Everyone is always trying to stop hackers, with WordPress plugins, or 3rd party services – and the hacks still get in (and plugins are a hassle to maintain).
Have you ever noticed your WordPress only got hacked when you weren’t watching ? How did they get in anyway ? And how did they write all those hacked files into my web folders ?
Have you ever thought – why does the hosting company, the web server, and WordPress all allow the hackers to write hacking files to your website folders ?
Wouldn’t it be a boat load easier if they were never allowed to write anything to the filesystem/disk.
That’s what this plugin does. Locks up all the web requests in a ‘read only jail’.
It’s like you lock your house before you leave. But if you dead-lock the doors – even if theives break in – it’s hard for them to steal stuff. This plugin is kind of like a dead bolt – it doesn’t necessarily stop the hacks – but it does stop them defacing the WordPress files and filesystem.
You need write access for things like :
But when you’re not updating your WordPress you don’t need all that stuff, so how about we make it a readonly jail.
The idea behind it is that anonymous web request might be hackers – and we should restrict what they can do (hence the ‘jailed’ term). We put hackers in a jail, before they even start hacking.
Instead – this plugin denies ALL writes to the filesystem (disk) if a web user is not logged in. So if you’re a hacker, and not logged in, your edits to files will be denied by the linux kernel.
The instant you login, you get the standard read/write access to the filesystem.
The plugin isn’t guaranteed to block all hacks, but it’s likely to stop almost all hacks.
It has zero impact on performance – it doesn’t even check if each request is a hack. It assumes everything is bad, and puts them in a ‘read only jail’. The jail will just deny all writes to the filesystem. If you login, you get out of that jail.
This is immediately available to all our customers free of charge, and it deploys instantly, and is immediately effective.
If you want to know what writes were made to your filesystem recently, try this : find www/ -mtime -1 (that will show a list of files in your www folder that are newer(or newly edited) in the last 1 day. If you see a bunch of stuff, perhaps you need some changes before enabling the plugin.
It seems compatible with woo commerce, and most common plugins.
I am going to develop it to a ‘total lock out’ solution. So even the WordPress admin is locked out from writes – unless they log into cpanel and disable the lock out. This will be perfect for WordPress websites that rarely get updates – just put the WordPress website on total lock out for months – until you need to make changes.
This edition is our first cut, and support a ‘lite’ feature of detecting the WordPress login. A sophisticated hacker could fake that. Most hacks are automated, and this will stop those automated hacks in their tracks. We can easily add stronger measures later, like 2 factor authentication – via a password, or a key we SMS you, or by storing a cookie on trusted PCs.By Scott Farrell on April 21st, 2016