All-in-One WP Security and Firewall plugin can be spectacular, but be careful

Over the weekend I installed the All-in-One WP Security and Firewall plugin to fix another issue–more on that tomorrow–and I ended up breaking my site. Hopefully I fixed it to a better state than it started in.

The lesson, as with many security tools, is to proceed with caution.

The Good

All-in-One WP Security and Firewall plugin does some nice things, including writing rules that block subnets that are behaving badly. This consumes some CPU power, but typically can be a net gain because it means the system isn’t executing PHP code to deal with the bad behavior–the web server deflects the request before it gets to PHP.

The Bad

The scariest thing I learned in the process, I think, was how many Eastern European botnets were actively trying to hack my admin account. Dealing with spam is one thing; losing control of the site is another. My password is complex enough that it was unlikely, but I have to wonder how many people with simple passwords have lost control of their sites and have no idea.

The downside, if you get too aggressive, is that you can inadvertently break some things. In my case, one of the rules I enabled blocked access to CSS files, so my web site started looking like something out of 1995. And by the time I noticed, I didn’t know which one it was.

Recommendations

So, while I recommend All-in-One WP Security and Firewall plugin, phase the rules in slowly. Implement the four critical features–the admin username, file permissions, basic firewall, and login lockdown–first, then make sure everything still works, then enable the rest of the rules slowly and carefully and one at a time, perhaps as slowly as one rule per day. Make sure you measure their effects, on several browsers and platforms, and keep a log as you go along. That way you can reverse any negative changes before they impact your site and you don’t know which change it was that broke something.

As for me, in the course of aggressively pursuing security with reckless abandon I broke the Comet theme I’ve been using. It was fast, but I needed the firewall more than the theme. I reverted to WordPress’ Twenty Fourteen theme, which has the side effect of being much friendlier to smartphones, a bit easier to navigate, and is arguably more professional-looking, though there probably are a few million other sites that look just like mine now.

The temptation with security is to go to extremes–do nothing, and stay more vulnerable than you need to be, or try to hit a 1,000-foot home run, fall on your face, and make things worse. My standard advice applies: Work at a measured pace and get there eventually. Fix the most critical issues first, then come back later for the rest. It’s better to get to a good place a couple of months late than not at all.

Here are some additional WordPress security tips if you’re interested.

One thought on “All-in-One WP Security and Firewall plugin can be spectacular, but be careful

  • June 1, 2015 at 7:38 pm
    Permalink

    As best I can tell, it’s the advanced string query filter in the advanced firewall settings that broke CSS for me. Anyone else’s mileage may vary, but both XSS protections in the advanced firewall settings warn they may interfere with some themes.

    Protecting against XSS is a very desirable feature, but security is all about trade offs.

Comments are closed.

%d bloggers like this:
WordPress Appliance - Powered by TurnKey Linux