WordPress powers more than a third of all websites and is a popular target for hackers. Hackers begin scanning and probing for vulnerabilities within minutes of a new website going online. It is essential that your websites be protected. WebARX is the first plugin I install after installing WordPress. With a good security plugin in place, I feel comfortable taking time to setup and configure the new site.
I used iThemes Security for years and it has a large number of lock-down settings and has generally been reliable. However, the plugin is time consuming to configure, the settings are confusing, malware scans have been reporting false positives or not completing and, most troubling, it does not include a firewall. Is a firewall a requirement for WordPress sites? These days I think it is. A firewall that receives just-in-time rule updates can protect your site from newly discovered exploits.
Is a firewall a requirement for WordPress sites? These days I think it is.
I wrote a previous article, “The Site Builder Guide to Website Security,” where I identify and list the tasks that I think make up WordPress security best practices. This article is for people who are serious about WordPress security and interested in the WebARX security solution. I cover all of the WebARX features and conclude by summarizing what WebARX does and doesn’t cover. At the end of this article there is a special offer for those who are interested in using WebARX.
WebARX Features Overview
In the walkthrough we setup and configure WebARX and look at these features in more depth, but as a quick overview, we can see that the features fall into three categories.
WebARX Firewall and Site Hardening
At its heart, WebARX is a web application firewall. A web application firewall (WAF) applies a set of filtering rules to the exchange of requests and responses that make up the conversation between the web client and server. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. WebARX includes rules to block common attacks and also has just-in-time patches to protect against new WordPress vulnerabilities.
In addition to the list above, WebARX offers some site hardening options such as Two Factor Authentication (2FA), brute force login form protection, the option to disable XML-RPC, disable directory browsing, or even hide that WordPress is being used.
Security and Vulnerability Monitoring
In addition to the firewall, WebARX also include some different types of monitoring: plugin vulnerability, checking if you site is on a blacklist, watching for site errors, up-time monitoring, and domain and SSL certificate expiration monitoring.
Alerts and Reports
You can receive alerts via email or Slack, generate reports, customize reports and create reports for your clients.
I know of WebARX as a WordPress security solution, but it can be used on any PHP website and is compatible with Magento, which is used for ecommerce, as well as Drupal and Joomla, which are two other content management systems like WordPress, but not a popular.
Adding WebARX to a Site
After you signup and when you login for the first time, you are presented with a dialog to add a site. Enter the full URL to your site and click the “Add Websites” button.
After you click the Add Websites button, you go to another screen where you are prompted for you website’s username and password. Here WebARX is going to try to automatically install the plugin for you.
I usually install it manually, which is the link under the Install Plugin button. When you click that button a copy of the plugin customized for your site downloads and you see a popup with information on how t install it.
It installs just like any other plugin, so go ahead and install and activate it. When you activate it, you go to the WebARX settings screen. The WebARX settings are found in the admin dashboard menu under Settings/Security.
The first thing I do is check the license page, which is the bottom tab.
You want to check that the firewall shows as active. If the Client ID or Client Security Key is blank then you can get those from the WebARX online dashboard, and I’ll show where that is later when we tour the dashboard. The is a button at the bottom to test that the website and dashboard are connected.
I consider some lockdown steps as optional and others required. My policy on optional hardening steps is if it is easy and isn’t going to disrupt work then I do it, but I don’t go out of my way. If I think it is a required set then I am willing to do what it takes to get a solution. So, in the tour, I will turn things on even if I consider them as optional.
Go to the top tab “Hardening” and lets look at the settings. These are lockdown options that you can apply.
Disable plugin/theme editor (optional): By default WordPress has a file editor under the Plugins menu. This will disable it. The thought is that this keeps an intruder from modifying source files, but I think if an intruder has gotten in the you are already in trouble.
Move logs folder: This option moves the logs folder to make it harder for someone unauthorized to access them.
Disable WPScan: WPScan is a vulnerability scanner that is popular among hackers (and security researchers). This setting will block it.
Disable user enumeration: WordPress has what and many others consider a hole in that it is easy to get user information about anyone who has published an article. The WordPress core team doesn’t consider this an issue, but in my mind there are two parts of the login equation, username and password, and there is no reason to give part of it away. This setting disables user enumeration, but WordPress added the RestAPI and it is possible to get user information that way as well. My understanding is that WebARX may block user enumeration via the RestAPI also in a future update.
Hide that you are using WordPress (optional): I personally don’t see much value in this, but some people think that by hiding what CMS you are using you make it harder for hackers.
Enable activity logs: This is a very important feature to enable. Activity logs will help you in the event of a break in to diagnose and figure out how the hacker got in.
Disable XML-RPC: RPC stand for Remote Procedure Call. This is an API added to WordPress a long time ago that is rarely used. The only use of it that I know if is for JetPack. You might need to leave it on if you are using JetPack, but otherwise it is good to turn off, because hackers can brute force a login through XML-RPC.
