These days I’m even more behind on reviews than usual. But I have a good excuse. About a month ago, my brother’s web site got hacked into. The attacker used an insecure feature of WordPress to find out all his user names, and kept doing brute force attacks against the site until it found a user with a weak password, and then BOOM, his site was hacked.
Being a software developer with 20 years of experience, I wanted to know everything about how people attack WordPress, and what I could do about it. So, after lots of research, and trying about a dozen free security plugins that I hated, I started building my own!
It’s been a fun little project building this plugin, and I’ve learned so much! I knew there were public databases out there which tracked threats on the internet, but I had no idea how many. I wanted to check public block lists for known attackers, and use geo-location to find out where the attackers are.
The project kind of spiraled out of control, and ended up as an industrial strength firewall with a modular services architecture, which is a fancy way of saying I can add whatever services I want, without having to redesign the whole plugin every time I think of a new idea. The design works better than I thought it would, so I deleted all the unfinished services to focus on the ones I thought should be in the core product.
Of course, in addition to all the configuration options you’d expect from a security plugin, each service has its own configuration unique to that service, like this one for the SANS Institute’s block list, which is completely free for anyone to use. Which is another reason I built this plugin: most of the security products out there charge you a monthly subscription when behind the scenes, they are likely utilizing all these free, public services.
I had the throw-together prototype protecting a bunch of web sites, and over the last few days I’ve been testing the Beta version on this web site. Let’s just say that it’s worked like a charm!
When the plugin blocks someone for being naughty, I can see everything they’ve done with the system, and a large amount of information about them. Below is a site from China that was blocked by my little firewall. Drilling down from the visitor screen, I can see what the firewall’s services had to say about this visitor. Here’s just one example of hundreds:
Hmm, I see that it was not only on the SANS Institute’s public block list for being naughty, but it also tried to guess the site’s users, just like the attack that got my brother’s web site. Looking at its requests, I can also see that it tried to use non-sequential numbers to sneak past any security software!
Guessing non-sequential numbers didn’t help this attacker, because the intrusion detection and public block list services blocked it on the very first request it made.
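To show why skipping around the ID space doesn’t help, here is a small detection routine written as an added example for this post; it is not code from the plugin described above. It assumes the user-guessing requests use WordPress’s author-ID lookup (`/?author=N`, which redirects to the author archive) or the REST users endpoint, that the access log is in the common Apache format, and that the public block list has already been fetched into a set of IPs. The log lines and the block list contents are constructed for the example, and the two-probe threshold is an arbitrary choice.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines in Apache "combined"-style format; not real traffic.
# 203.0.113.7 probes author IDs out of order, 198.51.100.9 is on the block list,
# 192.0.2.20 is an ordinary visitor who follows one author link.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?author=7 HTTP/1.1" 301 0
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /?author=42 HTTP/1.1" 404 0
198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 0
192.0.2.20 - - [01/Jan/2024:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 0
192.0.2.20 - - [01/Jan/2024:10:00:06 +0000] "GET /?author=3 HTTP/1.1" 301 0
"""

# Constructed stand-in for a public block list feed (e.g. the SANS list the post
# mentions); a real deployment would load and refresh this from the feed.
BLOCKLIST: Set[str] = {"198.51.100.9"}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


@dataclass
class Verdict:
    requests: int = 0                 # requests seen from this IP so far
    enum_hits: int = 0                # requests that looked like user enumeration
    blocked_at: Optional[int] = None  # 1-based request number that tripped the block
    reason: Optional[str] = None      # "blocklist" or "user-enumeration"


def parse_line(line: str) -> Optional[dict]:
    """Pull client IP, method, request target and status out of one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    return {"ip": ip, "method": method, "target": target, "status": int(status)}


def is_user_enumeration(target: str) -> bool:
    """True if the request looks like a WordPress user-enumeration probe.

    The check keys on *what* is requested (an author-ID lookup or the REST
    users endpoint), not on the ID values, so probing 1, 7, 42 is caught just
    as readily as 1, 2, 3.
    """
    parsed = urlparse(target)
    if "author" in parse_qs(parsed.query):
        return True
    return parsed.path.rstrip("/").endswith("/wp-json/wp/v2/users")


def evaluate(log_text: str, blocklist: Set[str], threshold: int = 2) -> Dict[str, Verdict]:
    """Replay log lines in order and decide, per client IP, whether and when it
    would have been blocked. Block-listed IPs are blocked on their first request;
    other IPs are blocked once they reach `threshold` enumeration probes."""
    verdicts: Dict[str, Verdict] = {}
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        v = verdicts.setdefault(req["ip"], Verdict())
        v.requests += 1
        if v.blocked_at is None and req["ip"] in blocklist:
            v.blocked_at, v.reason = v.requests, "blocklist"
        if is_user_enumeration(req["target"]):
            v.enum_hits += 1
            if v.blocked_at is None and v.enum_hits >= threshold:
                v.blocked_at, v.reason = v.requests, "user-enumeration"
    return verdicts


if __name__ == "__main__":
    for ip, v in evaluate(SAMPLE_LOG, BLOCKLIST).items():
        state = f"blocked on request {v.blocked_at} ({v.reason})" if v.blocked_at else "allowed"
        print(f"{ip:15} probes={v.enum_hits} {state}")
```

Run as a script it prints one line per visitor: the out-of-order prober is stopped on its second request, the block-listed address on its very first, and the ordinary visitor who followed a single author link is left alone. The point of the design is that the enumeration rule never looks at the ID values, so there is nothing to gain from guessing them non-sequentially, while the block list catches a known bad address before any pattern has had a chance to form.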