Apocalypse Meow
Apocalypse Meow’s main focus is addressing WordPress security issues related to user accounts and logins. This includes things like: Brute-force login-in protection; Customizable password strength requirements; XML-RPC access controls; Account access alerts; Searchable access logs (including failed login attempts and temporary bans); User enumeration prevention; Registration SPAM protection; Miscellaneous Core and template options to make targeted hacks more difficult; Anonymize/scrub leaky remote request headers; Security is an admittedly technical subject, but Apocalypse Meow strives to help educate “normal” users about the nature of common web attacks, mitigation techniques, etc. Every option contains detailed explanations and links to external resources with additional information. Knowledge is power! Requirements Due to the advanced nature of some of the plugin features, there are a few additional server requirements beyond what WordPress itself requires: WordPress 4.4+. PHP 7.4 or later. PHP extensions: (bcmath or gmp), date, filter, json, pcre. CREATE and DROP MySQL grants. Single-site Installs (i.e. Multi-Site is not supported). Please note: it is not safe to run WordPress atop a version of PHP that has reached its End of Life. Future releases of this plugin might, out of necessity, drop support for old, unmaintained versions of PHP. To ensure you continue to receive plugin updates, bug fixes, and new features, just make sure PHP is kept up-to-date. 🙂 Log Monitoring Some robots are so dumb they’ll continue trying to submit credentials even after the login form is replaced, wasting system resources and clogging up the log-in history table. One way to mitigate this is to use a server-side log-monitoring program like Fail2Ban or OSSEC to ban users via the firewall. Apocalypse Meow produces a 403 error when a banned user requests the login form. Your log-monitoring rule should therefore look for repeated 403 responses to wp-login.php. Additionally, some robots are unable to follow redirects; if your login form requires SSL, you should also ban repeated 301/302 responses to catch those fools. If you have enabled user enumeration protection with the die() option, requests for ?author=X will produce a 400 response code which can be similarly tracked. Privacy Policy When active, this plugin retains security logs of every sign-in attempt made to the CMS backend. This information — including the end user’s public IP address, username, and the status of his or her attempt — is used to help prevent unauthorized system access and maintain Quality of Service for all site visitors. This information resides fully on the hosting web site and is not shared with any third parties. Data retention is entirely up to the site operator, but by default old records are automatically removed after 90 days. Please note: Apocalypse Meow DOES NOT integrate with any WordPress GDPR “Personal Data” features. (Selective erasure of audit logs would undermine the security mechanisms provided by this plugin. Haha.)
Top keywords
- php6×1.27%
- user5×1.06%
- wordpress5×1.06%
- access4×0.85%
- apocalypse4×0.85%
- apocalypse meow4×0.85%
- login4×0.85%
- meow4×0.85%
- security4×0.85%
- form3×0.64%
- information3×0.64%
- login form3×0.64%
WP fail2ban – Advanced Security
fail2ban is one of the simplest and most effective security measures you can implement to protect your WordPress site. WP fail2ban provides the link between WordPress and fail2ban: Oct 17 20:59:54 foobar wordpress(www.example.com)[1234]: Authentication failure for admin from 192.168.0.1 Oct 17 21:00:00 foobar wordpress(www.example.com)[2345]: Accepted password for admin from 192.168.0.1 WPf2b comes with three fail2ban filters: wordpress-hard.conf, wordpress-soft.conf, and wordpress-extra.conf. These are designed to allow a split between immediate banning (hard) and the traditional more graceful approach (soft), with extra rules for custom configurations. Features Failed Login Attempts The very first feature of WPf2b: logging failed login attempts so the IP can be banned. Just as useful today as it was then. Block User Enumeration One of the most common precursors to a password-guessing brute force attack is user enumeration. WPf2b can block it, stopping the attack before it starts. Block username logins Sometimes it’s not possible to block user enumeration (for example, if your theme provides Author profiles). WPf2b can require users to login with their email address instead of their username. Blocking Users Anther of the older WPf2b features: the login process can be aborted for specified usernames. Say a bot collected your site’s usernames before you blocked user enumeration. Once you’ve changed all the usernames, add the old ones to the list; anything using them will trigger a “hard” fail. Empty Username Login Attempts Some bots will try to login without a username; harmless, but annoying. These attempts are logged as a “soft” fail so the more persistent bots will be banned. Spam WPf2b will log a spammer’s IP address as a “hard” fail when their comment is marked as spam; the Premium version will also log the IP when Akismet discards “obvious” spam. Attempted Comments Some spam bots try to comment on everything, even things that aren’t there. WPf2b detects these and logs them as a “hard” fail. Pingbacks Pingbacks are a great feature, but they can be abused to attack the rest of the WWW. Rather than disable them completely, WPf2b effectively rate-limits potential attackers by logging the IP address as a “soft” fail. Block XML‑RPC Requests [Premium] The only reason most sites need XML‑RPC (other than Pingbacks) is for Jetpack; WPf2b Premium can block XML‑RPC while allowing Jetpack and/or Pingbacks. Block Countries [Premium] Sometimes you just need a bigger hammer – if you’re seeing nothing but attacks from some countries, block them! Cloudflare and Proxy Servers WPf2b will work with Cloudflare, and the Premium version will automatically update the list of Cloudflare IP addresses. You can also configure your own list of trusted proxies. syslog Dashboard Widget Ever wondered what’s being logged? The dashboard widget shows the last 5 messages; the Premium version keeps a full history to help you analyse and prevent attacks. Site Health Check WPf2b will (try to) check that your fail2ban configuration is sane and that the filters are up to date; out-of-date filters are the primary cause of WPf2b not working as well as it can. When did you last run the Site Health tool? mu-plugins Support WPf2b can easily be configured as a “must-use plugin” – see Configuration. API to Extend WPf2b If your plugin can detect behaviour which should be blocked, why reinvent the wheel? Event Hooks [Premium] Need to do something special when WPf2b detects a particular event? There’s a hook for that. Premium Web Application Firewall (WAF) Akismet support. Block XML‑RPC while allowing Jetpack and/or Pingbacks. Block Countries. Auto-update Cloudflare IPs. Event log. Event hooks.