Recaptcha: Recaptcha is good for blocking bots. It is a free service offered by Google. You can signup and get your keys and enter them here.
The next tab down is the firewall settings tab.
Enable firewall: You definitely want to enable the firewall. If it is just me using the site then I usually bump up the amount of time a block stays in place for.
Firewall user role white list: You can exclude different roles from being checked by the firewall. If you trust the people in those roles then this is a way to make sure they are accidentally blocked.
IP Address Header Override: This is a feature that most people won’t need and I’d leave it blank unless support instructs you to use it. It could be useful in situations where there is a proxy and the IP address needs to be retrieved by other means.
.htaccess Features: It is common to write to the .htaccess file. This is a file read by the web server and you can include instructions for web server here that are processed before a WordPress page is loaded. It is a tad faster to include these rules in the .htaccess file than in a plugin (when that is a possibility). WebARX does a good job managing the additions to the file.
Disable .htaccess features: I personally wouldn’t disable using the .htaccess file, but you can do so here if for some reason you need to.
Add security headers: This option tells WebARX to include security headers in the response sent to web browsers.
Prevent default WordPress file access: You definitely want to enable this. It prevents visitors from reading the wp-config.php file, which as your database login information in it.
Block access to debug.log file: The debug file could contain sensitive information so it is a good idea to block outside access to it.
Disable index views: By default, if you browse to a directory under your website PHP will list the files in the that directory. You can keep this from happening by placing an empty index.php file in the directory, which will return a blank page, or using a web server directive in the .htaccess file, which is what WebARX does.
Forbid proxy comment posting: Normally when you submit a comment form the page referrer where the form was located is included in the submission. When bots try to hijack forms they sometime submit the form remotely and there is no referrer, which is what this blocks.
Prevent image hotlinking (optional): Sometimes a bad actor will link to images on your site and show them on their own. This uses up your bandwidth and you get no value.
Add custom .htaccess rules here: Occasionally you will have an .htaccess rule that you’d like to add. This is a convenience utility that gives you a GUI for doing so. You can place the rule before or after the WebARX rules.
IP Whitelist & Blacklist: Finally, there is the option to whitelist or blacklist an IP address or IP address range. This is another convenience GUI.
Move and rename login page (optional): By default the address of the WordPress login page is wp-login.php. This gives you the option to rename the link. Some bots are programmed to just hit that page, and so renaming it will fail. This is a case of “security through obscurity,” which is an attempt at security through hiding. I did this for a while but then stopped. It was a hassle and some 3rd party plugins may not handle the change correctly. If you have multiple users on the site then you are making it harder for them as well. The only reason I can see for doing this is to cut down on the churn.
Automatic brute-force IP ban: This is an important feature to enable. After a set number of failed login attempts the user will be blocked from logging in. If it is only me using the site I usually bump up the lockout time and lower the number of failed attempts to trigger the lockout. If you have lots of users then you might leave the numbers as they are.
Logon hours (optional): If you know that you won’t be visiting your site in the middle of the night then you can set hours here.
Two Factor Authentication: This is another important one. My feeling is that if you have an ecommerce store, are the administrator of a membership site, or have sensitive information on the site then 2FA is a requirement. This setting turns on the option of 2FA. Users will need to go into their account to set it up. I’ll show that process below.
Blocked and Whitelisted IP Addresses: In this section you can see IP addresses that are blacklisted or that you whitelisted on the Firewall settings page. This list is helpful if you, for instance, have a user who cannot log in. You can manually remove them from the blacklist if they happened to have forgotten their password and got locked out.
Here you can turn on and configure a cookie notice banner. This is especially useful for users in the EU. This is a convenience feature that saves you the need to install another plugin.
Here you can see recent log file entries. You can see more entries on the WebARX site dashboard.
Here you can backup the .htaccess file. If you are unsure of changes or have another plugin also writing to the .htaccess file then you can back it up there.
WebARX provides the ability to backup your site to Google Drive. When you click the Backup tab you first need to connect WebARX for your site to your Google drive account. Then you can configure the settings here.
Setting Up Two Factor Authentication
When you enable 2FA on the settings screen then a section is added to the user account screen.
You will need an app on your smart phone. I use Authy, but Google Authenticator is another popular one. Create an account in the app and then take a picture of the the QR code. That will complete the setup process. It is easy. To test it, log out of the site and then when you log in you will be prompted for a six digit code from you authentication app. If you have a problem with the setup you can disable 2FA from the WebARX dashboard.
That concludes the WordPress side of the walkthough. Now we will take a tour of the WebARX dashboard so you know where to find things.
I’ve numbered the different sections of the dashboard.
