Admin Tools for WordPress Configure WAF (Web Application Firewall)

Credits: Video Training produced by Brian Teeman


Transcript of this course

Probably the most important part of Admin Tools is the Web Application Firewall, as this provides a suite of tools to protect your web site.

We can configure it from the Security section by selecting "Web Application Firewall". Here you can see several options. The most important one (and the one we will concentrate on in this video) is Configure WAF. WAF is just an abbreviation for Web Application Firewall.

Click on the Configure WAF icon. The first part covers the Basic Protection Features: whether we should allow administrators access to the web site based on an IP address, or whether we should use a custom admin URL. (This is covered in more detail in the video "Restricting access to WordPress".)

Moving on to the Request Filtering. This is the important stuff that protects your web site from malicious people. I strongly recommend that you stick to these default settings. You can read all about these options in the information areas, and you will find even more details in the documentation section of the akeebabackup.com web site.

With these default settings your web site is protected from many of the most common types of vulnerability found on the web.

The next tab covers Hardening options. The first of these, when enabled, will warn users when they register if they are using a well known password, and you can limit this warning to different user groups.

The next two will remove links in the header of your site for RSS or remote blog clients. If you are at all unsure, I recommend that you leave these at the default of no.

By default WordPress sets session duration to 48 hours or 2 weeks if the option remember me is checked. This is a very long time and you can change the duration here.

The most important option on this page is whether we treat failed logins as security exceptions. By default this is set to Yes, and you should leave it at this. We will talk about security exceptions later.

Finally, we can prevent anyone from signing up to our web site from a given email domain. Perhaps you want to block anyone using a disposable email address, such as those from mailinator. Simply enter the domains you wish to block here.
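The domain block described above is a small check, but it has edge cases worth getting right: mixed case, surrounding whitespace, subdomains of a blocked domain (`user@mail.mailinator.com`), and malformed addresses. The following is an added example written for this transcript, not Admin Tools' own code; the blocklist contents and the fail-closed behaviour on unparseable addresses are assumptions made for the example.

```python
"""Refuse sign-ups from blocked e-mail domains.

Added example, not Admin Tools code. Admin Tools reads its blocklist from
the settings screen; here the list is a constructed constant.
"""
from typing import Optional, Set

# Constructed blocklist for the example ("example-disposable.test" is a
# placeholder name, not a real provider).
BLOCKED_DOMAINS: Set[str] = {"mailinator.com", "example-disposable.test"}


def email_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of an address of the form local@domain,
    or None when the address does not have that shape."""
    address = address.strip()
    if address.count("@") != 1:
        return None
    local, domain = address.rsplit("@", 1)
    if not local or not domain or "." not in domain:
        return None
    # A trailing dot ("mailinator.com.") is the same domain in DNS terms.
    return domain.lower().rstrip(".")


def is_blocked_signup(address: str, blocked: Set[str] = BLOCKED_DOMAINS) -> bool:
    """True if registration with this address should be refused.

    A domain is blocked if it is listed or is a subdomain of a listed
    domain. Unparseable addresses are refused as well (fail closed): a
    sign-up form should not accept an address it cannot interpret.
    """
    domain = email_domain(address)
    if domain is None:
        return True
    labels = domain.split(".")
    # Walk up the label chain: mail.mailinator.com -> mailinator.com -> com
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return True
    return False


if __name__ == "__main__":
    for candidate in ("alice@example.org", "Bob@Mailinator.COM", "x@mail.mailinator.com", "not-an-address"):
        print(candidate, "->", "blocked" if is_blocked_signup(candidate) else "allowed")
```

Note that the chain walk also checks the bare top-level label, so listing a value such as `com` would block every `.com` address; the blocklist is meant to hold full provider domains as the transcript describes.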

In the Cloaking tab you will find some options to hide the type of web site that you are running. Many people believe that it's good to hide the fact that you are using WordPress for your web site. There are many ways you can identify a web site as running WordPress, one of which is the meta generator tag. You can hide or customise this tag by setting this option to "yes" and, if you wish, entering your own generator tag here. Perhaps as a joke you might want to set it to Joomla.

Project Honeypot is an external service. It is designed to prevent people from using contact forms for spam. You can find out more about Project Honeypot at their website by following the link from here.

The final sections cover logging and blocking repeat offenders. Before blocking anyone you might want to ensure that users from certain IP addresses or domains are never blocked, by adding them to a whitelist.

Each time someone makes a failed attempt we log it, and after a defined number of attempts we block them from accessing our web site completely. The way to do this is by IP address.

An IP address is a unique number assigned to every internet connection. Of course this isn't perfect, because a capable attacker may well be switching between many IP addresses, but it does stop the script kiddie. So I recommend that you set this to yes.

Now we need to decide: do we want to email someone to say that there has been an automatic ban? I'd like to know that something is going on, so I'm going to put my own email address in there.

I can now choose what the trigger is for the ban. By default it is 3 attacks in 1 minute, but you can change that to whatever criteria you want. Then it's how long you want to ban that person for. I usually set that to 1 day.

We can additionally permanently block an IP address if it is a repeat offender. When a person tries to access your site from a blocked IP, the only thing they will see is this message, which you can customise if you wish.
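The auto-ban policy laid out in the last few paragraphs (whitelist never banned; a set number of security exceptions within a time window earns a temporary ban; repeat offenders are banned permanently) can be shown end to end over a few log lines. The following is an added example written for this transcript, not Admin Tools' own implementation: the log line format, the sample addresses, the whitelist network and the "three temporary bans before a permanent one" threshold are all constructed for the example; the 3-in-1-minute trigger and the 1-day ban length follow the values mentioned in the video.

```python
"""Automatic IP banning driven by logged security exceptions.

Added example, not Admin Tools code. Assumed log line format:
"<ISO timestamp> <ip> <reason>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Set, Tuple

MAX_ATTACKS = 3                    # default trigger from the video: 3 attacks ...
WINDOW = timedelta(minutes=1)      # ... in 1 minute
BAN_DURATION = timedelta(days=1)   # the narrator's usual ban length
PERMANENT_AFTER = 3                # constructed: 3rd temporary ban becomes permanent

# Constructed whitelist: anything in this network is never banned.
WHITELIST = [ip_network("203.0.113.0/24")]

# Constructed log lines (documentation-range addresses, invented reasons).
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 failed_login
2024-05-01T10:00:20 198.51.100.7 failed_login
2024-05-01T10:00:40 198.51.100.7 failed_login
2024-05-01T10:00:41 203.0.113.5 failed_login
2024-05-01T10:00:42 203.0.113.5 failed_login
2024-05-01T10:00:43 203.0.113.5 failed_login
2024-05-01T10:05:00 192.0.2.10 failed_login
2024-05-01T10:10:30 192.0.2.10 failed_login
2024-05-03T09:00:00 192.0.2.9 bad_request
2024-05-03T09:00:05 192.0.2.9 bad_request
2024-05-03T09:00:09 192.0.2.9 bad_request
2024-05-05T09:00:00 192.0.2.9 failed_login
2024-05-05T09:00:05 192.0.2.9 failed_login
2024-05-05T09:00:09 192.0.2.9 failed_login
2024-05-07T09:00:00 192.0.2.9 failed_login
2024-05-07T09:00:05 192.0.2.9 failed_login
2024-05-07T09:00:09 192.0.2.9 failed_login
"""


class AutoBan:
    def __init__(self) -> None:
        self.recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # sliding window per IP
        self.ban_until: Dict[str, datetime] = {}
        self.ban_count: Dict[str, int] = defaultdict(int)
        self.permanent: Set[str] = set()
        self.events: List[Tuple[str, str, datetime]] = []             # (kind, ip, when)

    def is_whitelisted(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in WHITELIST)

    def is_banned(self, ip: str, now: datetime) -> bool:
        if ip in self.permanent:
            return True
        until = self.ban_until.get(ip)
        return until is not None and now < until

    def record_exception(self, ip: str, when: datetime) -> None:
        """Log one security exception for ip and apply the ban policy."""
        if self.is_whitelisted(ip):
            return
        window = self.recent[ip]
        window.append(when)
        # Forget exceptions that have fallen out of the time window.
        while window and when - window[0] > WINDOW:
            window.popleft()
        if len(window) >= MAX_ATTACKS:
            window.clear()
            self.ban_count[ip] += 1
            if self.ban_count[ip] >= PERMANENT_AFTER:
                self.permanent.add(ip)
                self.events.append(("permanent_ban", ip, when))
            else:
                self.ban_until[ip] = when + BAN_DURATION
                self.events.append(("temporary_ban", ip, when))


def process_log(text: str) -> AutoBan:
    bans = AutoBan()
    for line in text.splitlines():
        if line.strip():
            ts, ip, _reason = line.split(maxsplit=2)
            bans.record_exception(ip, datetime.fromisoformat(ts))
    return bans


def ban_summary(text: str) -> List[Tuple[str, str, str]]:
    """Ban events as (kind, ip, ISO timestamp) tuples, in log order."""
    return [(k, ip, w.isoformat()) for k, ip, w in process_log(text).events]


def banned_at(text: str, ip: str, iso: str) -> bool:
    return process_log(text).is_banned(ip, datetime.fromisoformat(iso))


if __name__ == "__main__":
    for event in ban_summary(SAMPLE_LOG):
        print(*event)
```

Running it on the constructed log bans 198.51.100.7 for a day after its three failed logins inside one minute, leaves the whitelisted 203.0.113.5 alone despite the same burst, ignores 192.0.2.10 whose two attempts are five minutes apart, and escalates 192.0.2.9 from two temporary bans to a permanent one on its third burst. The window is cleared when a ban is issued so that the same exceptions are not counted twice.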

There are a few different types of logging that Admin Tools offers you. First, it is possible to add a note for every single user to store the IP address that they used when they signed up.

You may need to log this for regulatory purposes; if so, you should enable it.

Next is the main one, which is logging the security exceptions. Obviously we want to log them, so this should remain set to yes.

Again we can choose to send an email on every single security exception. If you want to apply this, just enter your email address in here. Personally I don't bother setting this, as there can be quite a lot of exceptions; they just mean someone has tried and failed. I only want to know if someone has been blocked.

However, you might want to enable the next one: to send an email every time somebody logs in to your administrator area.

Now if you've got a lot of administrators you probably don't want to set this. But if you are the only one and somebody is able to log in then that's a security issue and I'd want to know about it. So I'm going to enter my email address in there so that now if anybody logs in to the administrator of this web site I will be notified.

Once you've configured the Web Application Firewall exactly how you want it and made sure that you've read the documentation to understand what the settings are, press Save Changes and all those configured options for the Web Application Firewall are now in operation.
