Smart Security Tools is a powerful plugin for improving the security of your WordPress powered website. The plugin contains a collection of tweaks and tools for extra security protection, along with a Security Advisor that can help you determine what needs to be done.
The plugin integrates the VirusTotal and Sucuri free security scanners (showing malware on the website and blacklisting status on major security related websites). It also includes a database based Security Log that records different event types, which you can use to determine problems, potential attacks and exploits, IPs used for access, referers, user agents… You can ban IPs from the Security Log.
Security Advisor will help you get started
The plugin offers tips on what you need to improve on your website. Based on the status of the tips on this panel, the plugin calculates a security percentage. It is important to follow all recommended tips and as many of the optional tips as you need.
Collection of easy to use security tweaks
General tweaks are easy to set up, and many security issues can be solved directly with them. Some of these tweaks, if active, will also log security events into the database.
List of general tweaks
- Remove script and styles versions (v2.0)
- Prevent access to banned IP’s (v1.5)
- Prevent SQL injections
- Prevent too long URL’s
- Simple registration honeypot
- Remove errors from login screen
- Restrict username length
- Remove username from comments CSS classes
- Remove WordPress version
- Remove RSD link
- Remove WLW manifest link
- Disable XML-RPC
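Most of the general tweaks above map onto a handful of core WordPress hooks. The following is an added example written for this page, not the Smart Security Tools plugin's own code: the sst_example_ function names and the numeric limits (4 to 20 character usernames, 255-byte request URIs) are assumptions chosen for illustration. Saved as a file under wp-content/mu-plugins/, it activates on every request without further configuration.

```php
<?php
/*
Plugin Name: General security tweaks (added example)
Description: Illustrates how several "general tweaks" can be implemented with core WordPress hooks. Not the Smart Security Tools plugin's code; sst_example_ names and limits are assumptions.
*/

// Remove script and style versions: strip the ?ver= argument from enqueued
// asset URLs so they do not reveal the exact WordPress or plugin version.
function sst_example_strip_asset_version( $src ) {
    return remove_query_arg( 'ver', $src );
}
add_filter( 'script_loader_src', 'sst_example_strip_asset_version', 15 );
add_filter( 'style_loader_src',  'sst_example_strip_asset_version', 15 );

// Remove the WordPress version, RSD link and WLW manifest link from <head>.
remove_action( 'wp_head', 'wp_generator' );
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );

// Disable XML-RPC entirely (pingback and remote-publishing abuse surface).
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove errors from the login screen: one generic message instead of
// "invalid username" vs "incorrect password", which would confirm to a
// visitor which usernames exist.
function sst_example_login_error( $error ) {
    return 'Login failed. Please check your credentials.';
}
add_filter( 'login_errors', 'sst_example_login_error' );

// Restrict username length at registration (4 to 20 characters assumed).
function sst_example_username_length( $errors, $sanitized_user_login, $user_email ) {
    $len = strlen( $sanitized_user_login );
    if ( $len < 4 || $len > 20 ) {
        $errors->add( 'username_length', 'Username must be between 4 and 20 characters.' );
    }
    return $errors;
}
add_filter( 'registration_errors', 'sst_example_username_length', 10, 3 );

// Remove the username from comment CSS classes: WordPress adds
// "comment-author-{nicename}", which exposes login names in the page source.
function sst_example_comment_class( $classes ) {
    foreach ( $classes as $key => $class ) {
        if ( 0 === strpos( $class, 'comment-author-' ) ) {
            unset( $classes[ $key ] );
        }
    }
    return array_values( $classes );
}
add_filter( 'comment_class', 'sst_example_comment_class' );

// Prevent too long URLs: reject oversized request URIs before routing
// (limit of 255 bytes assumed). Priority 0 on init so it runs early.
function sst_example_reject_long_url() {
    if ( isset( $_SERVER['REQUEST_URI'] ) && strlen( $_SERVER['REQUEST_URI'] ) > 255 ) {
        wp_die( 'Request URI too long.', 'Bad Request', array( 'response' => 414 ) );
    }
}
add_action( 'init', 'sst_example_reject_long_url', 0 );
```

Named functions rather than closures are used so the file also runs on the PHP 5.2.4 minimum listed in the requirements. The remove_action calls work at plugin load time because WordPress registers those wp_head actions in default-filters.php before any plugin is loaded.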
Collection of powerful .htaccess enhancements
The most important security features are implemented using the .htaccess file in the WordPress root directory. This is available only for Apache (and LiteSpeed) based web servers.
List of .htaccess tweaks
- Deny POST requests using HTTP 0.9 or 1.0 (v2.2)
- Prevent WordPress installation directory browsing
- Disable the Server Signature on server error pages
- Deny all comments requests with no valid referer
- Prevent access to WordPress root system files
- Ban access to IP’s banned in Security Log
- Ban access to additional listed IP’s
- Limit body size of a single request and file upload size
- Prevent access to XML-RPC due to Pingback Vulnerability
- Disable Trace and Track request methods
- Blacklist Query Strings using listed rules
- Blacklist Request Strings using listed rules
- Blacklist User Agents using listed rules
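The .htaccess tweaks listed above correspond to ordinary Apache directives that a plugin writes into the root .htaccess. The following is an added example, not the Smart Security Tools plugin's own code: it builds a rule block for several of the listed tweaks and writes it with the core WordPress insert_with_markers() helper. The example.com host, the 10 MB body limit and the banned address 203.0.113.45 are placeholder assumptions, and Apache 2.2 Order/Deny syntax is used because that is what WordPress's own 2014-era rules rely on (Apache 2.4 needs mod_access_compat or Require directives instead).

```php
<?php
// Added example (not the plugin's own code): Apache directives for several of
// the .htaccess tweaks, generated in PHP and written between markers.
// Host, body limit and banned IP below are placeholder assumptions.

function sst_example_htaccess_rules( $site_host, $banned_ips ) {
    $lines = array(
        '<IfModule mod_rewrite.c>',
        'RewriteEngine On',
        '# Deny POST requests using HTTP 0.9 or 1.0',
        'RewriteCond %{REQUEST_METHOD} ^POST$',
        'RewriteCond %{THE_REQUEST} HTTP/(0\.9|1\.0)$',
        'RewriteRule .* - [F,L]',
        '# Deny comment posts with no valid referer',
        'RewriteCond %{REQUEST_METHOD} ^POST$',
        'RewriteCond %{REQUEST_URI} /wp-comments-post\.php$',
        'RewriteCond %{HTTP_REFERER} !^https?://(www\.)?' . preg_quote( $site_host ) . '/ [NC]',
        'RewriteRule .* - [F,L]',
        '# Disable TRACE and TRACK request methods',
        'RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$',
        'RewriteRule .* - [F,L]',
        '</IfModule>',
        '# Prevent directory browsing',
        'Options -Indexes',
        '# Disable the server signature on error pages',
        'ServerSignature Off',
        '# Limit request body size (10 MB assumed)',
        'LimitRequestBody 10485760',
        '# Prevent access to WordPress root system files',
        '<FilesMatch "^(wp-config\.php|php\.ini|\.htaccess|readme\.html|license\.txt)$">',
        'Order allow,deny',
        'Deny from all',
        '</FilesMatch>',
        '# Prevent access to XML-RPC',
        '<Files xmlrpc.php>',
        'Order allow,deny',
        'Deny from all',
        '</Files>',
    );
    if ( $banned_ips ) {
        $lines[] = '# Ban listed IPs';
        $lines[] = 'Order allow,deny';
        $lines[] = 'Allow from all';
        foreach ( $banned_ips as $ip ) {
            $lines[] = 'Deny from ' . $ip;
        }
    }
    return $lines;
}

// Write the rules between "# BEGIN marker" / "# END marker" lines so they
// can be updated or removed later without touching the rest of the file.
function sst_example_write_htaccess( $marker, $lines ) {
    $file = ABSPATH . '.htaccess';
    require_once ABSPATH . 'wp-admin/includes/misc.php';
    if ( file_exists( $file ) && ! is_writable( $file ) ) {
        return false; // caller should show the rules for the admin to paste manually
    }
    return insert_with_markers( $file, $marker, $lines );
}

$sst_example_rules = sst_example_htaccess_rules( 'example.com', array( '203.0.113.45' ) );
sst_example_write_htaccess( 'Smart Security Tools example', $sst_example_rules );
```

Two practical points when using a block like this. insert_with_markers() appends the block at the end of the file when the markers are not yet present, and Apache evaluates rewrite rules top down; since WordPress's own block ends with a [L] rewrite to index.php, the RewriteRule part of this block only fires for pretty-permalink requests if it sits above "# BEGIN WordPress" (the Options, ServerSignature, LimitRequestBody and Files directives are position independent). And, as the requirements section warns, a banned-IP list that contains your own address locks you out, so test changes from a second address or keep FTP access to the file.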
Security Logs to track security related events
The Security Log adds two database tables to log all sorts of security related events. For each event you get information about the user (or visitor), IP, user agent, referer and other event-dependent details that can help you track the sources of new security probes or attacks. You can ban IP addresses through the Security Log panel.
Analyze security logs for IP threat level
Since version 1.5 of the plugin, a new panel shows aggregated log results for individual IPs with an estimated threat level based on the number and type of logged events. This will help you decide whether an IP should be banned. Some of the logged actions are potentially malicious, and they are marked in the plugin settings.
List of events types logged by plugin
- Login / Logout / Login Error
- User Profile / Password Changed
- Registration / Registration Honeypot
- SQL Injection URL / Too Long URL
- Error 404 – PHP, Query, Web File, Media, Script
- Plugin Activated / Deactivated
- Access Robots.txt File
Additional log options to identify event source
- IP Geolocation
- IP WhoIS
Security emails notification system
The plugin can send daily and weekly digest emails with an overview of logged events and IPs. Some events can also generate email notifications. The most important notification is the malicious activity alert email, sent when the number of logged malicious events reaches a set number in a specified time period (the default is 200 events in the past 30 minutes).
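The per-IP threat level panel and the malicious activity alert described above both reduce to the same computation over the event log: weight each logged event by how suspicious its type is, aggregate per IP, and count malicious events inside a time window. The following is an added example written for this page, not the plugin's own code: the event type names, weights, level thresholds and the log rows are all constructed assumptions standing in for the plugin's settings and database tables, and the alert uses the 200 events / 30 minutes default quoted above. It runs stand-alone with the PHP CLI.

```php
<?php
// Added example (not the plugin's own code): per-IP aggregation of logged
// events with an estimated threat level, plus the "malicious events in a
// time window" alert check. Event names, weights, thresholds and the sample
// log rows are constructed assumptions.

// Weight per event type. Types the plugin can mark as potentially malicious
// get a higher weight; routine events such as login/logout count nothing.
$sst_example_weights = array(
    'sql_injection_url'     => 10,
    'registration_honeypot' => 8,
    'error_404_php'         => 6,
    'too_long_url'          => 5,
    'login_error'           => 3,
    'error_404_media'       => 1,
    'login'                 => 0,
    'logout'                => 0,
);

// An event type counts as malicious when its weight reaches this value.
define( 'SST_EXAMPLE_MALICIOUS_WEIGHT', 5 );

function sst_example_is_malicious( $type, array $weights ) {
    return isset( $weights[ $type ] ) && $weights[ $type ] >= SST_EXAMPLE_MALICIOUS_WEIGHT;
}

function sst_example_threat_level( $score ) {
    if ( $score >= 50 ) return 'high';
    if ( $score >= 10 ) return 'medium';
    if ( $score > 0 )   return 'low';
    return 'none';
}

// Aggregate log rows per IP: total events, malicious events, weighted score,
// distinct event types, and the resulting threat level.
function sst_example_aggregate( array $events, array $weights ) {
    $by_ip = array();
    foreach ( $events as $e ) {
        $ip = $e['ip'];
        if ( ! isset( $by_ip[ $ip ] ) ) {
            $by_ip[ $ip ] = array( 'events' => 0, 'malicious' => 0, 'score' => 0, 'types' => array() );
        }
        $weight = isset( $weights[ $e['type'] ] ) ? $weights[ $e['type'] ] : 1;
        $by_ip[ $ip ]['events']++;
        $by_ip[ $ip ]['score'] += $weight;
        if ( sst_example_is_malicious( $e['type'], $weights ) ) {
            $by_ip[ $ip ]['malicious']++;
        }
        $by_ip[ $ip ]['types'][ $e['type'] ] = true;
    }
    foreach ( $by_ip as $ip => $row ) {
        $by_ip[ $ip ]['types'] = array_keys( $row['types'] );
        $by_ip[ $ip ]['level'] = sst_example_threat_level( $row['score'] );
    }
    return $by_ip;
}

// Alert check: malicious events whose GMT timestamp falls inside the last
// $window seconds, compared against the configured threshold.
function sst_example_malicious_alert( array $events, array $weights, $now, $window = 1800, $threshold = 200 ) {
    $count = 0;
    foreach ( $events as $e ) {
        if ( $e['time'] >= $now - $window && sst_example_is_malicious( $e['type'], $weights ) ) {
            $count++;
        }
    }
    return array( 'count' => $count, 'alert' => $count >= $threshold );
}

// Constructed sample log (GMT unix timestamps, as the plugin stores them).
$now    = 1410998400; // 2014-09-18 00:00:00 GMT
$events = array(
    array( 'ip' => '198.51.100.7', 'type' => 'login',        'time' => $now - 3000 ),
    array( 'ip' => '198.51.100.7', 'type' => 'logout',       'time' => $now - 2900 ),
    array( 'ip' => '203.0.113.9',  'type' => 'login_error',  'time' => $now - 600 ),
    array( 'ip' => '203.0.113.9',  'type' => 'login_error',  'time' => $now - 590 ),
    array( 'ip' => '203.0.113.9',  'type' => 'too_long_url', 'time' => $now - 500 ),
);
// One scanner probing SQL-injection style URLs: 210 events in the last 10 minutes.
for ( $i = 0; $i < 210; $i++ ) {
    $events[] = array( 'ip' => '203.0.113.45', 'type' => 'sql_injection_url', 'time' => $now - 600 + ( $i * 2 ) );
}

foreach ( sst_example_aggregate( $events, $sst_example_weights ) as $ip => $row ) {
    printf( "%-14s events=%-4d malicious=%-4d score=%-5d level=%s\n",
        $ip, $row['events'], $row['malicious'], $row['score'], $row['level'] );
}
$alert = sst_example_malicious_alert( $events, $sst_example_weights, $now );
printf( "malicious events in last 30 min: %d, alert: %s\n", $alert['count'], $alert['alert'] ? 'yes' : 'no' );
```

With the constructed data the ordinary visitor 198.51.100.7 scores none, 203.0.113.9 (two failed logins and one over-long URL) lands on medium with a single malicious event, and 203.0.113.45 is high; 211 malicious events fall inside the 30 minute window, so the alert fires. Storing timestamps as GMT, as the plugin does since 2.2, is what makes the window comparison safe across server and site time zone settings.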
Other Plugin Features Included
- WordPress toolbar Security Menu
- Change ‘admin’ username if exists
- Change any username
- Export and Import settings
- Support for Multisite WordPress mode
System and WordPress Requirements
- WordPress 3.3 or newer
- PHP 5.2.4 or newer
- Apache Web Server (for .htaccess based tweaks and tools)
- Access to .htaccess file (if not, you need to manually add changes to it)
- For .htaccess based tweaks and tools, the plugin supports only Apache (and LiteSpeed) web servers. If you use some other web server, you can use only the other plugin features.
- Make sure you read the plugin documentation and all the information provided by the plugin for each tweak and tool.
- If you make changes to the blacklist .htaccess tweaks or the list of IPs to ban, be careful with those changes, or you can even lock yourself out of the website.
- You are using Smart Security Tools for WordPress at your own risk.
Addons for Smart Security Tools
Take control over login attempts and limit the number of attempts, or the use of restricted usernames, from the same IP. This can help prevent malicious brute-force login attacks.
Monitor all security events logged by Smart Security Tools live, using the LIVE Events Monitor panel or via browser/desktop or website based notifications.
Documentation
The plugin package contains PDF user and developer guides inside the ‘docs’ directory. Check these documents for information on plugin options, usage and more.
Version 2.2.1 / 2014.09.17.
- Fixed: Several admin side styling issues with WordPress 4.0
- Fixed: Invalid user check for loading of toolbar menu object
Version 2.2 / 2014.09.04.
- Added: Htaccess tweak to deny POST requests with HTTP 0.9/1.0 protocol
- Added: IP geolocation popup on the logs panels
- Added: IP geolocation library for expanded IP information
- Added: Datetime in database stored as GMT to avoid timezone issues
- Added: Show country flag for geolocated IP’s in logs
- Added: WordPress Toolbar menu for quick Security access
- Added: For each event log request method, protocol and host
- Updated: Many improvements for plugin addons integration
- Updated: Improved detection of Country and City for IP location
- Updated: SQL queries now use WordPress own esc_sql function
Version 2.1 / 2014.08.31.
- Added: Settings for creating IP whitelist
- Added: Log Event: User profile edited
- Added: Log Event: User password changed
- Added: Tool to remove rules added to .htaccess
- Updated: Many improvements for handling of plugin addons
- Updated: Few more admin UI visual updates and improvements
- Updated: Removed some obsolete core object code
- Fixed: SQL Injection tweak not logging full URL, only URI
Version 2.0 / 2014.08.20.
- Added: VirusTotal website URL and IP scanner
- Added: System for security related email notifications
- Added: Security log email notifications daily and weekly digests
- Added: Security log email alert for increased malicious activity
- Added: Tweak to remove scripts and styles versions
- Added: Htaccess tweak to prevent humans.txt query string scans
- Added: Htaccess tweak for additional 5G WordPress request strings
- Added: Background jobs for maintenance and notifications
- Added: Support for addons registration and handling
- Added: Events log detect country from logged IP
- Added: Events log display WhoIS information about logged IP
- Added: Events log shows current server IP in the sidebar
- Added: Log Event: Access to virtual Robots.txt file
- Added: Log Event: 404 Error with HTML or similar web files request
- Added: Log Event: 404 Error with media files request
- Added: Log Event: 404 Error with JS/CSS files request
- Added: Log Events: Plugin activated / deactivated
- Added: Log Events: Plugin network wide activated / deactivated
- Added: Registration honeypot tweak has option for IP ban action
- Updated: Improvements to the security log filtering
- Updated: Changes to some core code for addon usability
- Updated: Changes to available advisor optional options
- Updated: More code refactoring: actions and filters
- Fixed: Issue with some events log filtering values
- Fixed: Many admin side related small UI issues
- Fixed: Saving password used for failed login attempt
- Fixed: Registration honeypot tweak display issues