Rant about WordPress

It can be added to the zero trust authentication step though and anyway, there's always a way through any defence, no matter how hard, so I maintain that it can still be useful at the end server level.
Ya no doubt... but if someone has your credentials you are using for Cloudflare Zero Trust Network Access, you have much bigger problems to deal with, and a 2 second delay isn't going to help too much. ;)

One thing I would recommend is setting up your server firewall to only respond to Cloudflare IPs when traffic is coming in on port 80 or 443. At least then someone can't just bypass Cloudflare by hitting your server IPs directly. Kind of defeats the purpose of security if you can just sidestep it. Like I have a daily cron task that grabs Cloudflare IPs from here: https://www.cloudflare.com/ips-v4

...with that, it builds firewall rules so the firewall only allows traffic on port 80 or 443 from those blocks.

Then it's much more difficult for an attacker to bypass things... because they would also need to be originating inside Cloudflare's network.
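An added example (not code from anyone in this thread) of the kind of daily cron job described above: it turns Cloudflare's published IPv4 list (the URL quoted in the post) plus an assumed matching IPv6 list into an nftables ruleset that accepts TCP 80/443 only from those ranges, and refuses to install anything if a download comes back empty or malformed, so a failed fetch cannot lock the site out or open it to the world.

```shell
#!/bin/sh
# Added example: build and apply an nftables table that only lets
# Cloudflare's ranges reach TCP/80 and TCP/443. Assumes nftables and curl
# are installed; the IPv6 URL is assumed to follow the IPv4 one's pattern.
set -eu

CF_V4_URL="https://www.cloudflare.com/ips-v4"
CF_V6_URL="https://www.cloudflare.com/ips-v6"   # assumed, not quoted in thread

# Accept only tokens that look like "addr/prefix"; reject anything else so a
# corrupted or empty download never becomes a ruleset.
valid_cidr() {
  case "$1" in
    ""|*[!0-9a-fA-F:./]*|*/*/*) return 1 ;;
    */*) return 0 ;;
  esac
  return 1
}

# Read newline-separated CIDRs on stdin, print them as "a, b, c" for an nft set.
set_elements() {
  elems=""
  while IFS= read -r cidr; do
    [ -z "$cidr" ] && continue
    valid_cidr "$cidr" || { echo "bad entry: $cidr" >&2; return 1; }
    elems="${elems}${elems:+, }${cidr}"
  done
  [ -n "$elems" ] || { echo "empty list" >&2; return 1; }
  printf '%s' "$elems"
}

# Emit the ruleset from two CIDR lists (v4, v6) given as strings. The declare/
# delete/recreate prefix makes "nft -f" replace the table atomically, so stale
# ranges are dropped rather than accumulated. Other ports are untouched
# (policy accept); keep your existing SSH rules as they are.
build_ruleset() {
  v4=$(printf '%s\n' "$1" | set_elements) || return 1
  v6=$(printf '%s\n' "$2" | set_elements) || return 1
  cat <<EOF
table inet cf_origin {}
delete table inet cf_origin
table inet cf_origin {
  set cf4 { type ipv4_addr; flags interval; elements = { $v4 } }
  set cf6 { type ipv6_addr; flags interval; elements = { $v6 } }
  chain input {
    type filter hook input priority 0; policy accept;
    tcp dport { 80, 443 } ip saddr @cf4 accept
    tcp dport { 80, 443 } ip6 saddr @cf6 accept
    tcp dport { 80, 443 } drop
  }
}
EOF
}

# Cron entry point: "cf-origin.sh apply". Fetch, validate, then load.
if [ "${1:-}" = "apply" ]; then
  build_ruleset "$(curl -fsS "$CF_V4_URL")" "$(curl -fsS "$CF_V6_URL")" \
    > /tmp/cf_origin.nft && nft -f /tmp/cf_origin.nft
fi
```

After applying, the check mentioned later in the thread still applies: `curl -m 5 http://YOUR_SERVER_IP/` from outside Cloudflare should time out, while the site stays reachable through its hostname.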
 
You definitely can change the subdomain (but it's still for your Cloudflare account as a whole). If it's named after a XenForo installation, it's probably just the name you gave it when it first asked you the subdomain. Either way, the Team Domain can be changed at any time...
That is one complaint I have about CF--so many settings seem to be scattered in various places and for someone like me who does not spend much time there, I have to spend a lot of time trying to find where they've hidden something. I tend to set things up, test them, tweak until it works properly, then I'm done with it.

I've never seen that Team Domain setting or if I did at some point, it was probably a while ago and located in a different place.

I'll see what I can find for Team Domain on my account tomorrow...
 
It's under your Cloudflare account (account-level, before you pick a zone/domain) -> Zero Trust -> Settings -> Custom Pages

But ya... Cloudflare does a LOT of things. Easy to get lost sometimes.
 
I have to thank you for stuff like this...

One thing I would recommend is setting up your server firewall to only respond to Cloudflare IPs when traffic is coming in on port 80 or 443.

I learned more about how CF works from your posts, than by slogging through their documentation and forums. It just makes more sense the way you describe it. And I wish I'd known that link to their IPv4 addresses months ago when I needed it.

I keep my own servers tightened down quite a bit--SSH is limited to three IP addresses, for instance (my home Internet, and two other servers with fixed IP addresses I have access to in case my home IP ever changes). Since Cloudflare has gotten so robust since I first started using it several years ago, I have a lot of work ahead of me to further secure everything with the tools they have available.
 
Ya no doubt... but if someone has your credentials you are using for Cloudflare Zero Trust Network Access, you have much bigger problems to deal with, and a 2 second delay isn't going to help too much. ;)
Well yeah, that's true for any system. I'm talking about when they're trying to brute force it. Remember, I'm suggesting an escalating delay starting at 2 seconds, which is very effective at killing off brute force attacks.

One thing I would recommend is setting up your server firewall to only respond to Cloudflare IPs when traffic is coming in on port 80 or 443. At least then someone can't just bypass Cloudflare by hitting your server IPs directly. Kind of defeats the purpose of security if you can just sidestep it. Like I have a daily cron task that grabs Cloudflare IPs from here: https://www.cloudflare.com/ips-v4

...with that, it builds firewall rules so the firewall only allows traffic on port 80 or 443 from those blocks.

Then it's much more difficult for an attacker to bypass things... because they would also need to be originating inside Cloudflare's network.
When I was running my server on AWS, I did just that: ports 80 and 443 only. On top of that, when the server was brand new and hadn't been patched or configured yet, I set the firewall to only allow requests from my home IP, thereby insulating it from the outside world until it was ready for prime time.

Note that I've never used Cloudflare, so I don't know the specifics of its operation.
 
Well yeah, that's true for any system. I'm talking about when they're trying to brute force it. Remember, I'm suggesting an escalating delay starting at 2 seconds, which is very effective at killing off brute force attacks.
Right, but they can’t brute force anything without first getting access to your Google account (or whatever method you use for Zero Trust). As in the network packet never makes it to your server. I still don’t see the point of adding a 2 second delay if you are using Zero Trust.

It would be like only allowing your IP to get through your firewall and worrying about them brute forcing whatever it was they had to be on your IP to reach. But I guess whatever works… just seems like overkill to me. I suppose an attacker could break into your house to try and brute force your servers from your IP somehow… 🤷🏻‍♂️

Zero Trust makes it so network traffic (as in the underlying HTTP request) never even gets routed to your server unless it’s first authenticated.

 
I've also installed the WordPress plugin. Looks good so far. :)

I'd love a function to block login from endless brute force attempts. 2 tries per on admin accounts, before it switches IP and tries again. I already added turnstile to wp-login but somehow that doesn't stop them.
BTW I used a plugin to add CloudFlare turnstile to all login forms, including Elementor and gravity forms: It would make sense to have your plugin add it.

Using a different login URL stops this dead in its tracks.
 
Ya no doubt... but if someone has your credentials you are using for Cloudflare Zero Trust Network Access, you have much bigger problems to deal with, and a 2 second delay isn't going to help too much. ;)

One thing I would recommend is setting up your server firewall to only respond to Cloudflare IPs when traffic is coming in on port 80 or 443. At least then someone can't just bypass Cloudflare by hitting your server IPs directly. Kind of defeats the purpose of security if you can just sidestep it. Like I have a daily cron task that grabs Cloudflare IPs from here: https://www.cloudflare.com/ips-v4

...with that, it builds firewall rules so the firewall only allows traffic on port 80 or 443 from those blocks.

Then it's much more difficult for an attacker to bypass things... because they would also need to be originating inside Cloudflare's network.
Good posts - I enjoyed reading them.
Apparently, if someone knows your server's IP address, this is a way to (ab)use Cloudflare to make a DDoS attack, even if you block non-Cloudflare IPs on your hosting server:


Of course, this is extra hassle, and the security you describe is pretty damn good.

Relja - a WP site owner thinking to start with XenForo and move comments/discussions to a forum since WP sucks for that. :)
 
I agree, it probably is overkill and hence why not implemented. I'm just talking about in principle where perhaps the highest stakes secrets must be protected, like government military information for example.
The highest government secrets are definitely not on a public web server that script kiddies can try to brute force. In fact the biggest secrets are on computers without network capability at all (can’t even connect to a local network inside their own building). 😀
 
The highest government secrets are definitely not on a public web server that script kiddies can try to brute force. In fact the biggest secrets are on computers without network capability at all (can’t even connect to a local network inside their own building). 😀
Air gapped computers, indeed.
 
I cleaned up my firewall. In doing so, I realized I could get rid of the fail2ban rules I had for ports 80 and 443. Getting rid of complexity is a good thing. With 80 and 443 open only to Cloudflare, I verified by trying to visit one of the sites on this server with the IP address, and as expected it timed out.
 
I want to add a blog to my forum, so what is the best way to go about doing that? Thanks
If WordPress works for you, then it’s fine. I was just saying that I wouldn’t use it, but I also don’t have a need for a blog. If I did, I’d write something myself from scratch.
 