Enhance the security of your WordPress Admin portal with Cloudflare page rules

Cloudflare security levels

Cloudflare has a number of features that allow it to fend off attacks against the plague of bot nets crawling the internet.  These bots look for security vulnerabilities or attempt to deny service by simply overloading web hosts and servers, either knocking them off the internet completely or degrading their performance enough to slow them down and make them essentially unusable.

Brute force password hacking attempts are one such common attack and Cloudflare provide differing security levels in it’s options for your website.  Those security levels are essentially off, low, medium, high, and the ‘i’m under attack!’ mode.  In a recent attack observation I found that on free plans this ‘i’m under attack!’ mode is not engaged automatically (at least in one case) and requires someone to manually enable it for this to be effective.

So what does the ‘i’m under attack!’ mode do? Well, like the name suggests it is most appropriate for use when your website is under a DDoS or other attack.  Essentially it weeds out automated malicious bot traffic by testing to see if a visitor is a human or a machine.  One of the key ways it checks for this is by showing an interstitial page to all visitors and delays entry for around five seconds and checks the visitor for Javascript and cookie capabilities.  If the visitor has these disabled then the connecting machine is considered to be a bot and immediately blocked.  Exceptions are in place for search engines so they don’t get blocked due to this enhanced security.  In my limited testing with this mode enabled I have found it to be completely effective against brute force attempts on my login pages.  My usual server side logs that would show a multitude of login attempts are virtually empty with the blocking being performed at the edge prior to hitting my web server.

Page rules for the WordPress admin portal login pages 

The ‘i’m under attack!’ mode is highly effective and you can leave it on permanently across the board to protect an entire website.  However, this is going to delay visitor entry and will turn away a proportion of visitors that are simply not prepared to wait that five seconds for all security checks to be completed.  One train of thought would be to provide this protection only on the WordPress admin login pages.  These pages are a common target and could do with an extra layer of protection.  Cloudflare has the answer and it’s called Page Rules.  Cloudflare page rules let you manipulate incoming traffic to do a number of things such as enforce SSL, modify caching, or as we are looking at in this case change the security level.

Continue Reading


Brute force attack on NZTECHIE.COM

When looking through the logs for nztechie.com it is quite common for me to see 50 to 100 entires per day showing attempts to crack the administrator account password on my WordPress Admin panel.  These are typically compromised systems that are part of automated Botnets crawling the interwebs for vulnerable systems.  Everything seemed perfectly normal with my security plugins detecting and reporting on those attempts, that is until in January when an email from my web host arrived advising me that nztechie.com was churning through too much CPU and overloading the host server.

It was my WordPress admin logon page being hit 27,400 times in a row that started all this.  It wasn’t network bandwidth that was being exhausted but CPU.  After some additional investigation and discussions with my web host we actually found that it was my Wordfence Security plugin throttling the CPU!  Wordfence is a great security plugin with an excellent spread of features to assist with hardening a WordPress Blog and I continue to thoroughly recommend it. One of those features is a ‘live traffic’ display showing in real-time a plethora of information about your visitors.  Unfortunately this uses CPU cycles (even if you are not actively using/viewing it) and with lots of hack attempts it ramped up CPU utilisation to what my host claimed was exhaustion.

At the time I was using the free tier of CloudFlare which reported the traffic (but did not report as an attack) and did not automatically take any action either. Once aware of the attack I manually used the ‘i’m under attack’ option in the services settings as recommended by CloudFlare.  This option if set broadly across a website will scrutinise all visitors and seems to be very proficient at weeding out and blocking automated Bots from connecting.  With this enabled visitors receive an interstitial page when they initially browse to a protected website whilst CloudFlare performs some automated magic to determine if you’re a human, a crawler, or part of an attacking botnet.  If you don’t have JavaScript enabled then you are not human.

CloudFlare Interstitial Page

CloudFlare Interstitial Page

After some additional research I found that I could apply this additional protection to specific pages through the use of page rules.  My WordPress login pages are now protected with this and it seems to be doing a great job!  Wordfence is no longer showing the usual daily list of attempts as they are generally being blocked at the edge via CloudFlare and I can safely turn Wordfence Live Traffic back on.


