ForceField

Adds several layers of security to restrict access to common hacking attack vectors. By filtering requests in a more specific and intelligent way, ForceField allows permitted actions to continue unaltered, but blocks actions that are disallowed or not explicitly unauthorized.

ForceField is not a “firewall” – nor a replacement for a comprehensive security plugin, but rather is intended to complement and enhance your existing security measures, by adding some unique and innovative protection features not easily found elsewhere. These include:

• tokenizing and recording login/registration behaviour
• protecting whitelisted administrator and user roles
• restricting WordPress API access and endpoints
• tracking bot behavior and blocking repeat transgressors
• periodically checking for known vulnerabilities

Tokenized Protection

Easily reduce Brute Force Password attacks, SPAM Comments, Fake User Registrations and Sploggers! Adds a dynamic Javascript Token field to all common user action forms: Login, Registration (and optionally BuddyPress Registration), Blog Signup (Multisite only), Lost Password and Commenting. You can adjust the settings to apply to any or all of these, giving you more fine-grained control as needed.

Since the majority of bots do not have the capacity or time to recognize and process javascript fields, their attempts at access via these actions are instantly blocked – with repeat offender getting IP banned from further attempts. This gives seamless and invisible protection (without needing an annoying ReCaptcha field.)

Login Role Protection

A last line of defense against hackers who have managed to “somehow” create their own administrator account or escalate their user priveleges! Automatically block, notify by email, revoke role and/or demote to subscriber any “administrator” account that logs in who is not in an explicitly allowed list of verified administrator usernames. Goodbye escalated privelege attack!

API Protection

Adds several ways to restrict access to XML RPC and REST API features. While these can be disabled, there are several other options provided to severely limit bot and other unauthorized access while still being able to use these features as intended! Part of the aim of this plugin is to make these options available for everyone without needing to code them: Multiple request slowdown, disable XML RPC logins, logged in access only, restrict access to specified user roles, and require secure connection.

Behavioural Protection

ForceField also records access to user actions missing referer headers, missing or bad tokens, and other bad behaviours in a custom table. Reaching transgression limits for any specific action results in an IP ban. Transgression occurrences are reduced via cooldown over time, with old records expired and later deleted (with intervals adjustable.) This process keeps protection high for fresh attacks while keeping the database free of old record bloat. Also gives the option to output a form to banned IPs so users can unblock themselves manually in case of false positives (and so you don’t lock yourself out of your site!)

Vulnerability Check

Checks your installed core, plugins and themes for known vulnerabilities, according to the frequency you set for each. Then sends email alerts and provides an Admin Notice for any new vulnerabilities when they found, giving you a heads up on updates that require action. (Note: This feature is complete but currently being retested more extensively before being included in the plugin in an upcoming version. If you wish to test it out yourself beforehand, you can download the plugin from Github repository.)

ForceField Home
Support Forum
ForceField Home

Like this plugin? Check out more of our free plugins here:
WordQuest

Looking for an awesome theme? Check out my child theme framework:
BioShip Child Theme Framework

Support

For support or if you have an idea to improve this plugin:
ForceField Support Quests

Contribute

Help support improvements and log priority feature requests by a gift of appreciation:
Contribute to ForceField

Development

To aid directly in development, please fork on Github and do a pull request:
ForceField on Github