I was replying to a post on the Self Managed WordPress Facebook group and decided to write an article about this specific question a user asked:
Anyone have security plugin recommendations?
I’ve been using iThemes Security Pro for a pretty good while, but I keep running into issues with it on Gridpane, especially multisite.
Or is GP’s built in security enough to not have to worry about a separate security plugin?
I’ve been doing lots of research in this area. There are lots of plugins to stop in-line attacks, similar to a WAF.
WordFence is one I’ve used; it started as a small shop similar to GridPane and eventually grew bigger. Unfortunately, no plugin you add is going to protect you 100%, because a plugin can only be initiated on WordPress pages. This means you won’t have protection on PHP files that don’t actually load WordPress core.
Granted, you shouldn’t even have such files, but if you’re already infected, or a file is uploaded via FTP or another method, there is no real protection, since WordFence or other plugins can’t see requests to those files.
This is where WordFence’s Extended Protection mode comes in, which covers all files: “The Extended Protection mode of the Wordfence Web Application Firewall uses the PHP ini setting called auto_prepend_file in order to ensure it runs before any potentially vulnerable code runs.” But it requires some modifications to NGiNX or Apache, which should be supported via a .htaccess or .user.ini file.
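To illustrate why an auto_prepend_file hook covers files a plugin never sees, here is a hypothetical prepend guard for PHP-FPM (an added example, not Wordfence’s or GridPane’s code); the .user.ini line, the paths and the list of no-execute directories are all assumptions you would adapt to your own site.

```php
<?php
// Hypothetical prepend guard (added example, not Wordfence's code).
// Activated for PHP-FPM/CGI with a .user.ini next to wp-config.php:
//   auto_prepend_file = /var/www/example.com/prepend-guard.php
// (under Apache mod_php the equivalent is a php_value line in .htaccess).
// Because PHP includes this file before *any* requested script, it runs
// even for a stray .php file that never loads WordPress core.

function prepend_guard_should_block(string $scriptPath, string $docRoot): bool
{
    // Resolve the requested script to a path relative to the document root.
    $real = realpath($scriptPath);
    if ($real === false) {
        return false; // nothing to judge; let PHP produce its own 404
    }
    $rel = ltrim(str_replace('\\', '/', substr($real, strlen($docRoot))), '/');

    // Directories that should never execute PHP directly (assumed list):
    // uploads and cache are written to at runtime and are common drop zones.
    $noExecPrefixes = ['wp-content/uploads/', 'wp-content/cache/'];
    foreach ($noExecPrefixes as $prefix) {
        if (strncmp($rel, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

function prepend_guard_run(): void
{
    $script  = $_SERVER['SCRIPT_FILENAME'] ?? '';
    $docRoot = rtrim(realpath($_SERVER['DOCUMENT_ROOT'] ?? '') ?: getcwd(), '/');
    if (prepend_guard_should_block($script, $docRoot)) {
        // Log the client address for later review, then stop before the
        // requested file executes a single line.
        error_log(sprintf('prepend-guard: blocked direct execution of %s from %s',
            $script, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        exit('Forbidden');
    }
}

prepend_guard_run();
```

The same web-server rules GridPane applies at the NGiNX level are the faster place for this check; the prepend approach only shows what a PHP-level hook can and cannot reach.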
The issue with a PHP WAF is that it’s slow and takes lots of resources, which is an issue with PHP by design. Facebook tried to solve the PHP performance issue with HHVM, but that’s now abandoned for PHP, since PHP itself got better performance-wise and trying to make everything work properly started to become a toll.
A traditional WAF inspects traffic during the client connection to the server. Cloudflare does this, since all traffic passes through Cloudflare, unless the attacker knows your origin IP, so watch out for records like ftp.domain.com that point straight at the origin. There are also WAFs available in popular web server software like Apache/NGiNX/LiteSpeed using modsec (ModSecurity) rules, which is what GridPane uses. However, it’s actually very taxing when you use a large number of rules, and it will reduce the number of requests you can serve, so for large sites this might be an issue.
Supposedly Varnish can do some sort of WAF, but then you have a pretty complicated stack of Varnish -> NGiNX -> PHP.
There are some pretty cool PHP modules that have some decent speed like
Anyways, I’m going to set this up as a draft and write more about it.