2016-09-29

Smart Security Tools is a powerful plugin for improving the security of your WordPress powered website. The plugin contains a collection of tweaks and tools for extra security protection, along with a Security Advisor that helps you determine what needs to be done.



The plugin includes integration with the VirusTotal and Sucuri free security scanners (showing malware found on the website and blacklisting status on the major security related websites). It also includes a database based Security Log that records different event types you can use to determine problems, potential attacks and exploits, IPs used for access, referrers, user agents and more. You can ban IPs directly from the Security Log.

Security Advisor will help you get started

The plugin offers tips on what you need to improve on your website. Based on the status of the tips on this panel, the plugin calculates a security percentage. It is important to follow all recommended tips, and as many of the optional tips as you need.

Collection of easy to use security tweaks

General tweaks are easy to set up, and you can solve many security issues directly with them. Some of these tweaks, if active, will also log security events into the database.
List of general tweaks

Add X-Content-Type-Options header (v3.5)

Add X-Frame-Options header (v3.5)

Add X-XSS-Protection header (v3.5)

Add Strict-Transport-Security header (v3.5)

Remove X-Powered-By header (v3.5)

Remove XML-RPC Multicall methods (v3.2)

Remove X-Pingback Header (v2.7)

Remove XML-RPC Pingback methods (v2.7)

Remove script and styles versions (v2.0)

Prevent access from banned IPs (v1.5)

Prevent SQL injections

Prevent too long URLs

Simple registration honeypot

Remove errors from login screen

Restrict username length

Remove username from comments CSS classes

Remove WordPress version

Remove RSD link

Remove WLW manifest link

Disable XML-RPC
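Most of the general tweaks above map onto a handful of core WordPress hooks. The following is an added example written for this page, not code from Smart Security Tools, showing how a small must-use plugin could implement them. The URL and username limits, the honeypot field name `ht_website` and the SQL injection pattern list are assumptions for illustration, not the plugin's own settings.

```php
<?php
/*
Plugin Name: Hardening Tweaks Example (mu-plugin)
Description: Added example for this page, not Smart Security Tools code.
*/
if ( ! defined( 'ABSPATH' ) ) { exit; }                // no direct access

// Assumed, illustrative limits; the plugin's own defaults are not documented on this page.
define( 'HT_EXAMPLE_MAX_URL_LENGTH', 255 );
define( 'HT_EXAMPLE_MAX_USERNAME_LENGTH', 30 );

// --- Response headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, HSTS, X-Powered-By ---
add_action( 'send_headers', function () {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'X-XSS-Protection: 1; mode=block' );
    // HSTS only over HTTPS: browsers ignore it on plain HTTP, and a site that is not
    // fully HTTPS-ready would lock visitors out for max-age seconds.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
    header_remove( 'X-Powered-By' );                   // PHP adds it when expose_php=On
} );

// --- X-Pingback header and the pingback / multicall XML-RPC methods ---
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    unset( $methods['system.multicall'] );             // one request can otherwise carry hundreds of login attempts
    return $methods;
} );
// add_filter( 'xmlrpc_enabled', '__return_false' );  // uncomment to disable XML-RPC entirely

// --- WordPress version, RSD / WLW manifest links, ?ver= on scripts and styles ---
remove_action( 'wp_head', 'wp_generator' );
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
add_filter( 'the_generator', '__return_empty_string' );
function ht_example_strip_ver( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
}
add_filter( 'script_loader_src', 'ht_example_strip_ver' );
add_filter( 'style_loader_src', 'ht_example_strip_ver' );

// --- Login screen: one generic message, so the wording cannot confirm which usernames exist ---
add_filter( 'login_errors', function () {
    return __( 'Login failed. Please check your credentials.' );
} );

// --- Registration: username length limit and a honeypot field (assumed name "ht_website") ---
add_action( 'register_form', function () {
    echo '<p style="display:none"><input type="text" name="ht_website" value="" autocomplete="off"></p>';
} );
add_filter( 'registration_errors', function ( $errors, $sanitized_user_login ) {
    if ( strlen( $sanitized_user_login ) > HT_EXAMPLE_MAX_USERNAME_LENGTH ) {
        $errors->add( 'username_too_long', __( 'Username is too long.' ) );
    }
    if ( ! empty( $_POST['ht_website'] ) ) {            // humans leave the hidden field empty, bots fill it
        $errors->add( 'honeypot', __( 'Registration failed.' ) );
    }
    return $errors;
}, 10, 2 );

// --- Drop the comment-author-<nicename> CSS class that exposes registered usernames ---
add_filter( 'comment_class', function ( $classes ) {
    return array_values( array_filter( $classes, function ( $class ) {
        return strpos( $class, 'comment-author-' ) !== 0;
    } ) );
} );

// --- Reject over-long URLs and obvious SQL injection probes before WordPress routes them ---
add_action( 'init', function () {
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    if ( strlen( $uri ) > HT_EXAMPLE_MAX_URL_LENGTH ) {
        status_header( 414 );
        exit;
    }
    // Deliberately short pattern list; a production filter needs tuning against false positives.
    if ( preg_match( '/(union\s+select|information_schema|sleep\(\d+\)|benchmark\()/i', rawurldecode( $uri ) ) ) {
        status_header( 403 );
        exit;
    }
}, 1 );
```

Drop the file into wp-content/mu-plugins/ so it loads before regular plugins. Two caveats a practitioner should keep in mind: the HSTS header is only worth sending once every subdomain it covers serves HTTPS, and X-XSS-Protection is no longer honoured by current browsers, so it is harmless but not a substitute for a Content-Security-Policy.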

Collection of powerful .htaccess enhancements

The most important security features are implemented using the .htaccess file in the WordPress root directory. This is available only for Apache (and LiteSpeed) based web servers.
List of .htaccess tweaks

Add Strict-Transport-Security header (v3.5)

Remove X-Powered-By header (v3.3)

Add X-Content-Type-Options header (v3.3)

Add X-Frame-Options header (v3.3)

Add X-XSS-Protection header (v3.3)

Set proper 403 handler file (v3.0)

Prevent scans for some common files (v3.0)

Deny POST requests using HTTP 0.9 or 1.0 (v2.2)

Prevent WordPress installation directory browsing

Disable the Server Signature on server error pages

Deny all comments requests with no valid referer

Prevent access to WordPress root system files

Ban access from IPs banned in the Security Log

Ban access from additional listed IPs

Limit body size of a single request and file upload size

Prevent access to XML-RPC due to Pingback Vulnerability

Disable Trace and Track request methods

Blacklist Query Strings using listed rules

Blacklist Request Strings using listed rules

Blacklist User Agents using listed rules
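For the .htaccess side, the following is an added example of hand-written rules (not the rules Smart Security Tools generates) covering most of the tweaks in the list above. It assumes Apache 2.2 or 2.4 with mod_rewrite and mod_headers loaded and an AllowOverride that permits these directives; the banned IPs, the site hostname example.com, the body size limit, the 403 page path and the blacklist patterns are placeholders.

```apache
# Added example for this page, not generated by Smart Security Tools.
# Back up .htaccess first: one bad RewriteRule or IP rule returns 500/403 for everyone, including you.

# Prevent directory browsing and hide the server signature on error pages
Options -Indexes
ServerSignature Off

# Limit the request body (10 MB here); oversized uploads are refused before PHP sees them
LimitRequestBody 10485760

# Security headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    # HSTS only on HTTPS responses (env=HTTPS is set by mod_ssl); max-age is one year
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    Header unset X-Powered-By
</IfModule>

# Deny access to WordPress root system files
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt|error_log)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Prevent access to XML-RPC (pingback amplification, brute force via system.multicall)
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Ban listed IPs (placeholder addresses from documentation ranges)
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not ip 192.0.2.10 198.51.100.0/24
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from 192.0.2.10 198.51.100.0/24
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Disable TRACE and TRACK request methods
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
    RewriteRule .* - [F,L]

    # Deny POST requests made with HTTP/0.9 or HTTP/1.0 (typical of crude bots)
    RewriteCond %{REQUEST_METHOD} ^POST$
    RewriteCond %{THE_REQUEST} HTTP/(0\.9|1\.0)$
    RewriteRule .* - [F,L]

    # Deny comment posts with no referer from this site or with an empty user agent
    RewriteCond %{REQUEST_METHOD} ^POST$
    RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* - [F,L]

    # Blacklist query strings: traversal, script injection, SQL and PHP probes
    RewriteCond %{QUERY_STRING} (\.\./|<script|union(\s|%20)+select|base64_decode\(|GLOBALS\[|_REQUEST\[) [NC]
    RewriteRule .* - [F,L]

    # Blacklist user agents (placeholder names)
    RewriteCond %{HTTP_USER_AGENT} (sqlmap|nikto|libwww-perl) [NC]
    RewriteRule .* - [F,L]

    # Prevent scans for common files that do not belong on a WordPress site
    RewriteCond %{REQUEST_URI} /(phpmyadmin|myadmin|mysql|pma)/ [NC]
    RewriteRule .* - [F,L]
</IfModule>

# Proper 403 handler: a local static page instead of the default error page
ErrorDocument 403 /403.html
```

The paired `<IfModule mod_authz_core.c>` / `<IfModule !mod_authz_core.c>` blocks are what make one file work on both the 2.2 (`Order`/`Deny`) and 2.4 (`Require`) syntax; mixing the two syntaxes outside such guards is the usual cause of the 500 errors the disclaimer below warns about. Test every rule from an external address before relying on it, and keep a way to edit the file over SFTP or SSH in case the IP block catches your own address.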

Security Logs to track security related events

The Security Log adds two database tables to log all sorts of security related events. For each event you get information about the user (or visitor), IP, user agent, referrer and other details, depending on the event, that help you track the sources of new security probes or attacks. You can ban IP addresses through the Security Log panel.
Analyze security logs for each IP's threat level
Since version 1.5 of the plugin, a new panel shows aggregated log results for individual IPs, with an estimated threat level based on the number of logged events and the event types. This helps you decide whether an IP should be banned. Some of the logged actions are potentially malicious, and those are marked as such in the plugin settings.

List of events types logged by plugin

Login / Logout / Login Errors / Login Failed

User Profile / Password Changed

Registration / Registration Honeypot

SQL Injection URL / Too Long URL

Error 404 – PHP, Query, Web File, Media, Script

Plugin Activated / Deactivated

Plugin / Theme / Core Upgrade Completed

Access Robots.txt File

Additional log options to identify event source

IP Geolocation

IP WhoIS

Security emails notification system
The plugin can send daily and weekly digest emails with an overview of logged events and IPs. Some events can also generate individual email notifications. The most important is the malicious alert email, sent when the number of logged malicious events reaches a configured number within a specified time period (200 events in the past 30 minutes is the default).
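To make the per-IP threat level estimate described above and the malicious alert threshold concrete, the following standalone PHP script is an added example, not the plugin's own scoring or notification code. The event names follow the list above; the per-event weights, the level cut-offs and the sample log rows are constructed assumptions for illustration.

```php
<?php
// Added example for this page, not Smart Security Tools code.
// Weights for the event types the plugin settings would mark as potentially malicious (assumed).
$MALICIOUS_WEIGHTS = array(
    'login_failed'          => 2,
    'registration_honeypot' => 5,
    'sql_injection_url'     => 8,
    'too_long_url'          => 3,
    'error_404_php'         => 3,
    'error_404_script'      => 1,
);

/** Aggregate log rows per IP and map the weighted score to a threat level (cut-offs assumed). */
function aggregate_threat_levels( array $rows, array $weights ) {
    $per_ip = array();
    foreach ( $rows as $row ) {
        $ip = $row['ip'];
        if ( ! isset( $per_ip[ $ip ] ) ) {
            $per_ip[ $ip ] = array( 'events' => 0, 'malicious' => 0, 'score' => 0, 'types' => array() );
        }
        $per_ip[ $ip ]['events']++;
        $per_ip[ $ip ]['types'][ $row['event'] ] = true;
        if ( isset( $weights[ $row['event'] ] ) ) {
            $per_ip[ $ip ]['malicious']++;
            $per_ip[ $ip ]['score'] += $weights[ $row['event'] ];
        }
    }
    foreach ( $per_ip as $ip => &$agg ) {
        // Several distinct malicious event types from one IP is worse than many repeats of one type
        $distinct = count( array_intersect_key( $weights, $agg['types'] ) );
        $agg['score'] += 4 * max( 0, $distinct - 1 );
        if ( $agg['score'] >= 20 )    { $agg['level'] = 'high'; }
        elseif ( $agg['score'] >= 8 ) { $agg['level'] = 'medium'; }
        elseif ( $agg['score'] > 0 )  { $agg['level'] = 'low'; }
        else                          { $agg['level'] = 'none'; }
        unset( $agg['types'] );
    }
    unset( $agg );
    return $per_ip;
}

/** True when at least $threshold malicious events were logged in the last $window_minutes. */
function malicious_alert_due( array $rows, array $weights, $now, $threshold = 200, $window_minutes = 30 ) {
    $since = $now - $window_minutes * 60;
    $count = 0;
    foreach ( $rows as $row ) {
        if ( $row['time'] >= $since && isset( $weights[ $row['event'] ] ) ) {
            $count++;
        }
    }
    return $count >= $threshold;
}

// Constructed sample log (timestamps relative to $now); not real traffic.
$now  = time();
$rows = array();
for ( $i = 0; $i < 60; $i++ ) {   // brute force: 60 failed logins in ten minutes from one IP
    $rows[] = array( 'ip' => '198.51.100.7', 'event' => 'login_failed', 'time' => $now - $i * 10 );
}
$rows[] = array( 'ip' => '198.51.100.7', 'event' => 'sql_injection_url', 'time' => $now - 120 );
$rows[] = array( 'ip' => '203.0.113.9',  'event' => 'error_404_php',     'time' => $now - 600 );
$rows[] = array( 'ip' => '192.0.2.44',   'event' => 'login',             'time' => $now - 3000 );

foreach ( aggregate_threat_levels( $rows, $MALICIOUS_WEIGHTS ) as $ip => $agg ) {
    printf( "%-14s events=%-3d malicious=%-3d score=%-4d level=%s\n",
        $ip, $agg['events'], $agg['malicious'], $agg['score'], $agg['level'] );
}
// 61 malicious events in the window: below the default 200-in-30-minutes threshold,
// but above a lower threshold of 50 passed explicitly.
var_dump( malicious_alert_due( $rows, $MALICIOUS_WEIGHTS, $now ) );
var_dump( malicious_alert_due( $rows, $MALICIOUS_WEIGHTS, $now, 50 ) );
```

The point of weighting by event type rather than counting raw events is that a single SQL injection probe should outrank a handful of 404s, while a long run of failed logins should still climb to a ban-worthy level on volume alone. Whatever thresholds are used, review the high-level IPs before banning them: a shared NAT address or a corporate proxy can accumulate failed logins from many legitimate users.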

Other Plugin Features Included

User accounts registration control

Registration control filters for User Agent and Email

Save user last activity time and page

WordPress toolbar Security Menu

Change ‘admin’ username if exists

Change any username

Export and Import settings

Support for Multisite WordPress mode

System and WordPress Requirements

WordPress 4.0 or newer

PHP 5.3 or newer

Apache Web Server (for .htaccess based tweaks and tools)

Access to .htaccess file (if not, you need to manually add changes to it)

Addons for Smart Security Tools
These addons are not included with the plugin, they need to be purchased separately.

Include additional URL and user agent filters and scanners to detect and stop various malicious attempts and potential vulnerability exploits.

Add reCAPTCHA protection to various WordPress forms and third party popular plugins. You can also log failed attempts and ban users that fail the test repeatedly.

Take control over login attempts, and limit the number of attempts or the use of restricted usernames from the same IP. This helps prevent malicious brute force login attacks.

Monitor live all security events logged by the Smart Security Tools using LIVE Events Monitor panel or by getting browser/desktop or website based notifications.

Documentation
The plugin package contains PDF user and developer guides inside the ‘docs’ directory. Check these documents for information on plugin options, usage and more.

Disclaimers

Support for the Apache 2.4 .htaccess format is still experimental, so make sure you back up .htaccess and test everything to make sure all is OK.

For .htaccess based tweaks and tools plugin supports only Apache (and LiteSpeed) web servers. If you use some other web server, you can only use other plugin features.

Make sure you read plugin documentation and all the information provided by the plugin for each tweak and tool.

Make sure you back up the .htaccess file every time you change plugin settings for .htaccess tweaks, and test the changes you make!

If you make changes to blacklist .htaccess tweaks, or list of IP’s to ban, be careful with those changes, or you can even lock yourself out of the website.

You are using Smart Security Tools for WordPress at your own risk.

Changelog
Version 3.5 / 2016.05.16.

Added: Integration with Project Honeypot

Added: Ban IP’s based on Project Honeypot threat level

Added: Events log shows Project Honeypot threat level for each IP

Added: Banned IP’s log shows Project Honeypot threat level for each IP

Added: New .htaccess tweak to set Strict-Transport-Security header

Added: New tweak to set X-Content-Type-Options header

Added: New tweak to set X-Frame-Options header

Added: New tweak to set X-XSS-Protection header

Added: New tweak to set Strict-Transport-Security header

Added: New tweak to remove X-Powered-By header

Added: GeoPlugin service to replace FreeGeoIP

Added: Action run after event is added to the events log

Deleted: WordPress versions prior to 4.0 are no longer supported

Fixed: Use of invalid constant for some of the tweaks

Version 3.3 / 2016.03.08.

Added: New .htaccess tweak to set X-Content-Type-Options header

Added: New .htaccess tweak to set X-Frame-Options header

Added: New .htaccess tweak to set X-XSS-Protection header

Added: New .htaccess tweak to remove X-Powered-By header

Added: Event for banned IP access attempt

Improved: Changed order of adding some of the .htaccess tweaks

Improved: Rewritten function to get current url to rely on WordPress

Improved: Minor changes to the plugin initialization process

Improved: Minor update for username changing tool function

Improved: Loading of the translation file if available

Fixed: Minor issue with events log attempt to log missing event

Fixed: Minor issue registration filter check of missing user agent

Fixed: In Multisite mode sends duplicated notifications

Fixed: Some minor styling issues on the admin side

