Intrusion Prevention Systems (IPS) stop attacks before they infiltrate your systems. WordPress is under persistent attack, so you need an IPS to stand between your sites and the hackers.
In this article we break down what an Intrusion Prevention System (IPS) is, why WordPress needs an IPS, and how Shield Security meets this WordPress security requirement.
What Is An Intrusion Prevention System?
Just as it sounds, an IPS is a service, either hardware or software, that puts a stop to attempts to invade a system and gain unauthorized access.
A “system” can be anything, but typically refers to a network, a server, a laptop, or a website (such as WordPress), to name a few examples.
Some key characteristics of an IPS include:
- Threat Intelligence – be aware and up-to-date on latest security threats and vulnerabilities.
- Analysis Engine – track and monitor traffic in and out, and analyse this traffic for threats.
- Incident Response & Automation – wherever possible the IPS should respond to threats automatically.
- Logging and Auditing – the IPS should detail the incidents and its response to the events.
- Continuous Monitoring – the IPS should never stop, and should remain current and up to date with the latest threats.
- Integration with other Security Measures – ensure seamless integration with other security measures.
Each of these components is critical, but we’ve found that in the context of WordPress, automation is lacking in many WordPress security plugins. We discuss this in more detail a little later.
Before an IPS can block malicious activity, it must first be able to detect it – if it can’t see it, it can’t block it.
To detect bad actors you need an IDS – Intrusion Detection System.
Intrusion Detection System (IDS) vs Intrusion Prevention System (IPS)?
The purpose of an IDS is to monitor the traffic and, using a set of rules, identify attempts at intrusion, and distinguish these from legitimate activity.
An IPS can’t run without an IDS. You can, however, run an IDS without an IPS.
The reason to run an IDS in isolation is mainly for logging and sending alerts to administrators when an intrusion is detected.
The IDS methodology is how many plugins approach the challenge of WordPress security. They’ll monitor the site and send copious alerts to the admin. That’s fine if you have only 1 or 2 sites and you’re comfortable with how to respond to the alerts.
But let’s be completely honest, most WordPress admins aren’t versed in WordPress security to the level that the security developers are.
If you’re serious about protecting your WordPress sites, you should demand that your WordPress security adopts the role of IPS, not just IDS.
Does WordPress Need An Intrusion Prevention System?
Absolutely, yes. A WordPress site needs an Intrusion Prevention System.
With the WordPress CMS being the most popular (~40% of all websites), you can be certain that it’s a target for attack. This is for the simple reason that if you were a hacker and looking to maximise the results of your efforts, you’d naturally choose the biggest available target.
Most WordPress hack attempts are automated, and so the response to these threats must also be automated (if it is to be effective).
Your WordPress security plugin should be an IPS – fully automated, always on, and with full authority to take actions to protect you.
What Benefits Does a WordPress IPS Give You?
Stopping malicious traffic from infiltrating your WordPress sites before they can do any damage is the goal. Here are a few immediate benefits when using a powerful IPS for your WordPress websites:
1) Reduced Risk From Automated Hacks
Most hack attempts are automated. Bots are constantly hitting your site, probing, digging, and attacking.
If hacking is automated, then you need an automated response to fight back – you need an IPS.
2) Improved Resource Allocation
Each attempt to probe or hack your site consumes WordPress hosting resources. And resources aren’t cheap!
A good WordPress IPS will identify sources of malicious activity, then block all requests from those sources as quickly as possible. The sooner the requests are blocked, the sooner your server resources can be allocated to important traffic.
3) Protection For Your Data, Your Customers’ Data, and Your Brand
As a business, “your data” refers to “your data and your customers’ data”. So protecting your WordPress-based business means protecting your customers, too.
As businesses, we have an obligation to make our best efforts to protect our customers’ private data. Of course, there’s no such thing as 100% protection, but we need to be doing our best.
You should also take a moment to consider the consequences if you fail to protect your customers. The fallout for your business reputation will likely cost much more than the breach itself.
How Does Shield Security Serve As An Intrusion Prevention System For WordPress?
Before Shield can prevent attacks, it must be, first and foremost, a smart IDS – i.e. accurately distinguish attackers from “good” visitors.
We’ve made visitor profiling and early identification of malicious traffic a top priority. We see this as 1 of the most critical components of any security strategy.
Shield combines 2 metrics to build a profile for every WordPress visitor:
Shield doesn’t just “limit login attempts”; it watches every visitor and attaches a score to them based on their behaviour. We watch numerous areas of a WordPress site to catch bots doing enough things so that we can then confidently say “this visitor isn’t normal and isn’t here for anything good”.
Perhaps, for example, they:
- trigger multiple 404 errors (probing)
- fish for usernames
- follow tempting link cheese
- stumble onto the wrong login URL
- don’t register with our AntiBot system
- post comment SPAM
These are some of the signals that Shield uses to spot bad actors who are trying to hide their true intent. If they can convince your IPS that they’re “normal”, they’ll slip past your defenses, and Shield never wants that.
Sometimes the bots are more direct, and persistent. They may try to login using common usernames and passwords. Each time they commit an offense, we’ll catch it (and combine it with our signals system). If they offend often enough, their IP will be blocked completely from accessing the site.
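The signal-and-offense model described above, sketched as an added example (this is not Shield's code). The weights, the block threshold and the time window are assumptions, since the article names the signals but not their scores; the events are constructed and use documentation IP ranges.

```python
from collections import defaultdict

# Assumed weights: the article names these signals but publishes no scores.
SIGNAL_WEIGHTS = {
    "404": 1, "username_fishing": 2, "wrong_login_url": 2,
    "failed_login": 2, "link_cheese": 3, "comment_spam": 3,
}

class OffenseTracker:
    """Scores signals per IP inside a sliding window and blocks at a threshold."""

    def __init__(self, threshold=10, window=600):  # assumed values
        self.threshold, self.window = threshold, window
        self.events = defaultdict(list)   # ip -> [(timestamp, weight)]
        self.blocked = set()

    def record(self, ts, ip, signal):
        if ip in self.blocked:
            return "blocked"              # already denied, no further scoring
        # Keep only signals still inside the window, then add the new one.
        recent = [(t, w) for t, w in self.events[ip] if ts - t <= self.window]
        recent.append((ts, SIGNAL_WEIGHTS.get(signal, 0)))
        self.events[ip] = recent
        if sum(w for _, w in recent) >= self.threshold:
            self.blocked.add(ip)          # prevention step: automatic, no alert required
            return "block"
        return "allow"

# Constructed events: (seconds, source IP, signal).
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "404"), (5, "203.0.113.7", "404"),
    (9, "203.0.113.7", "username_fishing"), (12, "198.51.100.20", "404"),
    (15, "203.0.113.7", "link_cheese"), (20, "203.0.113.7", "failed_login"),
    (22, "203.0.113.7", "failed_login"), (30, "203.0.113.7", "404"),
    (900, "198.51.100.20", "404"),
]

def replay(events, tracker=None):
    """Feed events through the tracker; return the audit trail and the tracker."""
    if tracker is None:
        tracker = OffenseTracker()
    trail = [(ts, ip, sig, tracker.record(ts, ip, sig)) for ts, ip, sig in events]
    return trail, tracker

if __name__ == "__main__":
    trail, tracker = replay(SAMPLE_EVENTS)
    for row in trail:
        print(*row)
    print("blocked:", sorted(tracker.blocked))
```

The visitor with two isolated 404s is never blocked, while the probing source is denied as soon as its combined score crosses the threshold; the returned trail doubles as the audit log an IPS is expected to keep.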
But that’s not the end of the story.
Our goal is rapid detection of bad bots. We achieve this by having WordPress sites share their local knowledge of bad bots with other WordPress sites.
Since our partnership with CrowdSec, this is already happening. If bad bots attack a number of WordPress sites, then all other sites will know about it. When those bad bots pay a visit to anyone else, they’ll be blocked immediately.
Shield is clearly fully equipped as both an IDS and an IPS when it comes to malicious traffic, but let’s see where else it’s operating as a powerful IPS.
Shield’s WordPress File Scanning As An IPS
File infections happen. The possible routes to this are many and varied, but regardless of how it happens, we need to know about it, as soon as possible.
Shield’s file scanning system is one of the most comprehensive available. This is what it can do:
- detect changes in any WordPress Core file and display a line-by-line diff of any modifications
- detect unidentified files in any WordPress Core directory
- detect never-before-seen malware using machine learning and artificial intelligence
- detect and display diffs for changes in WordPress‘
- detect changes in nearly all WordPress.org plugins and themes and display a line-by-line diff
- detect changes in many premium plugins and themes (using crowd-sourced checksum data)
Detecting the changes is the IDS part of the equation. What can Shield Security do to remove these infections?
Shield is equipped with technology to automatically repair modified files. It can’t do it for all files (yet) since we don’t have access to original, clean versions of files for premium plugins. But we can automatically clean files for plugins and themes that are hosted on WordPress.org, for example, as well as for the WordPress Core itself.
You can configure Shield to do this for you automatically, or you can opt to be alerted of the file scan results so that you can take remedial action as and when you desire.
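The detect-then-repair split described in this section, as an added example (not Shield's implementation). It assumes a SHA-256 manifest of known-good files and a store of clean originals; the file contents are constructed, and the tree is built in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

def scan(root, manifest):
    """IDS step: compare files under root with manifest {relative_path: sha256}."""
    root = Path(root)
    on_disk = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    digest = lambda p: hashlib.sha256(p.read_bytes()).hexdigest()
    return {
        "modified": sorted(r for r, p in on_disk.items()
                           if r in manifest and digest(p) != manifest[r]),
        "unidentified": sorted(r for r in on_disk if r not in manifest),
        "missing": sorted(r for r in manifest if r not in on_disk),
    }

def repair(root, clean, report):
    """IPS step: restore modified or missing files, but only where a clean
    original is available. Unidentified files are reported, not deleted."""
    restored = []
    for rel in report["modified"] + report["missing"]:
        if rel in clean:
            target = Path(root) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(clean[rel])
            restored.append(rel)
    return restored

def demo():
    # Constructed stand-ins for clean core files and their checksum manifest.
    clean = {"index.php": b"<?php // constructed clean file\n",
             "wp-includes/load.php": b"<?php // constructed clean file\n"}
    manifest = {r: hashlib.sha256(d).hexdigest() for r, d in clean.items()}
    with tempfile.TemporaryDirectory() as root:
        repair(root, clean, {"modified": [], "missing": list(clean)})  # lay down clean tree
        Path(root, "index.php").write_bytes(b"<?php // constructed tampering\n")
        Path(root, "wp-includes/extra.php").write_bytes(b"<?php // constructed\n")
        before = scan(root, manifest)
        restored = repair(root, clean, before)
        after = scan(root, manifest)
    return before, restored, after

if __name__ == "__main__":
    for step in demo():
        print(step)
```

After the repair pass the modified file matches the manifest again, while the unidentified file is still reported: without a clean original or a manifest entry there is nothing to restore it to, which is the same limit the article describes for premium plugins.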
Special Note: Integration With Other Security Measures
As outlined above, a key component of a good IPS is integration with other security measures.
Shield Security’s biggest integration by far is with CrowdSec. This technology allows us to share intelligence of bad bots across all WordPress sites running on Shield Security.
The reason we’re dedicating a section of this article to integration is to emphasise the fact that the Shield Security plugin for WordPress can’t operate in complete isolation. We never profess to be a one-stop, all-in-one solution for WordPress security… we would be grossly disingenuous to state this. Any WordPress security plugin making that claim should be viewed with a healthy dose of skepticism.
We want to reiterate that you need to take a holistic approach to your WordPress security. After installing a WordPress security plugin, such as Shield, you should then take a critical view of your webhosting and infrastructure, then perhaps deploy a reverse proxy WAF service like Cloudflare, to augment security throughout your entire hosting stack.
We’re not saying you need multiple security plugins alongside Shield, not at all. But that your entire WordPress hosting should be hardened against threats.
Conclusion: What You Should Look For In A WordPress Intrusion Prevention System
There is no doubt that Intrusion Detection is a critical component to any WordPress security posture. You must know when your site is at-risk so that you can take action to mitigate it.
However, your security apparatus must be, wherever possible, smart enough to mitigate these risks to protect your WordPress site. Most attacks are automated using scripts & bots and so you shouldn’t be expected to wait for alerts to tell you “something bad is happening, do something quick!”.
Not only is it probably too late to act after you receive an alert, you may not be fully equipped to respond. The response should be sufficient to stall or stop the attack and it should happen immediately.
Can we be expected to achieve this ourselves?
You shouldn’t be expected to.
If you’re relying solely on logging and auditing, followed up with email/slack/<insert-something-that-wastes-your-time-here> alerts, then you’re not protecting your site effectively.
Where the required action is complex, ensure that your IPS is making it easy for you to take the next steps. You shouldn’t need a rocket science degree.
All this talk about automation might make you think that installing Shield Security on your WordPress site is a 1-stop solution.
It isn’t. There’s no such thing as a set-it-and-forget-it security policy.
Shield does a lot, and with each release it gets smarter and does a bit more. But you’ll always need to be pro-active with your WordPress security and take steps to mitigate attacks for which responses can’t reliably be automated.
Our goal with Shield is to automate as much as possible for you and to simplify your security incident responses where automation isn’t available.
If you haven’t tried Shield Security yet, give the ShieldPRO free trial a go and see for yourself how powerful WordPress security can be.