Last Updated: 2017-09-01 | pareto_security 1.7.8 | GNU Free Document... | 5.2.0 | PHP 5, Security
This class filters incoming requests to recognise malicious values and either returns a 403 Access Denied response (the default) or, optionally, also adds the offending IP address to the banned list in the root .htaccess file of the website.
=== Pareto Security ===
Contributors: te_taipo
Tags: wordpress security, hack, database security, xss, WAF, CRLF, CSRF, command injection, cross-site scripting, exploit, firewall security, hacked, hacker, injection, authentication bypass, local file inclusion, malware, phishing, rfi, remote file inclusion, scrapers, secure, secure login, security, SQL Injection, vulnerability, website security, wordpress
Requires at least: 4.0.1
Tested up to: 4.8.0
Stable tag: 1.7.5
Donate link: https://hokioisecurity.com
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
WordPress Core Security: Secure your website with real security.
== Description ==
= Pareto Security Features =
Had enough of the security theatre presented by the raft of Wordpress security plugins? Time to put a stop to the attacks!
Firstly, Wordpress and most other CMSs are built in PHP. PHP makes it very easy to write insecure code, and even easier in the hands of amateurs.
Wordpress has been plagued by plugins authored by amateurs that bring security vulnerabilities with them.
Wordpress users depend on the security skills of these third-party developers to validate all user input and to escape all output from their plugin code.
In many cases this is not done correctly, leading to vulnerabilities and often to websites being attacked, malware being installed and, in the worst cases, entire servers being taken over.
The Pareto Security class acts as a central security hub that checks all input from users.
Rather than relying on arbitrary blacklists, Pareto Security applies the principle of "Artificial Ignorance": it first discards the requests it knows are uninteresting, so that whatever remains must be worth examining.
The remaining inputs/requests are the most likely attempts to break the rules. They are tested against a list of rules, and requests that match are prevented from completing their action.
This acts as a temporary shield (virtual patching) for the period between a vulnerability being discovered in Wordpress or a third-party plugin, the fix being released, and you actually updating your Wordpress website.
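As an added illustration of the two-stage filtering just described (ignore known-benign input first, then test what remains against attack rules and either answer 403 or ban the address in .htaccess), here is a small stand-alone PHP class. It is example code written for this page, not Pareto Security's own implementation: the ignore patterns, the rule set, the severity policy, the `# BEGIN BannedIPs` marker block and the Apache 2.2 `deny from` syntax are all assumptions chosen for the demonstration, and the sample request is constructed.

```php
<?php
// Added example of an "artificial ignorance" request filter. Not Pareto
// Security's code: patterns, rules, severity policy, the marker block and
// the Apache 2.2 "deny from" syntax are assumptions for illustration.
declare(strict_types=1);

final class RequestFilter
{
    // Step 1: values of these shapes are known to be uninteresting and are
    // dropped before any attack rule is consulted.
    private const IGNORE = [
        '/^\d{1,10}$/',                                // post ids, page numbers
        '/^[a-z0-9][a-z0-9_-]{0,63}$/i',               // slugs and short tokens
        '/^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$/i',  // plain e-mail addresses
    ];

    // Step 2: rules applied only to what survived step 1. Severity picks the
    // response: "high" bans the client address, "medium" answers 403.
    private const RULES = [
        ['name' => 'sqli-union',      'severity' => 'high',   're' => '/\bunion\b[\s\/*]+select\b/i'],
        ['name' => 'sqli-tautology',  'severity' => 'high',   're' => "/'\s*(or|and)\s+'?\d/i"],
        ['name' => 'path-traversal',  'severity' => 'high',   're' => '/(\.\.[\/\\\\]){2,}/'],
        ['name' => 'php-wrapper-rfi', 'severity' => 'high',   're' => '/\b(php|data|expect|phar):\/\//i'],
        ['name' => 'xss-tag',         'severity' => 'medium', 're' => '/<\s*(script|iframe|object|svg)\b/i'],
        ['name' => 'xss-handler',     'severity' => 'medium', 're' => '/\bon(load|error|click|mouseover)\s*=/i'],
        ['name' => 'crlf-injection',  'severity' => 'medium', 're' => '/[\r\n]/'],
    ];

    /** @return array{action:string, matches:string[]} action is allow|deny|ban */
    public static function inspect(array $params): array
    {
        $matches = [];
        $worst = null;
        foreach (self::flatten($params) as $key => $value) {
            // $_GET/$_POST are already decoded once; decode again so that
            // double-encoded payloads such as %252e%252e%252f are seen as ../
            $value = rawurldecode($value);
            if (self::isIgnorable($value)) {
                continue;
            }
            foreach (self::RULES as $rule) {
                if (preg_match($rule['re'], $value) === 1) {
                    $matches[] = "{$rule['name']} in {$key}";
                    if ($worst === null || $rule['severity'] === 'high') {
                        $worst = $rule['severity'];
                    }
                }
            }
        }
        $action = $worst === 'high' ? 'ban' : ($worst === 'medium' ? 'deny' : 'allow');
        return ['action' => $action, 'matches' => $matches];
    }

    // Nested arrays (a[b][c]=...) are flattened so every leaf value is inspected.
    private static function flatten(array $params, string $prefix = ''): array
    {
        $out = [];
        foreach ($params as $k => $v) {
            $name = $prefix === '' ? (string) $k : "{$prefix}[{$k}]";
            if (is_array($v)) {
                $out += self::flatten($v, $name);
            } else {
                $out[$name] = (string) $v;
            }
        }
        return $out;
    }

    private static function isIgnorable(string $value): bool
    {
        foreach (self::IGNORE as $re) {
            if (preg_match($re, $value) === 1) {
                return true;
            }
        }
        return false;
    }

    // Adds $ip to a marked block at the top of .htaccess. Uses the Apache 2.2 /
    // mod_access_compat "deny from" form; on plain Apache 2.4 you would write
    // "Require not ip" inside a <RequireAll>. An exclusive lock keeps two
    // concurrent bans from interleaving their writes.
    public static function banIp(string $htaccess, string $ip): bool
    {
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            return false;                       // never write unvalidated text into a config file
        }
        $fh = fopen($htaccess, 'c+');
        if ($fh === false || !flock($fh, LOCK_EX)) {
            return false;
        }
        $content = (string) stream_get_contents($fh);
        $begin = "# BEGIN BannedIPs\n";
        $end   = "# END BannedIPs\n";
        if (strpos($content, $begin) === false) {
            $content = $begin . "order allow,deny\nallow from all\n" . $end . $content;
        }
        $line = "deny from {$ip}\n";
        if (strpos($content, $line) === false) {
            $content = str_replace($end, $line . $end, $content);
        }
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, $content);
        fflush($fh);
        flock($fh, LOCK_UN);
        fclose($fh);
        return true;
    }
}

// Constructed sample request, the equivalent of
//   GET /?p=12&s=%27+OR+1%3D1+--+&file=../../../../etc/passwd
$sample  = ['p' => '12', 's' => "' OR 1=1 -- ", 'file' => '../../../../etc/passwd'];
$verdict = RequestFilter::inspect($sample);
printf("%s: %s\n", $verdict['action'], implode('; ', $verdict['matches']));

if ($verdict['action'] !== 'allow') {
    // Use REMOTE_ADDR. X-Forwarded-For is attacker-controlled unless a trusted
    // proxy in front of you overwrites it; trusting it would let an attacker
    // get someone else's address banned.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.7';   // documentation address for the CLI demo
    if ($verdict['action'] === 'ban') {
        $htaccess = PHP_SAPI === 'cli' ? sys_get_temp_dir() . '/demo.htaccess' : __DIR__ . '/.htaccess';
        RequestFilter::banIp($htaccess, $ip);
    }
    http_response_code(403);
    exit('Forbidden');
}
```

Two points worth keeping when adapting this: the ignore list must describe shapes of input, not specific values, otherwise it degrades into the arbitrary blacklist the approach is meant to replace; and automatic bans should key on the socket address, never on proxy headers, because a spoofable header turns the ban list into a denial-of-service tool against other visitors.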
A Word on Security: Keeping any CMS as secure as possible is not easy. The very best thing you can do to prevent attacks is to always keep your website code, themes and plugins up to date, and remove any plugins and themes you are not using.
What Pareto Security cannot do (as with any Web Application Firewall) is save your website from badly written site, theme and/or plugin code, or from attacks that succeed because administrators do not follow basic security practices.
Pareto Security does not claim to prevent every PHP-related attack vector either. It does, however, attempt to do the job better than most addons/plugins that do claim to be the be-all and end-all of PHP security.
Pareto Security is written by an ex-attacker who intimately knows the mindset of attackers and therefore how to prevent them launching most attacks on Wordpress code.
Footnote 1: Wordfence file scanner may flag pareto_security.php as possibly malicious. You can safely add pareto_security.php to the Wordfence ignore list to prevent future messages.
== Installation ==
== Frequently Asked Questions ==
= Where can I get more information? =
Visit https://hokioisecurity.com/?p=17 or, using the Tor Browser, http://hokioisec7agisc4.onion/?p=17 for more information, including support requests.
= How can I contribute to the cause? =
Donations via Bitcoin to 1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
= Do you have an email contact? =
Email me at firstname.lastname@example.org
Other contacts: https://taipo.github.io/contact/
== Changelog ==
= 1.7.5 =
* Changed Cookie severity levels to High

= 1.7.4 =
* Fix to bug in log display

= 1.7.3 =
* Do not display Low severity in standard mode

= 1.7.2 =
* Fixed bug with logging when first installing Pareto Security

= 1.7.1 =
* Update blacklist
* Speed up of filtering
* Update to URL redirection
* New layout to logging

= 1.7.0 =
* Update to Bots list
* Now filters login attempts. If in advanced mode, will ban incorrect usernames