Wordpress Barbed Wire From WordFence

Wordpress security can be strong, and WordFence provides the firewall to make it stronger.

ITPro Today

January 23, 2019

5 Min Read
ITPro Today logo in a gray background | ITPro Today

 

 

 

 

Wordfence is a Wordpress plug-in that provides firewall features to Wordpress. In its basic form, it allies Wordpress protections from foes and “friends” and in advanced use has amalgamated threat protection and selective international access. I’ve been using this product for a while, and part of what I’m going to reveal is anecdotal, the result of being a volunteer for a busy website that is not only extra large (150GB+) but also wasn’t maintained very well for almost a decade.

 

The website content grew, and not unlike the Alice’s Restaurant Massacree posit (when you have a huge spot, you’re not motivated to take out the trash). By sheer luck, they’d only suffered now and then from not updating the side. Luckily, they were never held hostage or ransomed. And everyone remembered the passwords.

 

This site, like many Wordpress sites, was on a shared host system. Shared systems are great for those that don’t want to maintain the host operating system, or simply don’t care to avail themselves of the responsibility for maintenance. In my example, there were at least four hundred other logons on the same host shared by the website.

 

There was dirt and junk and leftovers also on the site. The attack surface of the site was huge, and many people knew the passwords over the decade the site had been online. Its huge size meant that daily postings were dutifully done, along with MP3s, podcasts, and other interesting bits.

 

Slowly but surely, the site started to slog and stall with too much traffic, huge up and downloads, and the incredible weight of thirsty crawlers, spiders, and podcast-harvesters. The site would get slow enough to lockout admins, editors, and internal updateres of the site. During peak periods, the site would go 503-- preventing legitimate public users of the site, as crawlers sucked down changes.

 

Clearly, some maintenance was in order. The breadth of the content of the site couldn’t be shaved or cut down with out a lot of work, and finding people to do this for this volunteer-run not-for-profit was difficult. They’re all pretty busy and not many people knew the difference between PHP and an earthmover. I volunteered.

 

Wordfence has a nearly perfect method of blocking crawlers, bots, and allows administrators to find sites that have been attempting hacks. The imperfection is that currently, Wordfence doesn’t allow total blocks, as it exempts Facebook. Although some referrals come from clicked links from within Facebook, Facebook has crawlers and for reasons unknown, Wordfence totally refuses to block them.

 

Personal experience says that Wordfence will block everything else that an administrator desires in the current release. Google? MSN? BingBot? You can block them by IP address, although these and other crawlers and bots have many IP addresses available, and each one needs to be blocked individually if this is your goal.

 

Many administrators reading this are currently shrieking, thinking that their business depends on getting ranking inside of Goggle, MSN/Bing, and other crawlers that aid them in their quest to monetize their site or otherwise attract users. It will come as a great surprise that there are sites that actually don’t want this, don’t actively seek to monetize their site, and otherwise don’t want to become part of someone else’s money making opportunity. This is the case here; this NFP isn’t interested in

AdWords, doesn’t take money through purchases (only donations), and has no interest in becoming part of an income scheme.

 

And so, to free up the site, I started blocking crawlers and bots diligently. It took some time, dozens of hours, to block them (all except Facebook). Wordfence displays the site visit activity divided into All, Humans, Bots, Crawlers, Google Crawlers, Pages Not Found, and then into Blocked categories. The Blocked categories is important, because accidental blockings are possible as traffic rapidly scrolls by the eyes of the blocker.

 

Automation of this activity is part of the Premium version of Wordfence, which is not inexpensive. The first helpful component of the Premium edition is the ability to geo-fence a site internationally. The website I’m using as an example benefits only a narrow geography. There is no reason why a Ukranian website should be interested in their content, especially when the Ukranian website is attempting to login as administrator to the Wordpress site in a crack attempt.

 

This is the beauty of the Pages Not Found listings. Each could be blocked although some site visitors just make a mistake. When attempting to login as Test to /website/wp-admin/, it’s not a mistake, it’s another crack attempt, and such crack attempts occur dozens of times each day, fueled by bot attackers.

 

Along with international geo-fencing is the ability to slow down any crawler or human if they do too much, too quickly. Administrators can slow them down, or decide that if they misbehave over a threshhold of time, to actively and permanently block the IP address of an offender. This feature is a bit tricky because well-intentioned humans sometimes do things very quickly and mistakenly-- resulting in an administrative block that then generates the motivation for a support contact. It also means you can throttle a connection of anything, human or bot, that’s dominating the resources of your website host without actively thinking about it, or as I did for a while, watching site stress and correlating it to crawler and bot blocking.

 

And this is my only other problem with Wordfence, that it has trouble sometimes distinguishing between actual fast humans and bots. Some humans surf a website with characteristics that make them appear as though they are bots, but they’re just silly humans making mistakes. Wordfence, in its nervousness, mistakenly classifies these mistakes as bots, but other times very accurately distinguishes bots employed by humans visiting a site from innocuous sources such as Comcast or Verizon.

 

Amalgamated blocking behavior is perhaps the most interesting feature of Wordfence, inasmuch as detected zero-day malware sources are updated to each protected website automatically, once detected. This renders an umbrella-like protection to Wordpress sites covered by the optional premium protection.

 

Wordfence comes in two editions, free and premium. Many casual sites need features in the free edition. The premium edition, however, for sites that are considered production sites that need to be up, need to be actively blocking bad guys, and those that are rated by their progenitors in uptime importance.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like