In this article, you will learn:
- How WEDOS Protection secures WordPress
- How to set up Protection via WordPress plugin
- Troubleshooting common issues
- Frequently asked questions
WordPress Security
The WordPress content management system is very popular, as are various kinds of attacks against webs that run it. Even if these attacks fail to breach the web or admin interface, they significatnly increase server load and slow your website down. That’s why WEDOS Protection aims to stop this unwanted traffic before it even reaches the web server.
WEDOS Global Protection uses the following methods to protect WordPress websites:
- Blocking requests accessing the following files:
xmlrpc.php, unless the request comes from WordPresswp-config.php.htaccesswpad.dat- PHP in the
wp-content/uploadsfolder - PHP in the
wp-includesfolder wp-admin/admin-ajax.php,unless the request comes from WordPress or Google
- Using captcha:
- for
wp-login.php(admin, wp-admin) - for requests from IPs with bad reputation scores (according to UDGER ⧉)
- for
The system also monitors traffic from various IP addresses. If an address makes too many requests over a time period, the system temporarily denies it further access.
All static content (return codes 200, 301, 302) also remains cached for 10 minutes by default.
WordPress Plugin
You can now download and install the WEDOS Protection WordPress plugin ⧉ directly. This has the following advantages:
- Free Start plan and extended Advanced trial (see WEDOS Protection pricelist ⧉)
- Management via WordPress admin panel instead of WEDOS Global admin panel ⧉ (the latter is still available).
Installation Guide
You can install the WEDOS Protection plugin as any other WordPress plugin. The easiest way is via the WordPress admin panel:
- Log into your WordPress administration panel.
- In the left menu, select Plugins Add New Plugin.
- Search for the WEDOS Global keywords.
- On the WEDOS Global (CDN Cache & Security) card, click the Install button, followed by the Activate button.
Once the plugin is active, you can immediately activate the Local WordPress cache. This cache runs on the same server as the web hosting, and doesn’t utilize the protection and CDN features yet.
Plugin Activation
To unlock WEDOS Protection features, you will need a (free) WEDOS customer account, which you can create during setup.
Activate the plugin by following these steps:
- Log into your WordPress administration panel.
- In the left menu, select WEDOS Global.
- Click one of the Activate buttons.
- On the following page, click the Register or Login button.
The last step will open a new window at login.wedos.com. Create a new customer account (if you don’t have one yet) or log in. Once the registration/login is complete, the remote application authorization page will appear. On this page:
- Confirm the domain location and click the Authorize button.
- Enter the verification code sent to your WordPress admin email.
Once you successfully authorize WordPress to access your WEDOS account, proceed with adding the domain or subdomain to the system. This process includes:
- Domain verification: Under some circumstances, the plugin will instruct you on how to verify ownership using DNS.
- Generating a TLS certificate for encrypted data transfer: This process is fully automatic and should take less than 30 minutes.
- DNS Setup: If you’re using WEDOS DNS, you may automate the process. Otherwise, update DNS with your provider as instructed by the plugin. For more information on DNS setup, read the Protection – Third-party DNS Provider article.
- Setting targets IP in the Protection service: This process is fully automatic, but a check is strongly advised. To learn more, read the Protection – DNS and target IPs article.
If you’re using WEDOS DNS, the plugin may request your consent to set DNS records. Click on the link Use this link to give consent with automatic DNS setting of your domain domain.tld, or set the corresponding DNS records manually according to the instructions DNS – Domain Records ⧉.
Once the system detects the correct settings, it will complete the domain addition process.
Troubleshooting
Common issues with the WEDOS Protection WordPress plugin include:
- Cannot set DNS automatically
- Don’t know which DNS to set where
- Activation process is stuck
- Remote app authorization ends in error
Missing Automatic DNS Link
Issue: The DNS setting screen doesn’t have the link Use this link to give consent with automatic DNS setting of your domain domain.tld.
Cause: Consent has previously been granted, but the DNS or domain settings in WEDOS Global have changed (including removing the domain from the system).
Solution: Set up the necessary DNS records manually or direct them to the WEDOS Global service according to this guide ⧉.
DNS Settings
Issue: There is too much information on the DNS settings page, I have no idea what to do with it.
Cause: The WEDOS Global system adds one extra node to the regular DNS scheme – a proxy server. You direct the domain to it instead of a web server, and only this server knows where (on which target IP address) to find the actual web server.
You can find more detailed information about how DNS works within the WEDOS Global system in the article Protection – DNS and Target IPs.
Solution: In the DNS setting step, enable automatic setting by the Global service, or direct it automatically according to this guide ⧉.
If you are setting DNS manually, make sure that you have DNS records set for the domain from the table to direct the domain to our proxy servers:
The other table containing the domain’s DNS records from before the WEDOS Global service was set up represents the data detected by the domain’s DNS scan. The system sets the IP addresses found in the records of the main domain and unspecified subdomains (*.domain.tld) as target IP addresses.
In this table, check whether the data is correct. If you find an error, correct it as soon as possible after completing the domain activation according to the article Protection – DNS and Target IPs.
Stuck Activation Process
Issue: The automatic setup part (certificate generation, domain verification, etc.) takes a suspiciously long time (more than a few minutes).
Cause: Mostly it is a non-specific error of the system or part of it.
Solution: Contact support ⧉. Include the domain name and a description of the error, or attach a screenshot ⧉.
Remote App Authorization Error
Issue: There is an error after logging into WEDOS: Failed to start verification of your WordPress site. Return to WordPress admin panel and authorize again.
Cause: The error may be caused by problematic code in the WordPress .htaccess file, or the unavailability of the WordPress REST API.
Solution: If the error persists even after another attempt to register the plugin, connect to FTP ⧉ (via WebFTP ⧉ for example), go to the folder containing WordPress files (index.php, wp-config.php and others) and open (edit) the .htaccess file. Find all occurrences of the code: RewriteRule .* – [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
and add the # character to the beginning of the line. This will disable the problematic code without deleting it.
If disabling the code doesn’t solve the issue, delete the # characters again (some configurations require these settings) and contact support ⧉.
FAQ
How do I get rid of the captcha blocking me from WP administration?
Captcha protects against unwanted traffic accessing the uncached wordpress administration interface. There can be hundreds such requests in one second, and this load significantly affects your website’s performance. You only need to complete the captcha challenge once per 24 hours. This is why we don’t allow removing the captcha check for WP administration.
Can I use the plugin for an account with a different email address than the one I use to log into the WEDOS customer administration?
Yes, use your WEDOS administration login email to log in. The verification code will still be sent to the WordPress administrator’s email, though.