Adds several layers of security to restrict access to common hacking attack vectors. By filtering requests in a more specific and intelligent way, ForceField allows permitted actions to continue unaltered, but blocks actions that are disallowed or not explicitly unauthorized.
ForceField is not a “firewall” – nor a replacement for a comprehensive security plugin, but rather is intended to complement and enhance your existing security measures, by adding some unique and innovative protection features not easily found elsewhere. These include:
- tokenizing and recording login/registration behaviour
- protecting whitelisted administrator and user roles
- restricting WordPress API access and endpoints
- tracking bot behavior and blocking repeat transgessors
- periodically checking for known vulnerabilities
Login Role Protection
A last line of defense against hackers who have managed to “somehow” create their own administrator account or escalate their user privelages! Automatically block, notify by email, revoke role and/or demote to subscriber any “administrator” account that logs in who is not in an explicitly allowed list of verified administrator usernames. Goodbye escalated privelage attack!
Adds several ways to restrict access to XML RPC and REST API features. While these can be disabled, there are several other options provided to severely limit bot and other unauthorized access while still being able to use these features as intended! Part of the aim of this plugin is to make these options available for everyone without needing to code them: Multiple request slowdown, disable XML RPC logins, logged in access only, restrict access to specified user roles, and require secure connection.
ForceField also records access to user actions missing referer headers, missing or bad tokens, and other bad behaviours in a custom table. Reaching transgression limits for any specific action results in an IP ban. Transgression occurences are reduced via cooldown over time, with old records expired and later deleted (with intervals adjustable.) This process keeps protection high for fresh attacks while keeping the database free of old record bloat. Also gives the option to output a form to banned IPs so users can unblock themselves manually in case of false positives (and so you don’t lock yourself out of your site!)
Checks your installed core, plugins and themes for known vulnerabilities, according to the frequency you set for each. Then sends email alerts and provides an Admin Notice for any new vulnerabilities when they found, giving you a heads up on updates that require action. (Note: This feature is complete but currently being retested more extensively before being included in the plugin in an upcoming version. If you wish to test it out yourself beforehand, you can download the plugin from Github repository.)
ForceField Home Support Forum ForceField Home
Like this plugin? Check out more of our free plugins here: WordQuest
Looking for an awesome theme? Check out my child theme framework: BioShip Child Theme Framework
For support or if you have an idea to improve this plugin: ForceField Support Quests
Help support improvements and log priority feature requests by a gift of appreciation: Contribute to ForceField
To aid directly in development, please fork on Github and do a pull request: ForceField on Github