BulletProof Security
[resolved] Top Security Issues (3 posts)

  1. RikkiJ
    Posted 4 years ago #

    Curious to find out if the following security issues are handled by BPS?

    1. Anti-XST feature
    2. Header outputs removed
    3. Proxy login/commenting disabled
    4. WP Database prefix changed
    5. Query Strings modified to deny XSS attacks


  2. AITpro
    Plugin Author

    Posted 4 years ago #

    1. Yes, Track and Trace are filtered to prevent HTTP Trace attack (XST)

    # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
    RewriteEngine On
    RewriteRule ^(.*)$ - [F,L]

    2. The filter above results in a 403 error when a HEAD request is made.
    3. No, BPS does not attempt to block by IP, hostname, User Agent or Proxy since these are all easily spoofed/faked and instead takes an action approach to security instead of a ban approach.
    4. No, BPS takes an action approach to security instead of a hiding approach to security.
    SQL Injection filter below in BPS blocks all SQL Injection attacks so there is no point in changing or renaming the WP Database Table Prefix name because the attack will be blocked no matter what the Table Prefix is named.

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

    5. No, because BPS takes an action approach to security. The malicious Query strings themselves are Forbidden by BPS Security filters so there is no need to attempt to rename them.

    The BPS Action Security Approach:
    X does bad action Y = Z is the result = Forbidden

  3. RikkiJ
    Posted 4 years ago #

    This is good news. You should make it a product. I would buy.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic