
How to Implement Website Security Headers

What are Security Headers?

Security headers are directives included in the HTTP responses from web servers that instruct the web browser on how to handle the content of a web page.

These headers help protect web applications from various security threats by mitigating risks associated with cross-site scripting (XSS), cross-site request forgery (CSRF), clickjacking, and other common vulnerabilities.

By setting security policies at the browser level, these headers provide an additional layer of defense against potential attacks.

How to add security headers using the Hide My WP Ghost plugin.


Strict-Transport-Security (HSTS)

The Strict-Transport-Security (HSTS) header ensures that a web application is accessed only over HTTPS, preventing man-in-the-middle attacks and cookie hijacking.

Implementation

To implement HSTS, add the following header to your HTTP response:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Details

  • max-age=31536000: Specifies the duration (in seconds) that the browser should remember to only access the site via HTTPS.
  • includeSubDomains: Applies the rule to all subdomains.
  • preload: Requests inclusion in the HSTS preload list, a list of sites hardcoded into browsers as HTTPS-only.

Content-Security-Policy (CSP)

The Content-Security-Policy (CSP) header helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying which sources of content are allowed to be loaded on the site.

Implementation

A typical CSP header might look like this:

Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.google.com

Details

  • default-src 'self': Only allows resources from the site’s own origin.
  • script-src 'self' https://apis.google.com: Allows scripts from the site’s own origin and Google’s APIs.

X-Frame-Options

The X-Frame-Options header prevents clickjacking attacks by controlling whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>.

Implementation

To implement, add one of the following headers:

X-Frame-Options: DENY

or

X-Frame-Options: SAMEORIGIN

Details

  • DENY: Prevents the page from being framed.
  • SAMEORIGIN: Allows framing only by the same origin.

X-XSS-Protection

The X-XSS-Protection header enables the cross-site scripting (XSS) filter built into most modern web browsers, providing a basic level of protection against XSS attacks.

Implementation

Add the following header:

X-XSS-Protection: 1; mode=block

Details

  • 1: Enables the XSS filter.
  • mode=block: Instructs the browser to block the page if an XSS attack is detected.

X-Content-Type-Options

The X-Content-Type-Options header prevents browsers from interpreting files as a different MIME type than what is specified, which can help mitigate drive-by download attacks.

Implementation

Add the following header:

X-Content-Type-Options: nosniff

Details

  • nosniff: Ensures the browser adheres to the MIME types specified in the Content-Type headers.

Cross-Origin-Embedder-Policy (COEP)

The Cross-Origin-Embedder-Policy header ensures that a document can only load resources that explicitly grant permission, enhancing the security of embedded content.

Implementation

Add the following header:

Cross-Origin-Embedder-Policy: require-corp

Details

  • require-corp: Requires cross-origin resources to explicitly grant permission using the Cross-Origin-Resource-Policy header.

Cross-Origin-Opener-Policy (COOP)

The Cross-Origin-Opener-Policy header helps protect against cross-origin attacks, such as cross-origin information leaks, by ensuring that a top-level document does not share a browsing context group with cross-origin documents.

Implementation

Add the following header:

Cross-Origin-Opener-Policy: same-origin

Details

  • same-origin: Ensures the document is isolated from other origins, reducing the risk of cross-origin attacks.

Regularly reviewing and updating these headers in response to new security threats is also crucial in maintaining robust security.
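To turn the header list above into a repeatable check, here is an added example (not code from the Hide My WP Ghost plugin) that parses a raw HTTP response head and audits each header discussed on this page against the recommended values: HSTS max-age of at least one year with includeSubDomains, a CSP with a default-src fallback, X-Frame-Options set to DENY or SAMEORIGIN, nosniff, require-corp and same-origin. It goes one step beyond the page by also flagging two well-known weak CSP settings ('*' and 'unsafe-inline' in default-src or script-src); the sample responses are constructed, not captured from a real site.

```python
"""Audit an HTTP response's security headers against the values recommended above.
Added example, not plugin code. Sample responses below are constructed."""
from __future__ import annotations

ONE_YEAR = 31536000  # max-age recommended above, in seconds


def parse_headers(raw):
    """Parse a raw response head into {lower-cased name: value}.
    The status line is skipped; repeated headers are joined with ', '."""
    headers = {}
    for line in raw.strip().splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def parse_directives(value):
    """'max-age=31536000; includeSubDomains; preload' ->
    {'max-age': '31536000', 'includesubdomains': None, 'preload': None}"""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, sep, val = part.partition("=")
            directives[name.strip().lower()] = val.strip() if sep else None
    return directives


def parse_csp(value):
    """Split a CSP string into {directive: [source, ...]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means every header checks out."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = parse_directives(hsts)
        max_age = d.get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append("HSTS: max-age missing or not numeric")
        elif int(max_age) < ONE_YEAR:
            findings.append(f"HSTS: max-age {max_age} is below one year ({ONE_YEAR})")
        if "includesubdomains" not in d:
            findings.append("HSTS: includeSubDomains not set")
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP: no default-src fallback")
        for directive in ("default-src", "script-src"):
            sources = policy.get(directive, [])
            if "*" in sources:
                findings.append(f"CSP: {directive} allows any origin (*)")
            if "'unsafe-inline'" in sources:
                findings.append(f"CSP: {directive} permits 'unsafe-inline'")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if headers.get("cross-origin-embedder-policy", "").lower() != "require-corp":
        findings.append("COEP: require-corp missing")
    if headers.get("cross-origin-opener-policy", "").lower() != "same-origin":
        findings.append("COOP: same-origin missing")
    # Legacy header: current browsers no longer ship the XSS auditor, so CSP is the
    # effective control; it is still reported because the page recommends it.
    if "x-xss-protection" not in headers:
        findings.append("X-XSS-Protection missing")
    return findings


# Constructed sample responses (not captured from a real site).
GOOD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.google.com
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
"""

WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
Content-Security-Policy: script-src *
X-Frame-Options: ALLOWALL
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_headers(parse_headers(raw)) or ["no findings"])
```

Feed it the head of a response captured with curl -I (or the browser's network panel) and every line it prints is a header to fix; the good sample above returns no findings, the weak one returns nine.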

Geo Security & Country Blocking

Because websites need ever stronger security, we have added the new Geo Security (Country Blocking) feature to the Hide My WP Ghost plugin.


What is Geo Security?

Geo Security, specifically the Country Blocking feature, allows website administrators to restrict access to their websites based on geographic locations.

This means that visitors from certain countries can be blocked from accessing the site, thereby reducing the risk of malicious activities originating from those regions.

The Hide My WP Ghost plugin integrates this feature to provide an additional layer of security for WordPress sites.


How does Country Blocking work?

The Country Blocking feature is user-friendly and can be easily configured within the Hide My WP Ghost plugin settings. Administrators can select the countries and paths they wish to block from a list.

Entire website country blocking

This feature allows admins to block entire countries or specific IP addresses within those countries. This flexibility ensures that you can tailor your security measures to your specific needs.

Path-based country blocking

With path-based blocking, admins can specify the paths and subpaths they want to restrict for specific countries. This is useful for preventing registration or login from specific countries, and it can also be used to restrict shopping from specific countries.
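The two rule types just described (whole-site blocking, optionally narrowed to particular addresses within a country, and path-based blocking per country) can be modelled as a small policy evaluator. The following is an added example, not the plugin's code, and its rule format is its own: it assumes the visitor's country arrives from an upstream geo-IP lookup as an ISO 3166-1 alpha-2 code, matches addresses as single IPs or CIDR networks, and keeps an allowlist so the administrator's own address is never locked out. The sample rules use the user-assigned codes XA..XD (not real countries) and documentation IP ranges.

```python
"""Evaluate whole-site and path-based country blocking rules for one request.
Added example, not Hide My WP Ghost code; the rule format is assumed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CountryRule:
    countries: frozenset   # upper-case ISO country codes the rule applies to
    paths: tuple = ()      # () blocks the whole site; else path prefixes to block
    ips: tuple = ()        # () matches every address; else only these IPs/CIDRs


def path_covered(prefix, request_path):
    """True when the request is the prefix itself or lies beneath it. Matching
    stops at a '/' boundary so '/register' does not also block '/register-help'."""
    path = "/" + request_path.split("?", 1)[0].strip("/")  # drop the query string
    prefix = "/" + prefix.strip("/")
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def ip_covered(entries, addr):
    """True when addr is one of the entries (a single IP or a CIDR network)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def decide(country, addr, request_path, rules, allowlist=()):
    """Return ('block', matching_rule) or ('allow', None). Allow-listed addresses
    (e.g. the administrator's own IP) always pass, so a rule that happens to cover
    the admin's country cannot lock the site owner out."""
    if allowlist and ip_covered(allowlist, addr):
        return ("allow", None)
    country = country.upper()
    for rule in rules:
        if country not in rule.countries:
            continue
        if rule.ips and not ip_covered(rule.ips, addr):
            continue
        if not rule.paths or any(path_covered(p, request_path) for p in rule.paths):
            return ("block", rule)
    return ("allow", None)


# Constructed rule set: XA is blocked everywhere; XB and XC only on the login,
# registration and checkout paths; XD only for one network inside that country.
RULES = (
    CountryRule(frozenset({"XA"})),
    CountryRule(frozenset({"XB", "XC"}), paths=("/wp-login.php", "/register", "/checkout")),
    CountryRule(frozenset({"XD"}), ips=("203.0.113.0/24",)),
)

if __name__ == "__main__":
    for country, addr, path in (("XA", "192.0.2.10", "/"),
                                ("XB", "192.0.2.10", "/blog/post"),
                                ("XB", "192.0.2.10", "/register/step-2?ref=1"),
                                ("XD", "203.0.113.7", "/"),
                                ("XD", "198.51.100.7", "/")):
        print(country, addr, path, "->", decide(country, addr, path, RULES)[0])
```

The segment-boundary check in path_covered is the detail worth copying: a plain startswith would turn a rule for /register into a block on every path that merely begins with those letters.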


Benefits of Country Blocking

By blocking access from countries known for high levels of cybercrime, you can significantly reduce the risk of hacking attempts, DDoS attacks, and other malicious activities. This proactive approach enhances the overall security posture of your website.

Reducing unwanted traffic from certain regions can improve your website’s performance. With fewer malicious requests, your server can allocate more resources to legitimate users, resulting in faster load times and a better user experience.

The intuitive interface of the Hide My WP Ghost plugin simplifies the management of blocked countries. Administrators can easily add or remove countries from the block list, ensuring that security policies remain up-to-date and effective.


How to Enable Country Blocking in Hide My WP Ghost

  • Install and Activate the Plugin: Ensure you have the Hide My WP Ghost plugin installed and activated on your WordPress site.
  • Access Geo Security: Go to Hide My WP > Firewall > Geo Security and activate Country Blocking feature.
  • Select Countries: Choose the countries you wish to block from the provided list. For path-based blocking, add the list of paths you want to block for the specific countries.
  • Save Changes: Save your settings to activate the Country Blocking feature.

Conclusion

The new Geo Security feature in the Hide My WP Ghost plugin represents a significant advancement in website security.

With its easy configuration and powerful functionality, the Country Blocking feature is a must-have for any WordPress site looking to strengthen its security measures.

Embrace this new level of security and enjoy peace of mind knowing your site and business is protected against global hacker bots’ attacks.


The New 8G Firewall Protection Is Here

Hide My WP Ghost has just introduced its latest game-changer layer of security: the 8G Firewall. Buckle up as we delve into what this feature brings to the table and how it can revolutionize your WordPress site’s security.


What Is the 8G Firewall?

The 8G Firewall is a formidable shield designed to fend off an array of threats targeting your WordPress site. Crafted by security guru Jeff Starr, this firewall packs a punch without compromising performance.


Key Features of the 8G Firewall:

  1. Robust Defense:
    • Say goodbye to malicious requests, bad bots, and automated attacks.
    • The 8G Firewall stands guard, preventing unauthorized access and suspicious activities.
  2. Rewrite Rules Magic:
    • Unlike traditional firewalls, the 8G Firewall operates through server rewrite rules.
    • No file or directory changes—your SEO and loading speed remain untouched.
  3. Compatibility and Performance:
    • Worried about clashes with existing security plugins? Fear not!
    • The 8G Firewall plays nice with plugins like Wordfence, iThemes Security, and Sucuri.
  4. Vulnerability Concealment:
    • By blocking common WordPress attacks (think wp-admin, wp-login.php, and wp-content), the 8G Firewall throws hackers off their game.
    • Themes, plugins, and core files? Stealth mode activated!

How to Activate the 8G Firewall:

Install Hide My WP Ghost:

  • If you haven’t already, install the Hide My WP Ghost plugin from the WordPress repository.

Navigate to Firewall Settings:

  • Go to your WordPress dashboard and find Hide My WP > Change Paths in the plugins section.
  • Activate a level of security such as Safe Mode or Ghost Mode.

Enable the 8G Firewall:

  • Go to Hide My WP > Firewall and activate Firewall Against Script Injection.
  • Select 8G Firewall option from the list of firewalls.
  • If you have an Apache server, choose whether to add the firewall rules to .htaccess or load the firewall on WordPress initialization.
  • Activate it to start benefiting from its enhanced security features.

Test and Monitor:

  • Verify that your site is functioning correctly after enabling the firewall.
  • Regularly monitor your site’s security logs to stay informed about blocked threats.

Conclusion:

The 8G Firewall is your silent sentinel, tirelessly guarding your WordPress fortress.

Whether you’re a blogger, business owner, or code wizard, this feature ensures your site stays secure and resilient.

7G Firewall for WordPress

WordPress is the most widely used content management system (CMS) on the web, powering more than 40% of all websites. However, its popularity makes it a prime target for hackers and cybercriminals. As a website owner, it’s your responsibility to secure your site and protect it from malicious attacks. One way to do that is by using a firewall.

Firewalls are security programs that protect your website from unauthorized access and malicious traffic. They can help block suspicious traffic, prevent brute-force attacks, and protect against SQL injections and other types of attacks.

The 7G Firewall is an advanced firewall created by Jeff Starr, a well-known WordPress security expert. It offers lightweight, server-level protection against a wide range of threats, including malicious requests, bad bots, automated attacks, spam, and other types of nonsense. The firewall works by analyzing incoming traffic and blocking any suspicious requests before they reach your website.

One of the benefits of using the 7G Firewall is that it’s highly customizable. You can choose from several levels of protection, including minimal, medium, and maximum. The minimal level is suitable for most websites and provides basic protection against common threats. The medium level offers additional protection against more advanced threats, while the maximum level is recommended for high-traffic websites that are frequent targets of attacks.

However, it’s worth noting that the 7G Firewall may not work with all server configurations. If you’re not sure whether it’s compatible with your server, you can select minimal or medium protection to ensure compatibility.


If you’re using Hide My WP Ghost to secure your WordPress website, you can easily activate the 7G Firewall by following the tutorial provided by the plugin. Once activated, the firewall will run silently in the background, protecting your website from a wide range of threats without impacting its performance.

In conclusion, if you’re looking to secure your WordPress website, a firewall is an essential tool to have in your security arsenal. Hide My WP Ghost’s 7G Firewall protection for Apache-based servers is a powerful and customizable solution that can help keep your site safe from malicious attacks.

By following the plugin’s tutorial, you can easily activate the firewall and enjoy the peace of mind that comes with knowing your website is protected.

Disable Hide My WP Ghost for User Roles

Our plugin is designed to provide users with the highest level of security and customization. One unique feature of our plugin is the ability to whitelist specific IP addresses, which allows users to grant access to certain users while blocking others.

This can be particularly useful for businesses or organizations that want to grant access to employees or trusted partners while blocking access to unauthorized users.

If you want to disable the plugin for logged-in users with specific roles, add this code to your theme's functions.php file:

// Switch off Hide My WP Ghost processing for logged-in users with the listed roles.
add_action('template_redirect', 'hidePathsByUserRole');

function hidePathsByUserRole() {

    if (function_exists('wp_get_current_user')) {
        $user = wp_get_current_user();

        // Roles for which the plugin should be disabled.
        $allowed_roles = array(
            'administrator',
            'editor',
            'author'
        );

        // Act only when the current user has at least one of the listed roles.
        if (isset($user->roles) && is_array($user->roles) && array_intersect($allowed_roles, $user->roles)) {
            // Tell the plugin, through its own filters, to skip path rewriting,
            // output buffering, hiding and find/replace for this request.
            add_filter('hmwp_process_paths', '__return_false');
            add_filter('hmwp_process_buffer', '__return_false');
            add_filter('hmwp_process_hide_disable', '__return_false');
            add_filter('hmwp_process_find_replace', '__return_false');
        }
    }
}

The code will disable Hide My WP Ghost for administrators, editors and authors. You can add new roles or remove roles from the code.

Most Popular WordPress Theme Detectors

If you’re a WordPress user, you may be familiar with the concept of theme detection. A WordPress theme detector is a tool that allows you to see which theme a WordPress site is using.

This can be useful for a variety of reasons, including allowing you to see which theme a competitor is using, or simply to find out more about a particular theme you like the look of.

Here are the top WordPress theme detectors, based on their popularity and user reviews:


What WordPress Theme Is That?

This popular theme detector allows you to easily identify the theme and plugins used on any WordPress site. Simply enter the URL of the site you want to inspect and the tool will provide a detailed report on the theme and plugins used.


WP Theme Detector

WP Theme Detector is a free online tool that allows you to quickly and easily identify the theme and plugins used on any WordPress site. Simply enter the URL of the site you want to inspect and the tool will provide a detailed report on the theme and plugins used.


WordPress Theme Detector

WordPress Theme Detector is a free online tool that allows you to easily identify the theme and plugins used on any WordPress site. Simply enter the URL of the site you want to inspect and the tool will provide a detailed report on the theme and plugins used.

However, some WordPress users may not want others to be able to detect the theme they are using on their site. This is where the Hide My WP Ghost plugin comes in. This plugin adds an extra layer of protection to your WordPress site by hiding the fact that you are using WordPress.

Hide My WP Ghost complements other security plugins and tools by adding a different kind of security layer that the others don’t offer. It helps protect your site against common attacks such as script and SQL injection and brute force by camouflaging vulnerabilities without physically changing any files or directories. This makes it difficult for hackers and other malicious actors to detect and exploit vulnerabilities on your WordPress site.

In addition to its camouflage feature, Hide My WP Ghost also includes a security check feature that scans your entire site to indicate its current security level and uncover urgent threats that leave your site exposed to different types of attacks. It provides clear guidance on how to fix each issue, and many can be fixed with just one click.

Overall, Hide My WP Ghost is a valuable addition to any WordPress user’s security toolkit. By hiding the fact that you are using WordPress and providing extra protection against common attacks, it can help keep your site safe and secure.

Hiding plugins like WooCommerce and Elementor

We do not recommend using Hide My WP Ghost to hide class names such as woocommerce and elementor (scroll down to the end of this article to see why).

However, since many people requested this feature, we’ve made it available starting with Hide My WP Ghost version 5, as part of our ongoing commitment to deliver solutions that best cater to our customers’ needs.

Note! Please read Hide WordPress from Theme Detectors or from Hackers Bots?

Some plugins like WooCommerce and Elementor are exclusively built for WordPress.

When theme detectors find their class names in the site's source code, they will report that your website is using WordPress, even if all the WordPress-specific common paths have been changed and hidden.

These plugins not only add their names in the source code but they also add scripts in JS and CSS files based on those class names.

If you want to hide classes like woocommerce and elementor in the text mapping, make sure you follow the steps below to avoid JS and Theme Style errors.


Text Mapping

To activate this option, go to Hide My WP > Mapping > Text Mapping

Add the class names woocommerce and elementor, then assign them different names, for example ecommerce and landingpage.

As you can see in the example below:

woocommerce becomes ecommerce

elementor becomes landingpage


Text Mapping in CSS and JS files

To activate this option, go to Hide My WP > Mapping > Experimental

NOTE! Enabling this option will create dynamic CSS and JS files, which will significantly slow down a site’s loading time. This is why we recommend that you use a cache plugin to optimize loading speed for your website. In Hide My WP > Plugins, we suggest a few cache plugins for you to choose from.

What can go wrong?

The website’s loading speed is affected – which is NOT good for SEO.

Even if you change the class names and load the CSS and JS dynamically, there are still browser caches, server caches, probably CDN which also caches the files – and it will take some time to refresh all the caches and see the changed classes.

Because of file caching, the class name can appear changed in some files and unchanged in others. This will lead to style and script errors in WordPress.
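To make the Text Mapping steps and the caching problem above concrete, here is an added example that is not the plugin's own code. It assumes text mapping rewrites whole words inside HTML class attributes and inside CSS, as the woocommerce to ecommerce example above describes, and it shows what "What can go wrong" looks like in practice: when the HTML is served freshly mapped but a cached, still unmapped stylesheet is delivered alongside it, the stylesheet's selectors no longer match anything. The markup and stylesheet are constructed samples.

```python
"""Text mapping of plugin class names, and the cache mismatch this page warns about.
Added example, not plugin code; the sample HTML and CSS are constructed."""
import re

MAPPING = {"woocommerce": "ecommerce", "elementor": "landingpage"}  # from the example above


def rename_tokens(text, mapping):
    """Replace each mapped word wherever it stands as a whole word, so that
    'woocommerce-cart' becomes 'ecommerce-cart' but 'mywoocommerce' is left alone."""
    for old, new in mapping.items():
        text = re.sub(rf"\b{re.escape(old)}\b", new, text)
    return text


def map_html_classes(html, mapping):
    """Apply the mapping inside class="..." attributes only."""
    return re.sub(r'(class\s*=\s*")([^"]*)(")',
                  lambda m: m.group(1) + rename_tokens(m.group(2), mapping) + m.group(3),
                  html)


def map_css(css, mapping):
    """Apply the mapping to a stylesheet (selectors included)."""
    return rename_tokens(css, mapping)


def classes_in_html(html):
    """All class tokens used by the markup."""
    return {token for attr in re.findall(r'class\s*=\s*"([^"]*)"', html) for token in attr.split()}


def class_selectors_in_css(css):
    """All class names referenced by selectors such as '.woocommerce-cart'."""
    return set(re.findall(r"\.([A-Za-z_][\w-]*)", css))


def orphaned_selectors(css, html):
    """Class selectors in the stylesheet that match nothing in the markup:
    non-empty means the stylesheet and the page are out of step."""
    return class_selectors_in_css(css) - classes_in_html(html)


# Constructed sample markup and stylesheet (not taken from a real site).
HTML = '<div class="woocommerce woocommerce-cart"><button class="elementor-button btn">Buy</button></div>'
CSS = ".woocommerce-cart { padding: 4px } .elementor-button { color: red } .btn { margin: 0 }"

if __name__ == "__main__":
    fresh_html = map_html_classes(HTML, MAPPING)
    print("stale CSS, mapped HTML:", sorted(orphaned_selectors(CSS, fresh_html)))
    print("mapped CSS, mapped HTML:", sorted(orphaned_selectors(map_css(CSS, MAPPING), fresh_html)))
```

Running it against your own page and stylesheet after enabling the mapping is a quick way to confirm that every cache layer (browser, server, CDN) is serving the rewritten files: the orphaned set should be empty.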

Protect My WordPress Website

This is the question we asked ourselves as a software company many years ago when we switched our business to WordPress CMS. It’s hard to trust an open-source CMS where our websites will probably end up being hacked.

As a developer, I wanted to know how to protect my WordPress website and my clients' websites. I started studying WordPress CMS, its weak points and strong points, and I found out that the main issue is not the WordPress core itself but the installed plugins and themes.

Many free plugins and themes were built by beginner programmers without any security knowledge and, frankly, they probably didn't even care about their users. As WordPress CMS can't work without a plugin or a theme, most likely every production website has, at some point, had a vulnerable plugin or theme installed.

How To Protect My WordPress Website

Luckily, there are now many security plugins that verify plugin integrity and vulnerabilities, but they can't keep up with all the latest updates and the new plugins on the market.

About 4 years ago, our company came up with the idea of creating a security plugin that would protect all the vulnerable plugins and themes by blocking attacks on the common WordPress URLs and paths.

This idea led us to create the Hide My WP Ghost plugin: a plugin that allows you to replace all the common paths with hidden paths and block hacker bots' access to the known vulnerable paths.

We successfully reduced the number of SQL and script injection attacks by up to 99% with the Hide My WP Ghost plugin. We also significantly reduced the number of brute force and XSS attacks.

The best part is that Hide My WP Ghost works together with all other security plugins on the market by adding a layer of security for each business.

Some of the popular security plugins are Wordfence, iThemes Security, Shield Security, etc.

We look forward to keeping WordPress the safest open-source CMS and reducing bot attacks as much as possible.

Secure Hosting Companies

Choosing secure hosting is also important when you create a website for your business. There are many WordPress-dedicated hosting companies that offer security and management.

Some of the great WordPress hosting companies are WpEngine, InMotion, CloudWays, etc.

Note! Choose a plan that keeps a daily backup of your website's data.

Once you have a secure hosting plan and security plugins installed on your server, you don’t have to worry about getting hacked and you can focus on getting the best out of your online business.

If you have any questions, please contact us.

Prevent Hack Attacks on WordPress

Using an open-source CMS with open-source plugins and themes makes it hard to prevent every hack attack on your WordPress site.

Many plugins are created by authors who don't know how to secure them completely. The same goes for theme authors.

Prevent Hack Attacks

Fortunately, there are security plugins that are built to help you protect your website and prevent hack attacks. Some of them are popular on WordPress: Wordfence, iThemes, Shield Security, etc.

Most of these plugins work to identify whether your website has already been hacked, but it is also important to add a layer to your WordPress site that proactively stops a virus.

The best and simplest way to do this is to change all the known vulnerable paths of all plugins and themes. To do this, you can install the Hide My WP Ghost plugin.

Hide My WP Ghost works together with other security plugins and hides the paths from hackers' bots, stopping all script and SQL injections. You can also add brute force protection to your login page if you want to use only one security plugin for your website.

The Difference Between Safe Mode and Ghost Mode in Hide My WP

Hide My WP Ghost brings a complex level of security through obscurity and protection against hacker bots.

One reason to change the common paths in WordPress is to hide them and so prevent script injections into your vulnerable plugins and themes.

Is your website secure? Run a free Website Security Check for your website now.

Note! The paths are not physically changed by the plugin, which means everything goes back to normal if you decide to deactivate Hide My WP Ghost.