• I tried BulletProof’s and WordFence’s solutions prior to iThemes Security.

    WordFence Comparison:
    WordFence created unnecessary headaches trying to obtain the free API key just to use the plugin as is. Troubleshooting the issue was additionally cryptic. Certain elements of the interface design are poor and feel outdated.

    BulletProof Comparison:
    BulletProof Security felt less intuitive and isn’t as pretty/modern looking as iThemes Security.

    All in all, iThemes is simply more user-friendly. The dashboard clearly indicates what needs to be fixed and how to fix it. Configuration options are well-explained and bottom-line, it works without requiring trouble-shooting.

    My favourite feature is the ease at which I’m able to obtain the various API keys in comparison to the pointless difficulty I experienced with WordFence.

Viewing 6 replies - 1 through 6 (of 6 total)
  • LOL – NO mention of whether it does its job properly or better – Based solely on the UI you declare it superior?

    ROTFL

    Thread Starter Clarus Dignus

    (@clarus-dignus)

    @grumblenz: I mentioned API key complications and trouble-shooting complications with regards to the other security plugins. Neither of these constitutes basing my review “solely on the UI”.

    That being said, I take your point. I do somewhat trust iThemes Security’s quality as a plugin more due to its well-designed and highly intuitive UI. However, I do plan on more adeptly trialling the other plugins but it won’t be until a later stage this year. I’ll revert to this post when I do.

    My inner-child wanted to respond “LOL – NO mention of why it doesn’t? ROTFL.” or “Apt alias! :-P” but in lieu of that, feel free to articulate any findings you may have that are contrary to my review or what you feel it omits.

    We’re an open-source community. We help each other, particularly, through the sharing of knowledge, not facetiousness.

    Personally, when I read any review I like to hear also about how well the product does its job, be it washing machine or plugin. That’s why I seek out reviews. Part of a review is ease of use, which you had issues with – Fair enough. What I took issue with was the missing other part of how well it did its job.

    Anyway, as you rightly say – Let’s be positive and helpful. My facetious humour was evidently ascendant on that day.

    iThemes does not play well with MainWP, so I removed it as MainWP is essential to me. I have tried Wordfence, and keep it as it immediately blocks bad logins – a useful feature.

    However, the recent Soaksoak attack that hit well over 100,000 sites last year (and continues to hit sites via the RevSlider plugin) was missed by ALL ‘security’ plugins. This pushed me to investigate why.

    Having removed Soaksoak from 5 of my 55 sites and from 30+ of another person’s sites, I explored how it happened and how to prevent it happening again.

    6 weeks of on and off research led to:
    No plugin can work because WordPress is underneath the server and cannot have the necessary permissions to instruct the server.

    PHP and MySQL have no inbuilt security and can’t be made more secure.

    The best option is a very tight .htaccess file that prevents long parameters, directory browsing etc.

    Coupled with CloudFlare CDN which serves results from a ‘local’ copy, this prevents the ‘source’ from being interrogated.

    I have implemented this regime to great success on most of my sites.

    PS – I use the Cloudflare geo blocking extensively – Makes a massive difference to the number of hacking attempts.

    Thread Starter Clarus Dignus

    (@clarus-dignus)

    I hadn’t heard of the SoakSoak/RevSlider issue. Very alarming considering how many premium themes it comes bundled with.

    1. Delving straight into the root of your solution, can I ask if you’re manually arbitrating your .htaccess file or if you’ve discovered a reliable plugin/program? Though you’ve stated WordPress security plugins weren’t effective based on your research, since iThemes Security can directly edit .htaccess files, does/should this not fall within iThemes Security’s remit?
    2. CloudFlare CDN seems very reasonably priced and very flexible. Based on your experience, would you recommend the free option for low-content, mainly static websites? e.g. a business website that infrequently updates their blog.

    Clarus – Look at https://blog.sucuri.net/ – Some alarming stuff happening. SQL injection attacks gone from 0 to off the chart in less than 6 months.

    The overall issue is plugins that are coded on the cheap by freelancers. Like Walmart – they sell it, but it was made in China. RevSlider is one of those – Made by a contractor who got low wages and simply does not care or have an interest.

    I built my own .htaccess file from scratch and included some of 5G’s firewall from Perishable Press. It stops all sorts of ‘actions’ such as directory exploration, SQL parameters and a heap of others.

    There is no plugin I know of that is as complete as the hand built one I made. Some do some things, but running 12 plugins for security (tried that) just slows the site and fails to adequately protect. No plugin can stop the server issuing a ‘Look here’ instruction. It has to be ‘between’ WP and the server. So the attacker says ‘I want to go to this directory’, the server says ‘sure’ but the .htaccess says ‘no entry’.

    Servers just issue commands, WP, MySQL just respond to commands, so you need a ‘gatekeeper’ which is .htaccess.

    You can’t build a waterproof house from the inside.

    Whilst iThemes can build an .htaccess file, it’s another plugin slowing the page serve time. I’ve stripped out 8 security plugins, got faster page loads and editing .htaccess is easy in cPanel, so why use a plugin?

    I use the free Cloudflare and have most sites on it with severe geo blocking. Interestingly, the research shows that SQL injection attacks come from: China, India, Indonesia and… USA.

    Have a look at https://jam88.com/index.php/blog/ for the Soaksoak cure and more about (some of) my .htaccess rules.
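
Added example, not part of the thread and not the poster's own file or the 5G ruleset: an Apache 2.4 .htaccess fragment for the three controls named in the posts above (no directory browsing, no over-long parameters, no SQL keywords in the query string). The 255-character limit and the keyword list are assumed values, and the fragment presumes mod_rewrite is loaded and AllowOverride permits Options and FileInfo.

```apache
# Constructed example for illustration; tune every value before use.

# 1. Directory browsing: never auto-generate a listing for a folder
#    that has no index file.
Options -Indexes

<IfModule mod_rewrite.c>
    RewriteEngine On

    # 2. Long parameters: answer 403 when the query string is longer
    #    than 255 characters (assumed limit; some legitimate plugins
    #    send longer query strings, so check access logs first).
    RewriteCond %{QUERY_STRING} .{256,}
    RewriteRule ^ - [F]

    # 3. SQL parameters: answer 403 when the query string contains
    #    common SQL keyword pairs (assumed list, case-insensitive).
    #    A site search for a phrase such as "select ... from" would
    #    also be refused, so expect some false positives.
    RewriteCond %{QUERY_STRING} (union.*select|select.*from|information_schema) [NC]
    RewriteRule ^ - [F]
</IfModule>
```

These rules inspect only the raw, undecoded query string of the URL; request bodies (POST data) and percent-encoded values are not examined, so this is a coarse filter in front of WordPress rather than a replacement for patching vulnerable plugins.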
