Plugin Author
Paul
(@paultgoodchild)
Hi Marc,
All good questions and I would say that you’ve just got to find something you’re comfortable with.
I use this plugin (obviously 😉 ) with CloudFlare on all my sites and we’ve yet to be hacked and I have zero problem with comment spam.
If you have all the features of this plugin installed, with regard to WordPress you:
– are protected against brute force login attacks
– all user logins are authenticated, i.e. all users verify that they are who they say they are when they log in (two-factor authentication)
– you are protected against automated bot-based comment spam: I dare say one of the most powerful available
– you are protected against human-entered comment spam using a publicly available, free content scanner
– you have full control over WordPress automatic updates
– you have user sessions: you can see who is logged in, from where, and you can control how long sessions last and when they expire.
– you don’t need to “hide” your wp-login.php because you’re protected against brute force logins.
Separately:
– while the plugin lets you hide/change your WordPress version, it usually causes more problems than it’s actually worth. Hiding your WordPress version isn’t a security measure. If you keep your WordPress version up to date, what is there to hide? Lesson – keep your WordPress up to date
– This plugin doesn’t disable anything related to XML-RPC. Again, this isn’t quite a security vulnerability. I may yet though add an option to disable XML-RPC altogether, but this will kill your iPhone/Android app.
– you should change your WordPress database prefix from the default wp_. You don’t need a plugin to do this and you shouldn’t really, because other plugins can be hard-wired with your prefix. This should always be tested and done in a controlled manner – ideally during installation.
– this plugin actively doesn’t edit or modify your .htaccess and wp-config.php files ( http://www.icontrolwp.com/2014/05/wordpress-security-wordpress-simple-firewall-plugin-part-1-why/ ). You should research some standard/basic .htaccess rules to protect the basics of your site (we will release an article on the blog for this soon). Again, you don’t need a plugin for this.
I hope that helps Marc! 🙂
Cheers,
Paul.
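As an added example of the kind of standard/basic .htaccess rules mentioned above (this is not code from the plugin, from the icontrolwp blog series, or from Paul), here is a minimal fragment for a WordPress site installed at the document root on Apache 2.2 or 2.4 with mod_rewrite enabled. The file paths are the WordPress defaults; everything else is an assumption you should test on a staging copy first, in the same controlled manner the reply recommends for the database prefix. The xmlrpc.php rule is left commented out for the reason given above: blocking it stops the WordPress iPhone/Android apps from working.

```apache
# Added example: basic hardening rules for a WordPress site on Apache.
# Place this ABOVE the "# BEGIN WordPress" block, which WordPress rewrites itself.
# Assumes WordPress lives in the web root and mod_rewrite is loaded.

# 1. Never serve the files that hold credentials or these rules themselves.
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# 2. No directory listings: wp-content/uploads should not double as a file browser.
Options -Indexes

<IfModule mod_rewrite.c>
    RewriteEngine On

    # 3. Refuse to execute PHP from the uploads directory. Uploaded files are
    #    attacker-controlled data; they should never run as code.
    RewriteRule ^wp-content/uploads/.*\.php$ - [F,L]

    # 4. Block direct requests to PHP files under wp-includes; WordPress loads
    #    them internally and browsers never need to hit them directly.
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=2]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# 5. Optional: disable XML-RPC by refusing the endpoint. Leave this commented
#    out if you use the WordPress mobile apps, which depend on xmlrpc.php.
#<Files xmlrpc.php>
#    <IfModule mod_authz_core.c>
#        Require all denied
#    </IfModule>
#    <IfModule !mod_authz_core.c>
#        Order allow,deny
#        Deny from all
#    </IfModule>
#</Files>
```

After adding the file, check that the site still renders, that the admin area and uploads still work, and that requesting /wp-config.php and a .php path under /wp-content/uploads/ returns 403 rather than 200. The 2.2/2.4 branches are both present because shared hosts of that era ran either version, and `Require all denied` is a syntax error on 2.2 while `Deny from all` is ignored on 2.4 without the compatibility module.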
Hi Paul,
Thanks for all the info, great! A question though. You write:
I may yet though add an option to disable XML-RPC altogether, but this will kill your iPhone/Android app.
What app do you mean?
And another one: if I start using this plugin (as a non-geek), where can I find the best step-by-step manual?
Cheers,
Marc
Plugin Author
Paul
(@paultgoodchild)
There is no one single downloadable manual, but there is a series of 6 parts that starts here:
http://www.icontrolwp.com/2014/05/wordpress-security-wordpress-simple-firewall-plugin-part-1-why/
As to the app I’m referring to, if you disable XML-RPC, then the WordPress iPhone/Android apps will not work.
Hope that helps!
Paul.
Hi Paul, thanks for the additional info! 😉