The account area (#1 on the image) hosts the place to change your profile, WebARX dashboard login, WebARX dashboard two factor authentication, and notification settings. In the notification area you can setup notifications to your Slack channel and select the alerts for notification. Here you can also enter a 2nd email address for alerts, if desired.
#2 on the image is where you see site up-time. To see this you need select the site (#6) so we’ll see that further down.
#3 shows blocked attacks. If you have multiple sites then this is site specific.
#4 has links to general dashboard areas. Dashboard is the current view. The firewall management screen is where you can manually enter firewall rules. The Reports area is where you can generate site reports. An addon allows you to white label them. There there is the area for Billing information and Team management. You get 5 users or can add more via an paid addon. Change log shows the dashboard and plugin changes and Support is a link to the knowledge base. There is a chat bubble in the lower right corner for online chat during working hours.
Site Management From the Dashboard
When you click on a website name (#5), the information for that website, as well as options for that site, are shown. At the top, the “Attacks Blocked” and “Uptime” graphs populate with information relevant for the site.
Below the charts are nine tabs for detailed site information.
In the Monitoring tab you can see the current state of all of the monitor functions. Note that the top several items are related to security headers that are added to the .htaccess file. Usually these are installed automatically, but about 20% of the time I’ve had to add them manually. If you a warning showing on these then you can go to the Support link on the left and find the article in the knowledge base that gives you the snippet. You can use the Custom .htaccess utility on your site to add them.
On the Firewall tab you can see information about the requests blocked by the firewall.
On the Uptime Logs tab you can run a report based on a time frame.
On the activity logs tab you can see the successful and failed login info. Updates info will be shown here as well. In the screenshot you can see the bottom entry is where I enabled 2FA and the rest are subsequent logins. It is worth noting that these logs cannot be deleted, which is good. If a bad guy gets access to your site, they cannot delete the logs to try to hide their tracks.
There are 4 tabs under the Hardening tab. These are the same settings that are found on the plugin setting screens on the website. I won’t review them all again here, but one good feature here is that if for some reason you cannot use 2FA and get locked out of your site, you can temporarily disable it here until it can be fixed.
On the Software tab you can see core, theme, and plugin updates, if any, and you can update them directly from this screen.
The Users tab lists the site users. You can reset the user password from this screen if you need to.
On the Firewall Rules tab you can see the rule sets that are active.
Below these tabs there is another panel. Here there is a place where you can download the plugin, should you need to. There is also a screen with the Firewall ID and Key in the even you need to manually enter them on your Website. The Manage Website area is a repeat of the contact options and the Notifications area are a repeat of the alert settings found in your account area. The settings here override your general settings should you want to customize them for a particular site.
How Does WebARX Measure UP?
In the “Site Builder Guide to WordPress Security” I have a long security-related checklist. Many of those items don’t relate to features that can be covered by a plugin. So what I’ve done below is remove those items and just leave the plugin related functions. All of the items in the list have a mention in the Site Builder Guide.
The items in blue are ones where WebARX provides full coverage, the lines in yellow are partial, and the lines in pink are ones that WebARX does not cover. I assume that the blue and pink ones are fairly straightforward, WebARX does or does not take care of those issues. So, let me explain the items in yellow.
Check that links are using HTTPS: WebARX does check that the site automatically forwards traffic to HTTPS should a user enter an HTTP URL, but it does not scan the page to make sure all links are HTTPS. There are free 3rd party scanners you can use if you are getting a “mixed content errors” where some resources are HTTP and others HTTPS .
Prevent user enumeration: WebARX stops hackers from trying to list user information through the author archive links, but it does not stop user listing via the RestAPI. I understand they might include that in a future version.
Block bot scanners: There are a lot of bot scanners. WebARX blocks scans from the popular WPScan scanner, but not from some of the others.
Disable obscure features: Sadly, WordPress has more than a few rarely used features. WebARX can disable the XML-RPC interface and remove some unused publishing headers, but there are others it does not cover.
When managing multiple sites, use platform for efficient updating: It is faster to update multiple sites from the WebARX dashboard than it is to log into each site and update one-by-one. However, WebARX does not have a unified update page where you can update all sites at the same time.
From a high level perspective, you can see that WebARX provides coverage in a wide range of areas and is very full featured. I’ve been using WebARX for over a year and I’ve never been locked out, gotten a false positive, or experienced any instability. It has been very solid. As I mentioned in the beginning of the article, iThemes Security used to be at the center of my security stack, but WebARX is now the first plugin I install when a site goes online.
Website security is one of those areas where it takes a lot of talent to provide a good solution that is easy to use and configure, is full featured, and doesn’t slow down your site. I’ve been impressed with the WebARX team. They have been responsive to questions and suggestions and the solution gets regular features and updates. They have already found and reported plugin vulnerabilities and are starting a new program where they will rewards for security researchers. The product and team are moving in the right direction.