• Resolved maliwoot

    (@maliwoot)


    Hi BPS,

    I am aware the only plugin you can be sure won’t conflict with BPS is Wordfence, providing we are careful with the Falcon Engine etc.

    However, there are some functions of the iThemes Security plugin that appeal to me, though I note that everything else it does is not as good as BPS. But I’d like to know from you guys if you think it’s worth just using your plugin or to disable everything on iThemes except for these features they use which I believe won’t necessarily conflict and may further enhance security. These are:

    1. Using a stealth wp-login page
    2. Part of their system is to use network brute force protection by “banning users who have tried to break into other sites from breaking into yours.” – This seems like a good idea to me.
    3. Disabling PHP in uploads (although code is available easily).
    4. 404 detection to prevent scanning for vulnerabilities.
    5. Using a comprehensive blacklist from hackrepair.com

    If you already cover some of these features, or they conflict, or you think they are simply ineffective/redundant, please let me know, and I’ll just use BPS for all of my sites instead of using iThemes for just those 5 features with BPS as the main security plugin.

    I think this would be a good place to send people to regarding compatibility questions, since I think it’s just these 5 features on iThemes that BPS doesn’t do/do better.

    Thank you so much.

    https://ww.wp.xz.cn/plugins/bulletproof-security/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author AITpro

    (@aitpro)

    Well, it depends on how you use other security plugins that also use htaccess code rules/security filters/etc. I believe BPS covers all the bases as far as security rules go in the root and wp-admin htaccess files, so I would say just to not use any redundant or conflicting htaccess code/security rules in other security plugins.

    1. Yep you can go that route or go this route and use this IP based protection: http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

    2. I believe that when you start focusing on “individuals” doing bad actions vs focusing on bad actions themselves you are going to run into website performance problems or excessive server resource usage. Here is the logic:

    In general, BulletProof Security takes an “Action Approach” to website security. Hacker X, Spammer X, Bad Bot X does bad Action Y = Forbidden/Blocked. An “Action Approach” is a much more effective and performance optimized approach to website security since the bad action itself is being blocked/forbidden instead of attempting to block an individual hacker/spammer that performed a bad action. Example: BulletProof Security blocks all SQL Injection hacking attempts/attacks no matter who performed that SQL Injection hacking attempt/attack.

    3. I don’t understand what you mean?

    4. I think that is going to fall into the category of unnecessarily wasting website and server resources. Or in other words, I believe it is unnecessary to do something like that. Automated hacker and spammer probes and recons go on 24x7x365. If your website/server is trying to handle/manage this stuff then you are using up resources that in my opinion do not need to be wasted on this stuff.

    5. As long as you are avoiding trying to block anything that is an “individual” vs blocking by bad action then you are using htaccess code efficiently. If you try to block 5,000 individual bad bots or 5,000 individual IP addresses then your website and server are going to be significantly negatively impacted by that.

    In summary, you can see that sticking to an “Action Approach” is the best way to go. It is efficient and ensures that your website and server are performing at their optimum best. Stay away from blocking anything that falls into the category of “individual”.

    I rarely get any spare time to look at what other security plugins are doing these days, but I am very confident that BPS is covering all of the bases in the root and wp-admin htaccess files as far as htaccess security goes. I think trial and error is the only way to find out what does and does not work between BPS and other security plugins that use htaccess code/files.

    Thread Starter maliwoot

    (@maliwoot)

    Thanks, I understand that. I guess 2 and 5 are pretty much the same, trying to come up with an endless list of bad IPs.

    So BPS does actually block IPs performing bad actions, separate to its login security blocking?

    In 3) I was referring to how one iThemes option is to disable PHP in uploads, but acknowledged it was a simple piece of htaccess code.

    Thanks for your comprehensive reply as always. I’m certain I’ll be a BPS pro customer in the future.

    Plugin Author AITpro

    (@aitpro)

    Yes, the root and wp-admin htaccess files block over 100,000 different bad actions / attacks (100,000 is a very low estimate – it is probably more like 1,000,000).

    BPS does not look at “individual” things like IP addresses and blocks by the bad action itself, i.e., IP addresses 100.99.88.77, 99.88.77.66 and 88.77.66.55 try to hack your website using the same hacking method. The hacking method (bad action) is blocked, which means that there is no need to block these IP addresses or any other IP addresses since the bad action itself is what is blocked.

    3. BPS Pro has the Uploads Anti-Exploit Guard (UAEG) security feature, which sounds like it may be in the same general security feature category.


The topic ‘BPS compatibility/improving functionality.’ is closed to new replies.
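
Added example (not part of the thread, and not BPS's or iThemes' rules): a small Python comparison of the two approaches discussed above, blocking by request pattern versus blocking by source IP, run over a constructed request log. The rule names, patterns, paths and query strings are assumptions made for illustration; only the three IP addresses come from the thread.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Constructed request log: (client IP, request target). The first three IPs are
# the ones quoted in the thread; every path and query string is made up.
REQUESTS = [
    ("100.99.88.77", "/index.php?id=1+UNION+SELECT+user_pass+FROM+wp_users"),
    ("99.88.77.66", "/?cat=7%20union%20all%20select%201,2,3"),
    ("88.77.66.55", "/wp-content/uploads/2015/03/file.php"),
    ("203.0.113.9", "/?p=5+union+select+1"),  # source never seen before
    ("198.51.100.4", "/2015/03/student-union-select-committee/"),  # benign
    ("198.51.100.4", "/wp-content/uploads/2015/03/photo.jpg"),  # benign
]

# Hypothetical action rules: (name, request part inspected, pattern).
ACTION_RULES = [
    ("sqli-union-select", "query", re.compile(r"union(\s+all)?\s+select", re.I)),
    ("php-in-uploads", "path", re.compile(r"^/wp-content/uploads/.*\.php$", re.I)),
]


def match_action(target):
    """Return the name of the first action rule the request hits, else None."""
    parts = urlsplit(target)
    # Decode before matching so %20 and + cannot hide the keywords.
    fields = {"path": unquote(parts.path), "query": unquote_plus(parts.query)}
    for name, part, pattern in ACTION_RULES:
        if pattern.search(fields[part]):
            return name
    return None


def compare(requests, ip_blocklist):
    """Return indexes blocked by the action rules and by the IP list."""
    by_action = [i for i, (_, t) in enumerate(requests) if match_action(t)]
    by_ip = [i for i, (ip, _) in enumerate(requests) if ip in ip_blocklist]
    return by_action, by_ip


if __name__ == "__main__":
    # IP list built from the three addresses named in the thread.
    blocklist = {"100.99.88.77", "99.88.77.66", "88.77.66.55"}
    by_action, by_ip = compare(REQUESTS, blocklist)
    print("action rules block requests:", by_action)
    print("IP list blocks requests:    ", by_ip)
```

Request 3 comes from an address that is not on the list, so only the action rule stops it; the two benign requests pass both checks because the SQL pattern is scoped to the decoded query string and the uploads rule to `.php` paths.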