Application security

DEFENDER: WordPress Plugin Evaluation

November 7, 2017 by Security Ninja

Introduction

In this article, we will look at the DEFENDER WordPress plugin, which is touted to provide layered security for WordPress sites and blogs. It is available in the plugin store as "Defender Security, Monitoring, and Hack Protection." The plugin aims to block attackers at every level and provides hardening techniques to administrators. Some of its features are free, whereas others require upgrading to the Pro version. In this article, we will look at all the features available in the free version.

Test-Environment

  • Installed WordPress locally on a system, using the default theme. The site is named Defender Plugin Test, and it looks like the image below.

  • Created a database named "Defender".
  • Users created: Infosec (Admin), Test-Infosec (normal user with no role).

Install

As stated above, this plugin is available in the plugin store. Follow the steps below to install the plugin on the website.

  • Click on Dashboard > Plugins > Add New
  • Type "wpmu defender" in the search box and the entries below will be presented.

  • Click the "Install Now" option for the Defender Security, Monitoring and Hack Protection plugin.
  • Click on "More Details" to see the product version and any recent fixes or additions.

  • After it is installed, click the Activate button to activate the plugin.

  • Please note that to install the Pro version directly, copy the wp-defender folder into the wp-content/plugins folder.

  • After that, activate the plugin from the Plugins page of the WordPress dashboard. In the screenshot below, both the free and the Pro version of Defender are available. As soon as you activate one of them, the other one is deactivated automatically.

  • As soon as the plugin is activated, Defender comes into action and asks for the user's consent to perform initial file scanning and IP lockouts. Please note that this step is optional but highly recommended. We will also discuss these features in more detail later in this document.
  • Click on Get Started to have Defender do the initial scanning. Please note that the screenshot below shows the plugin activated in the free version. In Pro, other features like Audit Logging will be enabled as well.

  • Once the plugin is installed, all its features can be viewed in the site dashboard.

  • The Defender plugin also has its own dashboard, which is presented after the initial scanning, like below.
  • After the initial scanning, we can see that the Defender plugin found 11 security issues in the default site.

Defender Dashboard

Below is a high-level combined view of the Defender dashboard with all the features' default settings and initial findings. We will discuss all of these in much more detail in the next section.

Features

Let's now look into all the features of this plugin.

Security Tweaks

This feature provides general hardening guidelines as part of the initial scanning. Currently, there are 11 security tweaks, which are listed below.

It should be noted that security tweaks which are already fulfilled by the website appear under the "Resolved" tab and the others under the "Issues" tab. Following is the list of security tweaks embedded in the plugin.

Disable trackbacks and pingbacks

Update WordPress to latest version

This tweak checks whether the underlying WordPress is on the latest version, since an outdated version may carry known security vulnerabilities. The test website has the latest WordPress on it, so this was not flagged.

Update PHP to the latest version

This tweak checks whether the installed PHP is the latest version. The underlying PHP during testing was the latest one, so this was not flagged.

Change default admin user account

This checks for the presence of the username 'admin.' It is advised not to use the admin username on WordPress sites. Since I have not used the default admin account, this was not flagged.

Change default database prefix

It is recommended to replace the default wp_ prefix of the database tables, and this tweak checks for that. As can be seen below, I have changed it to inf_prefix, and the change can be seen in the DB as well.

Disable the file editor

WordPress comes with a built-in file editor that attackers can use to modify core files and themes. This tweak disables the file editor completely so that unauthorized users cannot modify important files.

Hide Error Reporting

This feature prevents default error messages from being shown on the front end, since they give attackers hints about the backend.

Update Old Security keys

This tweak will not change any password; it only regenerates the password salts. With this tweak the plugin also gives the option to set up a reminder for regenerating the security keys. On clicking Regenerate Security Keys, the existing session is logged out, and the user needs to log in again. Please note that the password is not changed by this step, only the salt.

Prevent Information Disclosure

This tweak provides resistance to information disclosure by adding an .htaccess file to the website.

Following is the default restriction imposed by Defender, which can be tweaked further by the administrator.

Prevent PHP execution

This tweak prevents direct execution of PHP files in order to prevent theft of data from the website. It does so by placing an .htaccess file inside the root folder of the underlying website.

After clicking Add .htaccess, an .htaccess file will be created or updated with the following content. The admin can also add exceptions to this file where PHP execution should be permitted.

Manage Login Duration

This tweak manages the login duration of a particular user. By default, it is 14 days, but the login duration can be configured (in days only).

File Scanning

Scanning

This feature of the Defender plugin scans the core files to look for irregularities. In the Pro version, it can also check for suspicious code and for irregularities in other plugins and themes. Below we can see that the Defender plugin found 4 issues in the core files. These can be ignored, since Defender flags them only because the server is not in a default location. The admin has the privilege to ignore the issues as well.

Ignored

This section contains the findings the admin has ignored. For example, if we ignore the first finding from above, it will be reflected here.
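As an added illustration of what a core-file integrity scan and its ignore list do (this is my own example, not Defender's scanner), the script below takes a SHA-256 baseline of a constructed mini WordPress tree in a temporary directory, tampers with it, and reports modified, unknown and missing files, dropping anything on an admin-supplied ignore list. The file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def file_sha256(path):
    """Hash a file in chunks so large core files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root (the known-good baseline)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = file_sha256(full)
    return manifest

def scan(root, baseline, ignored=()):
    """Compare the tree with the baseline and report modified, unknown (added) and
    missing files, dropping anything on the admin's ignore list."""
    current = build_manifest(root)
    findings = {
        "modified": [p for p in sorted(current) if p in baseline and current[p] != baseline[p]],
        "unknown": [p for p in sorted(current) if p not in baseline],
        "missing": [p for p in sorted(baseline) if p not in current],
    }
    return {kind: [p for p in paths if p not in ignored] for kind, paths in findings.items()}

def write(root, rel, text, mode="w"):
    with open(os.path.join(root, *rel.split("/")), mode) as f:
        f.write(text)

def demo():
    """Constructed mini WordPress tree: take a baseline, tamper with it, then scan twice,
    the second time with index.php on the ignore list."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    write(root, "wp-includes/version.php", "<?php $wp_version = 'x.y.z';\n")
    write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
    baseline = build_manifest(root)
    write(root, "index.php", "// unexpected change\n", mode="a")   # modified core file
    write(root, "wp-includes/cache.php", "<?php\n")               # file not in baseline
    return scan(root, baseline), scan(root, baseline, ignored={"index.php"})
```

A real scanner would fetch the baseline for the installed WordPress version rather than compute it locally, otherwise a tree that is already tampered with becomes the "known good" state.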

Settings

In the Settings section, the admin can enable or disable file scanning and customize the email format (template, subject, etc.).

Reporting

In the Reporting section, the admin can schedule the file scanning activity.

Audit Logging

This feature enables audit logging and makes it easier for the admin to find irregularities.

Event Logs

Here, event logs can be viewed and exported to CSV. A filter for a particular username is also provided.

Settings

This section gives the admin the option to deactivate auditing.

Reports

This section lets the admin schedule the logging reports.

IP LockOut

This is one of the highlight features of the Defender plugin, as it gives the admin the control to stop various attacks such as brute force. Below are the main features of IP Lockout.

Login Protection

Login Protection gives protection against brute force attempts against the site. The admin can configure the following options:

  • Lockout Threshold: how many failed logins within a given time will trigger a lockout. Counting failures for the same username within a time window is important to reduce false positives, for example a legitimate user typing a wrong password. Some false positives will still arise, so this setting should be configured carefully.
  • To limit productivity loss if a legitimate user is locked out, configure the lockout time after which the account is freed for use again.
  • IP Lockout also provides the option to configure usernames that should be completely banned. For example, it is advisable to disable the default account, and we can add 'Admin' here as well to prevent any login attempts with it.

404 Detection

  • This helps to lock out an account if there are consistent 404 requests from that account within a specified amount of time.
  • There is also a provision to whitelist files (which are commonly requested but missing from the website).
  • The admin can also configure error types to ignore for certain file types.
  • Even logged-in users' activity can be monitored for 404 requests.

IP Banning

This is a very good feature where known lists of bots and blacklisted IPs can be imported directly into the account to prevent attacks such as brute force. It should be noted that currently only IPv4 addresses are supported.
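The Login Protection threshold, lockout duration and banned usernames, and the 404 Detection whitelist and ignored extensions, can all be modelled as one sliding-window tracker. The block below is an added example of that logic (my own code, not Defender's); the IPs, timestamps, threshold and window values are constructed for the demo and are not Defender's defaults.

```python
from collections import defaultdict, deque

class LockoutTracker:
    """Sliding-window lockout modelled on Login Protection and 404 Detection (added
    illustration, not the plugin's code): `threshold` failures from one IP inside
    `window` seconds lock that IP for `duration` seconds."""

    def __init__(self, threshold=5, window=300, duration=300,
                 banned_users=(), whitelist_404=(), ignore_ext=()):
        self.threshold, self.window, self.duration = threshold, window, duration
        self.banned_users = {u.lower() for u in banned_users}
        self.whitelist_404, self.ignore_ext = set(whitelist_404), tuple(ignore_ext)
        self.failures = defaultdict(deque)  # (ip, kind) -> recent failure times
        self.locked_until = {}              # ip -> time the lockout expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def _record(self, ip, kind, now):
        q = self.failures[(ip, kind)]
        q.append(now)
        while now - q[0] > self.window:     # forget failures outside the window
            q.popleft()
        if len(q) < self.threshold:
            return False
        self.locked_until[ip] = now + self.duration
        q.clear()
        return True

    def failed_login(self, ip, username, now):
        """True if this failed login leaves the IP locked out."""
        if username.lower() in self.banned_users:  # banned names lock out at once
            self.locked_until[ip] = now + self.duration
        return self.is_locked(ip, now) or self._record(ip, "login", now)

    def not_found(self, ip, path, now):
        """True if this 404 leaves the IP locked out; whitelisted paths and
        ignored extensions are never counted."""
        if path in self.whitelist_404 or path.lower().endswith(self.ignore_ext):
            return self.is_locked(ip, now)
        return self.is_locked(ip, now) or self._record(ip, "404", now)

def run_sample():
    """Constructed events: one IP fails five logins in 40 s, a real user mistypes once."""
    t = LockoutTracker(threshold=5, window=300, duration=600, banned_users=["admin"],
                       whitelist_404=["/favicon.ico"], ignore_ext=[".css", ".js"])
    events = [("203.0.113.5", "infosec", s) for s in (0, 10, 20, 30, 40)]
    events.append(("198.51.100.7", "infosec", 15))
    return t, [t.failed_login(ip, user, ts) for ip, user, ts in events]
```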

Logs

This section will provide the account lockout logs and further details.

Notifications

  • Under Notifications, the admin can enable or disable notifications for Login Protection lockouts and 404 Detection lockouts.
  • The admin can also configure notification settings like the maximum number of lockout emails and their cool-off period.

Settings

This section allows configuration of log retention.

Reporting

Under the Reporting section, the admin can configure the schedule for lockout reports.

Advanced Tools

In the Advanced Tools, the Defender plugin provides an additional layer of security with two-factor authentication. The admin can activate this feature.

Below we can see the roles for which two-factor authentication can be enabled. For testing purposes, let's enable 2FA for the Admin role, as below.

After that, the admin needs to enable two-factor authentication in the user profile, as below.

Below are the steps listed to download and install the 2FA app from either the Play Store or the App Store. The user needs to download the app, scan the barcode and verify the code.

  • After successful verification, the success message below will appear. It is very important to set the fallback email address in order to receive a passcode in the event of loss of the phone.

  • Let's try to log in to the site again. After providing the username and password, the site now presents the 2FA prompt managed by the Defender plugin.
