Premium Security: The Best Protection on the Web

An attack can happen in microseconds, and in the blink of an eye, your site is toast, but with Wordfence Premium’s Enhanced Endpoint Protection Technology, the bad guys don’t have a prayer of attacking your site. We highly recommend Wordfence Premium for all sites. To beef up security even further, we’ve added Defender Pro (5 star rated) for our Premium Security service (see below). With these two “best of the web” services working in tandem on your site, the bad guys can’t get in. Truly, SuperPage gives you the best protection on the web.

Wordfence Premium offers:

• Enhanced Real-Time Threat Defense Feed. Protection from the latest threats, delivered as they emerge. Wordfence is constantly adding updates as they discover new threats. Premium sites receive the real-time version of the Threat Defense Feed. Free users receive the community version, which is delayed by 30 days.
• More Protection From Brute Force Attacks. Hackers are locked out after a set number of failed attempts at usernames and passwords. In addition, they are prevented from gaining information about which usernames may exist on your system.
• Country Blocking. Wordfence Premium blocks countries that are clearly engaging in malicious activity.
• Check if Site IP is Generating Spam. Feeling ignored? Your emails might be trapped. Your legitimate customer emails can be caught in spam filters if another site on your shared IP address is generating a lot of spam. We will use this feature to confirm that your site is running on a clean IP address, and that the shared IP you are using to host your website is not listed as a known source of spam email.
• Check if Site is Spamvertised. More than a pain, spam is destructive. When your website URL is being used for spamvertising, it can severely impact your SEO rankings and email deliverability. Worst case: Your site will be deleted altogether from the web. Wordfence Premium checks if your website URL has been flagged for spamvertising, indicating that your site may have been compromised or that you are emailing too aggressively. If spamvertising is found on your site, SuperPage will dig in and destroy the offending pages, which are invisible to most designers, but not us.
• Advanced Manual Blocking. We quickly and efficiently dispatch site security threats by blocking entire malicious networks and any human or robot activity that indicates suspicious intentions based on pattern matching and IP ranges. You can:
  • Block ranges of IP addresses (Think of these as networks)
  • Block specific web browsers and web browser patterns
  • Block referring websites
  • Or any combination of the above
  • Require cell phone sign-in, i.e., two-factor authentication (optional)
• And much more … Wordfence Premium offers comment spam filtering for your blog, frequent and scheduled scans, password auditing; great support for your site.

In Addition to Wordfence Premium, Defender Pro offers:

• Masked Login. The login URL for all WordPress sites is the same, e.g, mydomain.com/wp-login.php. Hackers use this URL as a starting point for a brute force attack. Of course, you’ll need https and a hacker-resistant password, but as an option to the standard login URL, we’ll create any mask for you, for example, mydomain.com/toughbeans. A masked login halts the bad guys in their tracks. Yeah, tough beans, bad guys!
• Two Factor Authentication (2FA). 2FA is considered the best possible internet security, used by major financial institutions and government, and it is used widely on high security sites. In addition to HTTPS, 2FA requires the Admin to enter a randomly generated continually changing six digit code. If you go with 2FA and you’re listed as an admin, you’ll need the Google Authenticator App, available on iPhones and Androids. Although logging in with the extra step of 2FA is somewhat inconvenient, the lockout protection against the bad guys is so worth it. Highly recommend.
• File Editor Protection. WordPress comes with a file editor built into the system. This means that anyone with access to your login information can further edit your plugin and theme files and inject malicious code. Defender Pro disables the file editor.
• Trackbacks and Pingbacks Protection. Pingbacks notify a website when it has been mentioned by another website, like a form of courtesy communication. Ostensibly, a good thing, however, these notifications can be sent to any website willing to receive them, opening you up to DDoS attacks, which can take your website down in seconds and fill your posts with spam comments. Trackbacks and pingbacks are disabled.
• XML RPC Protection. XML-RPC is a system that allows you to post on your WordPress blog using popular weblog clients like Windows Live Writer. Technically, it’s a remote procedure call which uses XML to encode its calls and HTTP as a transport mechanism. If you are using the WordPress mobile app, want to make connections to services like IFTTT, or want to access and publish to your blog remotely, then you need XML-RPC enabled, otherwise it’s just another portal for hackers to target and exploit.
• User Enumeration Protection. One of the more common methods for bots and hackers to gain access to your website is to find out login usernames and brute force the login area with tons of dummy passwords. The hope is that one the username and password combos will match, and viola – they have access (you’d be surprised how common weak passwords are!). There are two sides to this hacking method – the username and the password. The passwords are random guesses, but (unfortunately) the username is easy to get. Simply typing the query string ?author=1, ?author=2 and so on, will redirect the page to /author/username/ – bam, the bot now has your usernames to begin brute force attacks with. This security tweak locks down your website by preventing the redirect, making it much harder for bots to get your usernames.
• PHP Execution Prevention. By default, a plugin/theme vulnerability could allow a PHP file to get uploaded into your site’s directories and in turn execute harmful scripts that can wreak havoc on your website. Defender Pro prevents this altogether by disabling direct PHP execution in directories that don’t require it.
• X-Content-Type-Options Security Header Enforced. The X-Content-Type-Options header is used to protect against MIME sniffing attacks. The most common example of this is when a website allows users to upload content to a website, however the user disguises a particular file type as something else. This can give them the opportunity to perform cross-site scripting and compromise the website. Defender Pro enforces the “nosniff” X-Content-Type-Options to prevent MIME type sniffing attacks. Defender Pro also provides several Security Header options to prevent attempted attacks.

.htaccess For Your Business – Super Special Protection

.htaccess is one of the best ways to lock out hackers, bots, and the rest of the bad guys. We can take .htaccess one step further by making it totally impossible for them to get in. Here’s how: If you have a business account with your ISP (e.g., Comcast, Verizon, AT&T, etc.), chances are you also have a static IP address. We will insert your static IP in the .htaccess file along with code that prevents all other IPs from getting in, or shutting you down. The good news: Anyone or anything attempting a brute force attack will be locked out before they even get to the front door of your site. Now the caveat: If your IP isn’t listed in the .htaccess file, you’ll be locked out too. In short, this solution isn’t for everyone. But, if you know that you’ll be using specific computers linked to your static IP to update your site, or if you want us to update your site for you exclusively, talk to us about it, and we’ll set up .htaccess for your business.