Hardening WordPress using AIOWPS with Cloudflare

This is a follow up to: https://www.johndball.com/hardening-wordpress-even-my-mum-can-do-it/

If you’re using the “All In One WordPress Security & Firewall” plugin in conjunction with Cloudflare, there are a few tweaks you’ll need to make to ensure proper compatibility.

One of the biggest changes, which may not be possible unless you have server-side access, is to configure the server to restore each visitor's real IP address instead of recording Cloudflare's proxy IPs. If you have server-side access then I strongly recommend enabling this, because every IP-based feature below (lockouts, whitelists, spam IP blocking) depends on it. Details can be found here: https://support.cloudflare.com/hc/en-us/articles/200170786-Why-do-my-server-logs-show-Cloudflare-s-IPs-using-Cloudflare-
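As an added example (not code from the original post, from AIOWPS or from Cloudflare), the snippet below is the WordPress-side equivalent of that server setting, written as a must-use plugin (a file dropped into wp-content/mu-plugins/) for hosts where you can change WordPress files but not the web server. It restores the visitor's address from Cloudflare's CF-Connecting-IP header, but only when the connection actually arrives from one of Cloudflare's edge ranges: if the header were trusted unconditionally, anyone reaching the origin directly could set it to any address and steer the IP-based lockouts and whitelists configured below. The range list is the one Cloudflare published at the time of writing and is assumed to be refreshed from Cloudflare's published list; the function names and the file layout are my own.

```php
<?php
/**
 * Added example (not part of the original post, AIOWPS or Cloudflare):
 * restore the real client IP behind Cloudflare from inside WordPress.
 * Save as wp-content/mu-plugins/real-ip.php; mu-plugins load before
 * normal plugins, so AIOWPS sees the corrected REMOTE_ADDR.
 */

// Cloudflare edge ranges as published at time of writing.
// Assumption: keep this in sync with Cloudflare's published list.
const CF_EDGE_RANGES = [
    '173.245.48.0/20', '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22',
    '141.101.64.0/18', '108.162.192.0/18', '190.93.240.0/20', '188.114.96.0/20',
    '197.234.240.0/22', '198.41.128.0/17', '162.158.0.0/15', '104.16.0.0/13',
    '104.24.0.0/14', '172.64.0.0/13', '131.0.72.0/22',
    '2400:cb00::/32', '2606:4700::/32', '2803:f800::/32', '2405:b500::/32',
    '2405:8100::/32', '2a06:98c0::/29', '2c0f:f248::/32',
];

/** True when $ip (IPv4 or IPv6) lies inside $cidr; compares packed bytes. */
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or an IPv4 address tested against an IPv6 range
    }
    $bits      = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    // Compare only the leading $rem bits of the first partial byte.
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

/** Is the TCP peer one of Cloudflare's edge servers? */
function is_cloudflare_peer(string $remoteAddr): bool {
    foreach (CF_EDGE_RANGES as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * The address WordPress and its plugins should treat as the client:
 * CF-Connecting-IP when the request verifiably came through Cloudflare,
 * otherwise the untouched peer address (so a spoofed header from a
 * direct-to-origin request is ignored).
 */
function real_client_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    $hdr  = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    if ($hdr !== '' && is_cloudflare_peer($peer) && filter_var($hdr, FILTER_VALIDATE_IP)) {
        return $hdr;
    }
    return $peer;
}

// Apply as early as possible so every plugin that reads REMOTE_ADDR sees it.
$_SERVER['REMOTE_ADDR'] = real_client_ip($_SERVER);
```

If you do have web-server access, the same trust rule is what the server-side modules in Cloudflare's article implement (Apache's mod_remoteip with CF-Connecting-IP as the trusted header, or nginx's real_ip module), and doing it there is preferable because it also corrects the server logs; the PHP version only fixes what WordPress sees.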

Additionally, if you are using a Cloudflare paid plan, there is a very brief article on Cloudflare setup for WordPress here: https://support.cloudflare.com/hc/en-us/articles/228325187-Hardening-WordPress-Security

Using this guide in conjunction with other WordPress plugin security features will give you a massive leg up on hardening your site whether it is personal or corporate. Check out those other guides here: https://www.johndball.com/?s=multi+part&id=m

Now, for those updated AIOWPS settings:

Under “WP Security” Plugin

  • Settings
    • WP Version Info
      • Check “Remove WP Generator Meta Info”
  • User Accounts
    • List of Administrator Accounts
      • Ensure no account is named “admin”, “administrator”, “root”, “guest”, or “default”. If any are, change them.
    • Display name
      • Change display name if same as login name
  • User Login
    • Login Lockdown tab – Note: these lockdown features work on IP address. Behind Cloudflare they only work if the real visitor IP is restored (see above); otherwise the lockouts hit Cloudflare's proxy IPs and block every visitor coming through them.
      • Enable Login Lockdown Feature: Enabled
      • Allow Unlock Requests: Enabled
      • Max Login Attempts: 3 to 5
      • Login Retry Time Period: 5 min
      • Time Length of Lockout: 60 min
      • Display Generic Error Message: Enabled
      • Instantly Lockout Invalid Usernames: Enabled
      • Notify By Email: [optional]
    • Force logout
      • Enable Force WP User Logout: Enabled
      • Logout the WP User After XX Minutes: 30-60
  • User Registration
    • Manual Approval tab
      • Enable manual approval of new registration: Enabled
    • Registration captcha tab
      • Enable Captcha On Registration Page: Enabled
    • Registration honeypot
      • Enable Honeypot On Registration Page: Enabled
  • Database Security
    • DB Prefix tab
      • Generate New DB Table Prefix: Enabled and click “Change DB Prefix” – ONLY DO THIS IF YOUR WORDPRESS SITE HAS ITS OWN DEDICATED DATABASE
    • DB Backup tab
      • Enable Automated Scheduled Backups: Enabled – ONLY IF YOU ARE RUNNING A STANDALONE INSTANCE OF WORDPRESS, NOT ON A MYSQL CLUSTER
  • Filesystem Security
    • File Permissions tab
      • Ensure every entry shows green; remediate any that do not.
    • PHP File Editing tab
      • Disable Ability To Edit PHP Files: Enabled
    • WP File Access tab
      • Prevent Access to WP Default Install Files: Enabled
  • Blacklist manager
    • Enable IP or User Agent Blacklisting: DISABLED – be careful not to blacklist Cloudflare or yourself – ideally you would blacklist at the firewall/edge and not server level
  • Firewall
    • Basic Firewall Rules tab
      • Enable Basic Firewall Protection: Enabled
      • Completely Block Access To XMLRPC: DISABLED (see note below)
      • Disable Pingback Functionality From XMLRPC: Enabled (see note below)
        • Note: If you use the WordPress iOS app, leave “Completely Block Access To XMLRPC” disabled (the app needs XML-RPC to work) and enable “Disable Pingback Functionality From XMLRPC” instead. Corporate users: decide this on a site-by-site basis; standalone users: optional.
      • Block Access to debug.log File: Enabled
    • Additional Firewall Rules tab
      • Disable Index Views: Enabled
      • Disable Trace and Track: Enabled
      • Forbid Proxy Comment Posting: Enabled
      • Bad Query Strings: Enabled
      • Enable Advanced Character String Filter: Enabled
    • 6g Blacklist/Firewall Settings tab
      • Enable 6G Firewall Protection: Enabled
      • Enable legacy 5G Firewall Protection: Enabled
    • Internet Bots tab
      • Block Fake Googlebots: Enabled
    • Prevent Hotlinks tab
      • Prevent Image Hotlinking: Optional but prevents wasted system resources – I’ve had mixed success with this behind Cloudflare.
    • 404 Detection tab
      • Enable 404 IP Detection and Lockout: DISABLED
  • Brute Force
    • Rename Login Page tab
      • Enable Rename Login Page Feature: Enabled
        • Note: Set this to something you will write down and remember, such as “access”, “allow”, “homepage”, or random characters. If you forget it you will need console (or shell) access to the server to bypass this feature. After enabling it you will need to log out, flush the browser cache, and use the new login URL to access the site. Due to server/site caching, the first few attempts to reach the new login URL usually result in a “Page cannot be found” error; this resolves itself after about 5 minutes.
    • Cookie based brute force
      • Skip these settings
    • Login Captcha tab
      • Enable Captcha On Login Page: Enabled
      • Enable Captcha On Custom Login Form: Enabled
      • Enable Captcha On Woocommerce Login Form: Enabled (even if you aren’t using Woocommerce)
      • Enable Captcha On Woocommerce Registration Form: Enabled (even if you aren’t using Woocommerce)
      • Enable Captcha On Lost Password Page: Enabled
    • Login Whitelist tab
      • Login IP Whitelist Settings: Enabled for corporate sites. Set to internal IPs only (management IPs, etc.). Optional for standalone users.
        • Note: Must be used with the real IP option to work behind Cloudflare if external logins are allowed.
    • Honeypot tab
      • Enable Honeypot On Login Page: Enabled
  • Spam Prevention
    • Comment spam
      • Enable Captcha On Comment Forms: Enabled
      • Block Spambot Comments: Enabled
    • Comment SPAM IP Monitoring
      • Enable Auto Block of SPAM comment IPs: Enabled
      • Minimum number of SPAM comments: 3
        • Note: must use real IP if using Cloudflare
  • Miscellaneous
    • Copy Protection tab
      • Enable copy protection: based on your requirements
    • Frames tab
      • Enable iFrame protection: Enabled
    • Users Enumeration tab
      • Disable Users Enumeration: Enabled
    • WP REST API
      • Disallow Unauthorized REST Requests: based on your requirements
