1 March 2020|IP Reputation, plugin, Threat, WordPress
WordPress has a good installation base, and for good reasons: ease of installation, ease of management and great support from a large community of users, to name a few.
Like any solution that is popular, it attracts interest from those wishing to find flaws, abuse and act maliciously against it.
WordPress has had a bad track record when it comes to security, largely down to issues with the framework allowing for poor security practices, be that through plugins, authentication or just poor site management.
One of the obvious targets for attack in any WordPress site is the wp-admin page. This is the main access point for the WordPress administrator. It goes without saying that such a powerful access point should be protected as much as possible, allowing real administrators access while preventing and detecting malicious activity.
Here at ThreatPoint we are often asked for advice on utilising our APIs in the best way: practical usage that solves problems, which is the reason we created our API ecosystem in the first place.
One such use case introduces IP reputation protection in the form of a WordPress plugin.
WordPress plugins allow developers to extend the WordPress installation for a large number of reasons, mainly around web development. However, we can also make use of this plugin framework to call our IP reputation REST API and protect the “most at risk” pages by adding IP reputation intelligence to the solution.
By adding the ThreatPoint-API plugin to WordPress, the WordPress solution is immediately able to call the ThreatPoint IP intelligence REST API.
Having this functionality available means that the WordPress solution can start to detect the following interactions:
- IP addresses from the Tor Network
- IP addresses shown as Proxy (Paid)
- IP addresses shown as Proxy (Free)
- IP addresses shown as VPN (Paid)
- IP addresses shown as VPN (Free)
- IP addresses that have shown malicious behaviour in the past
- IP addresses that are known to have been used by Nation State Actors
- IP addresses that are known to have been involved in Hacktivism
- Geo Location activity
- IP reputation across the IP consortium as reported by ThreatPoint's customers
By adding this information into the WordPress solution, a valuable layer of information is made available to the solution. The ThreatPoint IP reputation API returns a response with associated scores and risk indicators to the ThreatPoint plugin. Using this information, a decision can be made:
- Allow the request (continue as normal)
- Deny the traffic (stop the access)
- Redirect (provide information to the user)
- Step Up (ask the user for 2FA or similar)
The example below illustrates the point using WP-Admin as the protected URL.
- User requests URL access to wp-admin from a public IP address
- They are presented with the standard admin login page
All good, no change to the user experience.
In the background the ThreatPoint IP reputation API has responded with the risk score and action points. The ThreatPoint WordPress plugin has allowed the request to continue as the risk is low.
However, what if the risk is high?
- User requests access to wp-admin from an anonymous address
- The user is redirected to an information page
Now the WordPress site can react to the access request using the logic built into the ThreatPoint plugin and the information received from the ThreatPoint IP reputation REST API.
The decisions taken are configurable, to allow flexibility around what works for that site.
Blocking by country, as an example, is an especially popular decision point. All of the intelligence listed above is available to create the correct decision for the context of the site and user.
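The decision step described above can be sketched as a small policy function. This is an added example, not the ThreatPoint plugin's own code: the response field names (`country`, `risk_score`, `is_tor`, `is_vpn_free`, `is_malicious`), the 0-100 score scale, the thresholds and the ordering of actions by strictness are all assumptions made for illustration.

```php
<?php
// Added example. Field names and score scale are hypothetical, not ThreatPoint's schema.
const TP_RANK = ['allow' => 0, 'step_up' => 1, 'redirect' => 2, 'deny' => 3];

// Return whichever of two actions is stricter (ordering is an assumption).
function tp_stricter(string $a, string $b): string
{
    return TP_RANK[$b] > TP_RANK[$a] ? $b : $a;
}

// Map a reputation lookup result to an action. $rep is null when the lookup failed.
function tp_decide(?array $rep, array $policy): string
{
    if ($rep === null) {
        // Timeout or bad response: use the configured failure mode, never a silent allow.
        return $policy['on_lookup_failure'];
    }
    $action = 'allow';
    // Country blocking.
    if (in_array(strtoupper($rep['country'] ?? ''), $policy['blocked_countries'], true)) {
        $action = tp_stricter($action, 'deny');
    }
    // Category flags (Tor, proxy, VPN, past malicious behaviour, ...).
    foreach ($policy['category_actions'] as $flag => $flagAction) {
        if (!empty($rep[$flag])) {
            $action = tp_stricter($action, $flagAction);
        }
    }
    // Score thresholds.
    $score = (int) ($rep['risk_score'] ?? 0);
    if ($score >= $policy['deny_score']) {
        $action = tp_stricter($action, 'deny');
    } elseif ($score >= $policy['step_up_score']) {
        $action = tp_stricter($action, 'step_up');
    }
    return $action;
}

$policy = [
    'on_lookup_failure' => 'step_up',
    'blocked_countries' => ['ZZ'], // placeholder country code
    'category_actions'  => ['is_tor' => 'redirect', 'is_vpn_free' => 'step_up', 'is_malicious' => 'deny'],
    'step_up_score'     => 50,
    'deny_score'        => 80,
];
// Constructed sample lookup results, including a failed lookup.
$samples = [
    'residential, low risk' => ['country' => 'GB', 'risk_score' => 5],
    'tor exit'              => ['country' => 'DE', 'risk_score' => 40, 'is_tor' => true],
    'lookup failed'         => null,
];
foreach ($samples as $label => $rep) {
    echo $label, ' => ', tp_decide($rep, $policy), PHP_EOL;
}
```

The explicit `on_lookup_failure` setting matters for a page like wp-admin: if the reputation service cannot be reached, the site owner should choose whether to step up or deny rather than have the check disappear.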
Please contact firstname.lastname@example.org for more information about the ThreatPoint IP reputation WordPress plugin.