May 9, 2017

How to Secure Your Website Using WPBruiser


Everyone knows that when you’re using the Internet, your information is vulnerable. There’s really no way around it. Software is written by people, and people can always find a way to exploit it. The best we can do is block known vulnerabilities as soon as they appear. In this tutorial I’m going to show you how to secure your website using WPBruiser, a free plugin. Don’t let the fact that it’s free deter you; this is a very effective tool for stopping attackers. First, let’s talk about why you would want to use WPBruiser instead of CAPTCHA.

WPBruiser Vs. CAPTCHA – I like to think of this topic as a court case. With CAPTCHA, your users are considered GUILTY until they prove themselves INNOCENT by correctly completing the CAPTCHA requirements. WPBruiser, on the other hand, considers your users INNOCENT until they prove themselves GUILTY by trying to attack your site. I think we can agree that most people find the CAPTCHA system tiresome, at best. People don’t want to have to prove themselves every time they write a comment or fill out a contact form. WPBruiser is my favorite way to protect my website without annoying my users.



Install WPBruiser Plugin

  1. When you’re logged in to your WordPress dashboard, hover over the “Plugins” menu then click on “Add New” in the sub-menu that pops up.
  2. On the “Add Plugins” page, type “wpbruiser” in the search bar.
  3. Click “Install Now” on the option “WPBruiser {no-Captcha anti-Spam}”.
  4. Once installed, click on “Activate”. After activating, the page will redirect to the main “Plugins” page.



Configure the WPBruiser Plugin

Now that the plugin has been installed and activated, you’ll see a new ‘WPBruiser’ option in the WordPress admin menu.

  1. After clicking on “WPBruiser” in the admin menu, you’ll be in the “Settings” tab.
    • The first section is labeled “WPBruiser General Settings.”
      • Minimum Form Submission Time: requires that a form be open for at least a specified amount of time before it can be submitted. I chose 10 seconds. Spam bots typically fill in and submit a form almost instantly, so a submission that arrives sooner than this is treated as suspicious.
      • Keep Blocked Submitted Content For: You don’t necessarily need to keep records of the blocked submissions, but if you are curious about what attacks are being made to your site you can decide how long you’d like to keep that information. 30 days is the maximum length.
      • Automatically Purge Logs Older Than: Logs track events which happen in the background (such as blocking spam bots, failed login attempts, site down occurrences, etc). These logs can be useful when trying to figure out complex site problems. Typically, only advanced users look at logs. Even though you may never need to look at them, keeping them for at least 30 days is a good idea, just in case your site host needs them for troubleshooting.
      • Disable Protection For Logged In Users: Sometimes, having protections enabled while you’re making changes to the site could cause errors to occur. But, unless you are sure that you need protections disabled while you’re logged in, I don’t recommend selecting this box.
      • Switch WPBruiser to Test Mode: Test mode is good for making changes without negatively affecting your site. In test mode, if you make changes that “break” your site, you can always revert to the previous settings without actually harming your site. Just remember to deselect this box when you’re done.
    • The second section is labeled “Trusted Proxy Headers”.
      • In this section you’ll notice WPBruiser detects whether or not you have a Proxy Header on your site. Most likely, you do not. If it does show a proxy header though, be sure to register it by clicking on the “Register Header” button.
      • You’ll also notice that WPBruiser has detected and is displaying your current IP address. Most people have dynamic IP addresses, which means they eventually change. As long as the IP address shown is accurate, you’re all good. There is a link provided for checking that the IP address is accurate.
  2. After saving the changes you made on the “Settings” tab, you’ll click on the “Security” tab.
    • The first section offers protections against a brute force attack (see tooltip for definition).
      • Automatically Block IP Addresses: A brute force attack is persistent by definition. One way to put a stop to an attack is to block the IP address of the attacker as soon as an attack is detected. With this box selected, the attacker will not be able to attack again until they change their IP address. This is recommended.
      • Prevent User Enumeration: By sending a few simple requests, an attacker could extract information (such as valid usernames) to use while attacking your site. By selecting this box, you’re ensuring these requests will not give the attacker what they want. This is recommended.
      • Block Web Attackers IPs: This blocks all known spamming IP addresses from coming to your site – before they even try. This is recommended.
      • Block Anonymous Proxy IPs: This option will block any anonymous IP address associated with a proxy. To be fair, not everyone who uses a proxy is necessarily participating in illegal activities. Sometimes, people just want privacy. I do not personally have this box selected because I don’t want to prevent good people from being able to view my content.
    • The second section is labeled “White Listed Ips.” If there are particular IP addresses that you know are safe and would like to be sure are NEVER blocked from your site, this is the place to list them. It’s pretty rare for a small blogger to need to use this function.
    • The third section is labeled “Black Listed Ips.” On the other hand, if there are particular IP addresses that you know are dangerous and you want them to NEVER be able to access your site, this is the place to list them. Again, it’s pretty rare for a small blogger to use this function.
  3. After saving the changes you made on the “Security” tab, you’ll click on the “WordPress” tab.
    • The first section is labeled “Standard Forms Settings.”
      • Protect Login Form, Protect Lost Password Form, Protect Registration Form: I honestly can’t think of a single reason why you WOULDN’T want these forms protected. I recommend selecting each of these checkboxes.
      • Protect Comments Form: Again, why would you not want your comments to be protected from spam? If you don’t select this box, the remaining options will have no effect.
        • Comment Field Maximum Length: This limit is completely up to you. Try to imagine what your users might say in their comments and set the limit accordingly. For example, this sentence is 49 characters long. Try not to limit your users too much or they may begin to resent you and stop using your site.
        • Comment Name Field Maximum Length: While names certainly vary in length, I think it’s safe to say that most people are not going to use more than 50 characters.
        • Comment Email Field Maximum Length: Email addresses also vary greatly in length but it’s extremely unlikely that a valid email address will have more than 100 characters.
        • Comment Website Field Maximum Length: While it’s possible that a user might copy and paste a long URL into this field, it’s not very likely. Most people who want to list their website will use the “pretty” version (which isn’t usually very long). Limiting this to 200 characters is a safe bet.
    • The second section is labeled “Tweaking WordPress.”
      • Hide WordPress Version, Remove RSD Header, Remove WLW Header, Completely Disable XML-RPC, Disable XML-RPC Pingbacks, Hide Comments Website Field, Hide Comments Form Notes Fields: Whether or not you select these boxes is completely determined by what programs and plugins you use. The description text under each option can help you decide.
  4. After saving the changes you made on the “WordPress” tab, you’ll click on the “Contact Forms” tab. There’s only one section listed under this tab, “Popular Contact Forms Settings.” If you’re using the Jetpack plugin, select the box next to the “Jetpack Contact Form” option.
  5. After saving the changes you made on the “Contact Forms” tab, you’ll click on the “Membership” tab. If your website has a members section, you’ll want to make sure these access points are protected. If you have premium subscriptions for either UltraCommunity or WordPress Ultimate, you’ll want to enable protections specific to those forms. If you only have a free membership to WordPress but you have a members-only section on your website, be sure to enable protection for those forms listed under the “WP Member General Settings” section.
  6. After saving the changes you made on the “Membership” tab, you’ll click on the “Others” tab.
    • The first section is labeled “Popular Subscriptions Plugins Settings.” WPBruiser offers protection for the MailChimp for WordPress plugin. If you use this plugin, I recommend selecting this box.
    • The second section is labeled “Other Popular Plugins.” If you use ZM Ajax, PlanSo Forms, or Seamless Donations plugins, select the applicable checkboxes to make sure they are protected.

      Note: If you’ve never heard of them, you probably don’t use them.
  7. After saving the changes you made on the “Others” tab, you’ll click on the “Notifications” tab.
    • Brute Force Attack Detected, An Administrator Signs In: Both of these options will email you every time either of these events happens. If you’re supposed to be the only user with administrator capabilities, you might want to know if someone else with administrator access suddenly logs in. Both are up to you.
    • Administrator Email Address: This is the email address to which the notifications will be sent.
  8. After saving the changes you made on the “Notifications” tab, you’ll click on the “Extensions” tab. Here you will find a list of all the premium extensions compatible with WPBruiser. If you’re looking for useful forms plugins, this is a good place to start since you know any of the listed plugins can be protected using WPBruiser.
  9. After saving the changes you made on the “Extensions” tab, you’ll click on the “Reports” tab. This is where you’ll see all of the latest blocked attempts. You can even see what they did to be blocked by clicking on the “View Blocked Content” button in the “Latest Attempts” section. For more detailed reports you’ll need to be a WPBruiser Pro subscriber.
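To show what the “Minimum Form Submission Time” setting (step 1) and the comment field length limits (step 3) are doing behind the scenes, here is an added Python illustration of the same two checks; it is not WPBruiser’s own code. The form is rendered with a server-signed timestamp token, and a submission is blocked if the token is forged, arrives sooner than 10 seconds after the form was rendered, or any field is over its limit; the 1000-character comment limit, the 6-hour token expiry and the in-process secret are assumed values for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a persistent server-side secret; generated per process here for the demo.
SECRET = secrets.token_bytes(32)
MIN_SUBMIT_SECONDS = 10        # "Minimum Form Submission Time" chosen in the tutorial
MAX_TOKEN_AGE = 6 * 3600       # assumed: tokens older than 6 h are rejected to limit replay
# Per-field limits from the "WordPress" tab; the comment limit (1000) is an assumed value.
FIELD_LIMITS = {"comment": 1000, "name": 50, "email": 100, "url": 200}


def _sign(ts, nonce):
    return hmac.new(SECRET, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Called when the form is rendered; the result goes into a hidden field."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)  # makes every rendered form distinct
    return f"{ts}.{nonce}.{_sign(ts, nonce)}"


def check_submission(fields, token, now=None):
    """Return None if the submission is accepted, else the reason it was blocked."""
    now = int(now if now is not None else time.time())
    try:
        ts_str, nonce, mac = token.split(".")
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return "malformed token"
    # A bot cannot backdate the timestamp without the secret: the MAC would not match.
    if not hmac.compare_digest(mac, _sign(ts, nonce)):
        return "bad token signature"
    elapsed = now - ts
    if elapsed < MIN_SUBMIT_SECONDS:
        return f"submitted after {elapsed}s (< {MIN_SUBMIT_SECONDS}s)"
    if elapsed > MAX_TOKEN_AGE:
        return "token expired"
    # Length limits are enforced server-side; client-side maxlength is not trusted.
    for name, limit in FIELD_LIMITS.items():
        if len(fields.get(name, "")) > limit:
            return f"{name} exceeds {limit} chars"
    # A production version would also record the nonce so a token is accepted only once.
    return None
```

The human visitor who reads the post and comments a quarter of a minute later passes, while the bot that submits one second after fetching the page, or edits the timestamp in the hidden field, is logged as a blocked attempt.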

That’s it! You’re done! Your website is now protected from attackers and spammers!

Now that you’ve protected yourself and your users from attackers and spammers, it’s time to protect yourself from those who might want to plagiarize your content. To learn how to prevent content selecting and right-clicking see my post How to Protect Your Blog Content.

Do you have any questions or comments? Let me know, I’d be happy to help!
