Some features and notes about Defender for enhancements

1) Enhancement: Would like to be able to do immediate ban of an IP with a specific login name. Like anyone who tries to login as ‘admin’ gets immediate ban.

2) Enhancement: Shared IP ban list. Would like to have my list augmented with the auto-generated IP list of other Defender users. I don’t want to have to filter through login ban logs with IPs that everyone else is seeing too. To ensure that the IPs are good, the shared list should only include IPs that have been added to at least 5 other independent ban lists.

3) Enhancement: IP lockout list: Allow filtering out failed attempts for specific user names. I have pages of failed attempts for a specific name which appear to be coming through spoofed/proxy servers. I want to build a list of names and continue to remove them from my view. So, eliminate all admin. Then I see admin1, eliminate those. Then I see manager, eliminate those…

4) Enhancement: Detection of proxies. I know this is tough but I have a page of results from failed attempts to login with a specific user name like ‘bob’, all from different IP addresses. Rather than detecting all of the individual IP addresses, let’s try to block out specific proxy servers. We might lose some legitimate traffic but for some sites that’s a small price.

5) Enhancement: IP lockout list: When sorted by IP, going to page 2 returns unsorted data. Each page should progress through the same sorted list.

6) Enhancement: Auto ban of page requests for plugins that aren’t installed. These are obviously hack attempts. Example: “Request for file amrusersfront.css?ver=3.1 which doesn't exist”. Since I don’t have the AMR-Users plugin installed this is obviously a probe.

7) Enhancement: IP lockout list: Ability to copy the full path referenced by a description. The path is available in a tooltip which displays on mouseover, but I want to copy/paste this data for other handling.

8) Enhancement: Auto-lockout of requests for ?author=N. On my blog there is only one author and requests for another ID are obviously probes. Maybe the best way to approach this is a user-configurable whitelist/blacklist of requests matching specific regex patterns.

9) Enhancement: IP lockout list: Sort by detail

10) Enhancement: IP lockout list: Export to CSV

11) Enhancement: Compatibility checking with other plugins. This is a procedural request. Rather than asking for Defender to get enhanced with a lot of features found in other plugins, I don’t mind using other plugins. I just don’t want conflicts. Please pro-actively check with other developers and run other plugins to ensure there aren’t conflicts with Defender. Specifically, I just activated UP Geo Block, which seems to be a perfect companion to Defender.

12) Enhancement: Please add ability to batch email notifications into a readable bundle where we can get one email at the end of the day for all sites in our Hub. Defender is very chatty.

1) Bug: IP lockout list: Sometimes clicking the up/down column sort on IP returns the JSON dump of data rather than refreshing the list. Example of a URL that gets returned with JSON:

2) Bug? Refinement? : I get a lot of warnings for page requests like “/blog/category/tech/page/16”. This is apparently a bot that’s scanning through incrementing pages, where page 15 was the last valid page. I don’t think we care about “defending” against this common site scraping, so it probably shouldn’t be reported. So I suggest not taking action against invalid “/page/Z” requests unless they are repeated/excessive.
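Added example (not Defender's code, and not part of this post): a small request classifier that implements the detection rules asked for in items 6 and 8 and the "only if repeated" refinement above, i.e. a user-configurable regex deny list, a probe check for plugin paths that are not installed, a check for ?author=N outside the site's real author IDs, and a per-IP threshold before invalid /page/Z requests count. The installed-plugin set, author IDs, last valid page, threshold and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample requests (ip, path); not real Defender log output.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "/wp-content/plugins/amr-users/amrusersfront.css?ver=3.1"),
    ("203.0.113.5", "/?author=2"),
    ("198.51.100.7", "/blog/category/tech/page/16"),
    ("198.51.100.7", "/blog/category/tech/page/17"),
    ("198.51.100.7", "/blog/category/tech/page/18"),
    ("192.0.2.9", "/blog/category/tech/page/3"),
    ("192.0.2.9", "/?author=1"),
]

# Assumed site configuration (hypothetical values).
INSTALLED_PLUGINS = {"defender", "ip-geo-block"}
VALID_AUTHOR_IDS = {1}          # single-author blog, as in item 8
LAST_VALID_PAGE = 15            # page 15 was the last real page
PAGE_SCAN_THRESHOLD = 3         # lock out only on repeated bad /page/Z hits

# User-configurable deny patterns (item 8): regex -> reason label.
DENY_PATTERNS = [
    (re.compile(r"/wp-content/plugins/([^/]+)/"), "plugin-probe"),
    (re.compile(r"[?&]author=(\d+)"), "author-enum"),
    (re.compile(r"/page/(\d+)/?$"), "page-scan"),
]

def classify(ip, path, page_hits):
    """Return the lockout reason for this request, or None if it is benign."""
    for pattern, reason in DENY_PATTERNS:
        m = pattern.search(path)
        if not m:
            continue
        if reason == "plugin-probe" and m.group(1) not in INSTALLED_PLUGINS:
            return reason                      # item 6: plugin not installed
        if reason == "author-enum" and int(m.group(1)) not in VALID_AUTHOR_IDS:
            return reason                      # item 8: unknown author ID
        if reason == "page-scan" and int(m.group(1)) > LAST_VALID_PAGE:
            page_hits[ip] += 1                 # refinement: count, do not act yet
            if page_hits[ip] >= PAGE_SCAN_THRESHOLD:
                return reason
    return None

def lockouts(requests):
    """Map each IP to the first reason it earned a lockout."""
    page_hits = defaultdict(int)
    result = {}
    for ip, path in requests:
        reason = classify(ip, path, page_hits)
        if reason and ip not in result:
            result[ip] = reason
    return result
```

Running `lockouts(SAMPLE_REQUESTS)` locks out the plugin prober and the page scanner, while the IP that fetched a valid page and the real author ID is left alone.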

  • Tony G

    Revision for #12 and a few more...

    Over time, many people have expressed frustration with Defender emails. But there is nothing in the Roadmap about this topic. I’m recommending enhancements to the Notification section to address some of the concerns.

    13) An email schedule so that notices are not sent out immediately, but at timed intervals (radio for 2, 3, 4, or 8 hours), or at specific times during the day (multi-select 6am, 12pm, 12am, 6pm).

    14) The dashboard option to change the email template seems to be missing. There should be an option for a simple text-only email rather than HTML. The HTML template is too bold for individual notices. For a bulk update it would be fine. For individual updates the email should be very simple with a link for detail near the top. Whatever the solution here, use HTML and structured messaging with reservation. This is an admin notice, not a marketing announcement.

    15) Add and document hooks where plugins can become aware of Defender events. We might want to disable email and replace it with some other notification mechanism. All of the features in this plugin are oriented toward gathering information, not about what to do with that information, which is going to be different for different sites.

    Hooks for this product will encourage development of plugins which handle the hooks, and that will get more people to install the plugin, see WPMUDEV, and perhaps get a membership. This is as much a marketing initiative as it is technical.

    Rather than just adding these notification features into Defender, create a separate plugin for notifications which can be used by hooks by any other plugin. Publish it to get field enhancements (another Marketing initiative) and roll those enhancements back into the core so that Defender and other WPMU DEV plugins can benefit. This implies that Defender needs to abstract from handling its own notifications, and function as a client to this other plugin. This same abstraction can be adapted to other WPMU DEV plugins that provide notifications, and users should be able to tune notifications differently for different plugins.

    I haven't looked too closely but there's probably already a plugin out there that does something like this. Consider plugins that schedule site notifications for new content with specific tags, and which provide digests. That's all we're talking about here. So rather than writing individual and (sorry) poor notification systems yourselves, try to make use of what's already available.

    Combining the above, consider if Defender just executed an action when something of interest occurred. A custom plugin could get that data and post it to the current site (or another via the WP API) as an admin-role post. With a common subscriber plugin we can easily get those posts in whatever format we want, including RSS to be consumed by some other process.

    The bottom line here is that by integrating notifications so closely into your plugins you've made it a huge chore to respond to complaints about those notifications. Use the tools better and you'll make it a lot easier on yourselves.
