How To Add Security Headers + More New Defender Features

Defender’s back in the ring for round 2.2.2. And he’s coming in hot with three brand new security features – all specifically designed to lay the smackdown on cowardly hackers and bots.

Your website’s safety is at stake, so let’s not delay.

Defender 2.2.2 recently entered the ring complete with a brand new set of knockout security features.

And in this article we’re shining the spotlight on three of the standouts:

  1. HTTP Security Headers
  2. Prevent User Enumeration
  3. Block WordPress Rest API

I’ll also be showing you how easy it is to instantly arm your website with these new weapons.

Because the truth of the matter is, if you’re not constantly updating your site’s security, you’re playing with fire.

Every day hackers and criminals are finding new ways to exploit even the most ‘secure’ of websites.

And if you’re not up with the latest website security measures, you’re leaving your site vulnerable.

That’s Where This Large Wrestler Dude Steps In…


Defender Pro is all you need for a safer website

New Round Here?

Meet Defender, our premiere security plugin and your personal [internet] crime fighting machine (he’s not as scary as he looks, unless you’re an evil hacker).

Hackers… Brute force attacks… Malicious bots…

They’re all no match for Defender’s mighty WordPress security shields and cloaking technology.

Tag-team with this plugin for instant access to: user security scans, vulnerability reports, two-factor authentication, safety recommendations, and tons more!

The point is…

Defender Has The Scariest Web Villains Squirming

And in its latest update, this robust plugin adds even more notches to its heavyweight security belt.

The best part?

Enforcing most of them takes no more than a click of a button.

But before we press on, PSA:

All of the features covered in this article are only available with Defender Pro (as opposed to the free version of Defender).

A WPMU DEV membership gives you full access to this, and all of our other award-winning premium WordPress plugins. There’s also a 100% risk-free 30-day trial – so you’re welcome to try before you buy.

But as I said earlier, the safety of your website depends on this – so on to the barnstorming features!

Hit Hackers Where It Hurts: HTTP Security Headers

Much like relationships, communication is one of the keys to a safer and more secure website.

And effective communication is what HTTP security headers do best.

In simple terms, these head-butting headers talk to web browsers and tell them how to behave when interacting with your website, adding another layer of protection against malicious attacks.

HTTP security headers come in various shapes and sizes (I cover each below) – all safeguarding you against different types of attacks.

They’re also super easy to implement on your website. And like most Defender features – they’re literally a click away from being instantly weaponized.

*This security feature was originally requested by our WPMU DEV community member Gary. Thanks again for your input Gary!

How To Activate Defender’s HTTP Security Headers

From the Defender dashboard, find the “Security Tweaks” section (you can’t miss it!). You’ll see a preview list of the security tweaks Defender recommends for your website.

Either click one of these, or click “view all.”

Start at the Defender dashboard

Alternatively, you can navigate to Security Tweaks directly via the side menu:

Or select security tweaks from the side menu

Once you’re through to the Security Tweaks page, you’ll see Defender points out the current security issues with your website.

Since security headers are a new feature, they’ll automatically appear on this list.

To activate a security header, start by clicking on one.

Click on a security header to enforce it

When you’ve clicked through you’ll then be given more info about each header.

Here’s an example of what you see when you click the “X-Content-Type-Options” header:

An example of one of the security headers

Like I said earlier, one click is all it takes.

Hit that “enforce” button and KAPOW! You’ve just beefed your security up a level.

Once you’ve enabled any header it’ll automatically be moved to the “Resolved” section of Security Tweaks.

You can also disable a security header here too if needed.

Once security headers have been activated they become resolved

Alrighty, now that you know how to enforce security headers, let’s dive deeper into the headers themselves and what they do.

Meet Defender’s New ‘Heads’ Of Security:

1. X-Content-Type-Options Header

The X-Content-Type-Options header is quite the warrior, defending you against nasty MIME sniffing and XSS attacks.

An example of this is when a website allows users to upload content, but then, *PLOT TWIST, the user disguises a specific file type as something else. Sneaky sneak!

This gives them a dangerous opportunity to perform cross-site scripting and compromise your website. You’ll definitely want to activate this puppy if your website allows users to upload content.

2. Feature-Policy Header

The Feature-Policy response header helps control which browser features can be used when web pages are embedded in iframes (HTML documents embedded inside other HTML documents on a website).

Examples of this include: embedding an iframe where you don’t want the embedded site to have access to the visitor’s camera, or when unoptimized images are output to your website from a CMS.

This security header also gives you additional options to prevent unwanted actions when your webpages are embedded elsewhere:

The feature policy header gives you extra options

3. Referrer-Policy Header

The Referrer-Policy HTTP header tells web browsers how to handle referrer information when a user clicks a link that leads to another page.

Referrer headers let website owners know where inbound visitors came from, but sometimes you might want to control or restrict the amount of information shown.

You can also choose what referrer information is sent, along with requests:

Choose different options with this security header

4. Strict-Transport-Security Header

The HTTP Strict-Transport-Security header (HSTS) lets your website tell browsers that it should only be accessed over HTTPS (rather than HTTP).

This is especially important for sites that store and process sensitive information (e.g. eCommerce stores) and it helps to prevent “protocol downgrade” and “clickjacking” attacks.

You can also set your Transport-Security Header requirements (see below). This will convert all non-HTTPS links, and will block insecure connections coming into your website.

A look at the strict transport header in action

5. X-Frame-Options Header

The X-Frame-Options HTTP header controls whether or not a browser can render a webpage inside a <frame>, <iframe>, or <object> tag.

This can help avoid clickjacking attacks by ensuring your content isn’t embedded into other websites.

Avoid clickjacking attacks with this security header

6. X-XSS-Protection Header

The X-XSS-Protection header stops pages from loading whenever it detects reflected cross-site scripting (XSS) attacks on Chrome, Safari, and more.

For the most part you don’t need this header in modern browsers, as most websites have a strong “Content-Security-Policy” that disables the use of inline JavaScript.

But this header still protects users of older web browsers that don’t support CSP.

You can choose what level of X-XSS protection you would like to apply when XSS attacks are detected. Whether it’s sanitizing the page (removing unsafe parts), or blocking the attack completely.

Adjust your X-XSS-Protection header settings
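To check whether the six headers above are actually reaching the browser, here is an added audit script (not Defender’s own code) that grades a response’s headers against the settings described in this section; the BEFORE and AFTER header sets are constructed samples so it runs offline, and it also accepts Permissions-Policy, the newer name browsers gave Feature-Policy.

```python
import re

def _nosniff(v):
    # Only the literal value "nosniff" turns off MIME sniffing.
    return ("ok", v) if v.lower() == "nosniff" else ("weak", "use 'nosniff'")

def _referrer(v):
    # unsafe-url is the one value that sends the full URL to every destination.
    return ("weak", "unsafe-url leaks full URLs") if v.lower() == "unsafe-url" else ("ok", v)

def _hsts(v):
    # HSTS only protects returning visitors for max-age seconds; a year is the usual floor.
    m = re.search(r"max-age=(\d+)", v, re.I)
    if not m:
        return ("weak", "no max-age directive")
    age = int(m.group(1))
    if age == 0:
        return ("weak", "max-age=0 tells browsers to forget the policy")
    return ("ok", v) if age >= 31536000 else ("weak", f"max-age {age}s is under one year")

def _frame(v):
    # ALLOW-FROM is obsolete and ignored by current browsers, so it counts as weak.
    return ("ok", v) if v.upper() in ("DENY", "SAMEORIGIN") else ("weak", "use DENY or SAMEORIGIN")

def _xss(v):
    v = v.replace(" ", "").lower()
    if v == "0":
        return ("weak", "filter explicitly disabled")
    if v == "1;mode=block":
        return ("ok", "block mode")
    return ("ok", "sanitize mode") if v == "1" else ("weak", f"unknown value {v!r}")

# Each validator returns (status, detail) with status "ok" or "weak".
CHECKS = {
    "X-Content-Type-Options": _nosniff,
    "Feature-Policy": lambda v: ("ok", v),  # any policy beats none
    "Referrer-Policy": _referrer,
    "Strict-Transport-Security": _hsts,
    "X-Frame-Options": _frame,
    "X-XSS-Protection": _xss,
}
ALIASES = {"Feature-Policy": "permissions-policy"}  # browsers later renamed the header

def audit_security_headers(headers):
    """Map each expected header to (status, detail); status is ok, weak or missing."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    report = {}
    for name, check in CHECKS.items():
        value = h.get(name.lower()) or h.get(ALIASES.get(name, ""))
        report[name] = ("missing", "header not sent") if value is None else check(value)
    return report

def missing_or_weak(headers):
    return sorted(n for n, (s, _) in audit_security_headers(headers).items() if s != "ok")

# Constructed samples: a stock site, and the same site with all six tweaks enforced.
BEFORE = {"Content-Type": "text/html; charset=UTF-8",
          "Strict-Transport-Security": "max-age=300",
          "X-Frame-Options": "ALLOW-FROM https://partner.example"}
AFTER = {"X-Content-Type-Options": "nosniff",
         "Feature-Policy": "camera 'none'; microphone 'none'; geolocation 'none'",
         "Referrer-Policy": "strict-origin-when-cross-origin",
         "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
         "X-Frame-Options": "SAMEORIGIN",
         "X-XSS-Protection": "1; mode=block"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, "still needs:", missing_or_weak(hdrs) or "nothing")
```

To audit a live site, pass the headers of a real response (for example `dict(urllib.request.urlopen(url).headers)`) to `audit_security_headers` instead of the constructed samples.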


We’re not done yet…

Here Are Two More Lethal Security Moves Defender’s Been Perfecting:

1. Catch Bots Off Guard With “Block WordPress Rest API”

The WordPress Rest API allows your website to communicate with internal and external services and applications.

This allows developers to create single page apps on top of WordPress. It also unlocks a whole world of opportunities (especially with Gutenberg).

However, if you’re not using any external services that require public access to the API, it’s potentially another access point for bots and hackers.

This security tweak lets you restrict the REST API to authorized requests only, which is recommended if you don’t require API access from third-party apps and software.

Alternatively, if you have external services that require API access you can ignore this security tweak.

This tweak also comes with a sliiight warning (dun dun duuun…).

It could prevent your website from working properly – so only activate this tweak if you know what you’re doing.

Like the security headers, the Block WordPress Rest API feature can be found in “Security Tweaks” and enforced in one click:

You can choose to block WordPress Rest API


2. Prevent User Enumeration And “KO” Brute Force Login Attempts

A common method for bots and hackers to access your website is to figure out login usernames and brute force the login area with a bunch of dummy passwords.

There are two sides to this hacking method. The passwords are random guesses, and are harder to get. Your username, on the other hand, can be easily discovered because WordPress redirects “?author=1” to “/author/username/.”

This security tweak locks down your website by preventing the redirect, making it much harder for bots to get your usernames.

You’ll find Prevent User Enumeration in “Security Tweaks,” and it can be activated with a click:

Defender can help with preventing user enumeration
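As an added example (not part of Defender), the following script shows how the enumeration attempt described above looks in a web server access log and how to spot it: it groups ?author=N probes by client IP and records whether the server answered with the /author/username/ redirect, which is the leak the tweak prevents. The log lines are constructed samples in combined log format.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: client IP, identity, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, target, status) or None for lines that are not access-log entries."""
    m = LOG_RE.match(line)
    return (m["ip"], m["target"], int(m["status"])) if m else None

def author_id(target):
    """Extract the numeric ?author= parameter from a request target, if present."""
    ids = parse_qs(urlsplit(target).query).get("author", [])
    return int(ids[0]) if ids and ids[0].isdigit() else None

def find_author_enumeration(lines, min_ids=3):
    """Group ?author=N probes by client IP.

    Returns {ip: {"ids": sorted author IDs probed, "redirected": how many of those
    requests got a 3xx}} for IPs that probed at least min_ids distinct IDs. A
    non-zero "redirected" count means the /author/<username>/ redirect was still
    being served, i.e. the Prevent User Enumeration tweak was not in effect.
    """
    probes = defaultdict(lambda: {"ids": set(), "redirected": 0})
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, target, status = parsed
        aid = author_id(target)
        if aid is None:
            continue
        probes[ip]["ids"].add(aid)
        if 300 <= status < 400:
            probes[ip]["redirected"] += 1
    return {ip: {"ids": sorted(p["ids"]), "redirected": p["redirected"]}
            for ip, p in probes.items() if len(p["ids"]) >= min_ids}

# Constructed sample log: one client walks author IDs 1-4 and is redirected each time,
# a second client makes a single probe that gets a 404, and normal traffic is ignored.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.22.0"
203.0.113.5 - - [10/Oct/2019:13:55:36 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "python-requests/2.22.0"
203.0.113.5 - - [10/Oct/2019:13:55:37 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "python-requests/2.22.0"
203.0.113.5 - - [10/Oct/2019:13:55:37 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "python-requests/2.22.0"
198.51.100.7 - - [10/Oct/2019:14:02:11 +0000] "GET /?author=1 HTTP/1.1" 404 1843 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2019:14:03:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "https://example.com/" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, info in find_author_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: probed author IDs {info['ids']}, {info['redirected']} answered with a redirect")
```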


*Shoutout to WPMU DEV community members Richard and Michael for requesting this feature.

Sometimes Offense Is The Best [Security] Defense

It’s a scary internet world out there, and every day hackers and other despicable web villains are finding new ways to run amok with innocent people’s websites.

That’s why it’s important to ensure your website is well armed with the latest security features.

Thanks to Defender Pro’s newly introduced security headers, as well as the ability to block WordPress Rest API and user enumeration – your website is in safer hands than ever.

If you already have Defender Pro installed and you haven’t yet updated… get to it silly! Your website’s safety depends on it.

Now’s The Time To Get Defensive

Again, if you’re new around here and you want to beef up your website’s security with this plugin… the best place to start is by signing up for a free 30-day trial with WPMU DEV.

That way you can take the mighty Defender (as well as all of our other premium plugins) for a test drive first. If you’re not satisfied within the 30 days, just cancel your sub and we’ll try to do better for you next time. No harm done.

(There’s also the free version of Defender if you’re not ready for that kind of commitment).

Special thanks to the amazing team (superheroes in their own right) that made Defender 2.2.2 possible:

Lead Developer: Hoàng Ngô, QA: Devendera Mishrades, and Lead Designer: Andy Crone.

Also be sure to check out our Product Roadmap to see what’s on the horizon for Defender in future updates.

Breathe Freely! Your Security with WPMU DEV is Stronger Than Ever

Is WordPress security a big deal to you and your clients? Why would I ask such a silly question? Because our security suite has new superpowers including Defender location-based IP blocking and Automate Safe Upgrade scans…now on up to 5 pages.

What’s the WPMU DEV Security Suite, you Ask?

We’ve built a fierce set of WordPress protectors to help ward off core, plugin, and theme attacks, minimize downtime, clear blacklisting, and provide backups that restore your services in case of emergency. If you are not familiar with our security hero lineup, here’s an overview:

  • Defender – He’s the brute-squad of WordPress security optimization. 2-factor authentication, audit logs, security tweaks, 404 and IP lockout, blacklist monitoring, scans, security recommendations and more.
  • Automate – Most successful hacks are the result of out-of-date software – core, plugins, or theme files. Automate makes sure your site is always up-to-date. And he uses Safe Upgrade to ensure the updates won’t break your site. It’s safer and a huge time saver.
  • Snapshot – He’s got your backups covered. Scheduled and on-demand backups that include 10GB of secure cloud storage.
  • 24/7 Hero Support – Has your site already been hacked? We have experts standing by to help with the cleanup and restoration.
  • Managed Hosting – If most successful hacks come from out-of-date software, the other half is insecure hosting. Our members now get 3 free hosted sites built with the ultimate in speed and security in mind (more on that in the coming months).

If you’re not running Defender and Automate along with our complete security toolkit, get started free now for the next 30 days. Then come back and see how the new features work.

Defender Geo-Based IP Lockout

While working on the Roadmap Roundup I realized we hadn’t properly introduced Defender 2.1 and its fancy new features. While 2.1 is not completely new (I’m sure you’ve familiarized yourself with the UX improvements and hero hider), the big addition is Geo-based IP Lockout.

That’s fancy talk for blocking users based on the country they’re located in. If you don’t expect or want traffic from a specific country, blocking the IP will protect your site entirely from unwanted hackers and bots.

This could be great for a local service-based business looking to eliminate spam requests or hack attempts from foreign countries.

And it really couldn’t be easier to set up.

In Defender’s IP Lockout module under IP Banning you’ll find a new Locations setting. Just click to Download for the latest Geo IP Database.

Defender Geo-location IP Lockout
Click download to get started.

It only takes a few seconds. Then pick the countries you want to include or exclude from having access to your site. It’s that easy!

Country select for geo-location IP ban in Defender
Pick the countries you want to ban or whitelist.

It’s one more way Defender makes complex security features easy for the everyday WordPress user.

Automate Safe Upgrade Technology X5

Not so long ago, the idea of running automated WordPress updates was laughable. Especially on complex sites with multiple integrations. “What if the update crashes my whole site and I’m not there to fix it?”

This made managing WordPress updates, especially across tens or hundreds of sites, a nightmare.

Automate changes all that. When a core, plugin, or theme update is detected, Automate runs a Snapshot backup, updates your site, and uses Safe Upgrade to scan your home page for changes. If your site breaks it will revert to the previous version.

Hundreds of thousands of sites are now using Automate with Safe Upgrade.

It’s pretty awesome, but we wanted to make it even safer. So now you can apply the Safe Upgrade scan to 5 pages of your choice.

Take a look see!

Visit the Automate tab in the Hub and scroll to the Settings. Under Perform Safe Upgrade Check click the Home page option.

Automate Performance Safe Upgrade Check.
Add pages to the Performance Safe Upgrade Check.

In the popup module, add your five most valued pages and save.

Add extra pages to check in with Automate Safe Upgrade
Choose pages to scan with Safe Upgrade.

Now Automate will scan and report on each of the pages you’ve added. And if anything goes wrong during an upgrade, he’ll automatically revert to the previous version.

With Automate, you don’t have to sacrifice safety or convenience.

WPMU DEV Gives you a Stronger Faster WordPress

We know security is not one-size-fits-all and not everyone can afford a team of security experts. So we’ve made Defender free on WordPress.org, including Geo-location IP lockout.

But if you’re not sure and really want to try WPMU DEV’s pro tools packaged with 24/7 support and expert site cleanup, we’ve set up your free 30-day trial here. Enjoy!

Hello, Hackers! Best Practices for WordPress Security

When talking about WordPress security, it feels like we’re left with two choices: devastating paranoia or ignorant bliss.

With all the news of our personal information, usernames, passwords, and identities getting jacked and sold on the dark web, the topic of web security sounds impossible to a newbie.

But after falling hard into the deep end of web security, I’ve discovered some “not-so-common-sense” WordPress security best practices and pro tips (literally I talked to a pro) to help put your heart at ease. We’ll look at free tools and how to implement them on your websites and in your life.

Maybe reality isn’t as depressing as we all fear.

WordPress Security For Dumb-Dumbs…Like Me

In episode 3 of Hello, WP!, “Hello, Hackers!”, we took on the complexity of security in and around WordPress.

If you haven’t listened to Hello, WP! yet: on the show we take on different topics by calling on the pros… kinda like your favorite true crime podcasts, but minus the crime.

Anyway, for our Security episode, previous SiteLock employee (now GoDaddy employee), Adam Warner, joined me and shared 7 security best practices that I found extremely valuable. Adam and I had a much longer conversation than I could fit in the show, so I’m bringing it here, with links, practical recommendations, and tips.

Quick sidenote: outside of our podcast, Adam has done talks at several different WordCamps about these best practices. If you’re interested in hearing more from him, here’s a session he did at WordCamp Portland 2018.

So what do you say? Let’s jump in with best practice #1.

1. Backups

Backups allow you to travel back to your site’s golden days if it ever experiences a breach *tosses salt over his left shoulder*. There are a whole lot of great tools out there to help you get the job done, but there’s one especially important feature to look out for – off-site storage. Saving your backup files on a different server than your site will prevent the backups from being compromised in the event of a hack attack.

Depending on your budget, there are several free and paid plugins that make manually or automatically backing up your site very simple. Updraft Plus has a free version of their plugin that allows you to connect a Dropbox or Google Drive folder.

Or, if you’re already a WPMU DEV member, Snapshot Pro is included with all the backup bells and whistles you need including 10GB of remote cloud storage.

2. Updates

Keeping with the times and running updates on themes, plugins, and WordPress core plays a pivotal role in maintaining your site’s security. Sure, some updates only fix bugs or improve performance, but others patch security vulnerabilities. THIS is why using well-maintained products is so important because if a plugin sits untouched for too long it becomes more susceptible to intruders.

If you’re just running a site or two, like me, then logging into the WordPress admin and clicking “Update Plugins” isn’t too much of a hassle. It becomes more problematic when you have a lot of sites to look after. If that’s you, it might be time to consider a site management hub.

3. Strong passwords

I’m a “keep it simple, stupid” kinda guy, and the whole “strong” and “unique” passwords thing really throws a wrench in that. These days, our browsers and even WordPress make strong password suggestions. That’s cool and all, but with all the accounts we have across emails, social media, and WordPress, the greater battle is remembering all of those strong and unique logins.

Thankfully, there are a bunch of password managers out there that allow me to maintain my KISS lifestyle. LastPass has a free and paid version. 1Password starts at $2.99. Both of these password managers can store, generate, and paste your powerful passwords on demand. All you have to remember is ONE “master password”.

4. Firewalls and Content Delivery Networks (CDNs)

Okay, when it comes to Firewalls, I can’t/won’t suggest any free options. Here’s why:

There are two types of firewalls, network firewalls, and web application firewalls (WAFs). Network firewalls happen on a hosting level, and quality hosting costs money!

If you listened to the episode of “Hello, WP!” that inspired this blog post, then you know that we aren’t (or at least our CTO isn’t) big fans of having WAFs in plugins. Firewalls stand between your site and its users by overseeing incoming and outgoing traffic…kinda like a fence around a house. Putting a firewall in a plugin is like putting a fence inside your house…and who does that? So for that reason, we don’t include a firewall in our security plugin, Defender.

Instead, we encourage the use of services like Cloudflare. Cloudflare offers a paid WAF service that is constantly updated and monitored.

Cloudflare WAF service landing page
For real protection use a server-side WAF like Cloudflare.

5. Monitoring

In some way, shape, or form monitoring is included in every one of these best practices. For example, you gotta monitor your website in order to keep up with updates, the internet must be monitored to maintain a strong firewall, and you use your strong and unique passwords in order to monitor your websites.

Monitoring is key to running a tight ship, but if you’re like me and know very little about code, or even if you’re not like me and are a coding wiz, running regular security scans helps us tie up the loose ends, and alerts us when things are running amok. Our free security plugin, Defender, can run automatic malware scans, make security suggestions, check code, and much more. Oh yeah… and he’s free!

You can also use a free site scanner like WP Checkup for a complete site diagnostic or Sucuri’s free malware/security specific scanner to find issues and stay ahead of vulnerabilities.

6. Two-Factor Authentication or 2FA

Defender 2-step verification Google integration
Use Defender to quickly setup Google’s 2-Step Verification on any WordPress site.

This probably goes without saying, but 2FA is when you verify an account by receiving a special number by call, text, or the like. Google is the master of 2FA. So I’ll keep this simple, you can enable two-factor authentication for free on your WordPress site with our luchador friend mentioned above, Defender, or with a slew of other great plugins like Google Authenticator.

7. VPN or Virtual Private Networks

Prior to speaking with Adam, I had never heard of a VPN. But as one of those coffee-shop-dwelling hipsters and remote WordPress-ers… I should have been using one a long time ago! A VPN encrypts your data before the internet provider gets it.

Without a VPN, a tech-savvy person with loose morals could hop on the same open wifi network as you, see what you’re up to, and even access personal information. In recent years, internet browsers have begun to block non-private networks. If you browse with Google Chrome, you might be familiar with their block message that says, “Attackers might be trying to steal your information from [domain] (for example, passwords, messages, or credit cards).”

If you’re interested in implementing a VPN, TunnelBear has a FREE plan available. Not to mention…they also just have fun branding!

The Seven Wonders of Internet Security

In a way, engaging in internet security best practices is a way of following the golden rule. Create safe and secure websites for your users, because you want a safe and secure World Wide Web!

If this gets you excited, check out our Ultimate Guide to Security and don’t miss a thing with our 32-point WordPress security checklist.

Finally, take your WordPress security to the next level with 30 days of our premium security, backups, hosting and performance optimization free. If your site’s already been hacked we’ll help you clean it up.