AIO WP Security Firewall Log Hacks
Ever since my WP site was hacked and defaced back in 2012 by a group who claimed to be the “Kuwait Hackers”, I became especially paranoid about using WP plugins wildly on my site and in fact started installing plugins that would aid in hardening and scanning the site for security issues. I started a routine of checking for plugin updates, backing up my DB and, at first, using .htaccess to blacklist IP addresses that showed up with significant numbers of failed logins or 404 errors. It became a daunting endeavor and I spent countless hours trying to stay ahead of the bad guys on my site and the three other sites I was managing as sub-domains for customers.
So, when the All-In-One WordPress Security & Firewall plugin became available to the WP community two years ago, I installed it and was amazed at the plethora of security features it offered. The plugin was easy to set up, with clear instructions. I get an email when someone suspicious tries to log in to my site or generates too many 404 errors, so I can counter threats fairly proactively. None of the options I implemented negatively affect my performance or other plugins (some of which are additional security plugins). Check out the link or see the video below for details on all the features.
Blacklisting Nefarious Addresses
One of the great uses of the AIO is the ability to log all excessive 404 events from the same IP on your site. In most cases, when you see many repeated 404 errors occurring in a relatively short period of time from the same IP address, hackers are attempting to access a variety of non-existent page URLs using a scanner tool, in hopes of finding vulnerable pages or plugins. For this activity, within AIO WP Security under the “Firewall/404 Detection” section, you can choose to automatically block IP addresses that are hitting too many 404s. The only issue I have with this is that there is no automatic “reputation” scoring, and in some cases the 404 errors are legitimate (i.e. broken links on your site). In most cases I would then open another tab in Google Chrome, go to an IP lookup or threat reputation site and manually enter the IP. Alternatively, you can use the AIO WP Security “WHOIS Lookup” feature, but it provides you with only the reverse domain information and no country (geo) or threat scoring.
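The pattern described above, many 404s from one IP in a short window, can be checked directly against the web server's access log before deciding whether to block. The script below is an added example and not part of the post or the AIO plugin: it parses constructed Apache "combined" log lines, finds IPs whose 404s reach a threshold inside a sliding time window, and uses the number of distinct missing paths to separate a scanner (many different URLs) from a legitimate broken link (the same URL requested repeatedly). The log lines, thresholds and IP addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in Apache "combined" format (not from the post).
# 203.0.113.7 probes six different non-existent paths in a few seconds;
# 198.51.100.22 repeatedly requests one missing image from a page on the site;
# 192.0.2.9 produces two unrelated 404s twenty minutes apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-content/plugins/example-one/readme.txt HTTP/1.1" 404 512 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /wp-content/plugins/example-two/readme.txt HTTP/1.1" 404 512 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /old-admin/ HTTP/1.1" 404 512 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /backup/ HTTP/1.1" 404 512 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /test/ HTTP/1.1" 404 512 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "GET /wp-content/plugins/example-three/ HTTP/1.1" 404 512 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "GET / HTTP/1.1" 200 8192 "-" "scanner/1.0"
198.51.100.22 - - [10/Oct/2023:14:02:10 +0000] "GET /images/old-banner.png HTTP/1.1" 404 512 "https://example.com/about/" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:14:02:14 +0000] "GET /images/old-banner.png HTTP/1.1" 404 512 "https://example.com/about/" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:14:02:21 +0000] "GET /images/old-banner.png HTTP/1.1" 404 512 "https://example.com/about/" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:14:02:30 +0000] "GET /images/old-banner.png HTTP/1.1" 404 512 "https://example.com/about/" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:14:02:44 +0000] "GET /images/old-banner.png HTTP/1.1" 404 512 "https://example.com/about/" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:10:00 +0000] "GET /missing-page/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:30:00 +0000] "GET /another-missing/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Fields of the combined format we need: client IP, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_404s(log_text):
    """Yield (ip, timestamp, path) for every 404 line; lines that do not parse are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("path")


def find_404_bursts(log_text, threshold=5, window_seconds=60, min_distinct=3):
    """Return {ip: {"count", "distinct_paths", "verdict"}} for every IP whose 404s
    reach `threshold` inside some `window_seconds` span.

    The verdict is a heuristic: a scanner requests many different missing paths,
    while a broken link on the site produces the same missing path over and over.
    """
    hits = defaultdict(list)
    for ip, ts, path in parse_404s(log_text):
        hits[ip].append((ts, path))

    results = {}
    for ip, events in hits.items():
        events.sort()
        best = None  # (count, distinct paths) of the densest qualifying window
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                distinct = len({p for _, p in events[start:end + 1]})
                if best is None or count > best[0]:
                    best = (count, distinct)
        if best is not None:
            count, distinct = best
            verdict = "probable scanner" if distinct >= min_distinct else "likely broken link"
            results[ip] = {"count": count, "distinct_paths": distinct, "verdict": verdict}
    return results


if __name__ == "__main__":
    for ip, info in find_404_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} x 404 over {info['distinct_paths']} paths -> {info['verdict']}")
```

Only the "probable scanner" entries are worth sending on to a reputation lookup; the "likely broken link" entries point at something to fix on the site rather than an address to block. The thresholds are starting points and should be tuned to the site's normal traffic.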
Once you are satisfied that the IP address is nefarious (either a country of concern or excessive 404 events) you can permanently block the IP address or a range of addresses (using * wildcards) in the AIO WP Security Blacklist Manager (shown below), which uses .htaccess rules and directives to block the IP or range at the HTTP server level.
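To make the wildcard-to-.htaccess step concrete, here is an added example (not the plugin's own code, and independent of how the Blacklist Manager formats its rules) that converts entries such as `203.0.113.*` into CIDR networks, collapses entries already covered by a wider range, and emits an Apache 2.4 `Require` block. The entries in the usage call are constructed; the `<RequireAll>` / `Require not ip` syntax is standard Apache 2.4.

```python
import ipaddress


def wildcard_to_network(entry):
    """Turn an IPv4 blacklist entry into an ip_network.

    Accepts a single address (-> /32), CIDR notation, or the trailing-wildcard
    form the post describes (203.0.113.* -> 203.0.113.0/24).  Wildcards are only
    meaningful in trailing octets, so 203.*.113.5 is rejected.
    """
    entry = entry.strip()
    if "*" not in entry:
        return ipaddress.IPv4Network(entry, strict=True)

    parts = entry.split(".")
    if len(parts) != 4 or not all(p == "*" or p.isdigit() for p in parts):
        raise ValueError(f"bad wildcard entry: {entry!r}")
    first_star = parts.index("*")
    if first_star == 0:
        raise ValueError(f"refusing to block everything: {entry!r}")
    if any(p != "*" for p in parts[first_star:]):
        raise ValueError(f"wildcards must be trailing: {entry!r}")

    base = ".".join(parts[:first_star] + ["0"] * (4 - first_star))
    return ipaddress.IPv4Network(f"{base}/{8 * first_star}", strict=True)


def htaccess_block(entries):
    """Render a deny list as an Apache 2.4 .htaccess fragment.

    Networks fully contained in another entry are dropped, so a /24 plus a
    single host inside it produces one rule.
    """
    nets = {wildcard_to_network(e) for e in entries}
    collapsed = ipaddress.collapse_addresses(nets)
    lines = ["<RequireAll>", "    Require all granted"]
    for net in sorted(collapsed):
        # Apache accepts either a bare host or CIDR after "Require not ip".
        target = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append(f"    Require not ip {target}")
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed entries: one wildcard range, one host inside it, one separate host.
    print(htaccess_block(["203.0.113.*", "203.0.113.9", "198.51.100.7"]))
```

The generated fragment belongs at the top of the site's `.htaccess` (or in the server configuration), and because `Require all granted` sits inside the `RequireAll`, every listed `Require not ip` acts as an exception to it. Regenerating the whole block from the list on each change is safer than hand-editing individual lines.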
Custom IP Reputation Search Menu
So, to augment the 404 Firewall Logs and give me threat and reputation information at my fingertips, I use Google Chrome with the Context Menu Search extension, which allows me to leverage each lookup service's HTTP API and list a number of sites I can use to further investigate an IP I've highlighted in the log files. As you can see below, I have a number of lookup services in my context menu; when I highlight an IP in the logs I select the service I want to use, and another tab opens in Chrome with the output information.
The Context Menu Search extension is easy to add to Chrome, but it was originally intended for search engines, so you have to edit its entries; to pass the selected IP as a variable to each entry, you have to use “TESTSEARCH” in your lookup URLs as shown below:
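The substitution the extension performs is simple: the highlighted text replaces the literal `TESTSEARCH` in the entry's URL. The added example below (not part of the post or the extension) reproduces that step outside the browser so the URL entries can be checked, and adds the two safeguards worth having when the selection comes from a log file: it trims the whitespace and punctuation that get picked up when highlighting, and it refuses addresses that are private, loopback or link-local, for which an external lookup returns nothing useful. The lookup URLs are placeholders under `example.net` / `example.org`; the post does not list the services it uses.

```python
import ipaddress
from urllib.parse import quote

# Placeholder entries in the shape the Context Menu Search extension expects:
# the selected text is substituted for the literal TESTSEARCH.  These hosts are
# hypothetical; substitute the real lookup services' URLs.
LOOKUP_TEMPLATES = {
    "Geo lookup (placeholder)": "https://geo.example.net/ip/TESTSEARCH",
    "Reputation (placeholder)": "https://reputation.example.org/search?q=TESTSEARCH",
}

# Ranges for which an external reputation or geo lookup is pointless.
NOT_WORTH_LOOKING_UP = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def clean_selection(selected):
    """Normalise text highlighted in a log to a lookup-worthy IP string, or None.

    Strips surrounding whitespace and the punctuation that commonly gets selected
    along with an address, validates it as IPv4/IPv6, and rejects internal ranges.
    """
    candidate = selected.strip().strip(",;:()[]\"'")
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return None
    if any(addr in net for net in NOT_WORTH_LOOKING_UP):
        return None
    return str(addr)


def build_lookup_urls(selected, templates=LOOKUP_TEMPLATES):
    """Return {menu label: URL} for a highlighted selection, as the extension would open them."""
    ip = clean_selection(selected)
    if ip is None:
        raise ValueError(f"selection is not a lookup-worthy IP address: {selected!r}")
    # quote() is a no-op for IPv4 but percent-encodes the colons of an IPv6 address.
    return {label: url.replace("TESTSEARCH", quote(ip, safe="")) for label, url in templates.items()}


if __name__ == "__main__":
    # Constructed selection with the trailing comma a log line would give you.
    for label, url in build_lookup_urls(" 203.0.113.7, ").items():
        print(f"{label}: {url}")
```

The same check is a useful habit before blacklisting as well: an internal address showing up in the 404 log usually means a misconfigured proxy or a monitoring tool, not an attacker.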
While the All-in-One WP Security & Firewall plugin is very powerful, some additional client-side tools are needed to help determine whether the IP addresses in question are actually attackers. The Google Chrome extension “Context Menu Search” helps you gather more information on IP addresses before taking action and adding them to the blacklist.