accessibility of your site and enable only the options you need, even though the total points count will be lower.