Introducing Wordfence 7

Wordfence is the most popular WordPress security software in the world for good reason. The protection offered by the endpoint firewall outperforms alternatives. The scanner delivers the best detection in the industry. A long list of other features like country blocking, two-factor authentication and password auditing make Wordfence the best and most comprehensive security solution available for WordPress.

From the beginning, our development efforts have always focused on function over form. Having rapidly innovated for so many years, the resulting software does an extraordinary job of protecting WordPress websites, but it is also quite complex. Last summer we decided it was time to make a major investment in the user experience, making Wordfence not only the best security software available, but also intuitive and incredibly easy to use.

For the last 6 months we have been hard at work rebuilding the Wordfence user interface from the ground up. Today’s release of Wordfence 7 revolutionizes WordPress security by making a deep and complex product easier and more intuitive to use. We think Wordfence 7 is amazing, and we know you will, too.


Overview of Changes in Wordfence 7

Our goal with Wordfence 7 was simple: make Wordfence intuitive and easy to use for all users.

It needed to be easy for the novice to understand and configure without taking away any functionality from more advanced users.

To achieve that, we made the following high-level changes:

  • Updated our design framework to use modern interface standards
  • Focused more on the core Wordfence security features, like firewall and scan, and less on everything else
  • Eliminated the ‘Options’ page and added options sections for each feature
  • Added feature status indicators for core features
  • Added a help page with links to documentation and support options

Design Framework

Based on current UI/UX patterns and trends, we’ve built a framework using standard interface and experience approaches. The dashboard and feature pages provide configuration status, alerts and reporting. Detailed configuration screens are easily accessible with relevant links throughout the experience. Status summaries are interactive, guiding the user directly to the security hardening opportunities and giving you real-time information on the impact of any changes you make. The resulting software is more discoverable, approachable and user-friendly.

Feature Status Circles

One of our objectives with Wordfence 7 is to provide security hardening opportunities to users in a simple, intuitive way. With that in mind, we are introducing status circles. They provide a clear status summary for each feature. By hovering over the status circle, you will trigger a popover detailing the list of things you can do to improve the percentage shown. All popovers include a link to detailed documentation.

We also include status circles on the scan and firewall options pages, giving you immediate feedback as you improve your security posture.

Here’s an example of the status circles on the new scan page in action:

Simplified Dashboard

The new version of the dashboard is similar to the one we added in Wordfence 6, but is now less busy and even more useful. We added feature status sections for the firewall, scan and Wordfence Premium. You’ll still find notifications here, primarily based on scan results. Global options for the plugin are now accessible via the link on this page (more on our options page approach later).

Finally, we removed most of the charts from this page, leaving just a high-level Firewall Summary and a chart of attacks across the Wordfence network.

Simplified Navigation

We reduced the number of navigation options from 8 to 6. The two most important features, firewall and scan, are still available in the main navigation. Blocking is now accessible in the Firewall section and Live Traffic has been moved to Tools. Links for both features can be added back to the main navigation via their respective options, for those of you who prefer it.

The Options page has been removed completely in favor of a new approach.

New Options Sections

Prior to Wordfence 7, the majority of the Wordfence configuration options were on a single page. While there are some advantages to that approach, we found that it caused a majority of our users to never discover many useful features and options.

With Wordfence 7, you will now find an options link on all major feature pages. Global options are now accessible via a link on the Dashboard page. All options links can be found next to a gray gear icon.

Help Page

We know that security is a complex topic, and that configuring Wordfence can be challenging for less technical users, especially with some of the more exotic hosting configurations we sometimes come across. In an effort to make it easier to find the documentation or support you need, we added a Help page to the plugin. It includes links to our documentation organized by feature, along with links to our most popular help articles. Links to our free and Premium support options are also available, and you will find links to the new help section throughout the plugin.

Alongside this project, we also completely revamped our documentation for the product. Our old documentation will still be available for a while, but we will no longer be updating it going forward.

New Firewall Interface

The firewall interface has changed significantly. The main firewall page now includes four status circles, providing a broad overview of your site’s configuration status at the top. All firewall-related options are now accessible via the options link on this page. All firewall-related reporting is now available here as well.

Blocking and Rate Limiting are also now available via links on this page.

New Scan Interface

We’re really excited about the new scan interface. It’s exceptionally functional, very usable, and beautiful at the same time. At the top you’ll find status circles, summarizing your current configuration status. Below that, you will find the “Start new scan” button, along with links to Help and Options.

The Scan Options area is now where you set up scheduled scans. We removed the Scan Summary section and replaced it with a new status summary bar, displaying what the scanner is working on. The Scan Detailed Activity is now hidden by default, but you can reveal it by clicking the “show log” link above the results table.

The scan findings table has been revamped to show a summary view of each finding by default. You can view the details of the finding, and take action on it, by clicking the “Details” icon.

We also added statistics to the top of the table showing a summary of what the scanner found the last time it ran.

Other Updates

The Blocking interface has been completely redesigned. IP, Country and Custom Pattern blocking features have all been combined, and block count reporting is now available for each blocking rule you create. You can now manage and monitor the effectiveness of blocking rules in one place.

The Diagnostics page has been completely redesigned. All diagnostics sections are now collapsible, and collapsed by default, to make it easier to find what you’re looking for.

We replaced the product tour with a new guide that runs as you access each area of the plugin. We will be leveraging this new capability when we roll out new features that require more in-depth explanations, including the launch of Wordfence 7.

Live Traffic has been completely redesigned. The traffic table now shows summary data for each observation. You can view more detailed information by clicking the “View” icon. Viewing whois information and seeing recent traffic is now presented in a beautiful popover.

Wordfence has always included a great comment spam filter. Unfortunately, it was buried in the Options page, split into two different sections. In Wordfence 7, it now has its own page in the Tools section, which now includes basic reporting.

Thank You

It took us many months to get this right, and many people contributed to making this release happen. A big thank you to the hundreds of beta testers who helped us over the last couple of weeks. Your feedback has been invaluable.

With today’s release, we are excited to bring Wordfence 7 to the global Wordfence user community!

If you do find an issue, please submit tickets via Premium support or the forums so we can get them fixed. And as always, we welcome your comments here.

The post Introducing Wordfence 7 appeared first on Wordfence.

WP Cerber Security 6.0

New features

Hacker attacks on websites get stronger and smarter because fast-growing technologies create new opportunities for hackers and cybercriminals. We cannot ignore those facts, and that’s the reason we’ve implemented a new feature: Traffic Inspector. It’s a specialized request inspection algorithm that acts as an additional protection layer. Since v 6.0, WP Cerber Security inspects all suspicious requests and blocks them before they can harm a website. This security algorithm is enabled by default and requires no configuration. We will be constantly improving it based on the knowledge we gain from collecting and analyzing hacker attack patterns in our Cerber Lab.

Traffic Inspector not only inspects requests but can also optionally log them, so you can inspect them manually. Can the logging slow down website performance? It probably can on free hosting if logging of all traffic is enabled, the option to ignore search engine crawlers is disabled, and saving of request fields is enabled.

Improvements

  • Added ability to clean up Cerber’s DB tables. Now you can manually delete all rows in a Cerber’s DB table on the Tools / Diagnostic admin page. Note: this operation cannot be rolled back.
  • If your hosting environment (web server) has some issues and those issues can affect plugin functionality, they are shown on the Tools / Diagnostic page.
  • On the Access Lists admin page there are new links for each entry to check HTTP requests from a particular network or an IP address.
  • Added protection to prevent scheduled tasks from being executed multiple times an hour. If you occasionally receive several identical weekly reports, this fix addresses your case.

Updates

  • Language translations have been updated. Thanks to all translators!
  • JavaScript code is improved to eliminate excessive fields in GET requests.
  • Code performance optimizations.

Bugs fixed

  • To eliminate possible warning messages in the server error log or the WordPress dashboard, the inet_pton() function has been replaced with filter_var().

An Explanation of the Meltdown/Spectre Bugs for a Non-Technical Audience

Last week the news of two significant computer bugs was announced. They’ve been dubbed Meltdown and Spectre. These bugs take advantage of very technical systems that modern CPUs have implemented to make computers extremely fast. Even highly technical people can find it difficult to wrap their heads around how these bugs work. But, using some analogies, it’s possible to understand exactly what’s going on with these bugs. If you’ve found yourself puzzled by exactly what’s going on with these bugs, read on — this blog is for you.

“When you come to a fork in the road, take it.” — Yogi Berra

Late one afternoon, walking through a forest near your home and navigating with your GPS, you come to a fork in the path that you’ve taken many times before. Unfortunately, for some mysterious reason your GPS is not working, and being a methodical person you like to follow it very carefully.

Cooling your heels waiting for the GPS to start working again is annoying because you are losing time when you could be getting home. Instead of waiting, you decide to make an intelligent guess about which path is most likely, based on past experience, and set off down the right-hand path.

After walking for a short distance the GPS comes to life and tells you which is the correct path. If you predicted correctly then you’ve saved a significant amount of time. If not, then you hop over to the other path and carry on that way.

Something just like this happens inside the CPU in pretty much every computer. Fundamental to the very essence and operation of a computer is the ability to branch, to choose between two different code paths. As you read this, your web browser is making branch decisions continuously (for example, some part of it is waiting for you to click a link to go to some other page).

One way that CPUs have reached incredible speeds is the ability to predict which of two branches is most likely and start executing it before it knows whether that’s the correct path to take.

For example, the code that checks for you clicking this link might be a little slow because it’s waiting for mouse movements and button clicks. Rather than wait the CPU will start automatically executing the branch it thinks is most likely (probably that you don’t click the link). Once the check actually indicates “clicked” or “not clicked” the CPU will either continue down the branch it took, or abandon the code it has executed and restart at the ‘fork in the path’.

This is known as “branch prediction” and saves a great deal of idling processor time. It relies on the ability of the CPU to run code “speculatively” and throw away results if that code should not have been run in the first place.

Every time you’ve taken the right-hand path in the past it’s been correct, but today it isn’t. Today it’s winter, the foliage is sparser, and you’ll see something you shouldn’t down that path: a secret government base hiding alien technology.

But wanting to get home fast you take the path anyway, not realizing that the GPS is going to indicate the left-hand path today and keep you out of danger. Before the GPS comes back to life you catch a glimpse of an alien through the trees.

Moments later two Men In Black appear, erase your memory and dump you back at the fork in the path. Shortly after, the GPS beeps and you set off down the left hand path none the wiser.

Something similar to this happens in the Spectre/Meltdown attack. The CPU starts executing a branch of code that it has previously learnt is typically the right code to run. But it’s been tricked by a clever attacker and this time it’s the wrong branch. Worse, the code will access memory that it shouldn’t (perhaps from another program) giving it access to otherwise secret information (such as passwords).

When the CPU realizes it’s gone the wrong way it forgets all the erroneous work it’s done (and the fact that it accessed memory it shouldn’t have) and executes the correct branch instead. Even though illegal memory was accessed, what it contained has been forgotten by the CPU.

The core of Meltdown and Spectre is the ability to exfiltrate information, from this speculatively executed code, concerning the illegally accessed memory through what’s known as a “side channel”.

You’d actually heard rumours of Men In Black and want to find some way of letting yourself know whether you saw aliens or not. Since there’s a short space between you seeing aliens and your memory being erased you come up with a plan.

If you see aliens then you gulp down an energy drink that you have in your backpack. Once deposited back at the fork by the Men In Black you can discover whether you drank the energy drink (and therefore whether you saw aliens) by walking 500 metres and timing yourself. You’ll go faster with the extra carbs in a can of Reactor Core.

Computers have also reached high speeds by keeping a copy of frequently or recently accessed information inside the CPU itself. The closer data is to the CPU the faster it can be used.

This store of recently/frequently used data inside the CPU is called a “cache”. Both branch prediction and the cache mean that CPUs are blazingly fast. Sadly, they can also be combined to create the security problems that have recently been reported with Intel and other CPUs.

In the Meltdown/Spectre attacks, the attacker determines what secret information (the real world equivalent of the aliens) was accessed using timing information (but not an energy drink!). In the split second after accessing illegal memory, and before the code being run is forgotten by the CPU, the attacker’s code loads a single byte into the CPU cache. A single byte which it has perfectly legal access to; something from its own program memory!

The attacker can then determine what happened in the branch just by trying to read the same byte: if it takes a long time to read then it wasn’t in cache, if it doesn’t take long then it was. The difference in timing is all the attacker needs to know what occurred in the branch the CPU should never have executed.

To turn this into an exploit that actually reads illegal memory is easy. Just repeat this process over and over again, once for each bit of illegal memory that you are reading. Each bit’s 1 or 0 can be translated into the presence or absence of an item in the CPU cache, which is ‘read’ using the timing trick above.

Although that might seem like a laborious process, it is, in fact, something that can be done very quickly enabling the dumping of the entire memory of a computer. In the real world it would be impractical to hike down the path and get zapped by the Men In Black in order to leak details of the aliens (their color, size, language, etc.), but in a computer it’s feasible to redo the branch over and over again because of the inherent speed (100s of millions of branches per second!).

And if an attacker can dump the memory of a computer it has access to the crown jewels: what’s in memory at any moment is likely to be very, very sensitive: passwords, cryptographic secrets, the email you are writing, a private chat and more.

Conclusion

I hope that this helps you understand the essence of Meltdown and Spectre. There are many variations of both attacks that all rely on the same ideas: get the CPU to speculatively run some code (through branch prediction or another technique) that illegally accesses memory and extract information using a timing side channel through the CPU cache.

If you care to read all the gory detail there’s a paper on Meltdown and a separate one on Spectre.

Acknowledgements: I’m grateful to all the people who read this and gave me feedback (including gently telling me the ways in which I didn’t understand branch prediction and speculative execution). Thank you especially to David Wragg, Kenton Varda, Chris Branch, Vlad Krasnov, Matthew Prince, Michelle Zatlyn and Ben Cartwright-Cox. And huge thanks to Kari Linder for the illustrations.

WordPress Supply Chain Attacks: An Emerging Threat

In the last few months, we have discovered a number of supply chain attacks targeting WordPress plugins. In this post, we explain what a supply chain attack is, why WordPress is an attractive target for them, and what you can do to protect your site.

What Is a Supply Chain Attack?

In the software industry, a supply chain attack exploits a trusted relationship between software vendors or authors and their customers. For WordPress, that means figuring out how to embed malware into software updates. In one case, we saw an existing plugin author install malware on customer sites in an effort to monetize an existing plugin. In every other case we have uncovered, the attack was carried out by someone who had purchased the plugin with the express intention of attacking its users.

Here are the WordPress supply chain attacks we have recently uncovered:

These attacks work because, as a site owner, you have already made the decision to trust the software vendor or author. In many cases, you may have gone so far as to enable automatic updates for the plugin, allowing the author turned attacker to push malware to your website any time they want.

Why Is WordPress a Target?

WordPress is an attractive target for supply chain attacks for a number of reasons.

The first reason is simply scale. According to w3techs, WordPress powers 29.2% of all websites – a massive user base to go after. In addition, at the time of this writing there were 53,566 plugins available for download in the official WordPress.org plugin repository. That is a lot to work with on both fronts.

Secondly, the WordPress.org plugin directory is an open, community-driven resource. According to the plugin guidelines page, “It is the sole responsibility of plugin developers to ensure all files within their plugins comply with the guidelines.” This means that while there is a small team tasked with managing the plugin repository and another small team focused on security, ultimately users rely on plugin developers to keep them safe.

Thirdly, most WordPress sites are managed pretty casually. Making a change to a website at a larger company might include code review, testing and a formal change control process. But that’s probably not happening consistently, if at all, on most smaller websites. In addition, many site owners don’t monitor their WordPress sites closely, which means malware can often remain in place for many months without being discovered.

Lastly, the WordPress plugin repository has a huge number of abandoned plugins. When we looked back in May, almost half of the available plugins hadn’t been updated in over two years. This represents a great opportunity for ne’er-do-wells looking to con unsuspecting plugin authors into selling something they created years ago and have moved on from.

Why Do WordPress Plugin Authors Sell Their Plugins?

The large majority of plugins in the repository are completely free to use, meaning there aren’t any premium features available for purchase. While that is generally a very positive thing for the WordPress community, the reality is that all the people behind those free plugins still need to make a living. If they aren’t making money from the plugin they created, they often lose interest in it or abandon it altogether.

When someone approaches them offering money for their plugin, it may be hard to pass up. And the plugin author may think it’s a perfectly innocent offer, because it’s not like the supply chain attacker announced their bad intentions. On the contrary: in the purchase solicitations we have seen, they often come across as someone wanting to help.

This is an excerpt from a solicitation to purchase a plugin that we saw earlier in 2017:

I am wondering if me and my team would be able to purchase this plugin from you and then take over the complete development of it and push out a new update to make it work better with the latest wordpress.

We will also put our admin team onto the support forum and make sure the users are happy and if there are any features they are specifically asking for we will get them added in to the next update.

As a plugin author who created something that thousands of people are using, what a wonderful opportunity! This nice person is offering to not only pick up where you left off with something you cared enough to build, but they’re willing to give you money for it as well.

How to Protect Your Websites

Fortunately, you can protect your website against these attacks with a number of effective tactics.

  1. Screen plugins and themes very carefully. Every time you install a plugin or theme, you are allowing a new person’s code to run on your site. In general, the more established and active the author, the better.
  2. Scan your site for malware regularly. We recommend enabling scheduled scans by both Wordfence and Gravityscan. Both include a free scheduled scan option.
  3. Check your site and IP address against blacklists regularly. Gravityscan checks over 20 of them for free.
  4. Exercise great caution when the WordPress.org repository removes or “closes” one of your installed plugins, or when it changes hands. Wordfence alerts you when a plugin has been removed from the repo for any reason.
  5. Consider removing or replacing abandoned plugins. Authors of these plugins are the most likely to sell them. Wordfence alerts you when a plugin hasn’t been updated in 2 years.
  6. Keep an eye on our blog. We will continue to share information about plugins that have been compromised as we discover them in our research.

Conclusion

Unfortunately, we believe that these types of attacks on the WordPress ecosystem are going to grow in popularity. Attackers will also very likely employ new and creative tactics that we can’t foresee in the new year.

As a site owner, you will need to apply extra scrutiny to every plugin and theme you add to your website, and keep your eyes open for anything odd that crops up, in order to stay vigilant against such attacks in the future.

The post WordPress Supply Chain Attacks: An Emerging Threat appeared first on Wordfence.

Wordfence Now Includes 1.4 Billion Leaked Passwords in Password Auditing Feature

Last week, we reported a massive upsurge in brute force login attempts following the leak of a database of 1.4 billion clear text credentials. No one had seen 14% of the exposed username/password pairs before, making this a ripe opportunity for hackers to attempt to break into WordPress sites.

Historically, brute force attacks targeting WordPress have not been very successful. But this new database provides fresh credentials that, when matched with a WordPress username, may provide a higher success rate for attackers targeting sites that do not have any protection.

Password Auditing Improvements

Wordfence Premium includes a powerful Password Auditing feature. Using a GPU cracking cluster, we give you the ability to audit the strength of your admin and user passwords. You can learn more about how this feature helps protect your site here.

In response to this latest leak, we’ve merged this updated password list into the large password list that we already use to audit administrator accounts. Our previous list contained 269 million known passwords from various breaches, such as LinkedIn and eHarmony. After merging and removing duplicates, the new list comes in at 609 million known passwords against which we can test your users’ passwords.

We ran some initial tests to compare how our previous list performed against the new list. In a random sample of 100 user accounts, our previous list cracked 42% of the 100 password hashes. The current list cracks 57% when run against the same sample. That’s a 36% increase over the previous capability, which means that a Wordfence password audit is now 36% more likely to find a weak password than before.
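The merge-and-reaudit process described above, as an added example that is not Wordfence’s code. It merges two constructed password lists with de-duplication, audits the same 100 constructed account hashes against the old and the merged list, and reports the crack rates and the relative gain; the salted SHA-256 hash and the plain list lookup are assumptions standing in for WordPress’s real hash format and the GPU cracking cluster.

```python
"""Merge a new breach list into an existing one and re-run a password audit.

Added example, not Wordfence's code. The hash scheme (sha256(salt || password))
is an assumption for the illustration, not WordPress's real password format,
and a plain candidate lookup stands in for the GPU cracking cluster.
"""
import hashlib

# Constructed sample data (not real breach data). The 100 fictitious accounts
# built below use the passwords pw00..pw99; the "old" list knows 42 of them and
# the new leak adds 15 more while overlapping the old list and holding duplicates.
OLD_LIST = [f"pw{i:02d}" for i in range(42)]
NEW_LEAK = [f"pw{i:02d}" for i in range(20, 57)] + ["  pw05 ", "pw05", ""]


def merge_password_lists(*lists):
    """Union of all lists with surrounding whitespace stripped and duplicates removed."""
    merged = set()
    for entries in lists:
        for pw in entries:
            pw = pw.strip()
            if pw:
                merged.add(pw)
    return merged


def hash_password(password, salt):
    """Stand-in hash (assumption): sha256(salt || password), hex encoded."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_sample_accounts(n=100):
    """Constructed accounts as (username, salt, digest); salts are deterministic so runs repeat."""
    accounts = []
    for i in range(n):
        salt = hashlib.sha256(f"salt-{i}".encode("utf-8")).digest()[:16]
        accounts.append((f"user{i:02d}", salt, hash_password(f"pw{i:02d}", salt)))
    return accounts


def audit(accounts, candidates):
    """Return the usernames whose stored hash matches any candidate password."""
    candidates = list(candidates)
    cracked = set()
    for user, salt, digest in accounts:
        # Salts are per account, so every candidate is re-hashed for every account.
        for pw in candidates:
            if hash_password(pw, salt) == digest:
                cracked.add(user)
                break
    return cracked


def crack_rate_percent(cracked, accounts):
    return 100.0 * len(cracked) / len(accounts)


def relative_improvement_percent(old_rate, new_rate):
    """Relative gain, the figure the post quotes: (57 - 42) / 42 is about 36%."""
    return 100.0 * (new_rate - old_rate) / old_rate


def run_comparison():
    accounts = build_sample_accounts()
    old_list = merge_password_lists(OLD_LIST)
    new_list = merge_password_lists(OLD_LIST, NEW_LEAK)
    old_rate = crack_rate_percent(audit(accounts, old_list), accounts)
    new_rate = crack_rate_percent(audit(accounts, new_list), accounts)
    return {
        "old_list_size": len(old_list),
        "new_list_size": len(new_list),
        "old_rate": old_rate,
        "new_rate": new_rate,
        "improvement": relative_improvement_percent(old_rate, new_rate),
    }


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(f"{key}: {value}")
```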

Recommendations

We strongly recommend that you upgrade to Wordfence Premium to benefit from the new capability we’ve added to our Password Auditing feature.

We also recommend you follow these additional steps:

  1. Install a firewall like Wordfence that intelligently blocks brute force attacks.
  2. Ensure that you have strong passwords on all user accounts, especially admin. Wordfence provides an option to enforce strong passwords when creating/updating a user account under “Login Security Options”.
  3. Change your admin username from the default ‘admin’ to something harder to guess.
  4. Delete any unused accounts, especially admin accounts that you don’t use. This reduces your attack surface.
  5. Enable two-factor authentication on all admin accounts. Wordfence Premium provides two-factor authentication.
  6. Enable an IP blacklist to block IPs that are engaged in this attack. Wordfence Premium provides a real-time IP blacklist.
  7. Monitor login attempts by configuring alerts for when an admin signs in to your website. Wordfence (free version) provides this.
  8. Do not reuse a password on multiple services. That way, if you have a password from a data breach in this new database, it won’t be the same as your WordPress admin password. You can use a password manager like 1Password to manage many passwords across services.
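One way to implement items 1 and 7 of that list against a web server access log, as an added example that is not Wordfence’s code: a per-source sliding-window count of failed login POSTs, and a list of successful logins to alert on. The log lines are constructed, and the threshold and window are assumptions; the signal used is that a failed WordPress login re-renders wp-login.php with status 200 while a successful one answers with a 302 redirect.

```python
"""Brute-force login detection over constructed Apache combined-log lines.

Added example, not Wordfence's code. Threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one fast attacker, one legitimate
# user who fails once before logging in, and one slow source below the threshold.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [20/Dec/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [20/Dec/2017:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [20/Dec/2017:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [20/Dec/2017:10:00:18 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [20/Dec/2017:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.7 - - [20/Dec/2017:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3980
198.51.100.7 - - [20/Dec/2017:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.7 - - [20/Dec/2017:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [20/Dec/2017:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
192.0.2.9 - - [20/Dec/2017:10:06:00 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4123
192.0.2.9 - - [20/Dec/2017:10:11:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
this line is not in log format and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for a combined-log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string before comparing
        "status": int(m["status"]),
    }


def is_login_post(ev):
    return ev["method"] == "POST" and ev["path"] == "/wp-login.php"


def find_brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Map each IP whose failed login POSTs reach `threshold` inside any
    `window_seconds` window to the largest failure count seen in such a window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_login_post(ev) and ev["status"] == 200:
            failures[ev["ip"]].append(ev["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it is within window_seconds of t.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def successful_logins(log_text):
    """(ip, timestamp) for each login POST answered with a redirect, for sign-in alerts."""
    return [(ev["ip"], ev["ts"]) for ev in map(parse_line, log_text.splitlines())
            if ev and is_login_post(ev) and ev["status"] == 302]
```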

The post Wordfence Now Includes 1.4 Billion Leaked Passwords in Password Auditing Feature appeared first on Wordfence.
