Managing cookies in Firefox

Firefox, by default, allows cookies to be set by all websites. We advise installing the “Cookie AutoDelete” extension so that you can control which websites can save their cookies on your system. You only really need to allow cookies from sites that you want to interact with, such as sites you need to log in to for shopping, banking or webmail.

Installing Cookie AutoDelete
  • Open Firefox.
  • Tools > Add-ons. Then choose Extensions from the left-hand side.
  • In the Search box at the top right of the page, type “cookie autodelete”.
  • Find “Cookie AutoDelete” (by the CAD Team) and click it. Then click “Add to Firefox”.
  • You need to allow the permissions it asks for; click the Install button when it’s ready.
  • It will open an info page/tab in the browser (which you can close or ignore).
How to use Cookie AutoDelete

Once this extension is installed, a button is added to the top right of your browser to allow easy control over cookies.

Click it to open a drop-down panel of the controls.

All you have to do here is click the red button on the left which says “Auto-clean disabled”. When you click it, it will turn green and say “Auto-clean enabled”. You can now close the box (for the moment!) by clicking the top-right button (which will now be red, indicating that cookies are not being stored for the page you’re on).

TO SET YOUR COOKIE OPTIONS ACCORDING TO THE WEBSITE

For each website you visit, cookies will now automatically be off (red cookie button), so no action is needed until you want to whitelist or greylist a website:

  • In that case, click the cookie button in the top right of your browser. From the drop-down, click the appropriate whitelist/greylist button. The button will change colour according to your choice, allowing you to see at a glance your chosen cookie setting for that site.

RED – means that cookies have not been allowed

BLUE – means that you’ve whitelisted the site

YELLOW – means you’ve greylisted the site. This allows the site to be used for a session, but the cookies will be cleared when you close the tab/page.

It’s also very easy to remove the whitelisted/greylisted sites from the same place so don’t worry if you change your mind about a website!

Securing WordPress website from brute force attacks

Part 1 – Protect your wp-login.php file and wp-admin area, following this simple set of instructions:

Three basic steps:

1. Create a hidden password file.
2. Generate a login and password and add it to the hidden password file.
3. Modify your site’s .htaccess file to require your hidden password when logging into WordPress.


Step 1 – Create a hidden password file

Using cPanel File Manager or FTP, log in to your hosting account and, in the root of your site, create a file called .htpasswd. (Make sure that you put a period at the beginning of the filename, so that it’s hidden by default.)


Step 2 – Generate a login and password and add it to the hidden password file

  1. Go to https://www.htaccesstools.com/htpasswd-generator/
  2. Enter a username and password that you’ll use to protect the WordPress login.
  3. Click “Create .htpasswd file” to hash your password.
  4. htaccesstools.com will return a string of text that looks something like this: wandreata:$prt2$vqg/gY..$Yold9aipE63lrcSpr1CDf0
  5. Open the .htpasswd file that you created in Step 1 above and paste in the .htpasswd entry you just created.

Step 3 – Modify your site’s .htaccess file to require your hidden password when logging into WordPress

Using cPanel File Manager or FTP, log in to your hosting account and open the .htaccess file in your public_html folder, then add the following to the top of the file:

# Protect wp-login
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized User Only"
AuthType Basic
AuthUserFile /home/yourserverdirectoryname/.htpasswd
require valid-user
</FilesMatch>

(Change yourserverdirectoryname to match your server’s root directory name; you should see it in cPanel in the top-left section when you’re in your root directory. Alternatively, check with your web host.)

There’s some useful help with cPanel on this website: https://www.hostinger.com/tutorials/htaccess/how-to-locate-htaccess-file-on-cpanel-file-manager


Check attack logs (optional)

  • Add the WordPress plugin “WPS Limit Login”.
  • In its configuration, set up “Email to admin after 1 lockout”.
  • Whitelist your own IP address (get it from whatismyipaddress.org).
  • Add blacklist IP addresses from any previous attacks.

The log on this plugin is a quick way to check for attacks. Apart from displaying the IP addresses used, it also shows whether an attack used the WordPress login page or an xmlrpc POST script when attempting to break into the website.
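The plugin’s log shows which of the two entry points an attack hit. The same check can be run over the server’s raw access log, which cPanel hosts keep whether or not any plugin is installed. The script below is an added example, not part of this guide or of the WPS Limit Login plugin: it parses Apache combined-format access log lines (constructed sample lines are embedded so it runs offline), counts POST requests per IP to wp-login.php and xmlrpc.php inside a sliding time window, skips an allowlist (your own address, as with the plugin’s whitelist), and reports IPs that reach a threshold. The threshold, window length and the access_log file name are assumptions, not values from the page.

```python
"""Added example: spot brute-force bursts against wp-login.php and xmlrpc.php
in an Apache combined-format access log (the raw data behind the plugin's log)."""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/NCSA "combined" format:
#   ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The two WordPress entry points a password-guessing tool posts to.
TARGETS = {"/wp-login.php": "login page", "/xmlrpc.php": "xmlrpc"}

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:02:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:02:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:02:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:02:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.1 - - [10/Oct/2023:14:05:00 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.0.2.1 - - [10/Oct/2023:14:05:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not a log entry
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "time": when,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=5, window_minutes=10, allowlist=()):
    """Map offending IP -> {vector: peak POST count inside any window}.

    Only POSTs to the two targets count. IPs in `allowlist` are ignored.
    An IP is reported for a vector when some window of `window_minutes`
    holds at least `threshold` POSTs (threshold and window are assumed defaults).
    """
    window = timedelta(minutes=window_minutes)
    posts = defaultdict(list)  # (ip, vector) -> list of timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in TARGETS:
            continue
        if rec["ip"] in allowlist:
            continue
        posts[(rec["ip"], TARGETS[rec["path"]])].append(rec["time"])

    hits = defaultdict(dict)
    for (ip, vector), times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip][vector] = peak
    return dict(hits)


if __name__ == "__main__":
    # Usage: python3 wp_bruteforce.py /path/to/access_log (file name is hypothetical);
    # with no argument the constructed sample is scanned.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, vectors in find_bruteforce(source).items():
        for vector, count in vectors.items():
            print(f"{ip}: {count} POSTs to {vector} within 10 minutes")
```

On the sample, 203.0.113.7 is reported for six POSTs to the login page and 198.51.100.23 for five POSTs to xmlrpc; its sixth POST half an hour earlier falls outside the ten-minute window, and 192.0.2.1, whose single POST returned a 302 (a successful login), is not reported. The reported addresses are candidates for the plugin’s blacklist.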


Part 2 – Disable your xmlrpc.php file

Using cPanel File Manager or FTP, log in to your hosting account and open the .htaccess file in your public_html folder, then add the following:

# BEGIN Disable XML-RPC.PHP
<Files xmlrpc.php>
# Apache 2.2 syntax (works on 2.4 only when mod_access_compat is loaded);
# on Apache 2.4 without it, replace the next two lines with: Require all denied
Order Deny,Allow
Deny from all
</Files>
# END Disable XML-RPC.PHP

(See https://www.youtube.com/watch/?v=WiIaz-Ik3tE for more info and background.)