WordPress Security Plugins vs automated Fail2Ban
There’s some wonderful WordPress security plugins out there. They all start with good intentions but then become too complex. In any case, WordPress is not the right place to start security, security should be at the server-level, built into your environment, whether you use Apache (IP Tables; easy end user version .htaccess) or Nginx (IP Tables in this case).
Fail2Ban can help with illegal search strings and not just brute-force logins
We build custom servers and install Fail2Ban. Fail2Ban helps picking up over-excited bots, but doesn’t protect WordPress itself. A great place to hunt hackers is in the WordPress search field. For some reason, hackers like to search with what should be forbidden terms in WordPress search. Swiftype coughed up a list of over 11,000 dirty searches in one week on one client website which gave us a rich sample from which to work.
After removing potential false positives (we’re a tech site, someone might legitimately search for phpMyAdmin for instance) we compiled potential Fail2Ban terms into this nice short list:
'/.env',
'/.github/workflows',
'/.ssh',
'/boot.ini',
'etc/passwd',
'/ftpsync.settings',
' onerror=',
' onload=',
'/phpMyAdmin/server_import.php',
'/phpmyadmin/scripts/setup.php',
'/win.ini',
'/wp-config.php'
Unless you are Joel Spolsky1, you don’t want any IP who searches for these strings on your site.
Handling Searches
To be perfectly safe, we exclude the search requests (?s=…) from the WAF. Otherwise if your website is about computer, some normal searches might ban a visitor.
To avoid this Iwe put in these slashes at start of most of the keywords. That way visitors can still search the articles for say .env like this: https://foliovision.com/?s=.env
and it’s not considered a hacking attempt. So only https://foliovision.com/.env
is considered a hacking attempt.
If a visitor searches for /.env
like this: https://foliovision.com/?s=/.env
– then s/he still gets banned.
bbPress Searches
We’re still working on what to do with bbPress searches which look like this /{forum-base}/search/{keyword}
. On a tech site, which forums often are, including our own, some of the keywords could look suspicious.
How to ban nasty searches from your own site
First you need to install Fail2Ban. So this is kind of a developer’s tool for those publishers running a website large enough to get its own VPS. You would have to be on a very good webhost indeed to get Fail2Ban on shared hosting. Let me know if you about any.2
Second, to use our code, your CMS must be WordPress3. From there, it’s very easy. Just install our own BusinessPress plugin which will help you control auto-updates, reduce WordPress branding, control ad notices, add your own branding, put your settings panel in alphabetical order, protect XML-RPC, disable Generator Tags, REST API, even emojis or oEmbed. BusinessPress will also give you Google style search results with the default WordPress search plugin, enhancing SearchWP results too. The interface is super simple:
It’s split between just three themed tabs: Update Management, Preferences, Branding.
For our purposes now, BusinessPress supports Fail2Ban for too many failed login attempts. For those on shared hosting our banning also supports LoginLockdown.
For the bad searches, you will need Fail2Ban as the IP ban must be done at server level. If you have Fail2Ban setup, BusinessPress will add the IP addresses with bad searches to auth.log
which will automatically add the hacker IP’s to the ban list within a minute or two, along with failed login attempts.
If you have Fail2Ban installed with auth.log
running, search term banning with the sensible default list above will just work. We plan add the opportunity to customise the illegal search list, but starting with good simple defaults.
Amazing but so much functionality in one plugin?
If you are wondering why we don’t build this out as a separate plugin, we want all this functionality as a starting point for any Foliovision website. Most of this functionality would otherwise have its own fixer plugin. In case you don’t know how the WordPress plugin repository works, every plugin must be manually updates with every WordPress revision, however, minor or it quickly disappears from search. Matt Mullenweg and Automattic have made maintaining free plugins so onerous that most free plugin developers have just abandoned their plugins.4 Moreover updating a dozen more plugins on every site doesn’t sound much fun in terms of maintenance.
The good news for you is that it’s all free and you don’t need to enable any features you don’t need or want. You’ll probably find you can drop half a dozen branding, XML-RPC, CDN and admin notice plugins for the simple and elegant BusinessPress.
-
Publisher of StackOverflow.com and its network of (mostly) tech sites. Joel and his colleagues at Fog Creek Software also created the ground-breaking collaborative public Kanban tool, Trello. Joel’s (almost) retired weblog is an astonishing resource of code development insight, sort of a War and Peace of software development. Even Tolstoi’s novel has a beginning and end. ↩
-
Albeit, modern WordPress has spent far more developer hours attempting to become a clunkcy pagebuilder/landing page builder than improving its CMS functionality. One can only weep or laugh at the million developer hours lost to Gutenberg, which could have been spent making WordPress core more robust or more secure as a CMS. Serious publishing is still all the rages, I don’t know why Matt Mullenweg is obsessed with landing pages and one-off marketing pages. ↩
-
Sadly, we’re a long way from the open source beginnings of WordPress (I was there). It’s a nasty commercial WordPress world out there. Even the rats have begun abandoning ship. Latter two developers on this list are very good developers who mostly worked with their users’ interests top-of-mind. The pro WordPress community will be worse for their absence. Wow, even Justin Tadlock has left us. I wanted to write “At least Justin Tadlock is still with us but decided to check first. WordPress’s most serious long term analyst, PostStatus founder Brian Krogsgard has sold off PostStatusleft WordPress to pursue NHT of all things. We’re still here! ↩
Alec Kinnear
Alec has been helping businesses succeed online since 2000. Alec is an SEM expert with a background in advertising, as a former Head of Television for Grey Moscow and Senior Television Producer for Bates, Saatchi and Saatchi Russia.
Leave a Reply