Need some help with WordFence on OpenLiteSpeed: Page 2 - Enhance Control Panel

Need some help with WordFence on OpenLiteSpeed

Andreas

Now something I have been curious for a bit, how would one test all these firewalls?
Has anyone ran tests against these security/firewall plugins?
How does one know, how well these plugins are really working?
All it takes is one outdated plugin with a known exploit, and your security plugin is useless.
I would love to find a solution to that issue.

And any other feedback or insight on security I'm interested.
And sorry to OP for hijacking the thread here. Not my intention.

Rich

Andreas Yeah there are some resources, nothing with completeness I've seen with a quick look which opens the space for a good pen tester to make something. (Hopefully decent and fair)

Here's WordFence getting pwnd

Edge WAF comparisons

This project looks close to what you wanted

This paper bashes on WP plugins in favour of their edge WAF (feels a little cherry picked) They also allow you to scan your own site: here

Any competent hacker will bypass all these WAFs, like in that first link. (if you first don't succeed, try, try again) Heuristic scans or even logical pattern matching will always fail as the stakes go up. We're trying to keep bots and script kiddies out, not state actors or bad ass keyboard warriors. As I said none of these solutions are 100% secure or infallible.

Just pick what works for you and you're happiest with.

twest

Rich a lot of times the enemy comes from within too, like last months disclosure of a major vuln in Really Simple Security plugin:
https://www.ionix.io/blog/cve-2024-10924-explained-security-plugin-flaw-in-millions-of-wordpress-sites/

There's hardly any stopping a vuln plugin, in that case the best defense is being knowledgeable and attentive - running updates regularly and replacing defunct plugins. Probably not scalable for mass shared hosting, but for our managed wordpress hosting we will go out of our way to address vulnerable plugins on a per-site basis. On rare occasions we'll remove plugins to secure a clients site.

Rich

FYI I've been using these guys for years for security scanning and config checking: immuniweb

Rich

twest Vendor attacks are the worst. That's another reason I like WordFence they give vulnerability report emails, both from site scans but as a collective state of the plugin ecosphere allows us to keep an eye on things when away from the server.

Andreas

@Rich @twest Thank you guys. I appreciate the share very much. I will look into these later.
I haven't done much digging into this for a while. It's probably time I did it again.

Rich

Andreas Here's another in a tab I have open to check out: Zap

« Previous Page