Defender’s back in the ring for round 2.2.2. And he’s coming in hot with three brand new security features – all specifically designed to lay the smackdown on cowardly hackers and bots.

Your website’s safety is at stake, so let’s not delay.

Defender 2.2.2 recently entered the ring complete with a brand new set of knockout security features.

And in this article we’re shining the spotlight on three of the standouts:

  1. HTTP Security Headers
  2. Prevent User Enumeration
  3. Block WordPress Rest API

I’ll also be showing you how easy it is to instantly arm your website with these new weapons.

Because the truth of the matter is, if you’re not constantly updating your site’s security, you’re playing with fire.

Every day hackers and criminals are finding new ways to exploit even the most ‘secure’ of websites.

And if you’re not up with the latest website security measures, you’re leaving your site vulnerable.

That’s Where This Large Wrestler Dude Steps In…


Defender Pro is all you need for a safer website

New Round Here?

Meet Defender, our premier security plugin and your personal [internet] crime fighting machine (he’s not as scary as he looks, unless you’re an evil hacker).

Hackers… Brute force attacks… Malicious bots…

They’re all no match for Defender’s mighty WordPress security shields and cloaking technology.

Tag-team with this plugin for instant access to: user security scans, vulnerability reports, two-factor authentication, safety recommendations, and tons more!

The point is…

Defender Has The Scariest Web Villains Squirming

And in its latest update, this robust plugin adds even more notches to its heavyweight security belt.

The best part?

Enforcing most of them takes no more than a click of a button.

But before we press on, PSA:

All of the features covered in this article are only available with Defender Pro (as opposed to the free version of Defender).

A WPMU DEV membership gives you full access to this, and all of our other award-winning premium WordPress plugins. There’s also a 100% risk-free 30-day trial – so you’re welcome to try before you buy.

But as I said earlier, the safety of your website depends on this – so on to the barnstorming features!

Hit Hackers Where It Hurts: HTTP Security Headers

Much like relationships, communication is one of the keys to a safer and more secure website.

And effective communication is what HTTP security headers do best.

In simple terms, these head-butting headers talk to web browsers and tell them how to behave during interactions with your website, which adds a second layer of defence and helps prevent malicious attacks.

HTTP security headers come in various shapes and sizes (I cover each below) – all safeguarding you against different types of attacks.

They’re also super easy to add on your website. And like most Defender features – they’re literally a click away from being instantly weaponized.

*This security feature was originally requested by our WPMU DEV community member Gary. Thanks again for your input Gary!

How To Activate Defender’s HTTP Security Headers

From the Defender dashboard, find the “Security Tweaks” section (you can’t miss it!). You’ll see a preview list of the security tweaks Defender recommends for your website.

Either click one of these, or click “view all.”

Start at the Defender dashboard

Alternatively, you can navigate to Security Tweaks directly via the side menu:

Or select security tweaks from the side menu

Once you’re through to the Security Tweaks page, you’ll see Defender points out the current security issues with your website.

Since security headers are a new feature, they’ll automatically appear on this list.

To activate a security header, start by clicking on one.

Click on a security header to enforce it

When you’ve clicked through you’ll then be given more info about each header.

Here’s an example of what you see when you click the “X-Content-Type-Options” header:

An example of one of the security headers

Like I said earlier, one click is all it takes.

Hit that “enforce” button and KAPOW! You’ve just beefed your security up a level.

Once you’ve enabled any header it’ll automatically be moved to the “Resolved” section of Security Tweaks.

You can also disable a security header here too if needed.

Once security headers have been activated they become resolved

Alrighty, now that you know how to enforce security headers, let’s dive deeper into the headers themselves and what they do.

Meet Defender’s New ‘Heads’ Of Security:

1. X-Content-Type-Options Header

The X-Content-Type-Options header is quite the warrior, defending you against nasty MIME sniffing and the XSS attacks it makes possible.

A typical case is a website that lets users upload content. A user uploads what is declared as, say, an image, but *PLOT TWIST, the file actually contains HTML or script. Sneaky sneak!

A browser that “sniffs” content types instead of trusting the declared one can render that file as a page and run the script in the context of your site, which is cross-site scripting. With this header set to “nosniff”, the browser sticks to the Content-Type your server declares, so the disguised file stays a broken image instead of running as code. You’ll definitely want to activate this puppy if your website allows users to upload content.

2. Feature-Policy Header

The Feature-Policy response header lets you control which browser features (camera, microphone, geolocation and so on) a page, and any iframes it embeds (HTML documents embedded inside other HTML documents), is allowed to use.

Examples include embedding an iframe where you don’t want the embedded site to have access to the visitor’s camera, or flagging unoptimized images that a CMS outputs to your website.

This security header also gives you more options to prevent unwanted actions when your webpages are embedded elsewhere:

The feature policy header gives you extra options

3. Referrer-Policy Header

The Referrer-Policy HTTP header tells web-browsers how to handle referrer information when a user clicks a link that leads to another page.

Referrer headers let website owners know where inbound visitors came from, but sometimes you might want to control or restrict the amount of information shown.

You can also choose what referrer information is sent, along with requests:

Choose different options with this security header

4. Strict-Transport-Security Header

The HTTP Strict-Transport-Security header (HSTS) tells browsers that your website should only ever be reached over HTTPS (never plain HTTP).

This is especially important for sites that store and process sensitive information (e.g. eCommerce stores), and it helps to prevent “protocol downgrade” attacks and cookie hijacking. (Clickjacking is the job of the X-Frame-Options header, covered below.)

You can also set your Transport-Security header requirements (see below). Once a browser has seen the header over a valid HTTPS connection, it rewrites any http:// request for your domain to https:// for as long as the max-age lasts, and it refuses to connect at all if the certificate is invalid (no “proceed anyway” button). One caveat before you enforce it: make sure every page (and every subdomain, if you include subdomains) already works over HTTPS, because browsers remember the policy and will block the HTTP fallback until it expires.

A look at the strict transport header in action
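Hitting “enforce” changes what Defender reports, but the thing worth trusting is the live response your visitors get. Save the header block with `curl -sI https://your-site.example/ > headers.txt` and audit it. The script below is an added example (not Defender’s code and not part of the original post) that checks such a dump for the five headers described above, using two constructed responses as sample input; the one-year HSTS minimum, the accepted values for each header, and treating Permissions-Policy as equivalent to Feature-Policy are the script’s own assumptions, not Defender’s settings.

```python
"""Audit a raw HTTP response for the five headers Defender's Security Tweaks enforce."""

# Constructed sample (not a real site): the header block `curl -sI https://example.com/` prints,
# with the headers either missing or set to weak values.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOWALL
Referrer-Policy: unsafe-url
Strict-Transport-Security: max-age=0
"""
# Constructed sample with every header set to a value the checks below accept.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
Feature-Policy: camera 'none'; microphone 'none'; geolocation 'self'
"""
ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age this script demands (an assumption, not Defender's)
KNOWN_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}

def parse_headers(raw):
    """Return {lower-cased name: value}; skips the status line, a repeated header keeps its last value."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_exact(h, name, accepted, why_missing):
    """For headers with a fixed vocabulary: present and (case-insensitively) one of the accepted values."""
    v = h.get(name)
    if v is None:
        return False, why_missing
    return v.upper() in accepted, f"value is {v!r}; accepted: {', '.join(accepted)}"

def check_referrer_policy(h):
    v = h.get("referrer-policy")
    if v is None:
        return False, "missing: the browser default applies"
    tokens = [t.strip().lower() for t in v.split(",") if t.strip()]  # fallback list; browsers use the last known token
    bad = [t for t in tokens if t not in KNOWN_REFERRER_POLICIES or t == "unsafe-url"]
    if bad:
        return False, f"rejected token(s) {bad}: unsafe-url leaks the full URL, unknown tokens are ignored"
    return True, f"value is {v!r}"

def check_hsts(h):
    v = h.get("strict-transport-security")
    if v is None:
        return False, "missing: browsers will keep accepting plain HTTP for this host"
    directives = {}
    for part in v.split(";"):  # e.g. "max-age=31536000; includeSubDomains; preload"
        name, _, val = part.strip().partition("=")
        directives[name.strip().lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return False, f"max-age missing or not a number in {v!r}"
    if max_age < ONE_YEAR:
        return False, f"max-age={max_age} is below one year ({ONE_YEAR})"
    note = "" if "includesubdomains" in directives else " (no includeSubDomains, so subdomains stay unprotected)"
    return True, f"max-age={max_age}{note}"

def check_feature_policy(h):
    v = h.get("feature-policy") or h.get("permissions-policy")  # Permissions-Policy is the renamed successor
    if v is None:
        return False, "missing: embedded frames inherit every browser feature"
    return True, f"value is {v!r}"

CHECKS = {
    "X-Content-Type-Options": lambda h: check_exact(h, "x-content-type-options", ("NOSNIFF",),
                                                    "missing: a browser may sniff an uploaded file into HTML or script"),
    "Feature-Policy": check_feature_policy,
    "Referrer-Policy": check_referrer_policy,
    "Strict-Transport-Security": check_hsts,
    "X-Frame-Options": lambda h: check_exact(h, "x-frame-options", ("DENY", "SAMEORIGIN"),
                                             "missing: any site can frame this page (clickjacking)"),
}

def audit(raw):
    """Map each header name, in Defender's order, to (passed, explanation) for one raw response."""
    h = parse_headers(raw)
    return {name: fn(h) for name, fn in CHECKS.items()}

if __name__ == "__main__":  # python audit_headers.py headers.txt   (no argument: audit the weak sample)
    import sys
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_RESPONSE
    for name, (ok, why) in audit(raw).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {why}")
```

Run it against a saved `curl -sI` dump after each tweak you enforce; the weak sample fails everything except X-Content-Type-Options, and the explanation column tells you which value the browser will actually act on. Check the site over HTTPS, since HSTS is ignored by browsers when it arrives over plain HTTP.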

5. X-Frame-Options Header

The X-Frame-Options HTTP header controls whether or not a browser can render a webpage inside a <frame>,