Security and locking things down

jambo
Posts: 8
Joined: Fri May 15, 2020 7:23 pm

Security and locking things down

Post by jambo »

The plugin is working GREAT and it's time to lock things down and make sure the security is good before my site goes to the outside world.

I have read post viewtopic.php?f=2&t=80 and I see that it is dated 2016. I also see some mentions of Wordfence and All In One WP Security in 2017.

I am currently running Wordfence, I have not enabled the "add sessions keys Brute Force countermeasure" yet. I was wondering if with the latest version of WordPress 5.4.1 and Wordfence I still need to enable "add sessions keys Brute Force countermeasure" and if so, should I be looking to use All In One WP Security instead of Wordfence? It looks as if you are leaning to All In One WP Security instead of Wordfence and I wanted to ask your guidance on making my site as secure as possible.

Guidance would be much appreciated.

All the best!!! Thank you!

James

axew3
Posts: 1936
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: Security and locking things down

Post by axew3 »

Hello James!
I just use the All In One and Akismet here in this install; in truth, I have not followed up testing with Wordfence afterwards. But the code is standalone like all the rest, it should work fine and will cause nothing to your install in any case.
viewtopic.php?p=320#p320
The session keys countermeasure is important because things work with cookie values: a script could be created to present many different values many times to try to guess the right phpBB session presented via this plugin code to WordPress. To avoid this, as explained in the linked post, the code does the following:
if a fake session is presented via cookie then it will be treated as a brute force attack, and the code fires a fake/failed login in the background, so if you install a plugin that blocks a login for a user if after a number of times it does not match a password, the plugin will recognize a failed login. The user will be redirected to the wp login page. Anyway, even if you do not install a strike system for logins, until a valid login is recognized the integration plugin will simply refuse to execute unwanted code, making the attack not a problem for what concerns the integration plugin. But a default WordPress will still be exposed. Even if guessing a random string, random in both length and characters, that presents millions of millions of combinations is very, very hard, better to secure it and sleep well at night.
The logged in user (of the possibly attacked account) will not be affected in any way by the session brute force plugin's countermeasure option.

Try to install Wordfence if you prefer it and test things, and report if you find any problem, so we can resolve it, making the plugin more compatible with more plugins, but as said all should work fine. And remember you can always momentarily disable the plugin if anything goes wrong.

What you want to stay secure, leaving register/login on the wp side, is:
- enable the session bruteforce countermeasure in the integration plugin admin
- enable at least a firewall strike system that blocks logins when done more than 3 or 5 times, allowing users to reset logins via email
- maybe enable a recaptcha for the registration page, or something that does not allow fake accounts to be registered
Those are common security measures applied everywhere.

phpBB comes already with several protections that you may already know, whenever you let users login or register on the phpBB side.
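As an added illustration of the countermeasure described in the post above, the following is a standalone model written in Python (not the integration plugin's own PHP code, and not Wordfence's or All In One WP Security's). It assumes an in-memory session table standing in for phpBB's, a per-IP strike counter standing in for the login-limiting plugin, and a `record_failed_login` stand-in for what the plugin does when it fires a failed login; the IP addresses, the username "james" and the threshold of 5 are constructed values.

```python
import hmac
import secrets
from collections import defaultdict

# Constructed stand-ins (not the plugin's code): phpBB's session table and the
# strike counter a login-limiting plugin keeps per client IP.
SESSIONS = {}                 # session_id -> username
FAILED = defaultdict(int)     # client_ip -> failed-login count
LOCKOUT_THRESHOLD = 5         # "block logins when done more than 3 or 5 times"
LOGIN_URL = "/wp-login.php"   # where an unrecognised session is sent


def reset_state():
    """Clear both tables so each scenario starts fresh."""
    SESSIONS.clear()
    FAILED.clear()


def create_session(username):
    """Issue a random session id at login, as phpBB does, and return it.
    128 random bits is the "millions of millions of combinations" the post
    refers to: guessing it blindly is infeasible, the strike system just
    makes sure nobody gets to try for long."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def record_failed_login(client_ip):
    """Stand-in for firing a failed login so the strike plugin counts it.
    In WordPress the plugin-visible equivalent is the wp_login_failed action."""
    FAILED[client_ip] += 1
    return FAILED[client_ip]


def is_locked_out(client_ip):
    """True once this client has reached the strike threshold."""
    return FAILED[client_ip] >= LOCKOUT_THRESHOLD


def valid_session(presented_sid):
    """Return the username behind a presented cookie value, or None.
    Each comparison is constant-time so response timing does not reveal how
    much of a guessed id matched; non-ASCII or non-string input is invalid."""
    if not isinstance(presented_sid, str) or not presented_sid.isascii():
        return None
    for sid, user in SESSIONS.items():
        if hmac.compare_digest(sid, presented_sid):
            return user
    return None


def handle_request(cookie_sid, client_ip):
    """Model one request carrying a phpBB session cookie.
    ('ok', user) for a real session; ('redirect', LOGIN_URL) for a fake one,
    after counting it as a failed login; ('blocked', None) once locked out."""
    if is_locked_out(client_ip):
        return ("blocked", None)
    user = valid_session(cookie_sid) if cookie_sid else None
    if user is None:
        record_failed_login(client_ip)
        return ("redirect", LOGIN_URL)
    return ("ok", user)


def demo():
    """Constructed scenario: one client (203.0.113.9) presents random cookie
    values repeatedly while the real user stays logged in from 198.51.100.7.
    Returns the attacker's per-request outcomes and the real user's outcome."""
    reset_state()
    real_sid = create_session("james")
    outcomes = []
    for _ in range(LOCKOUT_THRESHOLD + 1):
        outcomes.append(handle_request(secrets.token_hex(16), "203.0.113.9")[0])
    legit = handle_request(real_sid, "198.51.100.7")
    return outcomes, legit


if __name__ == "__main__":
    print(demo())
```

The scenario shows the two points made in the post: every fake cookie is turned into a counted failed login and a redirect to the login page, so a strike plugin locks the guessing client out after its threshold, while the genuinely logged-in user's own session, presented from another client, keeps validating untouched.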

jambo
Posts: 8
Joined: Fri May 15, 2020 7:23 pm

Re: Security and locking things down

Post by jambo »

Thank you, I turned it on and will let you know if I see anything.