The problem with NZ Post ParcelPod

For some people, getting stuff delivered can be a bit of a pain if you don’t have a good reliable delivery location.  If you have a work or business address then typically someone is available to take receipt and sign for packages and items that are being carried by a courier company.   I see that a lot of New Zealand online stores do advise customers to use a business address for deliveries in order to avoid the dreaded “card-to-call” when a delivery is attempted to a residential address and nobody is home.

How about another option? Over the Christmas period last year I had a look at and signed-up for New Zealand Post’s ParcelPod trial.  In a nutshell NZ Post have a number of secure locations nationwide where you can have parcels delivered.  The pods work similarly to lockers in gyms and recreation centres in that they are shared between users and accessed using a code.  Customers receive a text message and/or email notification that a delivery has arrived along with the code required to open a Pod. The whole process is automated from the users point of view and you have a couple of days to pick up the package anytime 24/7.

I was travelling around the country at Christmas time and was due back in my hometown in a few days.  On my time off I noticed that JB Hi-Fi were running a clearance deal on the original Microsoft Surface RT tablet.  I’ve used both Apple and Android tablets extensively and thought this would be a great opportunity to have a look what Microsoft is doing in tablets in a cost effective way.  For under $300 it looked like a plan.

Within minutes of opening up the JB Hi-Fi website I had dropped this tablet in to my shopping cart and was ready to proceed to payment.  I thought this was great, a new tablet and I will be able to try this nifty new ParcelPod service!  Boy was I in for a disappointment.

The primary courier company that JB Hi-Fi uses is Poste Haste Couriers.  Post Haste are a direct competitor to NZ Post that are running the ParcelPod system.  On that note Poste Haste simply refuses to deliver to a NZ Post ParcelPod.  I’m not an expert on the delivery system but I didn’t see any logistical reason why Poste Haste Couriers could not deliver to the ParcelPod.  The address is a physical address like any other.

My enquiries started with NZ Post and the response from the staff member I spoke with on the phone was “we can’t make them deliver to us”.  My next port of call was to speak with Poste Haste Couriers.  The response from them was a flat out “no, we don’t deliver to NZ Post ParcelPods”.  My package had been sitting in one of their distribution centres for 3 days in their “problem” pile.

Fortunately for me I was back home by then and Poste Haste redirected the package to my home where I had waited for a day to receive the re-delivered package.  In hindsight I could have probably asked to pick it up but their system showed the package bouncing around their mail system so much I thought it best not to interfere further.

So that’s briefly what happened, but what am I actually ranting about?

The problem I see here is that if you order something from an online store or otherwise and that company uses Poste Haste or another competitor which refuses to deliver to a ParcelPod.  Some online stores tell you which courier company they use but many do not. Some may use a variety of companies so it could be a real hit or miss if you order something and the company concerned has not formed an agreement with NZ Post to deliver to the Pods.

I had a look in depth on the ParcelPod site and they do not provide any list of couriers who will not deliver to them (Update: list of compatible couriers now found on website).  To NZ Post’s credit they do clearly indicate that this is a trial only and I’m a guinea pig in their test.  The trial is currently open and anyone can sign-up for it on the NZ Post website.  It’s a very reasonable $5 for 3 months or $10 for 6 months.  NZ Post says that this is a nominal charge simply to test the payment system.  I would expect if they went beyond trial status on this that they would probably bump up the fee.

On a side note I gave JB Hi-Fi a call just to let them know that the primary courier company they use simply won’t deliver to these Pods.  The person I spoke with indicated to me that they would look at adding a note on their website about ParcelPods.  That was in December.  It appears to me that they haven’t added anything to their already quite extensive shipping and delivery web page.

Who is at fault here?  NZ Post, Poste Haste, or JB Hi-Fi?  To be honest this seems to fit in to that nice little box of it being nobody’s fault.  Without a lot of motivation to improve the system its quite likely nothing will be done to rectify the situation.  I plan to reach out to some of New Zealand’s courier companies to find out who will and who won’t deliver to a ParcelPod.