Hardening Question
-
Hi, so I did the “hardening” per your documentation and all is well except the plugin still has the “recommendations” on the right of the dashboard saying I still need to do all the hardening.
Does that mean I didn’t do it right, or does the plugin need to do a check again? How would one force the plugin to check again?
Thank you!
-
I did the “hardening” per your documentation and all is well except the plugin still has the “recommendations” on the right of the dashboard saying I still need to do all the hardening.
The plugin stores the results of the scan for several hours in a cache.
Does that mean I didn’t do it right, or does the plugin need to do a check again?
You can check if your website has the correct security headers using this tool [1]. If you can see the HTTP headers recommended by Sucuri and other security experts, then you’ll just need to wait a few hours for the automatic refresh of the scan.
How would one force the plugin to check again?
- Go to the plugin settings page,
- Locate the “Data Storage” panel,
- Select a file called “sucuri-sitecheck”,
- Click the delete button at the end of the table.
- Go to the plugin dashboard once again.
- Done
The plugin will basically delete this file [2], which you can also delete yourself using the file manager available in your hosting panel. The plugin will detect that the file doesn’t exist (which is where it stores the scan results) and request a new scan from Sucuri SiteCheck.
Let me know if you need more information.
[1] https://securityheaders.com/
[2] /wp-content/uploads/sucuri/sucuri-sitecheck.php
-
Absolutely fantastic answers yorman! Thank you for the quick and very detailed reply! That security headers site sure helps a lot and lets me know that yes, I did set things up right. However, I got a “C” as a rating for my site. Then it suggested the following in order to get an A:
Strict-Transport-Security HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value “strict-transport-security: max-age=31536000; includeSubDomains”.
Content-Security-Policy Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
Referrer-Policy Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
Feature-Policy Feature Policy is a new header that allows a site to control which features and APIs can be used in the browser.
Guess my final question is, are you guys looking to add these into your plugin (for checking/how-to’s) like you did with the others?
Last question, I know some plugins mess with the .htaccess file, but with yours we have to do it manually. This is a problem for me as a web designer with quite a few sites, since I now have to manually alter the .htaccess file on all of them to tighten up security. Will your plugin ever have a button that can inject the code automatically? That would be VERY nice.
Thank you again!!
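The four headers listed in the post above can be checked offline against the values the thread quotes, and the same check can emit the Apache `Header` directives that would otherwise be pasted into .htaccess by hand. The script below is an added example, not code from the thread or from the Sucuri plugin; the only value taken from the thread is the recommended HSTS value, while the baseline values used for the other three headers (the placeholder CSP, the Referrer-Policy and Feature-Policy values) and the sample response are the editor's assumptions, constructed for illustration.

```python
"""Audit an HTTP response head for the four headers recommended in the thread
(HSTS, CSP, Referrer-Policy, Feature-Policy) and print Apache mod_headers
directives for whatever is missing or weaker than recommended.

Added example, not the Sucuri plugin's code. Except for the HSTS value quoted
in the thread, the DEFAULTS below are assumed baselines to be tuned per site.
"""
import re
from typing import Dict, List

# Minimum max-age taken from the recommended value quoted in the thread.
HSTS_MIN_MAX_AGE = 31536000

# Assumed baseline values (only the HSTS one comes from the thread).
DEFAULTS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",  # placeholder; tighten per site
    "referrer-policy": "strict-origin-when-cross-origin",
    "feature-policy": "geolocation 'none'; camera 'none'; microphone 'none'",
}

# Constructed sample response head for demonstration (not a real site's output).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=300
"""


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Parse a response head (status line plus header lines) into a lowercase-name dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(value: str) -> List[str]:
    """Compare an HSTS value with the thread's recommendation; return a list of problems."""
    problems: List[str] = []
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m:
        problems.append("missing max-age")
    elif int(m.group(1)) < HSTS_MIN_MAX_AGE:
        problems.append(f"max-age {m.group(1)} below {HSTS_MIN_MAX_AGE}")
    if "includesubdomains" not in value.lower().replace(" ", ""):
        problems.append("missing includeSubDomains")
    return problems


def audit(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each recommended header to its findings; an empty list means it passes."""
    findings: Dict[str, List[str]] = {}
    for name in DEFAULTS:
        if name not in headers:
            findings[name] = ["missing"]
        elif name == "strict-transport-security":
            findings[name] = check_hsts(headers[name])
        else:
            findings[name] = []  # present; value review is left to the webmaster
    return findings


def htaccess_fixes(findings: Dict[str, List[str]]) -> str:
    """Emit 'Header always set' lines for failing headers, for review before use in .htaccess."""
    lines = []
    for name, problems in findings.items():
        if problems:
            canonical = "-".join(part.capitalize() for part in name.split("-"))
            lines.append(f'Header always set {canonical} "{DEFAULTS[name]}"')
    return "\n".join(lines)


if __name__ == "__main__":
    result = audit(parse_raw_headers(SAMPLE_RESPONSE))
    for header, problems in result.items():
        print(f"{header}: {'OK' if not problems else ', '.join(problems)}")
    print("\n# suggested .htaccess additions (mod_headers):")
    print(htaccess_fixes(result))
```

Two caveats before pasting the output into a live .htaccess: HSTS should only be set on responses served over HTTPS, and the placeholder `default-src 'self'` will block the inline scripts and third-party assets that most WordPress themes and plugins rely on, which is exactly why the reply below says a CSP feature needs a per-site whitelist table rather than a fixed value.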
Guess my final question is, are you guys looking to add these into your plugin (for checking/how-to’s) like you did with the others?
I will have to talk with the rest of the engineering team at Sucuri before I can start working on the addition of the other security headers. Some of them are quite tricky to use without having a good understanding of their individual purpose.
Content-Security-Policy, for example, requires the implementation of a table to allow the webmaster to whitelist the domains that are required to render external assets like CSS, JavaScript, Images, Videos, etc.
Feature-Policy is quite new [1] and as of today only Google Chrome and Safari support it [2]. The specification shows that it uses the same mechanism as CSP to whitelist domains to allow the execution of browser features, so we would need to implement another table to allow the webmaster to configure this setting as well.
I will prepare a document with a justification for each HTTP header and hope that the proposal gets approved to start working on the code. Thank you for the suggestion.
[1] https://wicg.github.io/feature-policy/
[2] https://caniuse.com/#search=feature%20policy
-
No problem. The way I see it as a man that is trying to keep his sanity with a lot of sites, it’s all about tightening security across the board in any way. Hopefully those new policies will do the trick. Thanks again for your help!
The topic ‘Hardening Question’ is closed to new replies.