BBQ

How does the security compare?
1. No addon to a website can offer bullet proof security, website addons/plugins are a layer in the chain of security. What addons/plugins do allow for is *specific* protections which are custom designed to the application platform, in this case WordPress. What addons cannot do is protect a website from being exploited where the server itself has been compromised and the attacker is acting as web server administration level.

2. No addon can completely protect a website from really bad coding errors made by other plugin/addon developers. Those level of errors have been able to circumvent all WP security plugins.

That said, the attack pattern detection in Pareto Security is up there with the best there is. Pareto Security not only detects and blocks known bad requests which almost all other security plugins also do, including BBQ, but also Pareto Security is designed to detect many unknown or yet to be used attack types which may become an attack vector in the future.

The principal method of Pareto Security is install and forget. No need to do any complicated configurations, but also the full function of the plugin is unlocked and installed by default, with only some of the more experimental features set in advanced modes.

Pareto Security also does flood control that protects your search fields, registration and login, xml fields from being hammered by password cracking attempts or denial of service attacks on the input scripts.

Pareto Security also attempts ban an attackers IP address using htaccess, therefore preventing, slowing or inhibiting repeat requests consuming resources, but even if htaccess is not allowed on a website, the request is always at the very least soft blocked preventing the page execution the way that BBQ blocks requests.

Finally, as always, feel free to try other plugins and let me know how I can improve this addon, but Pareto Security will always be free.

Let user add own variable to block any file request

Can you give me an example of a file request that is not blocked by this plugin?

wp-*
*
Login
Cron
Sign-up

Possible to disallow direct request to all PHP files but work fine ?

One of the reasons this vector has not been added into Pareto Security, but may be in other security plugins, is that there are legitimate calls to some of the wp-* files that should be allowed by guests, authors, editors and administrators, secondly, accessing them in of itself is not malicious. However if an attacker intends to exploit a flaw in that files coding then this plugin does about as well as the best of them in banning that request.

The drawback with allowing users to add their own black list items is just this, it often leads to lots of false positive blocks, which is fine if all the script is doing is exiting page execution, but PS bans IP addresses, so has to be a lot more accurate in banning requests, which it does well.

Sometimes plugin from other will expose security flaw which manual could help temporary

Mostly people are using htaccess for temporary redirect or block if needed

Most of the ones I have observed in the past were either well protected by the methods deployed in this plugin already, or were of the genre that a plugin could not honestly protect you from (i.e they were just *that* bad). But I do understand where you are coming from.

The problem I have with the custom entry system is that while there are a few users out there that a) understand what Pareto Security actually achieves, and b) know of more advanced pattern blocking not already achieved by this plugin, the rest don’t and the end result is inevitably lots of false positive blocks, to worst case scenarios, breaking their site.

And again, the main point of separation in doctrine with Pareto Security is the basic, install and forget, and at the same time, high accuracy in detecting and banning.