WordCamp US Recap

WordCamp US was held in Nashville, Tennessee this year. We sponsored the event, had a booth and of course provided lock picking lessons, as has become our tradition at WordCamps. Our goal is to get you to think like a hacker, so that you can better secure your sites. Picking a lock really gets you into that mindset. Plus it is a lot of fun!!

From our team we had Sean Murphy – Director of Threat Intelligence, Tim Cantrell – Customer Service Engineer, Dan Moen – Chief Marketing Officer, Kathy Zant – Client Partner and of course me, Mark Maunder – CEO.

We sponsored 13 WordCamps this year and our team spoke at an additional three. I attended Atlanta, Los Angeles, Portland (Oregon), Vancouver (BC), Seattle and Nashville. On a personal note WCUS was intense for a few reasons. Our team has traditionally attended security conferences like DEF CON, Black Hat, RSA, DerbyCon and more – and we haven’t spent much time attending or sponsoring WordCamps. This year we changed that and put a lot of energy into engaging with the WordPress community.

By the time WCUS rolled around I had already made a lot of friends across the industry. In many cases, these are people in the WordPress community that I have been engaging with for over 6 years via Slack or email but have never met in person. Others I met at WordCamps across the country and when WCUS arrived, it was like a giant reunion which was a lot of fun.

One of my favorite new friends from this year’s WordCamps is Matt Mullenweg, the WordPress founder. I had the pleasure of having a beer with Matt at WordCamp Portland, where he made a surprise appearance. My colleagues Kathy Zant, Mikey Veenstra and I spent over 2 hours just hanging out with Matt in Portland and chatting. Matt is a really cool dude and we again met up at WCUS a few times. Matt came around to our booth and it turns out he has been into lock picking for some time and is quite good at it! (Photo below)

One of the things I love about WordCamps is it really brings the community together, including vendors like us and our peers in cybersecurity. My colleague Kathy Zant is deeply involved in the WordPress community and has made many friends across the industry. This is one of my favorite pictures from WCUS.

From left to right: Alycia Mitchell from Sucuri/GoDaddy, Jamie Schmid from SiteLock, our own Kathy Zant from Wordfence and Rianna MacLeod from Sucuri/GoDaddy.

I would be remiss if I didn’t mention Kathy Zant from our team in a bit more detail. Kathy has the most incredible energy and she really brought it at WCUS and WordCamps throughout the year that we sponsored. I would show up at our booth to set up at 7:30am to find that Kathy had already been there for an hour and was just about done booth-building.

Or I’d show up at 9am on a Sunday morning because I was up till 3am the previous evening “networking”, and Kathy was at the booth bright and early chatting with customers and solving security problems. During gaps at the booth she would be on her phone helping our larger customers with their challenges in her role as client partner. And as if that isn’t enough, Kathy is an Executive Producer on a certain project we are collaborating on (I think many of you already know what that is – more news on that soon) and is of course completely owning that role too. And most of that work happens at WordCamps.

Kathy. Is. Amazing.

During WordCamp Atlanta I had the great pleasure of meeting Kathy Drewien, one of the Atlanta organizers. Kathy is also an organizer for WordCamp US and of course we spent some time catching up. Kathy does a lot for WordCamps around the US and my team and I are very grateful for her contribution!!

This is a rather hasty selfie of Kathy Drewien and me at WordCamp US in front of our booth. Looks like Dan and Tim are having an animated conversation behind us and a few visitors are busily picking locks. Kathy Zant is on the far right talking to customers. As you can tell we fully utilized our booth space, and will most likely get a larger space next year.

WCUS is awesome. There is no other way to put it. By 9am every morning my body was producing its own caffeine, and by the time the evening came around I was literally high on life after spending time with the most incredible people. If you are passionate about WordPress, WCUS is Disneyland for WP.

This is Tim Cantrell with one of the harder practice locks we had at our table. A lot of our students had a hard time picking this one!!

This is Kathy Zant surrounded by her newly minted lock picking prodigies, working on a difficult lock of her own. Tim is on the right answering customer questions.

This is Matt Mullenweg with Josepha Haden from Automattic picking locks and chatting with Tim Cantrell.

The after-party for WCUS was held at the Adventure Science Center in Nashville. One of my life goals has been to go to a party that has beer at a science center. Goal achieved!!

This is a photo of me and another WCUS attendee battling it out on a mind game. You put a strap with electrodes on your forehead and the goal is to calm your mind as much as possible. The person with calmer mind pushes a ball towards their goal. I got absolutely killed on this game within a few seconds. My colleague apparently has a way calmer mind than I do. This was the moment of my defeat.

The after-parties hosted by sponsors were incredible. They really allowed our team and the attendees to experience Nashville, and Broadway in particular. The first time I walked onto Broadway my jaw dropped. I hadn’t actually heard much about Nashville’s party central, and the light show was incredible. I took this photo.

Thank you very much to the City of Nashville for hosting WordCamp US 2018. We had a wonderful time in your amazing city. I will be visiting again even if I can’t find a conference to attend. See you all in St Louis next year for WordCamp 2019. The Wordfence team will definitely be there!

~Mark Maunder

The post WordCamp US Recap appeared first on Wordfence.

How We Think About WordPress Security and Research

This weekend I had a really fun conversation with Doc Pop from Torque Magazine. Torque is a great source for WordPress news. They are part of WP Engine, but maintain editorial independence.

I chatted with Doc in Nashville, in the Music City Center where WordCamp US was being held. Music City Center is an amazing facility and you can see some of it in the background of our interview. Nashville is also an incredible city. We will be posting a roundup of WordCamp US tomorrow morning.

In our conversation, Doc asked me various questions about WordPress security and the research we do. He got me talking about how we work, how we think about security, responsible disclosure of vulnerabilities and WordPress security in general.

The video of the interview is below. I’ll be around to answer any questions in the comments.

~Mark Maunder


WordPress 5.0: How and When to Update

WordPress 5.0 is being released tomorrow, December 6th. This release contains a major change to the WordPress editor. The new editor, code-named Gutenberg, is a substantial leap forward in functionality. It uses a new block-based system for editing which allows you to embed a wide range of content in your posts and pages, and gives you a lot of flexibility in laying out those blocks on the page.

Once Gutenberg and WordPress 5.0 have stabilized, they will provide long term benefits to WordPress users and the community. But in the short term, this change may introduce challenges for some WordPress site owners. In this post we will discuss a few points that will help you decide when to upgrade to WordPress 5.0, and to formulate a successful strategy for making the transition.

Why is WordPress changing the editor?

The WordPress core development team has been talking about Gutenberg for quite some time. The goal, according to Matt Mullenweg, is “to simplify the first-time user experience with WordPress — for those who are writing, editing, publishing, and designing web pages. The editing experience is intended to give users a better visual representation of what their post or page will look like when they hit publish.”

Overall, we agree that Gutenberg will be a giant leap forward in using WordPress to create content online. But, as Matt stated, the goal is to simplify the experience for the first-time user. For the rest of us who have assembled a number of tools to fill the gaps in the older editor’s shortcomings, this will be a period of adjustment.

Potential Problems With Legacy Plugins and Themes

WordPress has been around for over 15 years, and in that time millions of websites have been created using the current editing framework. Often, sites are created and never updated to more modern themes. There are a large number of abandoned plugins installed on WordPress sites – plugins that are no longer being actively maintained by their developers. No one is testing these abandoned plugins or older themes to see how they will behave with Gutenberg.

Adding to the complexity, many of these sites may be hosted on managed WordPress hosting services that will auto-update to the new WordPress version.

Some WordPress site owners may be unable to effectively edit pages they had previously published. Some may be unable to access their edit screen. There may be server 500 errors or white screens for some users. Or everything may run smoothly, even with legacy plugins and a legacy theme.

With over 60,000 unique plugins in the WordPress plugin directory, it is not feasible to test all of the plugins with the new editor. Actively maintained plugins are, for the most part, being tested by the plugin authors. Abandoned plugins will not have been tested, so it is up to you to test whether WordPress 5.0 will work with these plugins.

The same applies to themes. Many themes are actively maintained by their authors. In other cases, a theme may have been created as a single project for a customer or created for the community and then left unmaintained. These unmaintained themes have not been tested with Gutenberg and WordPress 5.0.

If you do anticipate compatibility problems with WordPress 5.0, you can keep the current WordPress editor by installing the WordPress Classic Editor Plugin. We recommend you do this ahead of time, rather than try to use the new editor with incompatible code. But it’s also worth pointing out that Gutenberg and WordPress 5.0 are a significant step forward in editing power and flexibility. So it is worth investing the time to make your site compatible, modifying it if needed, and then reaping the benefits of a brand new block-based editor.

Will Wordfence work with Gutenberg?

Yes. Wordfence does not interact with the editor, so it will not be impacted by Gutenberg. Our QA team has thoroughly verified that Wordfence is ready for Gutenberg and WordPress 5.0.

If you have Wordfence installed, you will receive a notification that WordPress is out of date and requires an update. Please keep in mind that this is no ordinary update. This is a major change to your content management system, and we recommend that if you’re not ready for the new editor, you wait to update WordPress. Yes, you will receive security warnings from Wordfence, because the basic premise has always been to keep open source software updated. If you are not entirely ready for WordPress 5.0, however, there is no harm in staying on the current version while you get ready.

The current version of WordPress core is 4.9.8. If you remain on this version, you will continue to receive security updates from the WordPress core team. The current policy of the WordPress security team is to back-port security fixes to all auto-update compatible WordPress core versions. That means that all versions of WordPress core will continue to receive security updates all the way back to WordPress 3.7. This is not an open-ended policy and may change in the future.

How do I know if I am ready?

Do you have a testing environment for your website? Have you tried the new Gutenberg editor? Are you using a modern version of PHP? Great, you’ll likely be prepared for WordPress version 5.0. As with all major releases, we recommend updating your test environment first to look for problems.

Look for anomalies with all of your page layouts. It also makes sense to go back in time on your test environment and review older posts and pages to ensure they’re ready for the new editor.

As always back up both your site files and your database prior to any update, especially an update of this magnitude.

If your hosting provider auto-updates

If you’re on managed WordPress hosting, your hosting provider will automatically update WordPress for you. Your managed WordPress provider should be taking backups for you. Check with your hosting provider to see what support they will provide for the new WordPress editor and when they will be updating to WordPress 5.0. Some hosting providers, like Page.ly, are waiting until January of next year to do the update.

If you’re using a page builder or premium theme

If your site uses a page builder like Visual Composer, Divi, Beaver Builder or any other tool that uses shortcodes, check with the developer to ensure that your tool is ready for Gutenberg. Many page builders come bundled with premium themes. You may need to check with your theme developer to ensure that you have the updated versions installed on your sites.

What are the security implications of Gutenberg?

We are not currently aware of any security issues with WordPress 5.0 or Gutenberg. The project is being moved into production at a rapid pace which increases the risk of a security issue emerging, because this reduces the amount of time available for testing and debugging.

At this phase in the evolution of WordPress, there are a large number of security teams globally that have eyes on the code and are actively conducting research to determine if there are vulnerabilities in new WordPress releases. As soon as an issue emerges, our team will react and release a firewall rule in real-time to protect our Premium Wordfence customers.

Once WordPress 5.0 is released, there will likely be a series of smaller releases that will emerge over the following weeks. We recommend that you monitor the official WordPress blog and if they announce a security update, upgrade as soon as possible.

Overall This is Good News

As mentioned above, Gutenberg and WordPress 5.0 are a major leap forward in the evolution of WordPress. Rapid innovation does not come without risk or inconvenience to such a large user base. Our team is excited to embrace the new WordPress and to use it ourselves. By following our recommendations above, you can reduce the risk of this transition and migrate smoothly into 2019 with a powerful new editor for WordPress.


Using PHP 5 Becomes Dangerous in 2 Months

WordPress, Joomla, Drupal and many other popular website CMSs were written in a programming language called PHP. PHP version 5 is about to reach end-of-life and will stop receiving security updates in two months. Many WordPress and other PHP websites remain on version 5.6 or older. Once support for PHP 5 ends in two months, these sites are in a precarious position and will become exploitable as new PHP 5 vulnerabilities emerge without security updates.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/10/php5-dangerous/

This post is in a FAQ format and describes why PHP 5 is reaching end-of-life, what the timeline is and what to do about it. The Wordfence team is working to create awareness of this issue in the WordPress and broader PHP community. You can help by sharing this post with your colleagues that manage PHP websites or use WordPress.

What is End-Of-Life or ‘EOL’ in Software?

When a software product reaches EOL, it is no longer supported by software developers. That means that, even if someone finds a security hole in the software, the developers will not fix it.

If a development team is productive, they will release many versions of the software they work on over time. It becomes impractical to support every version of the code ever released. So a compromise needs to be made.

This compromise is that the development team will only support their software for a certain amount of time. After that time has elapsed, the development team suggests that the user community upgrade to a newer version of the same software, which usually does things better than the old versions and is fully supported.

Is PHP Version 5 going to be EOL soon?

Yes. PHP version 5 will be declared End-Of-Life on January 1st, 2019. That is, in approximately two months at the time of writing.

The PHP development team’s policy with regards to end-of-life is as follows: each release of PHP is fully supported for two years from the date of release. Then it is supported for an additional year for critical security issues only. Once three years have elapsed from the date of release, that version of PHP is no longer supported.

PHP 7.0, the very first PHP 7 release, was released on 3 December, 2015, almost three years ago. PHP version 5 is rapidly approaching end-of-life and will no longer be supported starting on 1 January, 2019.

The final branch of PHP version 5 that is still supported is PHP 5.6. Because this is the final PHP 5 branch, the PHP team chose to extend the security fix period from the usual one year to two years. That extended security support will end on 1 January 2019.

The following table includes the important dates for PHP 5 and PHP 7 branches. You can find this table on this page on the PHP website.

Why Should I Upgrade to PHP 7?

As mentioned above, PHP 5 will no longer be supported with security fixes, starting on 1 January 2019. That means that even if a vulnerability is discovered, it won’t be fixed, leaving your website vulnerable.

PHP 7 has many improvements over PHP version 5. These include performance improvements. PHP 5 has many known bugs that relate to performance, memory usage and more. PHP 7 is actively supported and developers are therefore able to implement those improvements and make your website run faster, be more stable and use your expensive resources more efficiently.

As an added benefit, PHP 7 also allows the use of more modern programming structures, which is a nice benefit for software developers.

How can I find out my PHP version?

If you are using WordPress and running the Wordfence security plugin, simply go to “Tools”, then click on the “Diagnostics” tab at the top right. Scroll down to the “PHP Environment” section and you will be able to see your PHP version on the right side of the page.

Alternatively you can install this extremely basic plugin on your WordPress site which will display your PHP version. Please note that this plugin is not produced by the Wordfence team and we do not endorse it.

If you have FTP access to your website, you can create a file with a name that is hard to guess. Then add the following two lines:

<?php
phpinfo();

Save the file in your web root directory and then visit the file in your web browser. Your PHP version will be displayed at the top of the screen. Don’t forget to delete your temporary file once you’re done.

Which specific version of PHP 7 should I upgrade to?

Ideally, you should upgrade to PHP 7.2 which is the newest version of PHP. This version will be fully supported for another year and will receive security updates for a year after that.

If you are unable to upgrade to 7.2, then at a minimum you should upgrade to PHP 7.1. Full support for PHP 7.1 will end in 1 month. However, you will continue to receive security updates for another year after that.

Do not upgrade to PHP 7.0. This version will also become end-of-life in one month.
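The support policy above (two years of active support, then security fixes only, with PHP 5.6 given an extended security period) and the version recommendations in this section can be turned into a small self-check. The script below is an added example and is not code from the Wordfence post; it reports whether the PHP branch a site runs on is fully supported, in security-only support, or end-of-life, and prints the advice the post gives. The support table is an assumption in the sense that it is hand-maintained: the dates are the php.net supported-versions dates as of late 2018 and agree with the post (5.6 security fixes end 1 January 2019, 7.0 reaches end-of-life on 3 December 2018, 7.1 receives security fixes until 1 December 2019, 7.2 until 30 November 2020). It deliberately avoids PHP 7 syntax so that it also runs on the PHP 5.6 host you are trying to move off.

```php
<?php
// Added example, not code from the Wordfence post. Classifies a PHP version
// as active / security-only / eol on a given date, using the support windows
// the post describes. Dates are the php.net supported-versions dates as of
// late 2018 (hand-maintained table; refresh it from php.net when it ages).
// Written without PHP 7 syntax on purpose so it runs on PHP 5.6 as well.

// branch => array(active support ends, security support ends), inclusive dates.
function php_support_windows() {
    return array(
        '5.6' => array('2017-01-19', '2018-12-31'),
        '7.0' => array('2017-12-03', '2018-12-03'),
        '7.1' => array('2018-12-01', '2019-12-01'),
        '7.2' => array('2019-11-30', '2020-11-30'),
    );
}

// Reduce a full version such as "5.6.40" to its branch "5.6".
// Returns null when the string is not a dotted version.
function php_branch($version) {
    if (!preg_match('/^(\d+)\.(\d+)/', $version, $m)) {
        return null;
    }
    return $m[1] . '.' . $m[2];
}

// Classify a PHP version on a given date.
// Returns 'active', 'security-only', 'eol' or 'unknown' (a branch newer than
// the table, which means the table needs refreshing from php.net).
function php_support_status($version, DateTime $today) {
    $branch = php_branch($version);
    if ($branch === null) {
        return 'unknown';
    }
    $windows = php_support_windows();
    if (!isset($windows[$branch])) {
        // Every branch before 5.6 (5.5, 5.4, ...) was already end-of-life in 2018.
        return version_compare($branch, '5.6', '<') ? 'eol' : 'unknown';
    }
    list($activeEnd, $securityEnd) = $windows[$branch];
    // End dates are inclusive, so compare against the last second of that day.
    if ($today <= new DateTime($activeEnd . ' 23:59:59')) {
        return 'active';
    }
    if ($today <= new DateTime($securityEnd . ' 23:59:59')) {
        return 'security-only';
    }
    return 'eol';
}

// Map the status onto the post's advice: 7.2 if possible, 7.1 at a minimum,
// never 7.0, and off every PHP 5 branch before 1 January 2019.
function php_upgrade_advice($version, DateTime $today) {
    switch (php_support_status($version, $today)) {
        case 'active':
            return "PHP $version is fully supported; no action needed.";
        case 'security-only':
            return "PHP $version receives security fixes only; plan the upgrade to PHP 7.2.";
        case 'eol':
            return "PHP $version is end-of-life and gets no security fixes; upgrade to PHP 7.2 now.";
        default:
            return "PHP $version is not in the support table; check php.net/supported-versions.";
    }
}

// 1. Check the interpreter this script is actually running under, today.
$today = new DateTime('now');
echo 'Running PHP ' . PHP_VERSION . ': ' . php_upgrade_advice(PHP_VERSION, $today) . PHP_EOL;

// 2. Constructed sample versions evaluated on the post's deadline, showing
//    each status the classifier can return (5.4 eol, 5.6 eol, 7.0 eol,
//    7.1 security-only, 7.2 active).
$deadline = new DateTime('2019-01-01');
foreach (array('5.4.45', '5.6.38', '7.0.32', '7.1.24', '7.2.12') as $sample) {
    printf("%-8s on %s: %s\n", $sample, $deadline->format('Y-m-d'),
        php_support_status($sample, $deadline));
}
```

Run it from the command line with `php check-php-support.php` (the file name is your choice), or drop it in the web root under a hard-to-guess name as the post suggests for phpinfo() and delete it afterwards. Unlike phpinfo(), it prints only the version and the support status, not the full environment dump, so it exposes much less if you forget to remove it.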

Does PHP 5 have any vulnerabilities?

Security vulnerabilities are continuously reported in PHP. Some of these are serious. Viewing this page on CVEDetails.com will give you an idea of the volume and severity of PHP vulnerabilities that have recently been reported.

Many of the vulnerabilities reported in PHP were discovered this year. Many more will be discovered in PHP version 5 next year, after security support for all versions of PHP 5 has ended. That is why it is critically important that you upgrade to a version of PHP 7 that is supported and is receiving security updates.

Will anything break if I update to PHP 7.2?

You may discover incompatibilities that need to be fixed by a developer if you update to PHP 7.2. PHP has undergone some changes since version 5 which have improved the language and made it more secure, but which may result in warnings or errors for code that has not been made compatible with PHP 7.

If you are a WordPress user, WordPress core is fully compatible with PHP 7.2 and greater.

However, it is very important that you make sure that your themes and plugins are also compatible with PHP 7.2. If you are using an unmaintained theme or plugin, you may encounter warnings or errors due to incompatibilities. For this reason, we recommend you test your website on a hosting account or server that is running PHP 7.2. If you encounter any problems, contact the developer of the theme or plugin and ask them for an urgent fix. Remind them that PHP 5.6 reaches end-of-life in just two months and that you must update to PHP 7.2 by then.

This page has a migration guide for PHP developers who are migrating code from PHP 5.6 to PHP 7.

This page has a list of deprecated functions under PHP 7.2 and will be helpful to a developer that is migrating code from PHP 5 to PHP 7.

What if my hosting company does not support PHP 7?

Your hosting account should include some kind of control panel or options and settings page. If you’re not seeing an option to upgrade to PHP 7, you should contact your hosting company’s support team to see what your options are. If none are available, we recommend you transition to new hosting before the end of the year.

What if my developer does not support PHP 7?

PHP 7.0 was released two years and 10 months ago. If your developer’s plugin, theme, or other PHP product does not support PHP 7 at this point, it is quite likely that the project is unmaintained. If the project was being maintained, then they would have had users who are using PHP 7 report problems within the last 2 years and 10 months, which they would have fixed.

Using unmaintained software is a bad idea because it means that security vulnerabilities are not being fixed. So if you do encounter incompatibilities when upgrading to PHP 7.2, this may be a red flag and may indicate you should move on to using an alternative product that is being actively maintained.

What is the easiest way to upgrade to PHP 7.2?

Many hosting providers offer a one-click PHP version change in cPanel. This allows you to switch to PHP 7 and check your site for problems. If something doesn’t work, you can switch back and create a plan for addressing the issues you found.

If you can’t find where to update your PHP version, your hosting provider can advise you how to update PHP in their environment. It may mean them making a change on their end or even moving your site to another server.

Remind me again why I need to update to PHP 7.2?

The really good news is that you are probably going to see a nice performance improvement when you update your site. Sure, you may need to deal with a few, hopefully minor incompatibilities. But once you have updated to PHP 7.2, you can rest assured that you will continue to receive security updates until November 30, 2020.

If you remain on PHP 5.6, you may find yourself dealing with a hacked site some time next year when a vulnerability is released for PHP 5.6 and no fix is released by the PHP team because PHP 5.6 is end-of-life.

How can I help?

This deadline is coming up fast. All versions of PHP 5 will stop receiving security updates in 2 months. There are a huge number of websites that are still on PHP 5. As soon as security updates end, attackers will be highly motivated to find vulnerabilities that they can exploit, because those vulnerabilities will not be fixed and will be exploitable for a long time.

To help transition the global web community to PHP 7, please spread the word by sharing this post and helping create awareness about this tight deadline and how to transition to PHP 7.


Wordfence Is GDPR Compliant

Today the team at Defiant completed the required steps to make our organization and services GDPR compliant.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/05/wordfence-is-gdpr-compliant/

Your starting point for Wordfence and GDPR should be the following page: Wordfence and GDPR – General Data Protection Regulation page.

On the above page you can find everything you need to ensure that you remain GDPR compliant while enjoying the security benefits of Wordfence. This includes a pre-signed data processing agreement if you need to sign one. We also include a list of the cookies the Wordfence plugin sets when installed on a site and what each cookie does to improve security.

As part of this project, we have also updated our terms of use and privacy policy. Current users of Wordfence will be prompted with our new terms of service and privacy policy within the next 24 hours as the newest version of Wordfence is deployed. New users of Wordfence will see the terms of service and privacy policy prompt as soon as they install Wordfence.

The Wordfence user interface will be disabled until you review and agree to our new terms. The prompt will look like this:

We have optimized this process so that, if you have many sites running Wordfence Premium, once you agree on one site, you won’t have to repeatedly agree to the same terms across all your other sites.

I’d like to congratulate our team on completion of this project. It required hundreds of hours of work which included product updates, website changes, the creation of new agreements and documentation and a thorough data and security audit.

While we cannot provide GDPR advice to other companies, if you have any questions about GDPR as it relates to Wordfence, you are most welcome to post them in the comments below.

Mark Maunder – Defiant Founder and CEO


Wordfence GDPR Update 2: On Target For May 25th

Preparations to get Wordfence and our organization ready for GDPR continue at Defiant and we are on schedule. Last week we sent out an update that said we are applying for the Privacy Shield certification program for both EU-US and Swiss-US and will soon have available a Data Processing Agreement for our EU customers who need one.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/05/wordfence-gdpr-compliance-update-2/

We have now completed our application for the Privacy Shield certification programs mentioned above. As of this morning, May 16th, our Privacy Shield application has not been processed yet. We expect it to be completed by this coming Monday, the 21st of May.

Once the Privacy Shield application is processed, on Monday, we plan to roll out plugin updates, website updates, policy updates, new ‘Help’ content and a further blog post explaining the updates. Most of this work is already completed, we just need to complete the application process and the rollout.

If for some reason our Privacy Shield application is not processed by early next week, we have a contingency plan in place that would meet the deadline. It will create more work for us, but would ensure that we can continue to serve our European customers and keep ourselves and them GDPR compliant. The contingency plan does not require any changes to our software, only changes to our policies. Hopefully our Privacy Shield application will be processed in a timely fashion and we’ll remain on track. But as they say, hope for the best, plan for the worst.

The bottom line is that by the end of next week, we will have completed our rollout to become fully GDPR compliant. Wordfence remains committed to serving our European customers, along with our US and world-wide customers, and the Defiant team is working hard to ensure that you will remain secure and compliant.

As always, you are welcome to post in the comments below. Just a reminder, I am not a lawyer and, while we have a spectacular legal team of our own (Thank you Charlie, Mark, Corey and K&L Gates!), I can not give you general GDPR advice. I can only advise you on our own progress with regards to GDPR compliance.


Introducing Discounted Hacked Site Cleanings

Last month we introduced ‘high demand’ pricing for our site cleaning service. We did this because demand for site cleanings is seasonal and it became a challenge for us to deal with the surges in business we would see while maintaining a high level of customer service.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/05/discounted-hacked-wordpress-site-cleanings/

We have always run our site cleaning business at break-even, which is why we are the lowest priced site cleaning service in the industry for such high quality. We clean sites to gain a better understanding of how hackers successfully compromise them, and to gather forensic data to improve our malware detection capability.

We introduced the concept of demand based pricing to regulate the volume of orders we receive. It does not generate significantly more revenue. As demand goes up, by increasing the price we keep the number of orders from overwhelming our team, enabling us to deliver a consistent level of service to our customers.

Before we introduced high demand pricing, we had a system in place that would just extend the wait time for a site cleaning. We would tell customers that it would take 1, then 2, then 4 – and we eventually got up to a 6 business day wait time for turnaround on a hacked site. That was completely unacceptable in our view. We wanted to deliver a consistent level of customer service, even if we were telling our customers what the wait time was and setting their expectations.

Instead, I wanted our team to clean sites with a consistently fast turnaround time that never changed. In the face of fluctuating demand, the only way to regulate the order volume we received was to allow pricing to fluctuate. So we came up with ‘high demand’ pricing which helps keep our order volume at a manageable level during periods of high demand.

Introducing Discounted Site Cleanings

Now that our new pricing model has been live for a month, we have learned that we also have periods of low demand, like weekends. And we also have periods of very high productivity from our team, like Monday mornings. Yesterday morning, a Monday, we saw our team just charge through the site cleaning queue and almost empty it very quickly.

We think that demand driven pricing should work both ways and our customers should benefit during times of low demand. If we’re going to regulate demand in one direction, why not do it in the other? So starting last Friday, we introduced discounted pricing.

When our site cleaning queue falls below a certain threshold, discounted pricing kicks in and the multiplier drops. For example, yesterday morning we were selling site cleanings at roughly 0.7X their usual price because the team had emptied the queue. So instead of a site cleaning costing you $179 per site, it costs $125.70 if you order during a discount window. That is a huge discount and without doubt the best value for a hacked site cleaning in the business.

You’ll know that discounted pricing is in effect on our site cleaning page because you’ll see a notice like this:

Additional Sites Are Only $99 Each

Many people don’t realize that we only charge $99 for each additional site you want cleaned for a given order. If you are an agency or developer, this is an incredible deal if you are working to clean up several hacked sites. You can order up to 10 sites through our standard checkout with this pricing. If you have more, please contact us using the link on the checkout page.

Our work comes with a 90 day guarantee and we don’t lock you into an expensive recurring billing subscription. The members of our team are also some of the nicest people I’ve had the pleasure to work with, and they are mentored by Brad Haas (CISSP, GCIH and GCFA), one of our very talented senior analysts.

Integrating The Team

We recently made some additional changes to the Security Services Team (SST) by integrating it with our Customer Service team. Our SST and CS teams now work as a unit, working seamlessly with our site cleaning customers to securely obtain the required credentials, get the systems set up for the site cleaning, and get the job done as quickly, securely and effectively as possible.

We continue to measure, evaluate and improve our processes to ensure that our customers, their data and their customers stay secure and recover from a hack as quickly as possible.

As always, we value your feedback and would love to hear from you, so please go ahead and post in the comments below. I’ll be around to read and reply.

Regards,

Mark Maunder

Defiant Founder & CEO

The post Introducing Discounted Hacked Site Cleanings appeared first on Wordfence.

Read More

Wordfence and GDPR: How The Defiant Team Are Preparing For GDPR

We want to send out an update on the new data protection law, the General Data Protection Regulation (GDPR), going into effect soon and how Defiant is getting ready for it.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/05/wordfence-and-gdpr-how-the-defiant-team-are-preparing-for-gdpr/

This new European law goes into effect on May 25, 2018. It is a new set of rules designed to give European citizens more control over their personal data. Defiant is actively preparing with new website changes and updates to the Wordfence plugin.

Additional changes will include updated privacy policies and terms of use. We are applying for the Privacy Shield certification program for both EU-US and Swiss-US and will soon have available a Data Processing Agreement for our EU customers who need one.

These updates will be made before the deadline. We will send out another notification with a detailed blog post when we have completed preparing for the new privacy regulations. You will begin to see these changes and updates emerge starting next week.

The team at Defiant, makers of Wordfence, care deeply about our customer privacy and data protection. This extends to our European customers and the rest of the globe. To this end, we have been working diligently with our internal team and with outside experts to understand the implications of the GDPR, to perform a comprehensive internal audit and to get our software, systems and processes compliant with the GDPR.

As always I welcome your questions and comments below.

Regards,

Mark Maunder – Defiant Founder & CEO.

 

The post Wordfence and GDPR: How The Defiant Team Are Preparing For GDPR appeared first on Wordfence.

Read More

WordPress: Tracking Emerging Cryptomining Threats

This is a post written by James Yokobosky who works on the Defiant Threat Intelligence team. In his daily job he analyzes new WordPress threats as they emerge and adds detection capability to the Wordfence malware scanner. In addition to making sure we detect new malware, James also researches the pieces of malware we find to learn more about how they work, what they do and who is behind each campaign.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/05/wordpress-tracking-emerging-cryptomining-threats/

This post will give you an idea of what the workflow looks like for one of our Threat Analysts at Defiant, and will give you some insight into the emerging malware variants that we are seeing that target WordPress, how they work and what they do.

In this post, James describes his analysis of a Monero cryptocurrency miner that he recently examined, and explains how he tracked down and communicated with the command and control infrastructure for this malware variant. This post provides a clear illustration of how we rapidly add detection capability to the Wordfence malware scanner for emerging threats.

Fresh Malware Arrives for Analysis

One of our sources of threat data at Defiant is cleaning hacked websites. In this case, Ivan, a member of our SST team had cleaned a hacked site and handed me the forensic data for analysis. The site had been hacked for months before the owner discovered that it had been compromised.

My normal routine is to start by verifying the files we already detect to check if there is any new information inside any of them. Usually there is not, and this infection did not yield any surprises in the files that Wordfence already detected.

What did surprise me is that the server had a large number of malicious files we have not seen before. The server had been infected for a long time, which may have left the attacker feeling confident enough to upload more valuable code. For us, a server with code we have not seen before is a treasure trove, because it immediately allows us to add new detection capability to the Wordfence malware scanner. If an attacker is caught in this situation, they generally have a bad day, because many of their files that may have previously been undetected by malware scanners will now be detected by our scan.

The first thing that made this attacker different from others is that, instead of using a standard javascript code obfuscator that just scrambles the code, they were using a finite wordlist to replace variable and function names in the code. When you look at the code, the variable and function names just seem like gibberish:


function flu(sake,immobilitys)
{
    chains = neatly / seehis;
    plotted = airs / lucky;
    storm = immediately + lowly;
    guests = soothed - lucie;
}

I immediately searched for other similar files among the remaining samples and found several, then proceeded to write new signatures to detect those files. That accomplished, I moved on to the next file in the list. That was a basic PHP file that selectively redirects regular visitors, but not search engine crawlers, to a malicious website (hiding the redirect from crawlers keeps the site’s search ranking intact while its visitors are hijacked). This is a standard thing we see, so I wrote a signature to detect this updated malware variant and moved on.
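The finite wordlist is itself the weakness in this obfuscation: because the attacker draws every identifier from one fixed list, the same words recur across every file the tool produced, and a file whose identifiers are uniformly plain lowercase dictionary words looks nothing like hand-written JavaScript. The following Python is an added example, not Wordfence’s scanner code and not from the original post. It harvests identifiers from a known sample and scores unknown files by how many of their identifiers come from that list, with a second heuristic for the all-dictionary-word style on its own. The three samples are constructed stand-ins modelled on the snippet above, not the real malware.

```python
import re

# Constructed samples (not the real malware): the first two mimic the
# obfuscator described above, where every identifier is an ordinary English
# word drawn from one fixed wordlist; the third is ordinary hand-written code.
SAMPLE_A = """
function flu(sake,immobilitys)
{
    chains = neatly / seehis;
    plotted = airs / lucky;
    storm = immediately + lowly;
    guests = soothed - lucie;
}
"""

SAMPLE_B = """
function storm(lucky,guests)
{
    var soothed = airs * chains;
    return neatly(plotted, lowly);
}
"""

SAMPLE_BENIGN = """
function formatPrice(amount, currency)
{
    var total = amount * TAX_RATE;
    return currency + total.toFixed(2);
}
"""

JS_KEYWORDS = {
    "break", "case", "catch", "const", "continue", "default", "delete", "do",
    "else", "false", "finally", "for", "function", "if", "in", "instanceof",
    "let", "new", "null", "return", "switch", "this", "throw", "true", "try",
    "typeof", "undefined", "var", "void", "while", "with",
}
# String literals and comments are blanked out before tokenising so that
# words inside them do not count as identifiers.
_STRIP_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|//[^\n]*|/\*.*?\*/', re.S)
_IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")


def identifiers(src):
    """Set of identifiers in a JS source, ignoring strings, comments and keywords."""
    code = _STRIP_RE.sub(" ", src)
    return {tok for tok in _IDENT_RE.findall(code) if tok not in JS_KEYWORDS}


def harvest_wordlist(samples):
    """Union of identifiers across known-bad samples: the attacker's wordlist
    is finite, so the same words recur in every file it produced."""
    words = set()
    for src in samples:
        words |= identifiers(src)
    return words


def wordlist_score(src, wordlist):
    """Fraction of a file's identifiers that come from the harvested wordlist."""
    ids = identifiers(src)
    return len(ids & wordlist) / len(ids) if ids else 0.0


def lowercase_word_ratio(src):
    """Fraction of identifiers that are plain lowercase words of 3+ letters.
    Hand-written code mixes in camelCase, CONSTANTS and underscores."""
    ids = identifiers(src)
    plain = [i for i in ids if len(i) >= 3 and i.isalpha() and i.islower()]
    return len(plain) / len(ids) if ids else 0.0


WORDLIST = harvest_wordlist([SAMPLE_A])


def looks_wordlist_obfuscated(src, wordlist=WORDLIST, min_identifiers=6):
    """Flag a file when half its identifiers are already-seen wordlist entries,
    or when nearly all of them are plain dictionary words. Very small files
    are skipped because a handful of lowercase names proves nothing."""
    ids = identifiers(src)
    if len(ids) < min_identifiers:
        return False
    return wordlist_score(src, wordlist) >= 0.5 or lowercase_word_ratio(src) >= 0.9
```

Treat this as triage that decides which files to read, not as the final signature: a 50% overlap with the harvested list, or a file where nine identifiers in ten are dictionary words, is a strong hint, but the signature that ships should pin down the structure of the dropper as well.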

A Cryptomining Binary is Found

The third file was a bit more interesting. It is described by file(1) as an ELF 64-bit LSB shared object, x86-64, dynamically linked and stripped. In other words, it is a compiled, position-independent Linux executable for a specific architecture (file(1) reports position-independent executables as “shared object” because their ELF type is ET_DYN), with the symbol and debugging information removed. It is the Linux counterpart of a Windows .exe file. Native binaries are relatively rare in WordPress infections: a PHP backdoor is enough for most attackers, while running a binary requires a location the web server user can both write to and execute from, plus a way to launch and keep the process alive, so the attacker has to do more work on their end.

Because we already know this mystery file is doing something malicious, a good first step is to see if other antivirus software has already identified it. VirusTotal is the industry-standard way to do this, and sure enough a handful of the supported vendors do detect and identify the file. (Searching VirusTotal by the file’s hash first is the conservative approach: uploading the sample itself makes it visible to anyone watching for it, including the attacker.)

The names VirusTotal returned provide a hint of what the file is:

  • Misc.Riskware.BitCoinMiner.Linux,
  • LINUX/BitCoinMiner.dbwhf,
  • not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b,

and similar names suggest this is a cryptocurrency miner. At this point I performed a cursory inspection of the binary to search for plaintext strings or recognizable disassembly and quickly identified the specific build: this is a mostly-stock xmrig ( https://github.com/xmrig/xmrig ) Monero-focused miner, well known in that community. Other artifacts inside the file (a compiler’s version string usually survives stripping, because it lives in the .comment section rather than the symbol table) allowed me to confirm that it was compiled on 2018-01-16 with a modern version of GCC.

I could tell there had been some modifications from the original source code. A quick look revealed that the change was hardcoding the addresses to send results – the pool addresses – so anyone running this specific file will be sending money to the attacker. At this point I had more than enough information to write a reliable signature to detect this malware, and I quickly did. We have more samples and I had yet to discover how the attacker runs and manages this hacked, zombie miner.
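The triage steps above (read the ELF header, hash the file for a VirusTotal lookup, and pull out the strings that give away the miner build and its hardcoded pool) can be scripted. The following Python is an added example, not Wordfence’s tooling and not the original sample: it decodes the ELF identification fields that file(1) summarises, extracts printable strings the way strings -n 8 does, and matches them against miner indicators. The binary it runs on is a constructed 64-byte PIE header followed by illustrative strings; the pool host, wallet and version string are dummies, not the attacker’s values.

```python
import hashlib
import re
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
E_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def elf_header(data):
    """Decode the fields file(1) uses for its one-line summary. e_type 3
    (ET_DYN) covers both shared libraries and position-independent
    executables, which is why a PIE miner is reported as a 'shared object'."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed ELF identification bytes")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "LSB" if ei_data == 1 else "MSB",
        "type": E_TYPE.get(e_type, hex(e_type)),
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
    }


def printable_strings(data, min_len=8):
    """Equivalent of `strings -n 8`: runs of printable ASCII."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Indicators worth pulling out of a suspected miner. The wallet pattern is a
# standard Monero address: 95 base58 characters starting with '4'.
INDICATORS = [
    ("pool", re.compile(r"stratum\+(?:tcp|ssl)://[^\s'\"]+")),
    ("wallet", re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")),
    ("miner", re.compile(r"xmrig|cryptonight|monero", re.I)),
    # GCC records its version in the .comment section, which strip(1) keeps.
    ("compiler", re.compile(r"GCC: \([^)]*\) [0-9.]+")),
]


def triage(data):
    """Header summary, SHA-256 for a VirusTotal hash search, and indicator hits."""
    hits = []
    for s in printable_strings(data):
        for label, pat in INDICATORS:
            m = pat.search(s)
            if m:
                hits.append((label, m.group()))
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "header": elf_header(data),
        "indicators": hits,
    }


def _fake_pie_header():
    """Constructed 64-byte ELF64 header: little-endian, ET_DYN, x86-64."""
    return struct.pack(
        "<4sBBBBB7sHHIQQQIHHHHHH",
        ELF_MAGIC, 2, 1, 1, 0, 0, b"\0" * 7,  # 64-bit, LSB, version 1, SYSV ABI
        3, 0x3E, 1,                          # e_type=ET_DYN, e_machine=x86-64, e_version
        0x1040, 64, 0,                       # e_entry, e_phoff, e_shoff
        0, 64, 56, 1, 64, 0, 0,              # flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    )


# Constructed stand-in for the sample: a PIE header followed by the kind of
# strings a stock xmrig build with hardcoded pool settings contains. The pool
# host and wallet are dummies, not the attacker's real values.
DUMMY_WALLET = "4" + "A1b2" * 23 + "Z9"
SAMPLE_ELF = (
    _fake_pie_header()
    + b"\0" * 32
    + b"GCC: (GNU) 7.3.0\0"
    + b"stratum+tcp://pool.example.invalid:3333\0"
    + DUMMY_WALLET.encode() + b"\0"
    + b"xmrig/2.4.3\0"
)
```

The sha256 value is what you paste into VirusTotal’s search box; only if nobody has seen the hash before is it worth deciding whether to upload. A real xmrig binary carries far more strings than this stand-in, so in practice you grep the output of printable_strings for the pool and wallet and then confirm the build by disassembly.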

Analyzing the Configuration File

The next unique file shows another unusual level of technical sophistication from the “average” WordPress attacker: A separate configuration! Having just seen xmrig, it is easy to tell this JSON file contains instructions for how to run the mining executable.

It includes instructions to run in the background (hidden), use only 40% of the maximum available CPU, to slow down if the machine is otherwise busy, and other specific technical details related to the mining process. Luckily for us it is normally a terrible idea to run cryptominers on your WordPress web server if you are the person paying for it, so I can safely add a signature to identify this otherwise-benign configuration code without creating false positives.
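An added Python example (not from the post and not Wordfence’s signature) of a detector for a miner configuration of this kind. It keys on xmrig 2.x’s config.json field names as I understand them (an assumption; compare against the release you are looking at) and extracts the indicators an analyst wants from it: pool hosts, wallet, CPU cap and the background flag. The author’s point that such a file has no legitimate business on a web server keeps the false-positive risk low, but a detector still has to avoid tripping on unrelated JSON that happens to share a few generic key names, so the example requires a mining-pool entry before it flags anything. Both JSON inputs are constructed; the pool host and wallet are dummies.

```python
import json
import re
from urllib.parse import urlsplit

# Field names from xmrig 2.x's config.json (assumed set; verify against the
# version of the miner you are analysing).
XMRIG_KEYS = {
    "algo", "av", "background", "cpu-affinity", "cpu-priority", "donate-level",
    "max-cpu-usage", "pools", "retries", "retry-pause", "safe", "threads",
}
MINER_ALGOS = ("cryptonight", "cn/", "cn-", "randomx", "rx/")
_HOST_PORT_RE = re.compile(r"^[\w.-]+:\d{1,5}$")


def _pool_entries(cfg):
    pools = cfg.get("pools")
    if not isinstance(pools, list):
        return []
    return [p for p in pools if isinstance(p, dict) and isinstance(p.get("url"), str)]


def _is_pool_url(url):
    """stratum:// schemes or a bare host:port, as xmrig accepts. An https API
    endpoint in some unrelated JSON must not count as a pool."""
    return url.startswith(("stratum+tcp://", "stratum+ssl://")) or bool(_HOST_PORT_RE.match(url))


def _host_port(url):
    if "://" not in url:
        return url
    parts = urlsplit(url)
    return f"{parts.hostname}:{parts.port}" if parts.port else parts.hostname or url


def classify_miner_config(text):
    """Decide whether a JSON blob is a miner configuration and pull IOCs from it.
    A pool entry is required; the other keys alone are too generic to act on."""
    try:
        cfg = json.loads(text)
    except ValueError:
        return {"verdict": "not-json", "iocs": {}}
    if not isinstance(cfg, dict):
        return {"verdict": "benign", "iocs": {}}

    key_hits = sorted(XMRIG_KEYS & set(cfg))
    pools = [p for p in _pool_entries(cfg) if _is_pool_url(p["url"])]
    algo = str(cfg.get("algo", "")).lower()
    algo_hit = any(a in algo for a in MINER_ALGOS)
    is_miner = bool(pools) and (algo_hit or len(key_hits) >= 3)
    if not is_miner:
        return {"verdict": "benign", "iocs": {}, "matched_keys": key_hits}
    return {
        "verdict": "xmrig-config",
        "matched_keys": key_hits,
        "iocs": {
            "pool_hosts": [_host_port(p["url"]) for p in pools],
            "wallets": sorted({p["user"] for p in pools if isinstance(p.get("user"), str)}),
            "cpu_cap": cfg.get("max-cpu-usage"),
            "background": cfg.get("background"),
        },
    }


# Constructed config matching the description above: hidden, 40% CPU cap,
# lowest priority. Pool host and wallet are dummies.
SAMPLE_XMRIG_CONFIG = json.dumps({
    "algo": "cryptonight",
    "background": True,
    "max-cpu-usage": 40,
    "cpu-priority": 0,
    "donate-level": 1,
    "retries": 5,
    "retry-pause": 5,
    "threads": None,
    "pools": [{"url": "stratum+tcp://pool.example.invalid:3333",
               "user": "4" + "A1b2" * 23 + "Z9", "pass": "x",
               "keepalive": True, "nicehash": False}],
})

# Constructed benign JSON (a theme settings file) that shares a few key names
# and must not be flagged.
SAMPLE_THEME_JSON = json.dumps({
    "name": "my-theme", "background": "#ffffff", "threads": 4,
    "pools": [{"url": "https://api.example.invalid/pools"}],
})
```

The pool host and wallet are the indicators to record: the wallet ties every sample from this campaign to the same operator, and the pool host is what you can block at the egress firewall while cleaning.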

Discovering the Command and Control Servers

With our next sample we hit the jackpot. It is a Python backdoor script that, while running, will check for new instructions against a centralized command and control server every 5 minutes. The backdoor itself is written to hide from system administrators. It masquerades as php-fpm ( https://php-fpm.org ) which is a normal process to be running on that server, and it is “well-behaved.” That is to say, it sits quietly and most of the time is not doing anything unusual or malicious.

Built into the backdoor is a report function, used to give the attacker data about the hacked machine and status updates on any activity, and a variety of normal system administration tasks related to downloading files, controlling processes, and executing commands. The code is well-formed and has obvious updates and adjustments made, implying the attacker has been developing and using this backdoor for some time. The method of hiding and the interval to check for new commands are easily configurable to evade intrusion detection systems and firewalls.

Most importantly, the command and control server’s IP address and method of communication were now available to us. I checked that it was still “up” – online and responding to requests – and put a pin in it. First I needed to develop a signature so that Wordfence detects this backdoor; then I inspected the remaining samples for more hints about the attacker before risking exposing myself by infiltrating their botnet.

Only one of the remaining samples is noteworthy and related to the backdoor. It is a short Bash script used to start the backdoor running. Two things here again indicate a relatively sophisticated attacker: The backdoor is installed to look like a common part of a Linux shell and is executed in such a way that it looks like the legitimate owner of the server ran an innocuous command. This is easy to write a signature to detect, now that we have seen it. But this technique is an effective misdirect for a sysop trying to identify where the malicious activity is coming from. Had the attacker deleted this remnant file it would probably have been impossible to identify how the backdoor started, given the lack of forensic logging on the server.
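The backdoor hides by impersonating php-fpm. Exactly how it does that on this host is not described above; the usual tricks are rewriting the process title (what ps and /proc/<pid>/cmdline show) or running a copy of the interpreter under a borrowed name, and both leave /proc/<pid>/exe pointing at the real binary. The following Python is an added example, not Wordfence’s code and not from the post, of a hunt that compares what a process claims to be with where its executable actually lives and runs from. It runs here on a constructed process table; collect_from_proc() gathers the same fields from a live Linux host.

```python
import os
import re

INTERPRETER_RE = re.compile(r"^(python|perl|ruby|node|bash|dash|sh)[0-9.]*$")
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/usr/local/sbin/", "/usr/local/bin/", "/opt/")
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/www/", "/home/")
DELETED_SUFFIX = " (deleted)"


def claimed_names(rec):
    """Names a process advertises: its comm and argv[0]. A process title the
    program sets for itself (e.g. 'php-fpm: pool www') shows up here too."""
    names = {rec.get("comm", "")}
    argv = rec.get("cmdline", "").split()
    if argv:
        names.add(os.path.basename(argv[0].rstrip(":")))
    return names


def check_process(rec, claimed_prefix="php-fpm"):
    """Reasons a process claiming to be php-fpm does not look like the real one.
    An empty list means it either is not claiming php-fpm or nothing is off."""
    if not any(n.startswith(claimed_prefix) for n in claimed_names(rec)):
        return []
    reasons = []
    exe = rec.get("exe", "")
    if exe.endswith(DELETED_SUFFIX):           # binary unlinked after launch
        exe = exe[: -len(DELETED_SUFFIX)]
        reasons.append("executable has been deleted from disk")
    base = os.path.basename(exe)
    if not base.startswith(claimed_prefix):
        reasons.append(f"claims {claimed_prefix} but the executable is {base or '?'}")
    if INTERPRETER_RE.match(base):
        reasons.append("runs under a script interpreter")
    if not exe.startswith(TRUSTED_DIRS):
        reasons.append(f"executable outside trusted directories: {exe or '?'}")
    cwd = rec.get("cwd", "")
    if cwd.startswith(SUSPECT_DIRS):
        reasons.append(f"working directory in a writable or web-served path: {cwd}")
    return reasons


def hunt(records):
    """Map pid -> reasons for every flagged process."""
    findings = {}
    for rec in records:
        reasons = check_process(rec)
        if reasons:
            findings[rec["pid"]] = reasons
    return findings


def collect_from_proc():
    """Gather the same fields from a live Linux host. Reading another user's
    /proc/<pid>/exe needs root; unreadable or vanished entries are skipped."""
    records = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            cwd = os.readlink(f"/proc/{pid}/cwd")
        except OSError:
            continue
        records.append({"pid": int(pid), "comm": comm, "cmdline": cmdline, "exe": exe, "cwd": cwd})
    return records


# Constructed process table (not taken from the compromised host).
SAMPLE_PROCESSES = [
    {"pid": 1201, "comm": "php-fpm7.2", "exe": "/usr/sbin/php-fpm7.2", "cwd": "/",
     "cmdline": "php-fpm: master process (/etc/php/7.2/fpm/php-fpm.conf)"},
    {"pid": 1210, "comm": "nginx", "exe": "/usr/sbin/nginx", "cwd": "/",
     "cmdline": "nginx: worker process"},
    # backdoor: a Python interpreter wearing a php-fpm process title
    {"pid": 4242, "comm": "php-fpm", "exe": "/usr/bin/python3.6",
     "cwd": "/var/www/html/wp-content/uploads", "cmdline": "php-fpm: pool www"},
    # renamed binary launched from /tmp and unlinked afterwards
    {"pid": 4343, "comm": "php-fpm", "exe": "/tmp/.cache/php-fpm (deleted)",
     "cwd": "/tmp/.cache", "cmdline": "php-fpm"},
]
```

On a live host, run hunt(collect_from_proc()) as root. The check is deliberately tied to the program the backdoor imitates; a second call with claimed_prefix set to another daemon name extends the same hunt to whatever the next variant chooses to masquerade as.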

Deploying Signatures to our Premium Customers

I confirmed that all of the previously undetected samples are detected by Wordfence with our new signatures and I immediately entered them into our Premium BETA feed. This allows us to receive instant feedback about possible bugs or false positives from our users who are aware of the Wordfence beta feed for scan signatures.

We do a more rigorous QA over the following hours and, once completed, the signatures proceed out into our production Premium feed so that our Premium customers receive this new detection capability in real-time. The important part is getting that protection to our users as quickly as possible before engaging in other research.

Going Deeper Down the Rabbit Hole

But now, of course, I was free to spend some time doing that research! As mentioned earlier, I had all of the information I needed to communicate with the attacker’s command and control server (C&C server). Rather than setting up a controlled infection and monitoring how the script runs, I can manually act as the “infected server” and see what other data I can gather by sending my own status updates.

The C&C server works via HTTP and includes several different endpoints. For the developers in the audience, it’s a REST-like API. When an infected server first executes, it encodes a set of values that give the attacker information about the operating system, hardware, and active processes and requests a configuration file.

I started by sending a false report for a non-existent server and received a customized configuration. It was very similar to the JSON configuration file I examined earlier, with lower settings to match the lower-quality machine I was pretending to be, along with some other settings tailored to improve that machine’s specific performance during cryptomining. At this point the backdoor would wait quietly for several minutes, so I did the same.

On the next report I sent the same machine information and a plausible change in the active processes, and this time received a set of commands. The C&C server instructed the backdoor to download a file, apply basic cloaking techniques, execute the file, and report the output of that file with the next check-in. I downloaded the file: it is another, more recently compiled xmrig build, and it matches the different architecture I was claiming to have. The initial command is a test to confirm the program works correctly, so I simulated this and at the next report interval sent the expected data.

Finally the C&C server sent back an instruction set to run the miner, reconfigure the interval to send status reports, and to continue checking for a change of commands every 5 minutes. The goal of the attacker is to make money and this miner will use the server resources to mine Monero, a cryptocurrency which we have written about extensively in the past.
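A backdoor that checks in on a fixed interval is also visible from the network side, even when the process itself is disguised. As an added example (not from the post and not Wordfence’s code), the Python below scans outbound connection records for destinations contacted at a near-constant period. The log format is an assumption constructed for the example, and the traffic is synthetic: a 300-second beacon to a TEST-NET address with a little jitter and one missed check-in, mixed with irregular API traffic and a rarely used mail relay that should not be flagged.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): one outbound connection
# per line, as an egress firewall or conntrack export might produce it.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (timestamp, (src, dst, dport)) or None for lines that don't parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, (m["src"], m["dst"], int(m["dport"]))


def find_beacons(lines, min_events=6, max_mad_ratio=0.1):
    """Flag flows whose connections arrive at a near-constant interval.

    Regularity is the median absolute deviation of the gaps divided by the
    median gap, which tolerates a little jitter and a missed check-in (one
    gap of twice the period) without losing the signal."""
    by_flow = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            by_flow[parsed[1]].append(parsed[0])
    beacons = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        mad = statistics.median([abs(g - period) for g in gaps])
        if mad / period <= max_mad_ratio:
            beacons[flow] = {"events": len(stamps), "period_s": period, "mad_s": mad}
    return beacons


# Constructed log: a 5-minute beacon to a dummy C&C (TEST-NET address) with a
# second or two of jitter and one missed check-in, plus irregular API calls
# and two connections to a mail relay.
_T0 = datetime(2018, 5, 14, 9, 0, 0)


def _line(offset_s, dst, dport):
    ts = _T0 + timedelta(seconds=offset_s)
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} src=10.0.0.5 dst={dst} dport={dport} proto=tcp"


_JITTER = [0, 1, -1, 2, 0, 1, None, -2, 0, 1, 0, -1]   # None = missed beacon
SAMPLE_LOG = (
    [_line(i * 300 + j, "203.0.113.10", 80) for i, j in enumerate(_JITTER) if j is not None]
    + [_line(t, "198.51.100.7", 443) for t in (5, 42, 905, 1305, 1315, 2805, 5005)]
    + [_line(t, "192.0.2.9", 25) for t in (600, 2400)]
    + ["malformed line that should be ignored"]
)
```

The median-based measure survives the missed check-in but not a mid-stream change of interval like the one the C&C issued above; run it over sliding windows (an hour at a time, say) if you expect the period to be reconfigured. An attacker who adds random jitter pushes the ratio up, so the threshold trades sensitivity against false alarms, and a web server that legitimately polls an API every few minutes will show up too: the finding is a lead to pair with the process hunt, not a verdict on its own.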

Monero is uniquely suited to this sort of hack for two reasons. Firstly, it is designed for individual anonymity, so identifying the person who receives the mined coins is extremely difficult. Secondly, its mining algorithm is designed to run efficiently on a general-purpose CPU rather than requiring a GPU or dedicated mining hardware. Most web servers don’t have GPUs, so mining a currency that can be mined effectively on a CPU is an ideal way to turn stolen web server processing power into hard cryptocurrency. When you aggregate a thousand or tens of thousands of hacked web servers, that can add up to a significant profit for an attacker.

Wrapping Up

Once I completed my analysis and ensured that Wordfence detects all variants of this new malware, I documented the tactics, techniques and procedures (TTPs) of this new attacker along with logging the malware and other indicators of compromise (IOCs) into our internal threat intelligence platform.

It’s worth noting that the attacker who controls machines compromised by this infection is controlling a large cluster of stolen compute power. You can think of this as a private AWS cloud that the attacker can use for anything that needs computing resources. They are currently using their stolen cluster for cryptocurrency mining, but there is nothing preventing them from using these resources to conduct DDoS attacks, email spam campaigns, to brute force crack stolen password hashes or use the machines as proxies for misdirection while attacking other sites. They could even lease the compute resources to other attackers.

That is why I am excited whenever we have an opportunity to add detection for these kinds of new infections to the Wordfence malware scan. By analyzing a single compromised website and deploying detection to Wordfence, we have a good chance of shutting down this attacker once all sites running Wordfence detect this infection.

Closing Notes

I’d like to thank James for taking the time out of his busy schedule chasing malware to write this comprehensive post. If you have any questions, please don’t hesitate to post them in the comments below. Both James and I will be around to answer any questions. ~Mark Maunder

This post was written by James Yokobosky and edited by Mark Maunder with assistance from Dan Moen.

The post WordPress: Tracking Emerging Cryptomining Threats appeared first on Wordfence.

Read More
