Introducing: Lock My Site for Ultimate WordPress Protection
Today, I’m excited to announce yet another exciting feature for Rocket.net customers.
In the last few months, Rocket.net has observed more and more 0-day exploits against WordPress plugins that leverage privilege escalation vulnerabilities, and these are undetectable by Web Application Firewalls.
How are they undetectable? They look like normal requests, so the WAF does not see them as a threat; to the WAF, it looks like business as usual.
As a result, we asked ourselves: “How can we innovate in new ways so that we can protect our clients from these 0-Day vulnerabilities?”
Today, there are very limited ways to protect your WordPress sites from privilege escalation. They all rely on either the plugin/theme vendor patching the vulnerability or a paid third-party service providing a virtual patch. But 0-day vulnerabilities are by definition unknown, so the incumbent solutions just don’t work as well as they should.
Examples of how you may be able to protect your WordPress install today:
- Update the vulnerable plugin to the latest version if one exists.
- Remove the offending plugin and replace it with another one.
- In some rare cases, Web Application Firewalls can write rules that match a very specific request path, similar to what we did with Imunify360 to solve this vulnerability.
- Virtually patch the vulnerability using a paid third-party service.
If none of the above is done, your WordPress sites can be wide open and extremely vulnerable, even on a platform like Rocket.net that has not only one, but two Web Application Firewalls protecting your WordPress sites.
Today, that problem just became easier to solve. Rocket.net now has a solution that not only prevents your site from being hacked, but also continues to deliver your site business as usual without adding more bloat to your sites.
Introducing Rocket.net’s Lock My Site.
After launching our new WordPress Disaster Recovery network update a couple of weeks ago, Lock My Site is a feature that can be turned on at any time for any site at Rocket.net. In fact, it’s running as we speak on our very own website, Rocket.net.
When Lock My Site is enabled, absolutely no files can be changed in your WordPress website folder. To take it a step further, your WordPress MySQL database user is also stripped down to the SELECT privilege only.
What does this mean?
To simplify it, your site is in read-only mode. No changes can be made to your site, so neither a plugin nor a hacker can change anything on it whatsoever. The result? Peace of mind, and the time you need to find a long-term solution that fits your needs.
While Lock My Site is intended for emergency use only, you can also use it to keep your site permanently in read-only mode, as we do for Rocket.net, if you’re not running a dynamic website. This means you can sleep better at night, knowing that the sites that might not get as much attention or might be using older themes (small brochure-type sites, for example) are locked down and secure.
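The database half of that read-only mode, as an added example that is not Rocket.net’s own tooling: the schema name wp_db and the account 'wp_user'@'localhost' are constructed, and the statements use standard MySQL/MariaDB GRANT syntax run from an administrative account.

```sql
-- Added example (constructed names, not Rocket.net's implementation):
-- locking a WordPress database user down to SELECT only, and restoring it.
-- Run as an administrative account; schema wp_db and 'wp_user'@'localhost' are assumed.

-- Normal operating state: the privileges a WordPress site needs day to day.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
      CREATE TEMPORARY TABLES, LOCK TABLES
  ON wp_db.* TO 'wp_user'@'localhost';

-- LOCK: revoke everything first so no leftover grant (global, schema or
-- table level) survives, then hand back SELECT alone.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'wp_user'@'localhost';
GRANT SELECT ON wp_db.* TO 'wp_user'@'localhost';

-- Check: the only line for wp_db.* should now read "GRANT SELECT ON `wp_db`.*".
SHOW GRANTS FOR 'wp_user'@'localhost';

-- Smoke test, run as wp_user: any write must now fail with
-- ERROR 1142 (42000): UPDATE command denied to user 'wp_user'@'localhost'
-- UPDATE wp_db.wp_options SET option_value = 'x' WHERE option_name = 'blogname';

-- Schema-level privilege changes are applied when a client next selects the
-- database, which WordPress does on every new (non-persistent) PHP connection,
-- so the lock takes effect on the next page request without a server restart.

-- UNLOCK: restore the normal operating grants for maintenance, then lock again.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
      CREATE TEMPORARY TABLES, LOCK TABLES
  ON wp_db.* TO 'wp_user'@'localhost';
```

Expect PHP warnings or WordPress database errors in the logs while locked, since cron, transients and option updates all attempt writes; that is the visible side of the mode, not a malfunction of the lock.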
Will Lock My Site break the functionality of your site?
The easiest way to think about this is to consider what you’d need to do if you were using purely static hosting. When using static hosting for WordPress, you have to leverage third party systems for comments, contact forms, etc.
In our case, Rocket.net uses contact forms that do not store submissions in the database, so we don’t write anything to disk or database when visitors interact with our website.
Here are some examples of things that could break with Lock My Site mode enabled:
- LMS systems
- Contact forms that require writing to the database or filesystem
- Backup plugins
- Any function that requires writing to disk or the database
  - This includes logging into wp-admin
This may seem super scary at first, but in reality it is not scary at all. Lock My Site enforces maximum protection for your website all while continuing to deliver your website, completely protecting it from even the nastiest exploits and break-ins.
For example, imagine that there is a critical exploit taking WooCommerce sites offline all around the world, but there is no patch yet. While you will not be able to take new orders for a bit, you can safely turn Lock My Site on to protect your data until a solution is found.
That’s right, your website will load without any issue whatsoever; visitors just may not be able to fully interact with it. This is definitely not ideal, but neither is having a defaced website or malware redirecting your website to bad URLs, both of which are common on compromised WordPress sites.
Did you know most agencies don’t change plugins once a site build is completed?
When an agency builds a new site, how often do they do plugin audits, and identify and replace old plugins that are no longer updated? As it turns out, almost never!
Yes, they most certainly do plugin updates, but once a project is completed for a typical SMB website, it is usually not edited very often. Rocket.net’s Lock My Site brings a lot of peace of mind, knowing the site is safe and secure even though it’s mostly untouched.
Does that mean that the site can no longer be edited or maintained?
Not at all! When you’re ready to make some changes to your site, simply turn Lock My Site off, and you can immediately start working on your site, then re-enable Lock My Site when you’re done. It’s that easy.
How to manage Lock My Site
Lock My Site is fully available in our API today and can be enabled or disabled at any time. You can also contact our support team for assistance; they’ll be glad to enable or disable it for you.
In just a few days, you’ll have the ability to enable/disable Lock My Site directly from the Rocket.net portal.
How much does Lock My Site cost?
Lock My Site is immediately available to all Rocket.net customers at no additional cost.