[Defender] Add default blacklist option, defense network, and security headers.

One of the primary reasons I cannot bring myself to switch to Defender from iThemes Security Pro or Wordfence is that they include some default protection that Defender doesn't, and I think it'd be cool if Defender did.

For example, iThemes gives you the option of adding the blacklist developed by Jim Walker (HackRepair.com), which installs an awesome list of known malicious user agents in the .htaccess (among other things - http://pastebin.com/u/hackrepair).

Both also connect to their "action networks," where IPs that are blocked for suspicious activity on a certain number of sites are automatically blocked for the entire network, to help pre-protect everyone from those agents.

Lastly, neither of them add the normal security headers, such as XSS protection, etc. I assume there's a reason (likely that they aren't appropriate for every setup) but it seems like if there was an option to turn them on or off, then we could adjust if necessary.

I'd love to see these things worked into the Defender roadmap.

  • Kasia Swiderska
    • Support nomad

    Hello Greg,

    Thanks for those ideas for the Defender - I have passed this to our product manager and developers for further discussions.

    Both also connect to their "action networks," where IPs that are blocked for suspicious activity on a certain number of sites are automatically blocked for the entire network, to help pre-protect everyone from those agents.

    As for this - Defender already is blocking IPs for the entire network. Or do you have something else in mind? Let me know.

    kind regards,
    Kasia

  • Kasia Swiderska
    • Support nomad

    Hello Greg,

    Defender can be only Network Activated on Multisite - but blocking IPs works on every subsite even though the settings are only on the network level.
    If blocking is activated, then when an IP is blocked on one subsite (from failed login attempts on this one subsite), it is then blocked for the whole network.
    There is no blacklist "per subsite" - it is all global.

    kind regards,
    Kasia

  • Greg
    • Design Lord, Child of Thor

    Ah, sorry, I didn't mean for a multisite network. I meant if the same IP gets blocked on enough sites within a certain timeframe, then that IP would automatically be blocked or throttled for every site that has Defender installed.

  • Greg
    • Design Lord, Child of Thor

    No, I mean all sites in the world that have Defender installed. Wordfence, for example, does something like this with their Security Network:

    Participate in the Real-Time Wordfence Security Network

    Enabling this feature causes your site to anonymously share data with Wordfence on hack attempts. In return, your WordPress site receives the IP address information of hackers that are currently engaged in brute force hacking activity so that your site can immediately block those hackers before they are able to engage in a brute force attack on your site.

    When enabled, Wordfence also reports page-not-found errors, attempts by blocked IP addresses to access your site, attempts by hackers to access known malicious URLs that do not exist on your site but are clearly a hack attempt, and login failure attempts. No personally identifiable data is sent, and we also don’t associate any of the data we do receive with your specific website. We aggregate the data on a real-time platform to determine which IP addresses are currently engaged in the most malicious activity and need to be blocked by our community. That data is then used by your site and other Wordfence protected sites to block those malicious IP addresses.

    So if an IP exhibits malicious behavior on a lot of sites, eventually it's automatically blocked for all sites that have Wordfence installed.
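
The cross-site blocking described in this thread (an IP blocked on enough separate sites within a timeframe becomes blocked for every participating site), as an added example that is not part of the thread and is not Defender's or Wordfence's code. The class name, the one-hour window and the three-site threshold are assumptions, and the report data is constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600  # assumed: reports older than this no longer count
SITE_THRESHOLD = 3     # assumed: distinct reporting sites needed for a network-wide block


class SharedBlocklist:
    """Hypothetical aggregator turning per-site block reports into a shared blocklist."""

    def __init__(self, window=WINDOW_SECONDS, threshold=SITE_THRESHOLD):
        self.window = window
        self.threshold = threshold
        # ip -> deque of (timestamp, site_id); reports are assumed to arrive in time order
        self._reports = defaultdict(deque)

    def report(self, ip, site_id, ts):
        """Record that site_id blocked ip locally at time ts (seconds)."""
        self._reports[ip].append((ts, site_id))

    def reporting_sites(self, ip, now):
        """Distinct sites that reported ip inside the window ending at now."""
        q = self._reports.get(ip)
        if q is None:
            return set()
        while q and now - q[0][0] > self.window:  # drop expired reports
            q.popleft()
        if not q:
            del self._reports[ip]  # nothing recent left, forget the IP
        return {site for _, site in q}

    def is_blocked(self, ip, now):
        # Count distinct sites, not raw reports, so one noisy or
        # misconfigured site cannot push an IP onto everyone's blocklist.
        return len(self.reporting_sites(ip, now)) >= self.threshold


def demo():
    """Feed constructed reports (documentation-range IPs) into a fresh list."""
    net = SharedBlocklist()
    reports = [
        ("203.0.113.7", "site-a", 0),
        ("203.0.113.7", "site-a", 10),    # same site again: still one reporter
        ("203.0.113.7", "site-b", 600),
        ("198.51.100.9", "site-a", 700),  # seen by a single site only
        ("203.0.113.7", "site-c", 1200),
    ]
    for ip, site, ts in reports:
        net.report(ip, site, ts)
    return net
```

Because entries expire with the window, an address that stops misbehaving drops off the shared list on its own, which limits the damage from false positives on shared or reassigned IPs.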
