Introducing Wordfence Central

Over the last several months, we have been focused on making Wordfence a better option for organizations with a large number of WordPress sites to protect. To start, we added the ability to secure your staging and development environments with a single Wordfence premium license, something you should take advantage of if you haven’t already.

Next we changed the way we handle volume discounts to make managing a large number of sites easier.

Shortly after that we launched Wordfence Agency Solutions, empowering our client partners to develop custom security solutions for agencies and our enterprise customers.

Today we are thrilled to announce the launch of Wordfence Central. Wordfence Central provides an efficient way to manage the security of many WordPress sites in one place. It includes a powerful dashboard, a single interface to view and manage security findings across all of your sites and powerful new tools that make managing Wordfence configuration for your websites a breeze.

It’s Completely Free to Use

One of the first questions we get from people when we show them Central is, “What’s the catch? This can’t really be free, can it?”

There’s no catch, it’s really free.

You’re welcome to use Wordfence Central to manage all of your websites at no charge. There are no limits or restrictions of any kind.

The Wordfence Central Dashboard

The Wordfence Central Dashboard shows you the security status of your websites at a glance.

A high level summary of the latest scan tells you how many issues were discovered, along with a brief summary of the highest severity findings. You can view detailed findings with a single click, never leaving Wordfence Central.

High level metrics show you the current configuration status for the Wordfence firewall and scanner. The Premium license status lets you know which sites need to be upgraded. You can upgrade sites and update their configurations in just a few clicks, without ever leaving Wordfence Central.

Powerful sort, filter and search capabilities make managing even hundreds of sites a breeze.

Security Findings

Before Wordfence Central, keeping up with Wordfence scan results meant either visiting your sites regularly or reading through a constant flow of email alerts. Now you can view the current status of all your sites in one place, and drill down to view detailed findings without leaving Central.

In many cases you can take action on a finding without leaving Central. When you do need to visit your site to deal with a security finding, Central makes it easy by taking you to the relevant page with a single click.

If your site hasn’t been scanned recently, no problem! Launch a scan in Central and watch the results stream back in real-time.

Configuration

The default Wordfence configuration works for most site owners, but advanced users tend to make changes. As someone responsible for multiple sites, this can be a daunting task. With Wordfence Central you can now make those changes quickly and efficiently.

When you first land on the Configuration page in Wordfence Central you are greeted with a high level summary, showing you the current firewall, scan and premium license status for each site, whether a template has been applied to it and whether its configuration still matches the template. More on the magic of templates later!

To view or make changes to a site’s configuration you can simply click the “Manage Site” link, which will bring you to the equivalent of the “All Options” page in the Wordfence plugin. Once the changes you need to make are complete, hitting “Save Changes” will send your changes down to your site in seconds. It’s that easy.

Templates!

The real configuration workhorse in Wordfence Central is templates. Templates give you the ability to create and manage as many Wordfence configurations as you like. For example, you might want one template for your VIP clients and another for everyone else.

Templates make configuring new sites incredibly easy. Simply add the new site to Central, navigate to Configuration and apply a template to the new site. This will take care of 99% of the settings in Wordfence. Enabling “extended protection” for the firewall, which is strongly recommended, still requires a visit to the admin area of your site.

Getting Started

To get started with Wordfence Central, go to wordfence.com/central. You’ll be greeted with a high-level overview of Central including screenshots. To dive right in click the “Get Started” button. You will need to sign in or create an account if you don’t already have one.

Once you’re logged in you will be asked to set up two-factor authentication, or 2FA, for your account. It’s optional, but we strongly recommend that you set it up. Wordfence Central will have the ability to make changes to how Wordfence is configured for all of the sites you connect, so we want to take extra care to keep your account safe.

Once you’ve set up 2FA, you will be prompted to connect your first website. After you submit the site URL, Wordfence Central runs a quick series of connectivity checks. If everything checks out your site is added and you will be prompted to add another. It’s that easy.

Live-Stream Demo + Q&A

Tomorrow morning (Thursday) at 8am Pacific / 11am Eastern, Mark Maunder, our CEO, will be live-streaming a Wordfence Central demo followed by Q&A. You can attend by visiting https://wordfence.com/blog/2019/02/wordfence-central-livestream/. Submit your questions via the comments for that post now and during the event.

Conclusion

We couldn’t be more excited about launching Wordfence Central this week. We hope it will make life easier for you, whether you manage three sites or three thousand. New features are already in the works, so expect to see additional functionality released throughout the year.

As always we’d love to hear from you in the comments and we hope you can join us for tomorrow’s live-stream demo and Q&A!

The post Introducing Wordfence Central appeared first on Wordfence.

Analyzing a Week of Blocked Attacks

If you’ve never taken a few minutes to look at the information available in the Wordfence Live Traffic feature, I strongly recommend it. It gives you a detailed look at what attackers are trying to do to break into your site, and how Wordfence is blocking them.

For today’s post we analyzed all of the blocked attacks on Defiant.com for a week. In order to see them in Live Traffic, I simply selected “Blocked by Firewall” from the “filter traffic” drop-down above the data table.

What Attackers Were Up To

For the week there were a total of 223 attacks blocked. I was excited to see that all of them were blocked by the Wordfence real-time IP blacklist. We are used to seeing really high percentages blocked by our blacklist – usually in the high 90s. The real-time IP blacklist is a Premium feature that blocks all requests from IPs that are actively attacking WordPress sites.

Attacks originated from 14 unique IP addresses from around the world. Of the countries represented, Germany was the origin for the most attacks at 85. India was second with 61 and France was third with 45. Other countries represented were Ukraine, South Africa, China, Italy and the United Kingdom.

Next we’ll break down what they were trying to do to break in.

Reconnaissance

Five of the IPs appeared to just be performing reconnaissance, as they were simply requesting our home page or some other page on the site. They were likely just checking to see if the site was up and responding to their requests. Since all of the IPs were on the Wordfence real-time IP blacklist, their requests were blocked and they moved on after a couple of blocked page requests.

Author Enumeration

A Chinese IP attempted to retrieve a list of author usernames for the site. Since the authors of posts are very often also administrators, this information can significantly improve the odds of success for a brute force password guessing attack. The attacks all look like the following:

https://www.defiant.com/?author=1

The attacker worked through fifteen author numbers before giving up and moving on. In the Wordfence “Brute Force Protection” settings, look for the following option to enable this feature:

“Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API”

Once you enable this, Wordfence will block these scans. This option is enabled by default and is available for both free and premium users.

We have blocked 382,131 attacks from that IP in the last 7 days across all of our customers. It seems quite likely that had the attempt to retrieve usernames been successful, attempts to log in using lists of common passwords would have followed.

Login Attempts Via XML-RPC

Sixty-three of the blocked attacks were attempts to log in to the site via the XML-RPC interface, which is an API developers can use to communicate with WordPress sites. We see a high percentage of brute force password guessing attempts hit this interface.

In our case we saw a single IP from Chennai, India make 61 login attempts in a period of just over an hour. Two other IPs, one in Hong Kong and another in Italy, made just one attempt each. They most likely moved on because they were blocked.

Login Attempts Via wp-login.php

We had just one IP attempt to log in via the interface you use to log in to your site. The first login attempt was followed immediately by an attempt to access our home page. The script was most likely checking whether it was being blocked only from the login page or from the entire site. A second attempt following the same pattern occurred just two minutes later. We didn’t see additional attempts from that IP. I assume the attacker’s bot is programmed to move on if it’s blocked twice in a row.

A French IP Probes for Opportunities

A single French IP sent 43 requests in a 33 second burst. The first was a simple home page request, which I assume was an attempt to verify the site was up and accepting requests. Surprisingly the attack continued despite being consistently blocked by the Wordfence firewall. The following are a few examples of what the attacker was up to.

One request was checking for the existence of a known malicious file, commonly used by attackers to upload files to hacked websites. The request looks like this:

https://www.defiant.com/wp-upload-class.php

Another interesting request was looking for opportunities to exploit fresh WordPress installs, which we wrote about in July of 2017. Here’s what the request looks like:

https://www.defiant.com/wp-admin/setup-config.php?step=1

We also saw two attempts to find a copy of searchreplacedb2.php lying around. In July of 2017 we wrote about how hackers use the searchreplacedb2.php script to make malicious database changes. Here’s an example request:

https://www.defiant.com/searchreplacedb2.php

A German IP Probes for Opportunities

A single IP from Hirschfield, Germany attacked our site 85 times in just under two minutes. Most of the attacks were repeats of what we saw from the French IP. So it’s possible that it was a different bot at work for the same attacker. However, this IP also attempted to exploit a number of known theme and plugin vulnerabilities.

All of these attempts to exploit known vulnerabilities were trying to download the wp-config.php file, which is a WordPress file that includes the database credentials for the site. If successful, these attacks would give the attacker an easy route to obtaining administrative control of the target website.

In one example, the attacker is attempting to exploit an arbitrary file download vulnerability in the “Epic” theme that was disclosed way back in 2014.

https://www.defiant.com/wp-content/themes/epic/includes/download.php?file=wp-config.php

In another, the attacker is trying to exploit a different arbitrary file download vulnerability – this time in the WP Hide & Security Enhancer plugin. The vulnerability was disclosed less than six months ago.

https://www.defiant.com/wp-content/plugins/wp-hide-security-enhancer/router/file-process.php?action=style-clean&file_path=%2Fwp-config.php

It’s important to note that we are not running any of the themes or plugins this attacker is attempting to exploit on Defiant.com. Many of the attacks on WordPress sites are what we often refer to as “spray and pray” attacks, where the attacker simply tries hundreds or thousands of exploit attempts hoping to get lucky. It’s likely that attack volumes are lower for Defiant.com because it’s protected by the Wordfence real-time IP blacklist. Like you, attackers don’t want to waste resources. If all of their attacks are being blocked they will move on to an easier target.
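The request patterns described in this post can also be picked out of an ordinary web server access log. The following is an added example, not Wordfence code: it sorts constructed combined-format log lines (documentation-range IPs, category names chosen for this example) into the attack types above and reports each source IP's request count and burst length.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: combined log format, documentation-range IPs, paths taken from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2019:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 403 512 "-" "-"
203.0.113.7 - - [12/Feb/2019:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 403 512 "-" "-"
198.51.100.9 - - [12/Feb/2019:11:15:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 512 "-" "-"
198.51.100.23 - - [12/Feb/2019:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 403 512 "-" "-"
198.51.100.23 - - [12/Feb/2019:12:00:01 +0000] "GET / HTTP/1.1" 403 512 "-" "-"
192.0.2.44 - - [12/Feb/2019:13:00:00 +0000] "GET /wp-upload-class.php HTTP/1.1" 403 512 "-" "-"
192.0.2.44 - - [12/Feb/2019:13:00:05 +0000] "GET /wp-admin/setup-config.php?step=1 HTTP/1.1" 403 512 "-" "-"
192.0.2.44 - - [12/Feb/2019:13:00:09 +0000] "GET /searchreplacedb2.php HTTP/1.1" 403 512 "-" "-"
192.0.2.80 - - [12/Feb/2019:14:00:00 +0000] "GET /wp-content/themes/epic/includes/download.php?file=wp-config.php HTTP/1.1" 403 512 "-" "-"
192.0.2.80 - - [12/Feb/2019:14:00:01 +0000] "GET /wp-content/plugins/wp-hide-security-enhancer/router/file-process.php?action=style-clean&file_path=%2Fwp-config.php HTTP/1.1" 403 512 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

# Files the post describes attackers probing for, matched by basename.
KNOWN_PROBE_FILES = {"wp-upload-class.php", "searchreplacedb2.php"}


def classify(method, target):
    """Map one request to a category name (the names are this example's own)."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes values
    path = parts.path.lower()
    name = path.rsplit("/", 1)[-1]

    # Any parameter whose value points at wp-config.php (file=wp-config.php,
    # file_path=%2Fwp-config.php), whichever script it is sent to.
    for _, value in params:
        if value.lower().replace("\\", "/").rsplit("/", 1)[-1] == "wp-config.php":
            return "config_download"
    if any(key == "author" and value.isdigit() for key, value in params):
        return "author_enumeration"
    if name == "xmlrpc.php" and method == "POST":
        # Access logs carry no request body, so this is only a candidate login attempt.
        return "xmlrpc_post"
    if name == "wp-login.php" and method == "POST":
        return "wp_login_post"
    if path.endswith("/wp-admin/setup-config.php"):
        return "fresh_install_probe"
    if name in KNOWN_PROBE_FILES:
        return "known_file_probe"
    return "other"


def summarise(log_text):
    """Return {ip: {"requests": n, "span_seconds": s, "counts": Counter}}."""
    seen = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        ip, stamp, method, target, _status = match.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        entry = seen.setdefault(ip, {"first": when, "last": when, "counts": Counter()})
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["counts"][classify(method, target)] += 1
    return {
        ip: {
            "requests": sum(e["counts"].values()),
            "span_seconds": (e["last"] - e["first"]).total_seconds(),
            "counts": e["counts"],
        }
        for ip, e in seen.items()
    }


if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG).items():
        print(ip, info["requests"], info["span_seconds"], dict(info["counts"]))
```

A source whose requests fall mostly into the probe and download categories within a span of seconds matches the “spray and pray” behaviour described above, whether or not the targeted theme or plugin is installed.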

Conclusion

As you know, WordPress sites are under constant attack. There are many attackers, all of whom deploy different tactics. The free version of Wordfence includes protection for all of the attacks outlined above. For even better peace of mind, and likely lower attack volumes, consider upgrading to Wordfence Premium. For only $8.25 per month (billed annually) you can put the Wordfence real-time IP blacklist to work protecting your site around the clock.

The post Analyzing a Week of Blocked Attacks appeared first on Wordfence.

WordPress 5.0.1 Security Release – Immediate Update Recommended

WordPress 5.0.1 was released Wednesday night, less than a week after the much anticipated release of WordPress 5.0. This security release fixes seven security vulnerabilities, a few of which are quite serious.

Sites running versions in the 4.x branch of WordPress core are also impacted by some of the issues. WordPress 4.9.9 was released along with 5.0.1 to address the issues for those users.

We have not seen attempts to exploit these vulnerabilities in the wild yet, but given the number of sites impacted we expect that to change.

The speed at which these security issues were discovered, reported and fixed is a testament to the strength of the WordPress community working together.

Vulnerability Details

Sensitive Data Exposure

Team Yoast discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords. WordPress has addressed this by stripping the activation key used in the URL, and storing the value in a cookie instead.

PHP Object Injection

Sam Thomas discovered that contributors could craft metadata in a way that resulted in PHP object injection. This looks to be similar to the 2 arbitrary file delete vulnerabilities fixed in WordPress 4.9.6. This vulnerability allows an author to assign an arbitrary file path to an attachment. The file path supplied by the author uses the phar:// stream wrapper on a previously uploaded attachment which leads to object injection utilizing a “feature” of the PHAR file type which stores serialized objects in the metadata of the PHAR file. Sam Thomas presented this technique at BlackHat earlier this year.

Unauthorized Post Creation

Simon Scannell of RIPS Technologies discovered that authors could create posts of unauthorized post types with specially crafted input. The requirement that an attacker would need at least ‘author’ level privileges makes the likelihood of this being exploited on a widespread basis very low.

Privilege Escalation / XSS

Tim Coen discovered that contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability. This is another vulnerability that requires a higher-level user role, making the likelihood of widespread exploitation quite low. WordPress addressed this issue by removing the <form> tag from their HTML whitelist.

Privileged XSS

Tim Coen and Slavco discovered that users with ‘author’ privileges on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability. Yet again, the ‘author’ level user requirement makes this an unlikely target for attackers.

XSS That Could Impact Some Plugins

Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. The code change in WordPress core affects the wpmu_admin_do_redirect function which is not used in WordPress, but a plugin may call this function somewhere.

Unauthorized File Deletion

Karim El Ouerghemmi discovered that author-level users could alter metadata to delete files that they weren’t authorized to. This issue stems from the 2 arbitrary file delete vulnerabilities fixed in WordPress 4.9.6. The fix in WordPress addressed how attachment files are deleted, by restricting the file paths to the uploads directory, but did not address the issue of authors having the ability to change the attachment paths to arbitrary files. An author can use this to delete other users’ attachments.
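Both this issue and the PHP object injection issue above start from an attachment path that an author can set. The following added example is a Python model of a server-side check on such a path, not WordPress core's PHP and not the actual 5.0.1 patch; `UPLOADS_DIR` and `safe_attachment_path` are names assumed for the illustration.

```python
import posixpath
import re

# Assumed install layout for this example only.
UPLOADS_DIR = "/var/www/html/wp-content/uploads"

# Any "scheme://" prefix: phar://, php://, zip://, compress.zlib:// and so on.
_WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def safe_attachment_path(candidate, uploads_dir=UPLOADS_DIR):
    """Return the normalised absolute path if `candidate` is a plain file path
    inside `uploads_dir`; return None if it should be rejected."""
    if not isinstance(candidate, str) or not candidate or "\x00" in candidate:
        return None

    # Reject stream wrappers before any path handling. A lexical "is it under
    # uploads?" test alone would accept "phar://..." as an odd relative name,
    # while the file functions that later receive it would treat it as a wrapper.
    if _WRAPPER_RE.match(candidate.strip()):
        return None

    # Relative values are taken relative to the uploads directory; an absolute
    # value replaces the base entirely, so it must pass the prefix test itself.
    root = posixpath.normpath(uploads_dir)
    resolved = posixpath.normpath(posixpath.join(root, candidate))

    # normpath collapses "..", so anything that climbed out of uploads fails here.
    if not resolved.startswith(root + "/"):
        return None
    return resolved


if __name__ == "__main__":
    # Constructed inputs, not taken from any real site.
    for value in ("2018/12/photo.jpg",
                  "phar://./2018/12/photo.jpg/a.txt",
                  "../../wp-config.php",
                  "/var/www/html/wp-config.php"):
        print(repr(value), "->", safe_attachment_path(value))
```

The check is purely lexical and does not resolve symlinks. It also does not decide which user owns the file, so on its own it does not stop one author from pointing an attachment at another user's upload.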

What To Do

We have released firewall rules to protect our Premium customers against the vulnerabilities most likely to be exploited. Sites running the free version of Wordfence will receive them in 30 days.

Sites on WordPress 5.0 should update to version 5.0.1 as soon as possible. Those with automatic updates enabled for WordPress core should have already been updated, but given the nature of the vulnerabilities we recommend you check your sites manually just in case.

Sites running WordPress 4.x versions should update to version 4.9.9 as soon as possible. We’ve heard conflicting reports about automatic updates working for this upgrade. If you need to manually upgrade, the 4.9.9 update can be downloaded here.

You can find the official release announcement from the WordPress team here.

The post WordPress 5.0.1 Security Release – Immediate Update Recommended appeared first on Wordfence.

Video: WordCamp Atlanta Security Panel with Wordfence

In April, Wordfence sponsored WordCamp Atlanta and several of our team members attended the event. While there, we held a capture the flag (CTF) contest, which helps WordPress site owners learn to think like a hacker so that they can better defend their websites.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/10/video-wordcamp-atlanta-security-panel-with-wordfence/

Part of hacker culture is the art of lock picking, which many of our team members do as a hobby. At WordCamp Atlanta, we taught many of the attendees to pick their first lock. Doing this is a great way to illustrate how it helps to think like your adversary when you are defending something. If you know how to pick a lock, you can better secure your home or office. Similarly, if you think like a hacker, you can better defend your WordPress websites. Our team does these demonstrations at every WordCamp we sponsor, and if you successfully pick a lock, we will award you a lock-pick set as a prize.

At WordCamp Atlanta, one of the scheduled speakers was unable to attend and our team volunteered to fill in. Four Wordfence team members participated in a panel, taking questions and discussing various WordPress security topics with the audience. Our panel consisted of:

Mark Maunder – CEO
Matt Barry – Lead Software Developer
Sean Murphy – Director of Threat Intelligence
Tim Cantrell – Customer Support Engineer

Aaron Campbell, the head of security for WordPress and an all-around great guy, also makes an off-camera cameo. If you are interested in WordPress security and would like to get to know some of our best people a little better, I think you will really enjoy the conversation.

Video produced by nishasingh and originally published on WordPress.tv.

The post Video: WordCamp Atlanta Security Panel with Wordfence appeared first on Wordfence.

Meet the Defiant Team

In August, most of our team attended DefCon, a hacker conference in Las Vegas attended by tens of thousands of security professionals. All of us work remotely, so it is always really special to spend time together as a team.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/09/meet-the-defiant-team/

While we were there we completed a fun project. We created a video with footage from many of our team events and interviews of team members talking about what it’s like to work at Defiant. We’re really happy with how it turned out, and thought you might enjoy getting to know the team behind Wordfence a little better and how we work together to keep your sites safe.


The post Meet the Defiant Team appeared first on Wordfence.

Wordfence: Live On Tour In A City Near You

This year we’ve attended and sponsored quite a few WordCamps, and have had members of our team speak at some as well. If you haven’t attended one recently we highly recommend it. They’re a great opportunity to learn and connect with other members of the WordPress community.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/08/wordfence-live-on-tour-in-a-city-near-you/

WPCampus Highlights

While not strictly a WordCamp, in July we sponsored and attended WPCampus, “a community and conference for web professionals, educators and people dedicated to the confluence of WordPress in higher education.” We work with many educational institutions throughout the world to protect their WordPress sites, so sponsoring and attending the conference was a great opportunity to connect with our users face to face and introduce Wordfence to those who haven’t discovered us yet.

The Wordfence table was lively throughout the event, with Mikey giving impromptu lock picking lessons and Kathy going deep on how to protect WordPress at scale.

Mikey teaching lock picking to a WPCampus attendee

If you’re tasked with securing WordPress for a college or university and missed WPCampus, consider setting up some time with Kathy to discuss how best to leverage Wordfence to tackle the unique challenges you’re facing.

Those who attended the conference were treated to a presentation, “What the hack? Fortifying your security by understanding your adversary”, by our very own Mikey Veenstra. He is one of the Threat Analysts on our team who are responsible for developing the malware signatures and firewall rules that keep your sites safe. The WPCampus team was kind enough to capture the presentation and publish it on YouTube. We think you’ll enjoy it.

Upcoming WordCamps

WordCamp Minneapolis – this weekend

Through tomorrow (August 25th), we are attending and sponsoring WordCamp Minneapolis. Tim, Matt and James from our team are there manning the Wordfence table and running a capture the flag contest. We’re giving away great prizes including a Sony Playstation with a VR Bundle. Most of you probably know Tim from his years providing excellent support on our customer service team. Matt and James are both software developers on our team.

The Wordfence table at WordCamp Minneapolis

WordCamp Omaha – Sunday (8/26)

Our very own Brad Haas, Wordfence’s Senior Security Analyst, will be speaking tomorrow at WordCamp Omaha. His presentation, “Hacking War Stories (and what you can learn from them)”, is going to be really fun.

WordCamp New York – September 15 & 16th

Our Director of Information Security Colette Chamberland and Chloe Chamberland from our Security Services Team will be presenting “How to Optimally Secure Your WordPress Environment” on Saturday, September 15th at WordCamp New York.

WordCamp Sacramento – September 15th & 16th

We will be sponsoring and attending WordCamp Sacramento. Mark Maunder, our CEO, will be attending along with Kathy Zant, a Client Partner on our team. We will be running a capture the flag contest with great prizes. Kathy will be giving a talk titled “Evaluating Plugins: Strategies To Effectively Extend WordPress”. Don’t miss it!

WordCamp Los Angeles – September 21st & 22nd

We will be sponsoring and attending WordCamp Los Angeles. A number of us will be attending and we will be running a capture the flag contest.

WordCamps Later in the Year

They’re still in planning stages, but we’re planning to attend quite a few WordCamps this fall. You will most likely see us in Vancouver, Orlando, Seattle, Portland and a few other cities. Stay tuned for more updates.


Announcing Revamped Volume Pricing for Premium Licenses

This year we have been very focused on the needs of agencies and other organizations with lots of sites to protect. We’ve spoken with many of you and have a clear picture of what we can do to make Wordfence work even better for you.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/08/revamped-volume-pricing-premium-licenses/

To start things off, in June we released a feature that makes Premium licenses work seamlessly across development, test and staging domains. We’ve gotten tremendous feedback on it so far and encourage you to take advantage of it if you haven’t already.

The latest change we’ve made addresses what is probably the most common piece of feedback we receive from organizations that manage lots of sites. We’re changing the way we handle volume discounts. We have always offered volume discounts, but your discount was based solely on the number of licenses you purchased, and for how many years, during a single transaction. That worked well for us for a long time, but based on your feedback it was clear we needed to make a change.

Volume discounts for license purchases are now based on your total active license count, including what you’re buying today. For example, if you already have 5 licenses and want to purchase 2 more today, your discount is based on a total of 7. The table below shows our new volume discount rates:

Active License Count | Discount % | Price Per License
1                    | 0%         | $99.00
2-4                  | 10%        | $89.10
5-9                  | 15%        | $84.15
10-14                | 20%        | $79.20
15+                  | 25%        | $74.25

If you are currently a Premium customer this means that any purchase you place going forward qualifies for a discount, regardless of how many licenses you purchase.

We are also offering incentives for purchasing additional years. Currently you will receive an additional 10% discount on your transaction if you purchase a 2 year license and 20% for 3.

Renewal prices for your new licenses are also based on your active license count. As you purchase more licenses, the discount applied to your renewal prices goes up.

Your old licenses won’t change… unless it’s in your favor

With this change we wanted to make sure that we didn’t raise prices for the licenses you already own. Your renewal price for licenses purchased before July 24th of this year will not change, unless your active license discount qualifies you for an even lower price. In that case we will automatically charge you the lower price. And as long as they’ve been installed on a website they count toward your active license count, improving your discount for new license purchases and lowering the renewal rate for your newer licenses.

More is on the way

Our team is currently hard at work on a major feature that will make managing and monitoring Wordfence across multiple sites much, much easier. We haven’t set a launch date yet, but you should see it within a few months. If you’d like early access I highly recommend signing up for our beta program.

Need help managing Wordfence at scale?

Our new Client Partner program was created with agencies and organizations with high profile sites to protect in mind. Set up a free 15 minute consultation today to learn how we can help you protect your sites with Wordfence.

Known WordPress Threat Actor Under Investigation For Prescription-Free Online Pharmacy

Last September we published a series of three blog posts exposing a threat actor who had purchased a number of WordPress plugins as part of an elaborate supply chain attack. This ownership enabled him to inject SEO spam into hundreds of thousands of websites, boosting search engine rankings for various illicit online businesses.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/08/known-wordpress-threat-actor-under-investigation-for-prescription-free-online-pharmacy/

In the first post we reported that a backdoor had been placed in the Display Widgets plugin by its author. We demonstrated how the backdoor worked and its purpose. We also found evidence that the plugin had recently been sold.

In our second post the following day, we were able to identify the man behind the plugin spam, Mason Soiza. We were also able to tie him to another plugin we had written about back in August of 2016, 404 to 301, which had also been used to inject SEO spam into websites. With the aid of the original plugin authors we were able to gather comprehensive information about the purchases. We were also able to tie Soiza to some of the illicit businesses the SEO spam was benefitting.

We continued our research and published a third and final post a week later. In it we were able to tie together a 4.5 year campaign impacting 9 WordPress plugins, all used by Mason Soiza to serve SEO spam on victim websites. These WordPress supply chain attacks caught the community by surprise.

The Times and BBC Take Things Further

Last week The Times published an article focused on the website UK Meds, which is owned by none other than Mason Soiza. According to The Times, the site is under investigation by regulators for selling prescription medications, including highly addictive opioid painkillers, to customers without a prescription. Customers need only complete a free “online consultation”, which is reviewed by a doctor in Romania.

The Times article references a spokesman for Mason Soiza who “[…] accepted that he had bought WordPress plugins and inserted code but disputed that this was malicious code and denied he was a spammer.” The article also suggests the business has been profitable enough to allow Mr. Soiza to purchase a £215,000 Lamborghini and a £100,000 watch.

On Monday, the BBC Panorama series covered the topic of online pharmacies in the UK (linked content only accessible from the UK). Mason Soiza’s site UK Meds is among the four online pharmacy sites profiled.

In the episode, five volunteers order prescriptions, most of which could prove fatal for them. Three of them ordered opioid-based painkillers, one diet pills and another antibiotics. All five were able to successfully place their orders online by answering online questions dishonestly and receive the medications. In the most touching part of the episode, a mother whose son died as the result of a drug overdose is interviewed. Dependent on the drugs, he was able to buy them online for two years after his doctor had cut him off.

They also go undercover to talk to the owner of EuroRX, who explains how online pharmacies can leverage doctors in Romania to circumvent prescription requirements.

Protect the Community by Keeping Your Site Secure

We were happy to see both The Times and BBC take this story further. What they uncovered serves as an important reminder that the people behind the attacks on our websites are generally up to no good. It might just be a website to you, but to a criminal it’s an important resource they can use to further their agenda. Unfortunately, that agenda sometimes includes potentially deadly activities. We can all do our part to help keep the community safe by keeping our sites secure and out of the hands of criminal actors.


Brad Haas Discusses BabaYaga Malware on the CyberWire Podcast

In early June we published an article and accompanying white paper detailing an interesting malware infection which we’ve internally dubbed BabaYaga. The relatively sophisticated malware is unique because it contains a number of features intended to ensure the infected site remains in working order. It keeps WordPress core up to date, performs and stores backups and even scans for and removes malware.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/07/baba-yaga-cyberwire-podcast/

On Saturday one of our Senior Security Analysts and the author of the BabaYaga white paper, Brad Haas, sat down for an interview with Dave Bittner on the CyberWire podcast. We think you’ll really enjoy the 20 minute interview. Simply click play below to hear it. If you prefer a written version, a full transcript is available here.

As always we’d love to hear your thoughts and questions in the comments.
