A comprehensive security addon for Statamic that provides Web Application Firewall (WAF), brute force protection, country blocking, vulnerability scanning, and audit logging capabilities.
- **Web Application Firewall (WAF)**
  - Protection against SQL injection
  - XSS attack prevention
  - Path traversal protection
  - Command injection protection
  - Customizable rules and whitelist
- **Brute Force Protection**
  - Configurable attempt limits
  - Automatic IP blocking
  - Customizable lockout duration
  - Attempt tracking and logging
- **Country Blocking**
  - Block access by country
  - GeoIP-based detection using MaxMind's GeoLite2 database
  - Automatic database updates
  - Whitelist support
  - Easy country code management
- **Vulnerability Scanner**
  - Package vulnerability detection
  - Regular automated scanning
  - Severity-based reporting
  - Detailed vulnerability information
- **Audit Logging**
  - User activity tracking
  - Login/logout monitoring
  - IP address tracking
  - Configurable retention period
- Install the addon via Composer:

  ```bash
  composer require siterig/fortress
  ```

- Publish the configuration:

  ```bash
  php artisan vendor:publish --tag=fortress-config
  ```

- Run the migrations:

  ```bash
  php artisan migrate
  ```

- Add the following to the `channels` array in your `config/logging.php`:

  ```php
  'fortress' => [
      'driver' => 'daily',
      'path' => storage_path('logs/fortress.log'),
      'level' => 'debug',
      'days' => 30,
  ],
  ```

- Set up GeoIP (required for Country Blocking):
  - Create a free MaxMind account at https://www.maxmind.com/en/geolite2/signup
  - Get your license key from your MaxMind account
  - Add the license key to your `.env` file:

    ```
    MAXMIND_LICENSE_KEY=your_license_key_here
    ```

  - Download the initial database:

    ```bash
    php artisan fortress:update-geoip
    ```
The addon can be configured through the `config/fortress.php` file. Here are the main configuration options:

```php
'waf' => [
    'enabled' => true,
    'whitelist' => [
        // Add IP addresses to whitelist
    ],
],

'brute_force' => [
    'enabled' => true,
    'max_attempts' => 5,
    'decay_minutes' => 30,
    'lockout_minutes' => 60,
],

'country_blocking' => [
    'enabled' => false,
    'blocked_countries' => [
        // Add country codes to block (e.g., 'RU', 'CN')
    ],
],

'geoip' => [
    'license_key' => env('MAXMIND_LICENSE_KEY'),
    'database_path' => storage_path('app/geoip/GeoLite2-Country.mmdb'),
    'update_frequency' => 'weekly',
],
```

The addon provides three dashboard widgets:
- **Security Overview**
  - Vulnerability statistics
  - Blocked attempts counter
  - Active threats monitor
  - Last scan timestamp
- **Recent Security Incidents**
  - Latest attack attempts
  - Blocked IP addresses
  - Attack type and details
  - Timestamp information
- **Package Vulnerabilities**
  - Current vulnerabilities
  - Severity levels
  - Package information
  - Update recommendations
Add the following middleware to your routes:

```php
Route::middleware(['fortress.waf', 'fortress.brute-force', 'fortress.country-block'])->group(function () {
    // Your protected routes
});
```

The addon automatically logs security events. You can access the logs through:

```php
Log::channel('fortress')->info('Your message');
```

The GeoLite2 database is updated weekly by MaxMind. You can update it manually using:

```bash
php artisan fortress:update-geoip
```

For automatic updates, add this to your scheduler in `app/Console/Kernel.php`:

```php
protected function schedule(Schedule $schedule)
{
    $schedule->command('fortress:update-geoip')->weekly();
}
```

- All security features are enabled by default
- IP whitelisting is available for trusted sources
- Regular vulnerability scanning helps maintain security
- Comprehensive audit logging for security monitoring
- GeoIP database is kept up to date for accurate country blocking
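Pulling the configuration options above into a complete `config/fortress.php` that takes its values from `.env`, as an added example rather than the addon's shipped config file: the keys are the ones documented above, while the `FORTRESS_*` environment variable names and the validation of whitelist entries and country codes are this example's own assumptions.

```php
<?php
// config/fortress.php (example variant; the FORTRESS_* variable names are assumed,
// not part of the addon). Only the documented keys are set here.

// Split a comma-separated .env value into trimmed, non-empty entries.
$csv = static function (string $key): array {
    return array_values(array_filter(array_map('trim', explode(',', (string) env($key, '')))));
};

// Keep only syntactically valid IPv4/IPv6 addresses so a typo in .env
// cannot put an unintended entry on the WAF whitelist.
$whitelist = array_values(array_filter(
    $csv('FORTRESS_WAF_WHITELIST'),
    static fn (string $ip): bool => filter_var($ip, FILTER_VALIDATE_IP) !== false
));

// Normalise country codes to upper-case ISO 3166-1 alpha-2 and drop anything else,
// e.g. "ru, cn" becomes ['RU', 'CN'] while "russia" is discarded.
$blockedCountries = array_values(array_filter(
    array_map('strtoupper', $csv('FORTRESS_BLOCKED_COUNTRIES')),
    static fn (string $code): bool => preg_match('/^[A-Z]{2}$/', $code) === 1
));

return [
    'waf' => [
        'enabled' => (bool) env('FORTRESS_WAF_ENABLED', true),
        'whitelist' => $whitelist,
    ],
    'brute_force' => [
        'enabled' => (bool) env('FORTRESS_BRUTE_FORCE_ENABLED', true),
        'max_attempts' => (int) env('FORTRESS_MAX_ATTEMPTS', 5),
        'decay_minutes' => (int) env('FORTRESS_DECAY_MINUTES', 30),
        'lockout_minutes' => (int) env('FORTRESS_LOCKOUT_MINUTES', 60),
    ],
    'country_blocking' => [
        'enabled' => (bool) env('FORTRESS_COUNTRY_BLOCKING_ENABLED', false),
        'blocked_countries' => $blockedCountries,
    ],
    'geoip' => [
        'license_key' => env('MAXMIND_LICENSE_KEY'),
        'database_path' => storage_path('app/geoip/GeoLite2-Country.mmdb'),
        'update_frequency' => 'weekly',
    ],
];
```

Because the filtering runs when the config file is evaluated, it also applies when the configuration is cached with `php artisan config:cache`.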
For support, please open an issue on the GitHub repository or contact the maintainers.
This addon is open-sourced software licensed under the MIT license.
The GeoLite2 database is provided by MaxMind under a Creative Commons Attribution-ShareAlike 4.0 International License. You can find the license details at: https://creativecommons.org/licenses/by-sa/4.0/