WordPress Firewall
The Dealers Site uses WP Simple Firewall (plugins/wp-simple-firewall/), now branded Shield Security, as its WordPress application firewall.
Key Security Layers
Login Protection
- Brute force lockout (configurable threshold, e.g., 5 failed attempts → 1-hour lockout)
- CAPTCHA on login page
- Username enumeration prevention (?author=1 requests blocked)
- Password strength enforcement
Firewall Rules
Automatic blocking of:
- SQL injection attempts in query parameters
- Common XSS attack patterns
- Directory traversal attempts
- PHP file inclusion attacks
- WordPress-specific vulnerability exploits
File Change Detection
- Monitors WordPress core, plugin, and theme files for unexpected changes
- Sends admin email alerts when file changes are detected
Vulnerability Scanner
- Periodically checks installed plugins and themes against the WPVulnDB database
- Reports vulnerable components in the admin dashboard
Audit Trail
- Logs all security events: logins, failed logins, settings changes, user creation, option updates
- Exportable for compliance review
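As an added example (not the plugin's own code), the Python below replays an exported audit trail against the lockout rule from Login Protection and flags any IP whose events kept arriving inside its lockout window, which is what you would see if that IP had been whitelisted. The log line format, addresses and usernames are constructed; the real export format differs.

```python
"""Replay an exported audit trail against the lockout rule above.
Added example, not plugin code; the log line format is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                 # failed attempts before lockout
WINDOW = timedelta(hours=1)   # failures older than this are forgotten
LOCKOUT = timedelta(hours=1)  # how long the IP stays locked out

# Constructed sample export: "<ISO timestamp> <ip> <event> <username>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 login_failed admin
2024-05-01T10:00:04 203.0.113.5 login_failed admin
2024-05-01T10:00:09 203.0.113.5 login_failed administrator
2024-05-01T10:00:15 203.0.113.5 login_failed wpadmin
2024-05-01T10:00:20 203.0.113.5 login_failed admin
2024-05-01T10:00:25 203.0.113.5 login_failed admin
2024-05-01T10:30:00 203.0.113.5 login_success admin
2024-05-01T10:05:00 198.51.100.7 login_failed editor
2024-05-01T10:06:00 198.51.100.7 login_success editor
"""

def parse(log_text):
    for line in log_text.splitlines():
        ts, ip, event, user = line.split()
        yield datetime.fromisoformat(ts), ip, event, user

def replay(log_text, threshold=THRESHOLD, window=WINDOW, lockout=LOCKOUT):
    """Return (lockouts, leaked): lockouts maps ip -> ISO time its lockout
    should have started; leaked lists events recorded while that IP should
    still have been locked out (the lockout is not enforced for it)."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    locked_until, lockouts, leaked = {}, {}, []
    for ts, ip, event, user in sorted(parse(log_text)):
        if ip in locked_until and ts < locked_until[ip]:
            leaked.append((ts.isoformat(), ip, event, user))
            continue
        if event != "login_failed":
            failures[ip].clear()  # a successful login resets the counter
            continue
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            locked_until[ip] = ts + lockout
            lockouts[ip] = ts.isoformat()
            q.clear()
    return lockouts, leaked
```

Run it against a real export after adjusting parse() to the plugin's column layout; any IP in the leaked list deserves a look at the whitelist.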
Configuration
WP Admin → Shield Security:
- Adjust lockout thresholds and durations
- Review the audit trail
- Manage blocked IPs (whitelist your own IP before testing lockout settings)
- Set up email alerts for critical security events
WP Engine Platform Security
In addition to the Shield Security plugin, WP Engine provides platform-level security:
- DDoS mitigation at the network edge
- Malware scanning with automated alerts and quarantine
- Proprietary WAF (Web Application Firewall) blocking known attack patterns before requests reach WordPress