Drawbacks on multisite
I just tried All In One WP Security & Firewall on a WordPress multisite. While I like most features and would tend to trust it in a single install, I must say it seems to me that there is a whole lot that needs to change before it can be useful for multisites. So, here are my findings. I hope it’s helpful.
Settings per site
One of the advantages of multisite is that a lot can be dealt with simultaneously for all sites, which makes it easier and it’s useful for site admins, since they do not need to worry about it. So, on a multisite there is hardly any need to have settings for every site separately. It could be useful for a few settings, like to change the login URL, but it’s not a necessity and the disadvantages heavily outweigh the advantages.
Also, in most scenarios there is no need to share security info with all site admins. This counts double; in fact, it’s a security issue when anyone can create a new site. F.ex. the WP table prefix is made public through system info, backups and the AIOWPS log (which has info on all sites). I do think the backups per site can be useful, but since it’s the network admin who needs to repair sites when something goes wrong, there is no need for site admins to take a backup. There is no reason why they should see the log either.
Another important reason why I feel the settings should move to the network admin area is that site admins do not know what security measures have been taken without All In One WP Security & Firewall. F.ex. I use a different plugin to prevent spam, so this should not be activated. I also have X-Frame-Options SAMEORIGIN in .htaccess, so they do not need to enable it.
Disable all settings
Except perhaps upon uninstalling, I’m not sure how “Disable Security Features” and “Disable All Firewall Rules” can be useful, because it doesn’t make it clear what exactly may cause a problem. The weirdest and worst part, however, is that site admins do not have access to the firewall rules, yet they do see the button to clear the rules. When they press on it, they see “All firewall rules have been disabled successfully!”, yet on the main site nothing seems changed. Looking in .htaccess, however, all settings are indeed gone. This is terrible. Besides the fact that, obviously, the site admins should not be able to erase the firewall settings, the settings do not reflect the real content in .htaccess.
Security Strength Meter
I like visual, so I like the security strength meter, but the score doesn’t reflect the real security measures. It only looks at the settings. Especially on a multisite, where site admins don’t know about other security settings, it is then better not to have a score at all. Moreover, the score does not reflect the network wide settings. F.ex. on the WP Security dashboard the basic firewall looks as if it’s turned off. It’s better to give a false sense of insecurity than the other way around, but it gives a poor impression.
Display Name Security
Any bit of a hacker would look at the author URL, not at the screen name, so I don’t see how this is useful.
Also, when using login via Social networks, the username gets generated automatically. Even if it were somewhat useful for admins to use a different username, it doesn’t matter for members.
Smarter would be to check whether the admin or network admin have posts and to recommend changing the author of these posts to someone with only author rights.
The list with user accounts does not stick to only the site’s users. Instead it shows all users on the multisite, in every site. Besides being confusing for site owners that they do not see those users in their user list, it’s also a privacy issue.
Password Strength Tool
From a password strength tool I would hope to get an idea of the password strength of users on the site. It would be useful to force strong passwords and a password change. The worst part however is a sense of false security. According to the tool it would take approximately 1931 years, 9 months to crack “fd4fd46fdf54d”. Yet in 2013 hackers already cracked 16-character passwords in less than an hour.
Re-insert the security rules in your .htaccess
Upon activation the plugin asks: “Would you like All In One WP Security & Firewall to re-insert the security rules in your .htaccess file which were cleared when you deactivated the plugin?” I didn’t try the plugin before, so this was confusing. My thought was to do that after changing the setting, yet by doing so all settings got removed.
Moreover, the question is shown to all members of the site. I’m not sure what would have happened when someone else would have clicked it, but I would guess the same, so it shouldn’t be visible to anyone other than the network admin.
Account activity log
This tab is said to display the login activity for WordPress admin accounts, but on the main site a regular user, who has a site on the multisite, is shown in the list. On the subsite where this user is admin, the list was empty.
Logged in users
On subsites the list seems to show all users on the network. Possibly it is only the users who are members of this site. I didn’t verify, but kind of doubt it.
PHP File Editing
Removing the ability to edit PHP files via the WP dashboard can be useful, yet if someone has access to the editor in WordPress, they also have access to the settings where they can enable it. So there is no point in having that setting, unless the setting screen is protected.
404 Detection Options
It’s useful to track repeated 404 errors and to be able to block related IPs, but it makes little sense to do this manually. This means you have to catch the attacker in the act. Blocking the IP afterwards makes little sense, because attackers most likely use different/dynamic IPs. This feature would be a lot more useful if it worked like limiting login attempts: when X number of 404 errors are produced within X seconds then the IP gets banned for X minutes.
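The rate-limited banning rule proposed above (X 404 errors within X seconds bans the IP for X minutes), worked through as an added example rather than the plugin’s own code. It runs over constructed access-log lines in combined log format; the function names, thresholds and sample addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format), not real traffic.
# 198.51.100.9 probes for files that do not exist; 203.0.113.7 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-content/uploads/a.jpg HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2023:13:55:02 +0000] "GET /backup.zip HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:55:03 +0000] "GET /old/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /missing.png HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:55:50 +0000] "GET /db.sql HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:55:51 +0000] "GET /dump.tar HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:14:10:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, status) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, int(m.group(3))

def find_bans(lines, threshold=4, window_seconds=60, ban_seconds=600):
    """Sliding-window rule: when an IP produces `threshold` 404s within
    `window_seconds`, ban it for `ban_seconds`. Requests from an IP while it is
    banned are ignored (a firewall would reject them). Returns a list of
    (ip, ban_start, ban_end) tuples in log order."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 404s
    banned_until = {}             # ip -> datetime when its ban expires
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if ip in banned_until and ts < banned_until[ip]:
            continue              # still banned; nothing to count
        if status != 404:
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop 404s that fell out of the window
        if len(q) >= threshold:
            banned_until[ip] = ts + timedelta(seconds=ban_seconds)
            bans.append((ip, ts, banned_until[ip]))
            q.clear()
    return bans
```

With the defaults, the probing address earns a ten-minute ban on its fourth 404 within a minute, while the visitor with a single missing image is left alone.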
Prevent Image Hotlinking
This feature doesn’t work on multisite, at least not in combination with domain mapping, when backends use the subdomain and frontends use the mapped domain. I didn’t try without. Weirdly, the images are shown when logged in, but not when logged out. It would be useful if it were possible to hotlink images on all sites on the server (verify IP instead of domain?).
—
I could add a lot of positive feedback about the plugin too though. In fact, I wouldn’t write this if I didn’t think highly of it. So, as said, I hope it helps.
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/