In my previous blog on iThemes Security, we went through the Dashboard, Configuration and Global Settings. In this second part of the series, we cover the 404 Detection, Away Mode and Banned Users sections in detail.
Attackers are always looking for vulnerabilities to exploit. Some can be found simply by loading a page of the site and reading its content. Others are not as easy to spot, so attackers run automated scripts that fire hundreds of requests at paths where vulnerable plugins, themes, backups or admin tools might live. Most of those requests miss, but a few may hit. Every miss produces a 404 response, so a host that racks up an unusual number of 404s in a short time is almost certainly scanning, and locking it out cuts the scan short. Some sites instead return a status other than 404 or 410 for a missing page, or redirect the visitor to another page such as the homepage.
That only hides the symptom, and it also hides the 404s we would want to count; the real problem, the probing itself, still needs to be dealt with. This is where the 404 Detection section of iThemes Security steps in: it locks out a host that exceeds the limit we set, which is 20 errors in 5 minutes by default.
The lockout itself follows the Lockout rules set in the Global Settings (duration, whitelisted hosts, notification). For details, refer to the previous blog in the series.
1) Minutes to Remember 404 Error (Check Period)
This is the window, in minutes, over which 404 responses from a single host are remembered and counted toward the threshold. A host whose misses are spread out more thinly than this is never locked out.
2) Error Threshold
The number of 404 errors within the check period that triggers a lockout. Together with the previous option this defines the rule: with the defaults, a host that generates twenty 404s within a 5-minute window is locked out.
3) 404 File/Folder White List
Some paths are requested routinely by browsers and crawlers even though they may not exist on the site, such as /robots.txt or /favicon.ico, and the WordPress administrator usually knows which of these common requests produce 404s. This option lets us add such files and folders to a whitelist so they are not counted toward the threshold, which stops genuine visitors from being locked out for misses they cannot avoid generating. It matters: locking out a legitimate user is a very poor experience for them.
* In our case we have whitelisted /robots.txt.
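To make the check period, threshold and whitelist concrete, here is an added example. It is my own code, not the plugin's: the plugin counts 404s inside WordPress as requests arrive, whereas this replays the same sliding-window rule over a constructed combined-format access log (the IPs, paths and timestamps are made up). Assumed values are the defaults quoted above (20 errors, 5 minutes) and a whitelist of /robots.txt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format parser; only the fields the lockout logic needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, ts, path, status} for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"].split("?", 1)[0],  # the whitelist matches the path, not the query string
        "status": int(m["status"]),
    }


def find_404_lockouts(lines, threshold=20, period_minutes=5, whitelist=("/robots.txt",)):
    """Sliding-window 404 counter: a host is locked out the moment it accumulates
    `threshold` non-whitelisted 404s inside any `period_minutes` window.
    Returns {ip: timestamp of the request that tripped the lockout}."""
    window = timedelta(minutes=period_minutes)
    recent = defaultdict(deque)  # ip -> timestamps of 404s still inside the window
    lockouts = {}
    for line in lines:
        req = parse_line(line)
        if req is None or req["status"] != 404:
            continue
        if req["ip"] in lockouts or req["path"] in whitelist:
            continue
        q = recent[req["ip"]]
        q.append(req["ts"])
        while req["ts"] - q[0] > window:  # forget misses older than the check period
            q.popleft()
        if len(q) >= threshold:
            lockouts[req["ip"]] = req["ts"]
    return lockouts


def _line(ip, ts, path, status=404):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 209'


def build_sample_log():
    """Constructed traffic (not a real log) covering three behaviours."""
    t0 = datetime(2023, 10, 10, 13, 55, tzinfo=timezone.utc)
    lines = []
    # 1. Scanner: 25 plugin-readme probes, one per second.
    for i in range(25):
        lines.append(_line("203.0.113.7", t0 + timedelta(seconds=i),
                           f"/wp-content/plugins/plugin{i}/readme.txt"))
    # 2. Crawler re-requesting a robots.txt that does not exist, plus a favicon miss and a real page.
    for i in range(22):
        lines.append(_line("198.51.100.5", t0 + timedelta(seconds=3 * i), "/robots.txt"))
    lines.append(_line("198.51.100.5", t0 + timedelta(seconds=70), "/favicon.ico"))
    lines.append(_line("198.51.100.5", t0 + timedelta(seconds=71), "/about/", 200))
    # 3. Slow prober: 19 misses, a pause longer than the window, then 19 more.
    for i in range(19):
        lines.append(_line("192.0.2.44", t0 + timedelta(seconds=10 * i), f"/backup{i}.zip"))
    for i in range(19):
        lines.append(_line("192.0.2.44", t0 + timedelta(minutes=9, seconds=10 * i), f"/old{i}.sql"))
    lines.sort(key=lambda l: parse_line(l)["ts"])
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("with whitelist:   ", find_404_lockouts(log))
    print("without whitelist:", find_404_lockouts(log, whitelist=()))
```

With the whitelist in place only the scanner is locked out, on its 20th probe. Without it the crawler is locked out too, purely for asking for a robots.txt that is not there, which is exactly the false positive the whitelist exists to prevent. The slow prober never has 20 misses inside one 5-minute window and stays under the radar, a reminder that 404 detection catches noisy scanners, not patient ones.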
Away Mode lets us take the WordPress dashboard offline on a schedule. We do not necessarily need it available around the clock, for reasons such as:
- We do not want authors editing their posts after work hours, say after 6 PM.
- We will not be using WordPress for a few days while we are out of town.
* Make sure the correct timezone is set under Settings > General in WordPress, since Away Mode compares the start and end times against the site's local clock; with the wrong zone the dashboard disappears at the wrong hours.
1) “Restriction Type” offers two kinds of restriction: Daily (the same window every day) or One Time (a single start and end).
2) “Start Time” is when the dashboard becomes unavailable.
3) “End Time” is when the dashboard becomes available again.
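As an added illustration of the two restriction types (example code, not the plugin's own), the following decides whether the dashboard should be hidden at a given instant. The site timezone is assumed to be UTC+05:30 and the two configurations are made up; the point is the after-hours window, which runs from 18:00 to 09:00 and therefore crosses midnight, and the timezone conversion that the caveat above is about.

```python
from datetime import datetime, time, timedelta, timezone

# Assumed site timezone (what WordPress Settings > General would hold). A fixed UTC+05:30
# offset is used so the example runs without tz database files; a real site uses a named zone.
SITE_TZ = timezone(timedelta(hours=5, minutes=30))

# Constructed Away Mode configurations mirroring the plugin's two restriction types.
DAILY_AFTER_HOURS = {"type": "daily", "start": time(18, 0), "end": time(9, 0)}
ONE_TIME_TRIP = {
    "type": "one-time",
    "start": datetime(2023, 10, 14, 0, 0, tzinfo=SITE_TZ),
    "end": datetime(2023, 10, 17, 0, 0, tzinfo=SITE_TZ),
}


def in_daily_window(local_now, start, end):
    """Daily restriction. The window is [start, end) on the local clock; when
    start > end (18:00 -> 09:00) it wraps past midnight, which a plain
    `start <= t < end` comparison would get wrong."""
    t = local_now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def dashboard_blocked(now, restriction):
    """True if Away Mode should hide /wp-admin/ at instant `now` (any tz-aware datetime).
    The instant is converted to the site timezone first; comparing wall-clock times in
    the wrong zone is the failure mode the timezone caveat is about."""
    local_now = now.astimezone(SITE_TZ)
    if restriction["type"] == "daily":
        return in_daily_window(local_now, restriction["start"], restriction["end"])
    if restriction["type"] == "one-time":
        return restriction["start"] <= local_now < restriction["end"]
    raise ValueError(f"unknown restriction type: {restriction['type']!r}")


def blocked_at(utc_iso, restriction):
    """Convenience wrapper: `utc_iso` is a naive ISO-8601 timestamp taken to be UTC,
    the way a server log would record it."""
    now = datetime.fromisoformat(utc_iso).replace(tzinfo=timezone.utc)
    return dashboard_blocked(now, restriction)


if __name__ == "__main__":
    for stamp in ("2023-10-10T13:00:00", "2023-10-10T03:00:00", "2023-10-10T04:00:00"):
        print(stamp, "UTC -> after-hours block:", blocked_at(stamp, DAILY_AFTER_HOURS))
    for stamp in ("2023-10-13T18:00:00", "2023-10-15T12:00:00", "2023-10-16T18:30:00"):
        print(stamp, "UTC -> trip block:", blocked_at(stamp, ONE_TIME_TRIP))
```

13:00 UTC is 18:30 at the site, so the dashboard is blocked even though 13:00 itself is nowhere near the 18:00 to 09:00 window; 03:00 UTC is 08:30 local, still inside the wrapped window; 04:00 UTC is 09:30 local and the dashboard is back. The one-time window ends exactly at local midnight on the 17th, which is 18:30 UTC on the 16th.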
Attackers send large numbers of malicious or repetitive requests to the server. These can be stopped by banning the offending user, or by banning the IP address the requests come from. The Banned Users section lets us ban users, hosts and user agents as required:
1) “Default Blacklist” adds a ready-made blacklist of known bad bots maintained by hackrepair.com. This is a cheap way to cut off some well-known scrapers and attack tooling before it reaches our WordPress site.
2) “Ban Users” enables banning for the categories below, i.e. user, host and user agent.
3) “Ban Hosts” lets us list the hosts to block, as a single IP address or a range of addresses.
4) “Ban User Agent” lets us block clients by the User-Agent string they send; each entry is matched against that header. In our case we have entered chrome to deny it access to our website. Note that this denies every visitor whose browser identifies itself as Chrome, so in practice one would list the agent strings of known scanners and bots instead. Also keep in mind that the User-Agent header is chosen by the client and trivially changed, so this stops only unsophisticated bots; a host ban is the stronger control.
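The following added example (my own code, not the plugin's) shows how host and user-agent bans evaluate against a handful of constructed requests. The ban list and requests are assumptions for illustration; the dashed-range form for hosts is this example's own syntax, so check the plugin's settings page for the formats it actually accepts. It also shows the two caveats above: a banned scanner switching to a browser-like User-Agent still gets caught by the host ban, and the page's own "chrome" entry bans an ordinary visitor.

```python
import ipaddress

# Constructed ban list for the example (assumed values; not the hackrepair.com list).
BANNED_HOSTS = ["203.0.113.7", "198.51.100.0/24", "192.0.2.10-192.0.2.20"]
BANNED_AGENTS = ["sqlmap", "nikto", "masscan"]

# Constructed requests: a scanner, the same scanner with a spoofed browser User-Agent,
# two more scanners from banned ranges, and an ordinary Chrome visitor.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36")
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.7", "ua": "sqlmap/1.7.2#stable (https://sqlmap.org)"},
    {"ip": "203.0.113.7", "ua": CHROME_UA},
    {"ip": "198.51.100.23", "ua": "Mozilla/5.0 (compatible; Nikto/2.1.6)"},
    {"ip": "192.0.2.15", "ua": "masscan/1.3"},
    {"ip": "192.0.2.99", "ua": CHROME_UA},
]


def parse_host_entry(entry):
    """Expand one ban-list entry into ip_network objects. Accepts a single address,
    CIDR notation (198.51.100.0/24) or a dashed range (192.0.2.10-192.0.2.20).
    The dashed form is this example's own syntax, not necessarily the plugin's."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]


def compile_host_bans(entries):
    return [net for e in entries for net in parse_host_entry(e)]


def host_banned(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def agent_banned(user_agent, patterns):
    """Case-insensitive substring match, the usual semantics of a user-agent blacklist."""
    ua = user_agent.lower()
    return any(p.lower() in ua for p in patterns)


def check_request(req, networks, agent_patterns):
    """Return the ban rules the request trips, in the order ["host", "agent"]; empty means allow."""
    reasons = []
    if host_banned(req["ip"], networks):
        reasons.append("host")
    if agent_banned(req["ua"], agent_patterns):
        reasons.append("agent")
    return reasons


if __name__ == "__main__":
    nets = compile_host_bans(BANNED_HOSTS)
    for r in SAMPLE_REQUESTS:
        print(r["ip"], check_request(r, nets, BANNED_AGENTS) or "allow")
    # The page's own setting, "chrome", bans the ordinary visitor as well:
    print("chrome rule on the ordinary visitor:", check_request(SAMPLE_REQUESTS[4], nets, ["chrome"]))
```

The second request is the interesting one: the scanner has changed its User-Agent to look like Chrome, so the agent rule no longer fires, but the host ban still does. The last line shows why "chrome" is a poor entry: the legitimate visitor from an unbanned address is denied on the agent rule alone.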
A detailed look at the Brute Force Protection section will follow in my next blog post. Stay tuned for the next part of the iThemes series.