Wordfence and ClassicPress

3 posts were split to a new topic: Malware Protection Discussion

By the way, my post adding support for this request seems to have been “moderated” out.

Not much point WordFence “closely monitoring forums” if we aren’t able to post mention of it.

Anyway, I’m quite happy with Shield.

I use it now. Works without flaws and I am more comfortable with Ninja Firewall rules than WordFence 30 days delayed rules. Some folks reported superior results in catching malicious requests, maybe because of that.

Just can’t decide, which firewall is better - Ninja Firewall or Cerber security. So, I have both installed

Fast-forward 5 years, what security plugins are you using?

I got a CP site hacked, and I got Wordfence to help. But the Core check is unusable, as lots of files have been changed between CP and WP.

I have it enabled now for the firewall only, as it seems to do its job.

I am also working on my own security plugin.

A lot of times CP/WP sites are hacked through the back door using xmlrpc.php and you need to block access to that file in .htaccess

# Deny access to xmlrpc.php
Redirect 403 /xmlrpc.php

Even then you need to use some sort of brute force login protection, to stop people hammering your admin login.

I have used WPS Hide Login on all my sites for years. It moves your login page to a URL of your choice, so they don’t even know where to go to log in.

Of course, that doesn’t help much if people need to create an account on your site, although there are membership plugins that will allow you to have a special front end login page.

Thanks, I already have XMLRPC blocked, and the login is hidden.

Hackers gain access via different methods. I am working on a security plugin right now.

I already have this one, and I want to add more detection patterns.

I didn’t realize you were a developer yourself. Preaching to the choir!

I must have been very lucky then that, touch wood, nobody has hacked any of my sites so far.

I am managing 400+ WordPress websites and 4 ClassicPress ones. They have all been hacked. While I successfully used Wordfence for WP, there is nothing for CP out there.

Shield security but I do not know if it compares to wordfence

I tried it on a few websites (the advantage of maintaining 400+ websites is that I can experiment with different plugins — security, SEO — and pick the best one) but I kept getting some API errors. There was no obvious cause for these errors, so I didn’t feel like digging deeper.

I have now 2 ClassicPress websites where I’m testing WP Guardian. I built an SQLite database to hold the logs, so it’s faster than a regular MySQL plugin. We’ll see how it goes.

I also still use Wordfence, as a web firewall I would say it is still a good choice even if you do lose the core file checks. I use a handful of file edits and other stuff as well.

Still using BPSpro on multiple sites, both on Classicpress (12 sites) and Wordpress (6) - see earlier in this thread

To prevent malicious request even reaching your ClassicPress setup best is to have mod_security, couple of rules in Apache (web server) config that prevent access to xmlrpc and wp-config files, prevent execution of php in wp-content/uploads and pass protect wp-admin folder with exceptions for couple files that are needed in frontend.

This removes entry point for I would say 90% of attempts.

FWIW, if you use a strong password and don’t allow public logins, you do not need Wordfence, a WAF, Cloudflare or any other security plugin.

Most publicized hacks in the news were due to poor system administration (shared hosts jailing user accounts) which is really a Linux and/or MySQL issue, has nothing to do with WordPress.

While I can agree that not every security issue is on the site owner, and that many factors are involved… I do not agree with your advice of not needing security measures.

Even if the user registration is disabled, CP (like WP) still has ONE user account. The Admin one, that is. The registration page might not be there, but the login one is. Where there’s an user there’s a point of entry.

Security is a result of many factors - given time and resources it can be breached; this is a fact.

The only way to be secure (and not share our data) is to go completely offline and off grid; and this is another fact.

Between the two extremes (Going off grid and being overly cautious implementing security at the highest level for a plumber’s site) I think that implementing security correctly without overdoing/over-killing at each level can result in a lower risk. In that regard some security plugins might come in handy because they help in keeping threats at bay,

It’s not a fact. If you have evidence, then show it. This is absolutely false. If it was true, then the core code would be fixed immediately, as millions of websites would be at risk.

Security has LAYERS

First layer is the server, second is the code, third is the admin and their behavior, fourth is the eventual user/site visitor and lastly the devices involved in managing/visiting the site.

To be REALLY secure a site needs to implement security on each level. Having a SAFE code on an unprotected server means no security.

However, even the most secure banks can get robbed. This requires the robber having information about the bank systems and the resources/time to circumvent security levels.

That is why systems with high security risk do update/change their security systems to adapt to threats.

Fact is that telling someone “you do not need security at site level” - is detrimental. You do not know their setup. you do not know the server level (are they on a crappy shared because it’s all they can afford? did they spun their own? are they on a big badass secure server?) or the code (did they tampered with the code making it more vulnerable?) or their visitors/users behavior is risky? or the devices involved is not secure? (devices, even a server, can have faults leading to threats). And even knowing their setup, it’s risky to put out there such a laid back advice IMHO.

Proof is that even sites we deem SECURE get hacked, breached and data is stolen/damage is done. Even when they implement security measures at each level.

This because we are humans, and if s*** has to hit the fan it will (Murphy’s laws are real). Acting without a care in the world will only help that.

I dont think so its a fact

You’re changing the subject. More software != more security. Just the opposite. When you introduce Wordfence into the equation, you’re introducing more complexity, more unknowns, more possible attack vectors, and possible conflicts of interest from a separate company.

1. Wordfence itself may have vulnerabilities opening new attack vectors. You can’t assume security software is secure, as we recently saw with CrowdStrike.
2. Recent Wordfence updates were not designed for ClassicPress, even more risk.
3. Will ClassicPress backtest on all previous versions of Wordfence? To do so would be unreasonable, counterproductive and misguided.

It’s important to keep in mind, if Wordfence actually found a real vulnerability in WordPress, that would be rectified in core. And no doubt the fix would be backported into ClassicPress, if necessary.

Often security problems are introduced along with new changes, which means generally speaking you’re safer with ClassicPress which a) has fewer contributors introducing fewer changes introducing fewer security problems, b) is less appealing to hackers (lower reward) compared to WordPress, ceteris paribus.

To be clear, I’m not suggesting any blog is perfectly secure. That’s a different subject. Point is, nobody is getting more security by adding Wordfence. To believe otherwise, I’d say you were tricked by some clever marketing.

Some things are a matter of opinion or personal choice and in either case very few people will change their minds even when wrong. If you believe security software makes your site less secure, then nothing anyone says is going to change that, same in the reverse direction. As with most things, reality is probably someplace in the middle.