• Resolved yass45

    (@yass45)


    Hello,

    I have read your post Securing WordPress with a Web Application Firewall and I have some questions:

    1. If I don’t want to connect to my site using its IP address, is it recommended to disable HTTP requests with an IP in the HTTP_HOST header?

    About HSTS:
    2. Do you recommend adding my site to https://hstspreload.appspot.com/?
    3. Do you recommend setting the value to 1 month, and is there any problem with setting this value to 6 months (or 1 year)?
    4. What is the difference between max-age=“0” and “No” in the field (in the plugin)?
    5. If my web hosting provider has already implemented HSTS on my website, will there be a conflict if I enable HSTS in NinjaFirewall?

    6. Why can’t I force HTTPS for admin and login? (The button is locked on “No”.)

    7. I don’t understand why, by default, scanning HTTP_REFERER is disabled. If someone clicks a link to my site from a page whose name could be considered a threat, isn’t it safer to block that?

    8. File Guard alerts me only if someone accesses a file created/modified less than X hour(s) ago, but can you confirm that it doesn’t alert me when the file is created, or if the file (if it’s executable) is called from a clean file?

    9. Do you recommend installing a malware/virus/… scanner (without uninstalling NinjaFirewall), or is the FileScan enough?

    10. Finally, why can’t I find rule 531 in the rules editor?

    Thank you

    • This topic was modified 6 years, 4 months ago by yass45.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author nintechnet

    (@nintechnet)

    1. If you don’t connect to your site using its IP address, it is better to enable the policy because it will block many bots.
    2. I have never heard of this site, so I can’t tell.
    3. One month is fine for a start.
    4. max-age=0 will tell the browser to reset the settings. “No” will disable the header.
    5. No need to enable it in NinjaFirewall if it is already enabled elsewhere.
    6. Oddly, WordPress will enable FORCE_SSL_ADMIN automatically if you connect over HTTPS.
    7. Even if it “looks like a threat”, it isn’t one. I prefer to sanitise it instead; that won’t block visitors.
    8. It has to be called by someone or by an external script, i.e., it must be an HTTP request.
    9. File Check will monitor any changes; I don’t see the need for another scanner.
    10. Rules 5xx are some firewall policies. 531 is “Firewall Policies > Intermediate Policies > Block suspicious bots/scanners”.
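
    As an added example (not NinjaFirewall’s own code, and not part of the original post), the PHP sketch below shows two of the points above concretely: what an HSTS setting of “No”, max-age=0 or N months puts on the wire, and a check for the point-1 policy of rejecting requests whose Host header is an IP literal rather than a name. The function names, the numeric form of the setting (months as a string) and the sample hosts are assumptions for illustration.

```php
<?php
// Added example, not NinjaFirewall code. Function names and the setting format
// (months as a numeric string, "No" to disable) are hypothetical.
declare(strict_types=1);

const SECONDS_PER_MONTH = 30 * 24 * 60 * 60; // 2592000; one month is 2592000 seconds

/**
 * Build the Strict-Transport-Security value for a plugin-style setting.
 *
 * "No"          -> null: no header is sent. Browsers that already cached an HSTS
 *                  entry for this host keep enforcing HTTPS until it expires.
 * "0"           -> "max-age=0": browsers drop their cached HSTS entry at once.
 * "1", "6", ... -> max-age in months, optionally with includeSubDomains.
 */
function hsts_header_value(string $setting, bool $includeSubdomains = false): ?string
{
    if (strcasecmp($setting, 'no') === 0) {
        return null;
    }
    $months = filter_var($setting, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($months === false) {
        throw new InvalidArgumentException("Unsupported HSTS setting: $setting");
    }
    $value = 'max-age=' . ($months * SECONDS_PER_MONTH);
    if ($months > 0 && $includeSubdomains) {
        $value .= '; includeSubDomains';
    }
    return $value;
}

/** Emit the header if the setting calls for one (only meaningful on an HTTPS response). */
function send_hsts(string $setting): void
{
    $value = hsts_header_value($setting);
    if ($value !== null && !headers_sent()) {
        header('Strict-Transport-Security: ' . $value);
    }
}

/**
 * True when the Host header is an IP literal, with or without a port:
 * "203.0.113.10", "203.0.113.10:8443", "[2001:db8::1]", "[2001:db8::1]:443".
 * A site that is only ever reached by name can reject these; address-range
 * scanners typically send the bare IP as Host. Unbracketed IPv6 is not a valid
 * Host value and is deliberately not matched.
 */
function host_is_ip_literal(string $host): bool
{
    $host = trim($host);
    if ($host === '') {
        return false;
    }
    if ($host[0] === '[') {                       // bracketed IPv6, optional port
        $end = strpos($host, ']');
        if ($end === false) {
            return false;
        }
        $inner = substr($host, 1, $end - 1);
        return filter_var($inner, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;
    }
    $parts = explode(':', $host, 2);              // IPv4, optional port
    return filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Demo over constructed inputs.
foreach (['No', '0', '1', '6'] as $setting) {
    $v = hsts_header_value($setting, true);
    printf("setting %-3s -> %s\n", $setting, $v === null ? '(header not sent)' : "Strict-Transport-Security: $v");
}
foreach (['example.com', 'example.com:443', '203.0.113.10', '203.0.113.10:8443', '[2001:db8::1]:443'] as $host) {
    printf("Host %-20s block=%s\n", $host, host_is_ip_literal($host) ? 'yes' : 'no');
}
```

    The practical difference behind point 4: if you ever need to back out of HSTS, send max-age=0 for a while; simply switching the header off leaves browsers forcing HTTPS until their cached max-age runs out. The Host check would sit before WordPress loads, which is also why File Guard (point 8) can only see accesses that arrive as HTTP requests handled by PHP. WordPress’s own switch for point 6 is define('FORCE_SSL_ADMIN', true); in wp-config.php.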

    Thread Starter yass45

    (@yass45)

    8. Ah, OK, so an HTTP request is necessary? The “hacker” can’t call the file as if he were in the file system?

    9. Not even NinjaScanner?

    Thank you very much for your answers.

    Plugin Author nintechnet

    (@nintechnet)

    8. Only an HTTP request, because it must go through the PHP interpreter which will load NinjaFirewall.
    9. An antivirus isn’t really needed unless you were hacked and need to check all files. If your site is clean, File Guard and File Check will monitor it.

    Thread Starter yass45

    (@yass45)

    OK, thank you for your answers.


The topic ‘Securing the WAF’ is closed to new replies.