WordPress 5.0.1 Security Release – Immediate Update Recommended

WordPress 5.0.1 was released Wednesday night, less than a week after the much anticipated release of WordPress 5.0. This security release fixes seven security vulnerabilities, a few of which are quite serious.

Sites running versions in the 4.x branch of WordPress core are also impacted by some of the issues. WordPress 4.9.9 was released along with 5.0.1 to address the issues for those users.

We have not seen attempts to exploit these vulnerabilities in the wild yet, but given the number of sites impacted we expect that to change.

The speed at which these security issues were discovered, reported and fixed is a testament to the strength of the WordPress community working together.

Vulnerability Details

Sensitive Data Exposure

Team Yoast discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords. WordPress has addressed this by stripping the activation key used in the URL, and storing the value in a cookie instead.

PHP Object Injection

Sam Thomas discovered that contributors could craft metadata in a way that resulted in PHP object injection. This looks to be similar to the two arbitrary file deletion vulnerabilities fixed in WordPress 4.9.6. This vulnerability allows an author to assign an arbitrary file path to an attachment. The file path supplied by the author uses the phar:// stream wrapper on a previously uploaded attachment, which leads to object injection through a “feature” of the PHAR file format: a PHAR archive can carry serialized objects in its metadata, and PHP unserializes them when the archive is accessed through the wrapper. Sam Thomas presented this technique at Black Hat earlier this year.

Unauthorized Post Creation

Simon Scannell of RIPS Technologies discovered that authors could create posts of unauthorized post types with specially crafted input. The requirement that an attacker would need at least ‘author’ level privileges makes the likelihood of this being exploited on a widespread basis very low.

Privilege Escalation / XSS

Tim Coen discovered that contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability. This is another vulnerability that requires a higher-level user role, making the likelihood of widespread exploitation quite low. WordPress addressed this issue by removing the <form> tag from their HTML whitelist.

Privileged XSS

Tim Coen and Slavco discovered that users with ‘author’ privileges on Apache-hosted sites could upload specially crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability. Yet again, the ‘author’ level requirement makes this an unlikely target for attackers.

XSS That Could Impact Some Plugins

Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. The code change in WordPress core affects the wpmu_admin_do_redirect function, which WordPress core itself does not call, but a plugin may call it somewhere.

Unauthorized File Deletion

Karim El Ouerghemmi discovered that author-level users could alter metadata to delete files that they weren’t authorized to delete. This issue stems from the two arbitrary file deletion vulnerabilities fixed in WordPress 4.9.6. The fix in WordPress addressed how attachment files are deleted, by restricting the file paths to the uploads directory, but did not address the issue of authors having the ability to change the attachment paths to arbitrary files. An author can use this to delete other users’ attachments.
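As an added illustration (not WordPress core code and not Wordfence’s), this is the defensive check a plugin or custom integration can apply to an attachment’s stored file path before deleting or otherwise touching the file. It refuses stream wrapper prefixes such as phar:// (the object injection vector in the PHP Object Injection section) and confines the resolved path to the uploads directory (the containment the 4.9.6 fix applied to deletion, as described in the Unauthorized File Deletion section). The function name, the throwaway uploads directory and the sample paths are constructed for this example.

```php
<?php
// Added example, not WordPress core or Wordfence code. Validates the relative
// file path stored for an attachment (e.g. in the _wp_attached_file meta) before
// it is used for deletion or any other filesystem operation. Function name,
// directory layout and sample paths are constructed for this demonstration.

/**
 * Returns the resolved absolute path when $relative is a plain relative
 * filename that resolves to an existing file inside $uploads_dir,
 * or null when the value must be rejected.
 */
function validate_attachment_path(string $relative, string $uploads_dir): ?string
{
    // 1. Any "scheme://" prefix (phar://, php://, file://, ...) selects a PHP
    //    stream wrapper. phar:// in particular unserializes archive metadata,
    //    which is the object-injection vector; attachment paths never need one.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $relative)) {
        return null;
    }

    // 2. Attachment paths are relative to the uploads directory: refuse
    //    absolute paths, NUL bytes and ".." traversal components outright.
    if ($relative === ''
        || $relative[0] === '/' || $relative[0] === '\\'
        || preg_match('#^[a-z]:#i', $relative)
        || strpos($relative, "\0") !== false
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $relative)) {
        return null;
    }

    // 3. Resolve both sides through realpath() so symlinks cannot be used to
    //    escape, then require the candidate to sit under the uploads root.
    $base = realpath($uploads_dir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        return null; // nothing exists at that location: nothing to delete
    }
    $root = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $root, strlen($root)) !== 0) {
        return null;
    }
    return $candidate;
}

// --- Constructed demonstration against a throwaway uploads directory -------
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example_uploads';
@mkdir($uploads . '/2018/12', 0700, true);
file_put_contents($uploads . '/2018/12/photo.jpg', 'constructed-jpeg-bytes');

$samples = [
    '2018/12/photo.jpg',                   // legitimate attachment: accepted
    'phar://2018/12/photo.jpg/x.txt',      // stream wrapper: rejected
    '../../wp-config.php',                 // traversal out of uploads: rejected
    '/etc/passwd',                         // absolute path: rejected
    '2018/12/missing.jpg',                 // does not exist: rejected
];
foreach ($samples as $path) {
    $result = validate_attachment_path($path, $uploads);
    printf("%-34s => %s\n", $path, $result === null ? 'REJECTED' : 'OK ' . $result);
}
```

The same validator can be run over existing attachment metadata during a site review: any stored path that it rejects is worth inspecting, since a legitimate upload never needs a wrapper prefix or a path outside the uploads directory.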

What To Do

We have released firewall rules to protect our Premium customers against the vulnerabilities most likely to be exploited. Sites running the free version of Wordfence will receive them in 30 days.

Sites on WordPress 5.0 should update to version 5.0.1 as soon as possible. Those with automatic updates enabled for WordPress core should have already been updated, but given the nature of the vulnerabilities we recommend you check your sites manually just in case.

Sites running WordPress 4.x versions should update to version 4.9.9 as soon as possible. We’ve heard conflicting reports about automatic updates working for this upgrade. If you need to manually upgrade, the 4.9.9 update can be downloaded here.

You can find the official release announcement from the WordPress team here.

The post WordPress 5.0.1 Security Release – Immediate Update Recommended appeared first on Wordfence.


Video: WordCamp Atlanta Security Panel with Wordfence

In April, Wordfence sponsored WordCamp Atlanta and several of our team members attended the event. While there, we held a capture the flag (CTF) contest, which helps WordPress site owners learn to think like a hacker so that they can better defend their websites.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/10/video-wordcamp-atlanta-security-panel-with-wordfence/

Part of hacker culture is the art of lock picking, which many of our team members do as a hobby. At WordCamp Atlanta, we taught many of the attendees to pick their first lock. Doing this is a great way to illustrate how it helps to think like your adversary when you are defending something. If you know how to pick a lock, you can better secure your home or office. Similarly, if you think like a hacker, you can better defend your WordPress websites. Our team does these demonstrations at every WordCamp we sponsor, and if you successfully pick a lock, we will award you a lock-pick set as a prize.

At WordCamp Atlanta, one of the scheduled speakers was unable to attend and our team volunteered to fill in. Four Wordfence team members participated in a panel, taking questions and discussing various WordPress security topics with the audience. Our panel consisted of:

Mark Maunder – CEO
Matt Barry – Lead Software Developer
Sean Murphy – Director of Threat Intelligence
Tim Cantrell – Customer Support Engineer

Aaron Campbell, the head of security for WordPress and an all-around great guy, also makes an off-camera cameo. If you are interested in WordPress security and would like to get to know some of our best people a little better, I think you will really enjoy the conversation.

Video produced by nishasingh and originally published on WordPress.tv.

The post Video: WordCamp Atlanta Security Panel with Wordfence appeared first on Wordfence.


Meet the Defiant Team

In August, most of our team attended DefCon, a hacker conference in Las Vegas attended by tens of thousands of security professionals. All of us work remotely, so it is always really special to spend time together as a team.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/09/meet-the-defiant-team/

While we were there we completed a fun project. We created a video with footage from many of our team events and interviews of team members talking about what it’s like to work at Defiant. We’re really happy with how it turned out, and thought you might enjoy getting to know the team behind Wordfence a little better and how we work together to keep your sites safe.


The post Meet the Defiant Team appeared first on Wordfence.


Wordfence: Live On Tour In A City Near You

This year we’ve attended and sponsored quite a few WordCamps, and have had members of our team speak at some as well. If you haven’t attended one recently we highly recommend it. They’re a great opportunity to learn and connect with other members of the WordPress community.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/08/wordfence-live-on-tour-in-a-city-near-you/

WPCampus Highlights

While not strictly a WordCamp, in July we sponsored and attended WPCampus, “a community and conference for web professionals, educators and people dedicated to the confluence of WordPress in higher education.” We work with many educational institutions throughout the world to protect their WordPress sites, so sponsoring and attending the conference was a great opportunity to connect with our users face to face and introduce Wordfence to those who haven’t discovered us yet.

The Wordfence table was lively throughout the event, with Mikey giving impromptu lock picking lessons and Kathy going deep on how to protect WordPress at scale.

Mikey teaching lock picking to a WPCampus attendee

If you’re tasked with securing WordPress for a college or university and missed WPCampus, consider setting up some time with Kathy to discuss how best to leverage Wordfence to tackle the unique challenges you’re facing.

Those who attended the conference were treated to a presentation, “What the hack? Fortifying your security by understanding your adversary”, by our very own Mikey Veenstra. He is one of the Threat Analysts on our team who are responsible for developing the malware signatures and firewall rules that keep your sites safe. The WPCampus team was kind enough to capture the presentation and publish it on YouTube. We think you’ll enjoy it.

Upcoming WordCamps

WordCamp Minneapolis – this weekend

Through tomorrow (August 25th), we are attending and sponsoring WordCamp Minneapolis. Tim, Matt and James from our team are there manning the Wordfence table and running a capture the flag contest. We’re giving away great prizes including a Sony Playstation with a VR Bundle. Most of you probably know Tim from his years providing excellent support on our customer service team. Matt and James are both software developers on our team.

The Wordfence table at WordCamp Minneapolis

WordCamp Omaha – Sunday (8/26)

Our very own Brad Haas, Wordfence’s Senior Security Analyst, will be speaking tomorrow at WordCamp Omaha. His presentation, “Hacking War Stories (and what you can learn from them)”, is going to be really fun.

WordCamp New York – September 15 & 16th

Our Director of Information Security Colette Chamberland and Chloe Chamberland from our Security Services Team will be presenting “How to Optimally Secure Your WordPress Environment” on Saturday, September 15th at WordCamp New York.

WordCamp Sacramento – September 15th & 16th

We will be sponsoring and attending WordCamp Sacramento. Mark Maunder, our CEO, will be attending along with Kathy Zant, a Client Partner on our team. We will be running a capture the flag contest with great prizes. Kathy will be giving a talk titled “Evaluating Plugins: Strategies To Effectively Extend WordPress”; don’t miss it!

WordCamp Los Angeles – September 21st & 22nd

We will be sponsoring and attending WordCamp Los Angeles. A number of us will be attending and we will be running a capture the flag contest.

WordCamps Later in the Year

Plans are still being finalized, but we expect to attend quite a few WordCamps this fall. You will most likely see us in Vancouver, Orlando, Seattle, Portland and a few other cities. Stay tuned for more updates.

The post Wordfence: Live On Tour In A City Near You appeared first on Wordfence.


Announcing Revamped Volume Pricing for Premium Licenses

This year we have been very focused on the needs of agencies and other organizations with lots of sites to protect. We’ve spoken with many of you and have a clear picture of what we can do to make Wordfence work even better for you.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/08/revamped-volume-pricing-premium-licenses/

To start things off, in June we released a feature that makes Premium licenses work seamlessly across development, test and staging domains. We’ve gotten tremendous feedback on it so far and encourage you to take advantage of it if you haven’t already.

The latest change we’ve made addresses what is probably the most common piece of feedback we receive from organizations that manage lots of sites. We’re changing the way we handle volume discounts. We have always offered volume discounts, but your discount was based solely on the number of licenses you purchased, and for how many years, during a single transaction. That worked well for us for a long time, but based on your feedback it was clear we needed to make a change.

Volume discounts for license purchases are now based on your total active license count, including what you’re buying today. For example, if you already have 5 licenses and want to purchase 2 more today, your discount is based on a total of 7. The table below shows our new volume discount rates:

Active License Count | Discount % | Price Per License
1                    | 0%         | $99.00
2-4                  | 10%        | $89.10
5-9                  | 15%        | $84.15
10-14                | 20%        | $79.20
15+                  | 25%        | $74.25

If you are currently a Premium customer this means that any purchase you place going forward qualifies for a discount, regardless of how many licenses you purchase.

We are also offering incentives for purchasing additional years. Currently you will receive an additional 10% discount on your transaction if you purchase a 2-year license and 20% for a 3-year license.

Renewal prices for your new licenses are also based on your active license count. As you purchase more licenses, the discount applied to your renewal prices goes up.

Your old licenses won’t change… unless it’s in your favor

With this change we wanted to make sure that we didn’t raise prices for the licenses you already own. Your renewal price for licenses purchased before July 24th of this year will not change, unless your active license discount qualifies you for an even lower price. In that case we will automatically charge you the lower price. And as long as they’ve been installed on a website they count toward your active license count, improving your discount for new license purchases and lowering the renewal rate for your newer licenses.

More is on the way

Our team is currently hard at work on a major feature that will make managing and monitoring Wordfence across multiple sites much, much easier. We haven’t set a launch date yet, but you should see it within a few months. If you’d like early access I highly recommend signing up for our beta program.

Need help managing Wordfence at scale?

Our new Client Partner program was created with agencies and organizations with high profile sites to protect in mind. Set up a free 15 minute consultation today to learn how we can help you protect your sites with Wordfence.

The post Announcing Revamped Volume Pricing for Premium Licenses appeared first on Wordfence.


Known WordPress Threat Actor Under Investigation For Prescription-Free Online Pharmacy

Last September we published a series of three blog posts exposing a threat actor who had purchased a number of WordPress plugins as part of an elaborate supply chain attack. This ownership enabled him to inject SEO spam into hundreds of thousands of websites, boosting search engine rankings for various illicit online businesses.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/08/known-wordpress-threat-actor-under-investigation-for-prescription-free-online-pharmacy/

In the first post we reported that a backdoor had been placed in the Display Widgets plugin by its author. We demonstrated how the backdoor worked and its purpose. We also found evidence that the plugin had recently been sold.

In our second post the following day, we were able to identify the man behind the plugin spam, Mason Soiza. We were also able to tie him to another plugin we had written about back in August of 2016, 404 to 301, which had also been used to inject SEO spam into websites. With the aid of the original plugin authors we were able to gather comprehensive information about the purchases. We were also able to tie Soiza to some of the illicit businesses the SEO spam was benefiting.

We continued our research and published a third and final post a week later. In it we were able to tie together a 4.5 year campaign impacting 9 WordPress plugins, all used by Mason Soiza to serve SEO spam on victim websites. These WordPress supply chain attacks caught the community by surprise.

The Times and BBC Take Things Further

Last week The Times published an article focused on the website UK Meds, which is owned by none other than Mason Soiza. According to The Times, the site is under investigation by regulators for selling prescription medications, including highly addictive opioid painkillers, to customers without a prescription. Customers need only complete a free “online consultation”, which is reviewed by a doctor in Romania.

A spokesman for Mason Soiza who was referenced in The Times article, “[…] accepted that he had bought WordPress plugins and inserted code but disputed that this was malicious code and denied he was a spammer.” The article also suggests the business has been profitable enough to allow Mr. Soiza to purchase a £215,000 Lamborghini and a £100,000 watch.

On Monday, the BBC Panorama series covered the topic of online pharmacies in the UK (linked content only accessible from the UK). Mason Soiza’s site UK Meds is among the four online pharmacy sites profiled.

In the episode, five volunteers order prescriptions, most of which could prove fatal for them. Three of them ordered opioid-based painkillers, one diet pills and another antibiotics. All five were able to successfully place their orders online by answering online questions dishonestly and receive the medications. In the most touching part of the episode, a mother whose son died as the result of a drug overdose is interviewed. Dependent on the drugs, he was able to buy them online for two years after his doctor had cut him off.

They also go undercover to talk to the owner of EuroRX, who explains how online pharmacies can leverage doctors in Romania to circumvent prescription requirements.

Protect the Community by Keeping Your Site Secure

We were happy to see both The Times and BBC take this story further. What they uncovered serves as an important reminder that the people behind the attacks on our websites are generally up to no good. It might just be a website to you, but to a criminal it’s an important resource they can use to further their agenda. Unfortunately, that agenda sometimes includes potentially deadly activities. We can all do our part to help keep the community safe by keeping our sites secure and out of the hands of criminal actors.

The post Known WordPress Threat Actor Under Investigation For Prescription-Free Online Pharmacy appeared first on Wordfence.


Brad Haas Discusses BabaYaga Malware on the CyberWire Podcast

In early June we published an article and accompanying white paper detailing an interesting malware infection which we’ve internally dubbed BabaYaga. The relatively sophisticated malware is unique because it contains a number of features intended to ensure the infected site remains in working order. It keeps WordPress core up to date, performs and stores backups and even scans for and removes malware.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/07/baba-yaga-cyberwire-podcast/

On Saturday one of our Senior Security Analysts and the author of the BabaYaga white paper, Brad Haas, sat down for an interview with Dave Bittner on the CyberWire podcast. We think you’ll really enjoy the 20 minute interview. Simply click play below to hear it. If you prefer a written version, a full transcript is available here.

As always we’d love to hear your thoughts and questions in the comments.

The post Brad Haas Discusses BabaYaga Malware on the CyberWire Podcast appeared first on Wordfence.


How the Wordfence Scanner Protects Your Site

When we think about Wordfence and how it improves your WordPress security posture, there are two core features we tend to focus on: the firewall, and the security scanner. As the first layer of defense, the Wordfence firewall gets the most attention because it blocks hackers from gaining access. But the scanner plays an equally important role, alerting you to a myriad of security findings that help you keep your site secure and respond quickly if you get hacked.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/05/wordfence-wordpress-scanner/

In today’s post we’re doing a deep dive on the Wordfence security scan. We walk you through everything it does and explain why each step is important.

Our malware scanner is the best in the industry

The Wordfence security scan performs a variety of functions, but perhaps the most important is malware detection. Wordfence scan checks your site to ensure you have not been infected with malware.

As the leader in WordPress security, we see more WordPress malware than anyone else. We see tens of millions of attacks every day, giving us unrivaled access to the latest threat information. We also clean hundreds of hacked websites every month, giving us visibility into the latest malware variants and exploits.

Our team has a workflow where we collect malware samples in a repository for analysis. Then we test to see if our malware scanner already detects the variant. If it does then we move on. If not, then we create a new malware signature to detect the new malware variant. We run the signature through quality assurance to make sure it does not detect things it should not (known as ‘false positives’). Once the malware signature passes QA, we release it to our Premium customers immediately and then 30 days later our free customers receive the signature. That way we constantly release detection capability for new WordPress threats to our customers.

Unlike many companies in our space, our analysts and developers are completely focused on WordPress. We don’t have to divide our time securing desktop systems, mobile devices or network hardware. Ensuring that publishers can securely run their websites using WordPress is all we do.

Our scanner runs on your server, giving it access to your website’s source code. Malware detection rates for remote scanners are significantly worse than server based scans like ours. Remote scanners cannot access site source code. Ours does scan source code – and many malware variants hide in site source code.

Our scanner was built from the ground up to protect WordPress. Our depth of knowledge, coupled with our singular focus on WordPress has allowed us to produce the best WordPress malware scanning capability in the industry.

Checking for suspect files and changes makes it hard for attackers to hide their malware

In addition to looking for known malware, the Wordfence scanner compares your site’s files against the official WordPress.org repository. Any files that have been changed or appear to be out of place are reported to you. This additional step makes it very difficult for attackers to avoid detection.

We even give you the ability to revert changed files to the pristine version that is in the official WordPress repository when you detect a change.

Malware scanning so good, we added it to the firewall

In fall of 2016 we added a breakthrough feature, integrating our malware scanning capabilities into the Wordfence firewall. As traffic passes through the firewall, and before it hits your website, it is inspected using our malware scanner, blocking any requests that include malicious code.

This was a leap forward in detection capability. Many competitor products don’t have a firewall at all. And many don’t have a malware scanner. We provide both and instead of just a rule based firewall that blocks exploits, we actually detect and block malware payloads too with the scanning capability we integrated in 2016.

The safety of your content matters

Linking to spammy or malicious content can adversely impact your search engine rankings and reputation. For many sites, search traffic is a critical part of their marketing strategy.

It is difficult to stay on top of the quality of your outbound links for several reasons. First, the content on pages you link to can change over time, so even if the content was fine when you published the link, it can end up hurting you down the road.

Second, most active sites have more than one contributor, making it very difficult to stay on top of changes. And even if you have your posts and pages under control, malicious and spammy links can creep in via comments.

Wordfence helps you weed out links that harm your reputation by scanning your pages, posts and comments for malicious content and known malicious URLs. We alert you in the scan results to these problems in a timely manner. That gives you the ability to go in and remove the links to malicious sites before Google notices them and penalizes your search rankings.

Blacklist checks

Domain and IP blacklists are a powerful tool used by search engines, email providers and many others to keep their users safe. As a website owner, landing on a blacklist can have a lasting impact on your site traffic, SEO rankings and email delivery. And there are a lot of ways to land on a blacklist, even if your site hasn’t been hacked.

If your site is running on shared hosting with a shared IP address, for example, your site can be blacklisted based on your neighbor’s behavior.

Wordfence Premium helps you protect your site’s reputation, alerting you quickly should your domain or IP be blacklisted. By reacting quickly you can minimize any adverse impact. The fix may be as simple as moving your site to another IP address or fixing content on your site that Google thinks is malicious.

Fixing the issue quickly is key because this will avoid your site visitors seeing a browser warning and will avoid search engine penalties. Wordfence provides early detection which leads to early fixes.

Sensitive File Checks

It’s much easier than you think to accidentally leave sensitive files lying around on your server. It only takes one misplaced configuration or backup file with the wrong permissions to arm an attacker with the information they need to compromise your site. Last year on this blog we reported that 12.8% of sites scanned had at least one sensitive file visible to anyone on the internet.

Running regular Wordfence scans protects you from this risk by alerting you quickly to any issues, locking down or removing sensitive files before they fall into the wrong hands.

Removed and Abandoned Plugins

Last summer (2017) we added an important feature that alerts you when plugins have either been abandoned or removed from the WordPress.org plugin directory.

We define an abandoned plugin as one that hasn’t been updated in over two years. While it is possible that the plugin author is still engaged at that point and available to react to any security issues that arise, it’s not likely the case. We generally recommend that site owners replace or remove abandoned plugins if possible.

The WordPress.org team removes plugins for a variety of reasons. Unfortunately when they do so they rarely disclose why, and in many cases it is due to a security issue that hasn’t been addressed. If you’re unable to determine why a plugin was removed or you’ve confirmed that it was removed for security reasons you should remove it from your site. In cases where it was removed for non-security reasons, it may be okay to continue to run the plugin, but finding a well-maintained replacement is likely a better bet.

We tell you about weak passwords

The security of your website is only as strong as its weakest link. Every time you grant a user access to your site, especially administrators, you are relying on them to keep your site safe. Unfortunately not everyone uses strong passwords, putting your website at risk. Wordfence scan checks if any of your users are using very common passwords and performs an extended check on admin level accounts.

We let you know about core, plugin or theme vulnerabilities

A couple of years ago we published research showing that plugin vulnerabilities were the most common way attackers compromise WordPress websites. The third and fourth most common reasons were core and theme vulnerabilities. It goes without saying that staying on top of vulnerabilities in WordPress core, plugins and themes is critical.

Every time the Wordfence scanner runs it checks to see if you are running software with known security vulnerabilities. It also warns you about any other updates that are needed, just in case the author quietly slipped in a security fix, which happens more often than it should.

We keep making it better and faster

Our development team is always working on ways to make the scanner perform better. Over the last couple of years we delivered a number of innovative updates that improved performance and speed significantly. In Fall of 2016 we released a new version of the scanner that performed up to 18x faster than the previous version. In Summer of 2017 we introduced lightweight scanning and optimized scan timing across VPS instances. In a subsequent release that same summer we introduced short-circuit scan signatures, improving performance by up to 6x.

It’s even better with Premium

The malware scanner relies on threat intelligence developed by our awesome team of security analysts in the form of malware signatures. Premium customers receive updates in real-time as they are developed (free sites receive updates 30 days later). Detecting the latest malware lets you react quickly to a compromised website. In addition, Wordfence Premium delivers real-time updates to firewall rules and enables the real-time IP blacklist.

Conclusion

The Wordfence scanner is a critical component in a layered security strategy. Wordfence scan alerts you quickly to malware, blacklist issues, security vulnerabilities, important updates and other security issues. To take detection to the next level you can upgrade to Wordfence Premium and receive malware signature updates in real-time.

As always we welcome your feedback in the comments below and we’ll be around to reply.

The post How the Wordfence Scanner Protects Your Site appeared first on Wordfence.


Introducing High Demand Pricing for Security Services

In Summer 2016, we began offering a site cleaning service for people with hacked websites. In Spring 2017, we added a second service: site security audits. The popularity of both services has grown tremendously since then. We now service hundreds of sites every month.

Our approach to cleaning or auditing a website requires a highly trained security analyst to perform hours of work on each site. We know that there are shortcuts we could take to speed up the process, but only at the expense of quality. That’s not a trade-off we’re willing to make.

At the same time, while demand for our services is consistently strong, it is also highly volatile. In the last year, we cleaned 3.6 times more sites in our busiest week than in our slowest. These increases in demand are driven largely by the success of cybercriminals at any given time, which is impossible to forecast. We continued to work on our ability to adjust our capacity to match incoming demand, but inevitably there were times when demand exceeded our maximum capacity.

To date, we have dealt with this problem by posting an estimated wait time at checkout. This worked quite well for a long time. Unfortunately we hit a point last month where it stopped working. During an unprecedented spike in order volume, our posted wait times grew to 7 business days. That is simply too long to wait. We knew we needed a new approach.

Introducing High Demand Pricing

Beginning today, we are changing the way we handle spikes in demand for our site security services. When the number of orders exceeds a preset threshold, we will be increasing our prices. The price increases will be expressed as a multiplier, e.g. 1.4x. For example, a single site cleaning purchased during a period where the high demand pricing multiplier is 1.2 would cost $214.80 (1.2 x $179). As demand increases, we will continue to increase the size of the multiplier.

We believe that with this change, price elasticity will dampen demand during spikes, preventing our security services team from getting swamped with orders and ensuring that you receive an acceptable turnaround time.

We will be closely monitoring the impact the pricing multiplier has on order volume and making adjustments as necessary.

A Continued Focus on Customer and Employee Experience

We have always prided ourselves on providing industry-leading customer service. We also work very hard to make Defiant a company that the best people in the industry want to work for. With that in mind, our approach to handling the inevitable mismatch between demand for services and our capacity to serve it could not compromise on the experience of our customers or employees doing the work.

We are confident that this change in approach will allow us to deliver on both. We recognize that this will be an adjustment for many of our longtime customers. Your continued support is what enables us to remain the leader in WordPress security and ultimately make the web safer.

The post Introducing High Demand Pricing for Security Services appeared first on Wordfence.

PSA: Highly Critical Drupal Core Vulnerability Impacts Over 1 Million Sites

Yesterday the Drupal security team announced a highly critical unauthenticated remote code execution vulnerability in Drupal core. The vulnerability allows an attacker to leverage multiple attack vectors and take complete control of a website. The Drupal team estimated that, at the time of the announcement, over one million sites were affected – about 9% of Drupal sites. They also reported that, to their knowledge, it was not being actively exploited.

We normally don’t cover Drupal vulnerabilities on this blog, but given the nature and scope of the issue, we felt compelled to help spread the word via this public service announcement (PSA).

Site owners should upgrade to a safe version of Drupal core immediately. While the reports of no active exploits are comforting, the announcement will draw a lot of attention from attackers. Given the nature of the vulnerability, there will literally be a race between site owners upgrading and attackers figuring out an exploit.

Here is a high-level summary of the versions impacted and recommended actions:

  • Sites running Drupal 8.x should update to version 8.5.1
  • Sites running Drupal 7.x should update to version 7.58
  • There are patches available for 8.3.x and 8.2.x versions
  • Sites running end of life versions will need to upgrade to a supported version of Drupal

A more detailed overview of upgrade recommendations from the Drupal security team is available on Drupal.org. They have also published a detailed FAQ.

The diff of the patches provided by the Drupal team reveals a new DrupalRequestSanitizer class used to sanitize user input.

This class is used to filter values from the query string, post body, and cookies whose keys begin with "#".
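The filtering the patch introduces, as an added example that is not Drupal's own DrupalRequestSanitizer code: a recursive sanitizer that drops request keys beginning with "#" and records which keys were dropped so a site owner can log the event. The request arrays below are constructed stand-ins for the query string, post body and cookies.

```php
<?php
// Added example, not Drupal's DrupalRequestSanitizer: recursively drop any
// key that begins with '#' from a request array and record its path so the
// event can be logged. The sample inputs below are constructed.
function strip_hash_keys(array $input, array &$removed, string $path = ''): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        $keyPath = ($path === '') ? (string) $key : $path . '[' . $key . ']';
        // Only string keys can begin with '#'; strpos() is safe on '' as well.
        if (is_string($key) && strpos($key, '#') === 0) {
            $removed[] = $keyPath;
            continue;
        }
        // Recurse so that nested arrays (name[#injected]=x) are filtered too.
        $clean[$key] = is_array($value)
            ? strip_hash_keys($value, $removed, $keyPath)
            : $value;
    }
    return $clean;
}

// Constructed stand-ins for $_GET, $_POST and $_COOKIE.
$request = [
    'query'  => ['q' => 'node/1', 'name' => ['#injected' => 'x', 'real' => 'alice']],
    'post'   => ['form_id' => 'contact_form', 'name' => 'alice'],
    'cookie' => ['SESS0123' => 'abc', '#injected' => 'y'],
];

foreach ($request as $source => $data) {
    $removed = [];
    $request[$source] = strip_hash_keys($data, $removed);
    if ($removed !== []) {
        // Assumption: normal Drupal forms never submit '#'-prefixed parameter
        // names, so a defender would route this line to the web-server or SIEM log.
        error_log(sprintf('%s: stripped unsafe keys: %s', $source, implode(', ', $removed)));
    }
}
```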

A proof of concept demonstrating the attack has not yet been made public, but we expect that one will be made available soon.

This attack has been nicknamed “Drupalgeddon 2.” The previous Drupalgeddon was as high in severity as this, and had automated attacks against unpatched Drupal sites within a matter of hours after the public announcement of the vulnerability was made.

Please help us spread the word about this potentially nasty vulnerability to other site owners so they can stay a step ahead of attackers.

The post PSA: Highly Critical Drupal Core Vulnerability Impacts Over 1 Million Sites appeared first on Wordfence.
