Should you exclude visitors from your website?
Since the beginning of 2015 it has been possible to subscribe to my newsletter and unfortunately there has not yet been a single issue.
One reason for the long delay is that since mid-2015 I have been working at full capacity on customer contracts and have had to prioritize my time strictly so that the development of my own products does not fall short. At the time, the newsletter system was not finished: there was only a way to register, but no function to send newsletters. Third-party systems were out of the question because I don't want to hand personal data such as e-mail addresses to third parties.
In the last ten months I have focused primarily on the development of my own products and have finally found the time to build the missing functions and a layout for the newsletter, so now I can finally start.
Structure of the newsletter
The newsletter always opens with an article on a topic from the area of websites and web applications. Every now and then there will also be excursions into the field of IT security.
The article is followed by a short review of, and outlook on, the development of my own products, such as the Link-Checker, the Sitemap-Generator and the digital business card.
At the very end there is a small collection of links to articles and blog posts worth reading, as well as important news from the field of IT security.
Block visitors from your website
We start with an article on whether you should exclude visitors from your website when they try, for example, to access the backend login URL.
I came across the German article Hide WP-Admin: Popular, complex and not very effective in an ad on Twitter. In response to the article, a commenter suggested securing the website by simply changing the backend login URL with a plugin and completely blocking every visitor who requests the default backend login URL from the website, for example with fail2ban.
I consider this suggestion to be wrong on the one hand, and on the other hand such a measure also locks out legitimate visitors. Tools like fail2ban should be used very carefully in my opinion, because they have some disadvantages and risks:
- Attackers often use large botnets, so every login attempt comes from a different IP address. Per-IP blocking then does little good and only slightly increases the attacker's effort, because no single address ever reaches the retry limit.
- The IP addresses used by botnets often belong to private individuals or companies, and the same addresses can show up as legitimate visitors later. With a permanent ban (fail2ban's bantime set to -1, or a very long bantime) they stay blocked; fail2ban's default bantime is only ten minutes, so a lasting lockout is a configuration choice rather than the default.
- Many IP addresses are assigned dynamically, and you never know who will get an address after the attacker. Here too, legitimate visitors may be locked out.
- In addition, every additional plugin adds attack surface, especially one that hooks into a sensitive process such as the login.
Webmasters, web designers and web developers in particular may also know the situation where you look at a website, suspect at first glance that Joomla or WordPress is being used, and want to check this assumption by briefly calling up the backend login URL. If fail2ban is configured restrictively (for example with maxretry = 1 and a filter that matches every request to the login URL, not just failed logins), that single check can already lead to a complete lockout.
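The effects described in the list above and in the developer-check scenario can be reproduced offline. The following is an added example, not code from the article or from fail2ban itself: it re-implements the three jail settings that matter here (maxretry, findtime, bantime, with the same meaning as the keys in fail2ban's jail.local) in pure Python and replays constructed log lines through them. The log format, the IP addresses (taken from the documentation ranges) and the timings are all constructed for the example; real fail2ban filters match the server's actual log format and failure signature.

```python
"""fail2ban-style per-IP banning, simulated over constructed log lines.

Added example, not code from the article or from fail2ban itself: it
re-implements the three jail parameters that matter for the argument
(maxretry, findtime, bantime) in pure Python so the effects described
above can be checked offline. Log format, addresses and timings are all
constructed; timestamps are plain epoch seconds to keep parsing short.
"""
import re
from collections import defaultdict, deque

# Constructed log format: "<ip> <epoch_seconds> <METHOD> <path>".
# A normal filter counts only failed POSTs to the login form ...
FAILED_LOGIN = re.compile(r"^(?P<ip>[\d.]+) (?P<ts>\d+) POST /wp-login\.php")
# ... whereas the "block everyone who touches the default login URL" idea
# from the Twitter comment counts any request to it, GET included.
ANY_LOGIN_HIT = re.compile(r"^(?P<ip>[\d.]+) (?P<ts>\d+) (?:GET|POST) /wp-login\.php")


def is_blocked(bans, ip, at):
    """True if `ip` is under a ban at epoch second `at` (end None = permanent)."""
    return any(start <= at and (end is None or at < end)
               for start, end in bans.get(ip, []))


def simulate_jail(lines, pattern, maxretry=5, findtime=600, bantime=600):
    """Replay log lines through a jail with jail.local semantics.

    `maxretry` matches within `findtime` seconds ban the source address for
    `bantime` seconds; bantime = -1 means the ban never expires.
    Returns {ip: [(ban_start, ban_end_or_None), ...]}.
    """
    window = defaultdict(deque)   # ip -> timestamps of recent matches
    bans = defaultdict(list)
    for line in lines:
        m = pattern.match(line)
        if not m:
            continue
        ip, ts = m["ip"], int(m["ts"])
        if is_blocked(bans, ip, ts):
            continue              # firewall drops the packet: no new log line
        hits = window[ip]
        hits.append(ts)
        while ts - hits[0] > findtime:   # slide the window
            hits.popleft()
        if len(hits) >= maxretry:
            bans[ip].append((ts, None if bantime < 0 else ts + bantime))
            hits.clear()
    return dict(bans)


def brute_force(ip, n, start=0):
    """n failed logins, one per second, from a single (constructed) address."""
    return [f"{ip} {start + i} POST /wp-login.php" for i in range(n)]


def botnet(n, start=0):
    """n failed logins, each from a different address in 198.51.100.0/24."""
    assert n <= 254
    return [f"198.51.100.{i + 1} {start + i} POST /wp-login.php" for i in range(n)]


def run_scenarios():
    """The situations from the article, with the jail settings that produce them."""
    out = {}
    # 1. one attacker hammering the form: per-IP counting works ...
    bans = simulate_jail(brute_force("203.0.113.10", 10), FAILED_LOGIN)
    out["single_ip_banned"] = is_blocked(bans, "203.0.113.10", at=100)
    # ... and with a ten-minute bantime the block expires again
    out["single_ip_expired"] = is_blocked(bans, "203.0.113.10", at=700)
    # 2. the same ten failures with bantime = -1 stay blocked for good
    bans = simulate_jail(brute_force("203.0.113.10", 10), FAILED_LOGIN, bantime=-1)
    out["single_ip_permanent"] = is_blocked(bans, "203.0.113.10", at=10**9)
    # 3. a botnet spreading 200 failures over 200 addresses never reaches maxretry
    out["botnet_bans"] = len(simulate_jail(botnet(200), FAILED_LOGIN))
    # 4. a developer loading wp-login.php once to see whether the site runs WordPress
    peek = ["192.0.2.7 50 GET /wp-login.php"]
    out["peek_normal_filter"] = bool(simulate_jail(peek, FAILED_LOGIN))
    out["peek_restrictive"] = is_blocked(
        simulate_jail(peek, ANY_LOGIN_HIT, maxretry=1, bantime=-1), "192.0.2.7", at=10**9)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 3 is the core of the argument: 200 failures that would ban a single source five times over produce no ban at all when they arrive from 200 addresses, so the attacker's cost only rises by the effort of rotating sources. Scenario 4 shows the opposite failure: with a filter that matches every request to the login URL and maxretry = 1 plus bantime = -1, one harmless GET by a developer is a permanent lockout of that address, whoever gets it next.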
Personally, I don't think much of blocking visitors because of the risks involved, and I have also never experienced a wave of attacks so massive that, for example, the performance of the website was affected. It is much more sustainable:
- to always keep the content management system (CMS) up to date,
- to change the default username of the admin account if it is still the default,
- to choose a secure password, and
- to secure the login with two-factor authentication.
The review is more detailed in this first newsletter, as a lot has happened in the last four years. For a long time my main products were the sitemap generator and the link checker. Both products are available as an online tool, a WordPress plugin and a Joomla extension. They are quite successful and together are used about 10'000 times per month.
At the end of 2018 and beginning of 2019 I developed the web application myFOTOSHOOT for photographers. It allows the creation of customer galleries and the collection of feedback and photo selections from customers. Unfortunately, the start was not very successful, because I underestimated the market size and the majority of photographers only do photography as a side job. I still have some good ideas for pivoting the product, but its further development currently has no priority.
In the middle of 2019 I started with the development of the digital business card (German only) and published a first version in the middle of July. The start is promising so far and new users register daily.
In the next one or two weeks I will take care of the further development of the Sitemap Generator. For now, the following three functions are planned:
- Support for sitemaps with more than 50'000 URLs (the per-file limit of the sitemap protocol) by splitting the sitemap into several smaller sitemaps listed in a sitemap index.
- Hosting sitemaps directly on my server.
- Processing the Last-Modified headers and including the information in the sitemap.
After that I will either invest time in the further development of the digital business card or extend my website tools and make them publicly available.
I already use the website tools internally for monitoring websites for updates and for the daily, automated creation of backups. In addition, I would like to integrate the Link Checker and Sitemap Generator, as well as develop other tools that I need for technical search engine optimization.