Any suggestion on configuration with Defender
-
Hello,
I am using another plugin with IP-geo-Block at the same time. Any suggestions on the configuration settings?
https://www.ads-software.com/plugins/defender-security/
Alex
-
Hi Alex,
I never use Defender. So I’ll check its functionality. Please wait.
I am a WPMUDEV client and also use Defender. It works well with IP Geo Block. I’ve referred them to this plugin because they’ve been discussing IP geo-blocking as an addition to Defender, but to me it seems like a huge waste to duplicate the effort and with them probably not getting it right for a few years. That’s no slam on them. They’re focused on a lot of plugins and a lot of functionality, and they simply can’t get in all of the features that are in this one dedicated plugin.
If I were in this position I would approach them with a development partnership to integrate these fine plugins via API while still maintaining the plugins separately. IP Geo Block does a great job at identifying IPs and failures by location but I need to manually copy/paste specific IPs that I don’t want to geo-block, and paste them into Defender. How primitive is that?
HTH
Thanks @starbuck for your practice case.
From my view, there are three kinds of security issues:
1# Application server and WordPress: I am using nginx, so I use iThemes Security or Wp-defender. What do you think?
2# account related
3# spam: ip Geo block.
I know there are some comprehensive plugins,
But there are always some problems with WordPress multisite, or they need too much configuration, and it is not good to upgrade WordPress. I care a lot about the performance and conflicts between Wp defender and Ip Geo block.
What do you think? Your reply is expected.
Thanks
Alex
Hi guys,
Thank you for the discussions.
I tested Defender under the following conditions:
- Server: Apache on MAMP PRO 3.5.3
- PHP: 5.6.10
- WordPress: 4.8.1
- Multisite: yes
- Post Simulator: I used my original tool which simulates posting malicious requests of not only spam comments but also some attack vectors such as CSRF, XSS, LFI, AFU. This tool is designed based on the analysis in this and that.
1. Statical performance
This means whether there are some abilities for scanning malware, expired plugins/themes, checking password strength and more. IPGB has no ability for this category.
2. Real time protection performance
At first, I activated only Defender and investigated which attack vectors could be blocked using “Post Simulator”. The result showed nothing could be blocked. It blocked only login attempts when it reached “Lockout threshold 5 of failed logins”. It meant that Defender can protect only login attempts for real time protection.
On the other hand (of course), IPGB could block all the requests when IPGB was configured by “Best for Back-end” and the requests came from outside the white-listed country.
3. Site speed performance
Here is the result by P3 by “Manual scan” that scanned only public facing pages when I activated both Defender and IPGB.
IPGB was 10 times faster than Defender.
Conclusion:
I think that the combination of Defender and IPGB is one good choice because those can cover both statical and dynamical performance for security. And it’s good to use Defender for preventing login attempts, because its UI is better than IPGB. The UI of Defender can specify the IP addresses as “Ban” or “Whitelist” by one click.
But for other real time protection, you had better enable “Prevent Zero-day Exploit” for all the targets in IPGB.
I hope this short report may help you.
Thanks.
Thanks for sharing great analysis, and I really like that IP-Geo-Block covers so much dynamic and real time protection.
To make the setting practice clear, I would like to share my understanding and my settings. If I am wrong, please correct me on the following two questions:
1# It would be better to close 404 DETECTION in Wp defender, since IP-geo-Block has covered that, but leave Wp-defender “Login protection” working, right? What about if I close “Login protection” and leave IP-Geo-Block to handle all dynamic security?
2# Secondly, security is much more complicated for a site, and I also noted that WP-defender really needs more server resources. We all know there are a lot of security plugins, but a lot of functions over-cover each other, and it is a really tough problem for us to spend more time to understand which one matches best with IP-Geo-Block. So, it would be greatly appreciated if you can recommend some other security plugins to match IP-geo-block to cover a site's comprehensive security.
Thanks so much, have a nice day.
Alex
Hi Alex,
1#
“It would be better to close 404 DETECTION in Wp defender, since IP-geo-Block has cover that,”
Maybe you’re right. I think “404 Detection” in Defender may be intended to block malicious requests which would attempt to find a hidden page. It also can detect “dumb requests” that would be thrown by amateur hackers using an exploitation tool. But if your site had a vulnerable plugin and an attacker threw a payload for that vulnerability before “404 Detection” worked, your site might be exploited.
“what about if I close “Login protection” and leave IP-Geo_block to handle all dynamic security?”
I think it should be also OK ??
2#
“we all know there are a lot of security plugins,”
Yeah, it’s really tough work to find the best choice for security plugins. Here are my opinions. The most important functions for security are:
- Integrity and malware scan for WordPress core files
- Real time protection
- Backup and restore
On the other hand, we don’t need to keep functions activated such as:
- Checking password strength
- Checking permission in WordPress tree
- Changing prefix of MySQL database
- Some other tweaks that don’t work for real time protection.
because it is sufficient to execute them once.
IMO, Wordfence is a great plugin for 1. and 2. Its firewall is based on the real attack vectors that have been already disclosed. Its only defect is that it is so “heavy” and costs certain server resources such as CPU performance and memory consumption. Please see this article to know how WF is heavy.
I think that there are no perfect solutions for security, but the combination of IPGB and WF can cover each other’s weaknesses.
What do you think?
Hello,
Thanks for your great sharing analysis.
For my site, since I am using Multisite Auth, I think I should just leave file scan and close all ip and login block in wp-defender, and leave all login block to IP-geo-block to handle.
As to other security plugins, Wordfence really needs a lot of server resources, and there are always some conflicts with other plugins, so I tested a lot of other plugins which are friendly to nginx.
iThemes Security seems to match quite well with IP-geo-Block, but it seems not to match IP-geo-block so much.
Anyway, it is still a task for me to find a security plugin to match with IP-Geo-Block, and it is really appreciated if you would like to recommend, since it is comprehensive for a site administrator to choose security plugins.
Thanks again for your great work, have a nice day.
Alex
RE: Real time protection
“nothing could be blocked”
What does that mean? Could you tell us specifically what is not blocked? I think you mean XML-RPC. IPGB blocks XML-RPC by client location but what else does it do in that area if we do not want to completely close off external requests?
“Defender can protect only login attempts for real time protection”
What else is there?
Yes, the lockout threshold can be set to any number of failed attempts within a defined number of seconds. Then it can permanently ban the IPs. I don’t believe IPGB does that.
Defender also bans when a banned username like admin is used.
It is for these reasons and others that I use both of these plugins. They simply do different things. And that means it is Not good to disable login protection in Defender.
P3? I’m surprised that’s even working in WP4.8. You note that IPGB loads faster than Defender. A performance comparison is only valid when the two sides are the same. Defender does a lot that IPGB does not, and IPGB does things that Defender does not. Load time is irrelevant. This should not be an either/or comparison. When Defender adds geo blocking, sure it would be nice to see a comparison of abilities to effectively handle that function, but again, load time is irrelevant when we know both plugins do many other things.
“Conclusion: I think that the combination of Defender and IPGB is one of a good choice because those can cover both statical and dynamical performance for security.”
We agree.
“But for other real time protection, you had better to enable “Prevent Zero-day Exploit” for all the targets in IPGB.”
That’s good advice but Defender does scan the entire code base for such vulnerabilities, and I’ve reported to WPMUDEV that it erroneously flags IPGB as malicious simply because it has similar functionality.
RE: 404 protection
As with login protection, Defender optionally maintains a permanent block list when the same IP hits too many 404’s. IPGB does not.
Where an IP block list becomes important: Abuse from a given IP is likely to come in different forms. Today they’re hitting the login page and tomorrow they are hitting XML-RPC. Rather than blocking activity based on what is attempted, if we know that an IP is a source of malice, block ALL connections from it. That is something that IPGB does not do – the blacklist is manually maintained. We must read the statistics and logs to see what specific IPs are doing, and then blacklist them in IPGB. My preference is to blacklist everything in Defender – it doesn’t matter where an IP is blacklisted, if one plugin blocks an IP the other plugin should never need to process related requests.
RE: over-coverage, or cross-coverage
That’s a big topic. No one plugin does everything. We are doomed to find our own combination of plugins that cover what we want, doing it well, and without doing too much.
RE: only checking functions once
I completely agree with this, except for permissions which once in a while can get tweaked by a rogue plugin or some other accident. Note however that Defender does file system checks on a timed basis, not in realtime. Those functions are not “active”, but I agree that it would be good to check to see if that code is loaded when not used.
As to other plugins, I use a different page name for logins, not wp-login. I also have reCAPTCHA protection (though I still get a lot of login requests that make it through this where Defender then catches banned names), and I use a customized version of Ban Hammer to prevent login/registration of patterns of names and email addresses. (I will be doing a pull request of my customizations soon.)
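The block-list policy discussed in the post above (a failure threshold inside a time window, an immediate ban for banned usernames, and one ban list that refuses every request type from a banned IP), as an added Python example that is not part of the thread and is not code from Defender or IP Geo Block. The class and event names are hypothetical; the threshold of 5 failed logins is the value quoted in the thread, while the 300-second window and the 404 limit of 20 are assumptions.

```python
from collections import defaultdict, deque

# Assumed policy: 5 failed logins matches the threshold quoted in the thread;
# the 300 s window and the 404 limit of 20 are illustrative values.
THRESHOLDS = {"login_fail": (5, 300), "not_found": (20, 300)}
BANNED_USERNAMES = {"admin"}

class SharedBlocklist:
    """Hypothetical model: one ban list consulted for every request type."""

    def __init__(self, allowlist=()):
        self.allowlist = set(allowlist)
        self.banned = {}                    # ip -> reason for the ban
        self.events = defaultdict(deque)    # (ip, kind) -> recent timestamps

    def handle(self, ts, ip, kind, username=None):
        """Return 'block' or 'pass' for one request event."""
        if ip in self.allowlist:
            return "pass"
        if ip in self.banned:
            return "block"                  # banned IP: refuse any vector
        if kind == "login_fail" and username in BANNED_USERNAMES:
            self.banned[ip] = "banned username"
            return "block"
        if kind in THRESHOLDS:
            limit, window = THRESHOLDS[kind]
            recent = self.events[(ip, kind)]
            recent.append(ts)
            while recent[0] <= ts - window:  # drop events outside the window
                recent.popleft()
            if len(recent) >= limit:
                self.banned[ip] = f"{limit} x {kind} in {window}s"
                return "block"
        return "pass"

# Constructed sample events: (timestamp, ip, kind, username)
SAMPLE = [(t, "198.51.100.7", "login_fail", "editor") for t in (0, 10, 20, 30, 40)] + [
    (50, "198.51.100.7", "xmlrpc", None),        # different vector, same IP
    (60, "203.0.113.9", "login_fail", "admin"),  # banned username
    (70, "203.0.113.9", "page_view", None),
    (80, "192.0.2.10", "login_fail", "alice"),   # single failure
]

def replay(events, allowlist=()):
    """Feed events in order; return the decisions and the final ban list."""
    bl = SharedBlocklist(allowlist)
    return [bl.handle(*event) for event in events], bl.banned

if __name__ == "__main__":
    for event, decision in zip(SAMPLE, replay(SAMPLE)[0]):
        print(event, "->", decision)
```

The XML-RPC request at t=50 is refused only because the same IP crossed the login threshold earlier, which is the cross-vector behaviour the post asks for.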
Thanks for sharing, are you using Wp-defender Pro? I just guess @tokkonopapa tested the free version.
I understand you did a lot for security, changing to a different page for login? If you are running multisite, try the plugin Multisite Auth; I would like to have your comment.
Thanks
Alex
Hi Tony,
I have to solve a misunderstanding about two things.
Regarding “nothing could be blocked”, I had to say that “all of 15 requests which simulate malicious access could not be blocked”. The 15 requests are just for testing IPGB’s functionality including spam comment, login attempt to wp-login.php/xmlrpc.php, CSRF, AFU, LFI to the admin area/post/ajax, and so on. I think those test vectors were a bit unfair to indicate the ability of Defender.
Secondly, I didn’t intend that IPGB is better than Defender with the sentence “IPGB was 10 times faster than Defender”. Of course, I’m proud of the speed performance of IPGB. And I believe that I as a developer should take care of the balance between speed performance and protection performance. I also believe those are the key factors to select one’s preferable plugins. So I always activate Query Monitor plugin and sometimes execute P3.
I do not plan to make this plugin full-spec, but keep it high performance on a specific aspect.
Other things, I agree with you.
Thank you for the great discussion.