From the author
January 22, 2014
Version 4.0.1 Updates:
- Real-time WordPress Security Network Launched.
- If another site is attacked and blocks the attacker, your site also blocks the attacker. Shared data among Wordfence sites.
- See our home page on http://www.wordfence.com for a live map of attacks being blocked. Then blog about us!!
- Fixed bug where wfBrowscapCache.php is reported as malicious.
- Big improvement in scanning speed and efficiency of URLs and IP addresses.
- Fixed preg_replace() warning by using newer preg_replace_callback() func.
December 12, 2013
The newest version of WordPress, version 3.8, also known as "Parker" was released a few minutes ago. We've released an updated version of Wordfence which is fully compatible and includes several fixes and improvements, so upgrade your WordPress and Wordfence now.
Wordfence also now includes the ability to verify the core files of WordPress 3.8 and as always will verify the integrity of your core files for all previous versions of WordPress too.
We've seen new exploits in the wild for the following themes and plugins. If any are listed, make sure you've upgraded to the newest version and that the theme or plugin is being maintained by its author:
- WordPress Download Manager. The current version is 2.5.8, and it contains a cross site scripting vulnerability which does not appear to have been fixed yet. The XSS security hole exists in the form used to create a new download package, where the title input field is not sanitized.
- The Page Flip Image Gallery plugin contains a remote file upload vulnerability which was published on the 7th of December and appears to exist in the current version of this popular plugin. Please contact the author for further information.
March 20, 2013 by Ron Dorsey
Update: Wordfence version 3.6.1. Still one of our favorite security plugins.
Firewall Lock Down Issues
The fake Google crawler firewall routine is unforgiving in that it locks the site and leaves a nasty screen. I do not know how much this method helps the client's safety while it leaves the site inaccessible to the public, the client and the admin. Ultimately the outcome makes the admin or site developer look bad.
Our staff handling WordPress matters at Talking Manuals is observing complaints that the fake Google crawler firewall routine within Wordfence does more harm than good, in that it locks the entire site down and bars access to all for no apparent security reason. To unlock the site, you must strong-arm it: FTP in and rename the Wordfence plugin folder. What is theoretically a good thing backfires.
Seen through the eyes of the client and the viewing public, this kind of security measure is usually too harsh, unacceptable and embarrassing.
Possibly a better way is to block site access for a set time upon detection of a fake Google crawler (and flag a report to the admin), then unblock and allow access again. In its present state, I would suggest Wordfence users not set this routine as active.
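The following is an added example, not Wordfence's own code, showing the two ideas in this section: how a request that merely sends a Googlebot User-Agent can be told apart from a real Google crawler, and how a block can be limited in time (and logged for the admin) rather than locking the whole site. The verification is the forward-confirmed reverse DNS check Google documents for its crawler: reverse-resolve the client IP, require the hostname to end in googlebot.com or google.com, then forward-resolve that hostname and require it to map back to the same IP. Whether Wordfence's routine does exactly this is not stated on this page. The DNS tables, IPs, hostnames and class names below are all constructed for the example so it runs offline.

```python
"""Added example (not Wordfence code): forward-confirmed reverse DNS check
for requests claiming to be Googlebot, plus a self-expiring per-IP block.

Replace the dictionary lookups with socket.gethostbyaddr / socket.gethostbyname
for real resolution; everything here is constructed, offline data.
"""
import re
import time

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")
CLAIMS_GOOGLEBOT = re.compile(r"googlebot", re.IGNORECASE)

# Constructed reverse (PTR) and forward (A) records using documentation
# address ranges; none of these are real Google hosts.
PTR_RECORDS = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # genuine: PTR and A agree
    "198.51.100.7": "attacker.example.net",            # fake UA, honest PTR
    "203.0.113.9": "crawl-192-0-2-10.googlebot.com",   # spoofed PTR, A disagrees
}
A_RECORDS = {
    "crawl-192-0-2-10.googlebot.com": "192.0.2.10",
    "attacker.example.net": "198.51.100.7",
}


def is_verified_googlebot(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """True only if PTR(ip) is a Google hostname and A(PTR(ip)) == ip."""
    host = ptr.get(ip)
    if host is None or not host.endswith(GOOGLE_SUFFIXES):
        return False
    return a.get(host) == ip


class TempBlocklist:
    """Per-IP block that expires after `ttl` seconds instead of a permanent
    site lockout; `events` is what would go into the admin report."""

    def __init__(self, ttl=3600):
        self.ttl = ttl
        self._until = {}   # ip -> time the block expires
        self.events = []   # (time, ip) pairs for the admin report

    def block(self, ip, now):
        self._until[ip] = now + self.ttl
        self.events.append((now, ip))

    def is_blocked(self, ip, now):
        expires = self._until.get(ip)
        if expires is None:
            return False
        if now >= expires:
            del self._until[ip]   # block has run out: let the IP back in
            return False
        return True


def handle_request(ip, user_agent, blocklist, now=None):
    """Return 'blocked', 'verified-googlebot' or 'allowed' for one request."""
    now = time.time() if now is None else now
    if blocklist.is_blocked(ip, now):
        return "blocked"
    if CLAIMS_GOOGLEBOT.search(user_agent):
        if is_verified_googlebot(ip):
            return "verified-googlebot"
        blocklist.block(ip, now)   # only the offending IP, only for `ttl`
        return "blocked"
    return "allowed"


if __name__ == "__main__":
    bl = TempBlocklist(ttl=600)
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for ip in PTR_RECORDS:
        print(ip, handle_request(ip, ua, bl, now=0))
    print("report:", bl.events)
```

The spoofed-PTR case is why the forward lookup matters: anyone controlling reverse DNS for their own address space can make a PTR record say "googlebot.com", but they cannot make Google's forward zone answer with their IP.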
Setup Suggestion for Option Settings:
- Do not set firewall options
- Do not set critical alerts - usually more of a nag than critical
- Set auto scanning to: off
- If you are in the States, IP blocking is not a good idea as a long-term method of blocking
- Major new release that includes the much asked for IP Range blocking with ISP blocking ability and browser blocking.
- Added feature: WHOIS for IPs and Domains. Supports all registries and local rWhois
- Added feature: Advanced Blocking to block IP ranges and browser patterns.
- Added feature: WHOIS on live traffic pages.
- Added feature: network blocking links on live traffic pages.
- Fixed bug where W3 Total Cache and WP Super Cache cache blocked pages.
- Added explanation of how caching affects live traffic logging if we detect a caching plugin.
- Fixed AJAX loading to deal with multiple parallel ajax requests.
- Updated tour to include info on new WHOIS and Advanced Blocking features.
- Changed manual IP blocks to be permanent by default.
- Fixed issue that caused live traffic page not to reload when IP is unblocked.
- Modified "How does your site get IP's" config to avoid confusing new users.
- Changed 503 block message to be more helpful with link to FAQ on how to unblock.
- Removed redundant code in wfAPI.php
- Optimized code by moving firewall specific code to execute only if firewall is enabled.
- Fixed issue that caused "last attempted access" to show over 500 months ago.
- Fixed issue that was causing warning in getIP() code.
- Upgraded to Wordfence API version 2.6.
February 08, 2013 by: Ron Dorsey
Update: Wordfence 3.5.2 has really made the grade of a top-notch, five-star rated security product. The recent advances sport 4 preset security level settings provided in a dropdown selection bar; however, the descriptions of these security levels are vague, as there is no published policy for each of the levels. In our test model I have the ThemeMyLogin plugin installed, with most of the security tasks that are duplicated assigned to Wordfence. The lockout function in Wordfence is overall more reliable in our test than the lockout function provided in ThemeMyLogin. ThemeMyLogin would inadvertently lock out the admin. The lockout function of the most recent version of ThemeMyLogin, 6.2.3, has not been tested.
IP Blocking: Ninety-nine percent of IP addresses can change at any time, as the term "dynamic IP" implies. Therefore IP blocking is useless. The danger is that if an IP is blocked and then gets assigned to another party, that party is now blocked. IP blocking is only good as a short-term solution. Our security policy here at Talking Manuals is not to block based upon IP.
Critical Alerts: An outdated plugin should generate more of a heads-up alert rather than a critical alert response. Generally plugin updates are not critical. I think the notification wording should be softer.
August 13, 2012
Cons: Database tables are not deleted when you delete the plugin.
Wordfence version 3.1.4 - pending review
A major update, 3.0.2, for Wordfence is available. These changes have added greater performance while scanning: to database queries, debugging logs, logs, reduced status messages, and a reduced max size of the wfStatus table from 100,000 rows to 1,000 rows. See the changelog list.
June 20, 2012
Wordfence provides another layer of security by scanning your host and reporting back issues that need to be fixed or corrected. Alerts include:
- Alert on critical problems
- Alert on warnings
- Alert when an IP address is blocked
- Alert when someone is locked out from login
- Alert when the "lost password" form is used for a valid user
- Alert me when someone with administrator access signs in
- Alert me when a non-admin user signs in
Scans include:
- Scan for signatures of known malicious files
- Scan file contents for backdoors, trojans and suspicious code
- Scan posts for known dangerous URLs and suspicious content
- Scan comments for known dangerous URLs and suspicious content
- Scan for out-of-date plugins, themes and WordPress versions
- Check the strength of passwords
- Monitor disk space
- Scan for unauthorized DNS changes
- Scan files outside your WordPress installation
Login Security Options:
- Enable login security
- Lock out after how many login failures
- Lock out after how many forgot password attempts
- Count failures over what time period
- Amount of time a user is locked out
- Immediately lock out invalid usernames
- Don't let WordPress reveal valid users in login errors
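The option list above maps onto a small login lockout policy. The code below is an added example written for this page, not Wordfence's own implementation: every knob in the list becomes a constructor parameter, failures are counted over a sliding time window, a lock releases itself after the configured time, an invalid username can trigger an immediate lock, and both bad-username and bad-password attempts return the same message so the form does not reveal which usernames exist. A successful login deliberately clears the failure counter rather than adding to it, which is the behaviour the Better WP Security notes further down this page complain about. The user table, class and method names are assumed for the example.

```python
"""Added example (not Wordfence's own code): a login lockout policy built
from the option list above. All names and thresholds are assumed."""
from collections import deque

# Constructed user table for the example.
VALID_USERS = {"editor", "siteowner"}

# One message for bad username and bad password: the login form must not
# reveal which usernames exist.
GENERIC_ERROR = "Invalid username or password."


class LoginPolicy:
    def __init__(self, max_failures=5, max_forgot=3, window=300,
                 lockout=1800, lockout_invalid_usernames=True):
        self.max_failures = max_failures    # "Lock out after how many login failures"
        self.max_forgot = max_forgot        # "... how many forgot password attempts"
        self.window = window                # "Count failures over what time period" (s)
        self.lockout = lockout              # "Amount of time a user is locked out" (s)
        self.lockout_invalid_usernames = lockout_invalid_usernames
        self._failures = {}   # ip -> deque of failure timestamps
        self._forgot = {}     # ip -> deque of forgot-password timestamps
        self._locked = {}     # ip -> time the lock expires

    def is_locked(self, ip, now):
        until = self._locked.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked[ip]   # lock expired: release it automatically
            return False
        return True

    def _lock(self, ip, now):
        self._locked[ip] = now + self.lockout
        self._failures.pop(ip, None)
        self._forgot.pop(ip, None)

    def _count(self, table, ip, now):
        """Record one event and return how many fall inside the window."""
        events = table.setdefault(ip, deque())
        events.append(now)
        while events and events[0] < now - self.window:
            events.popleft()   # drop events older than the window
        return len(events)

    def attempt(self, ip, username, password_ok, now):
        """Return (status, message); status is 'ok', 'failed' or 'locked'."""
        if self.is_locked(ip, now):
            return "locked", GENERIC_ERROR
        if username not in VALID_USERS and self.lockout_invalid_usernames:
            self._lock(ip, now)   # "Immediately lock out invalid usernames"
            return "locked", GENERIC_ERROR
        if username in VALID_USERS and password_ok:
            # A successful login is not a failure and must not feed the counter.
            self._failures.pop(ip, None)
            return "ok", ""
        # Bad username (when not immediately locked) or bad password:
        # same counter, same message.
        if self._count(self._failures, ip, now) >= self.max_failures:
            self._lock(ip, now)
            return "locked", GENERIC_ERROR
        return "failed", GENERIC_ERROR

    def forgot_password(self, ip, now):
        """Rate-limit the lost-password form with its own threshold."""
        if self.is_locked(ip, now):
            return "locked"
        if self._count(self._forgot, ip, now) >= self.max_forgot:
            self._lock(ip, now)
            return "locked"
        return "sent"


if __name__ == "__main__":
    policy = LoginPolicy(max_failures=3, window=60, lockout=600,
                         lockout_invalid_usernames=False)
    for t in (0, 10, 20, 30):
        print(t, policy.attempt("198.51.100.7", "editor", False, now=t))
    print(630, policy.attempt("198.51.100.7", "editor", True, now=630))
```

Keying the counters on the client IP is what the option list implies, and it is also why the IP blocking caveats elsewhere on this page apply here: a lock that outlives the lockout period, or one keyed on a shared or dynamic address, will catch the wrong person.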
Comments: Wordfence is a non-intrusive, easy-to-use firewall and system file scanner that a non-tech can handle. While it scans for changed files, identifies viruses or agents from a database, and acts as a firewall, it does not harden the WordPress install against hackers. For all-around protection, I suggest using Wordfence together with a plugin like Better WP Security. There are no known conflicts between the two.
Better WP Security
August 07, 2012
- Activate this plugin using the minimum security.
- Do not check 404 Detection - there is a good chance you will get locked out
- Do not check lockout option
June 15, 2012
This WordPress plugin steps up the security level toward a more hack-resistant environment, for starters by securing the back end and locking down files so they cannot be modified. For non-techs, just click one button to protect. This is the minimum security level and will be helpful even if nothing else is added or configured. Better WP Security also has automatic database backup and an "Away Mode" which shuts down access to the admin area at custom times. This is very useful: while you are asleep, why have the admin accessible?
Objective: To keep hackers and bot crawlers, especially those who specialize in WordPress intrusions, locked out.
How?: By hiding files and folders, allowing you to rename WordPress system folders, and automatically renaming the database table prefix. By default WordPress puts all your content, including images, plugins, themes, uploads and more, in a directory called "wp-content". This makes it easy to scan a WordPress installation for vulnerable files, as an attacker already knows where they reside. There exist plugins and themes with security vulnerabilities. Moving this folder can make it much more difficult for an attacker to find problems with your site, as scanning bots looking for system files and folders will not produce any results. Here is a list of functions:
- changes file attributes, locking them down from hackers
- allows you to rename admin
- closes access to the theme file editor (theme-editor.php)
- hides update notices
- changes the database table prefix
- hides the WP backend
- notifies when users log in
- notifies when an IP is locked out
- notifies on lost password
- renames wp-content
Comments: Renaming the system folder wp-content can be challenging. Here are the problems:
- All images will have broken links
- The renaming process will toss you out of the admin, you must log back in again
- In some instances, WordPress will try to create another folder named "wp-content", which may or may not have all of the contents of the original wp-content prior to renaming
How does Better WP Security work? It does all of this by changing the .htaccess file and adding the path references to it. So even if you uninstall Better WP Security, the custom path stays intact. If for any reason you want to restore the original "wp-content" path, install the plugin again and reinstate the wp-content path by just pressing the button.
Pros: An excellent product for non-techs and techs alike. The lengths to which this plugin goes to clamp down on hacks and exploits are truly remarkable. The one-button lockdown is convenient for non-techs. There is no need for manuals, as there are self-explanatory help dialogs next to the check boxes.
Cons:
- There will be times when you have the login name "admin" and Better WP Security will state: "Congratulations! You do not have a user named "admin" in your WordPress installation. No further action is available on this page." This is a false negative. You will need to go into the database and manually change the login name "admin" to something else. Better WP Security sometimes has problems reading the login name from the database.
- Locking down the admin area intentionally obscures the login URL/path, which can cause problems if you have plugins like SimpleModal Login or a custom login script. You stand the chance of being locked out; you would then need to disable the plugin by renaming its folder before you can gain access again. So I suggest not checking this option.
- Better WP Security may continue to lock you out if you successfully log in too many times. This is no doubt a bug. I suspect that a complete uninstall (delete all files) does not clean up properly and may leave files that impact a new install of Better WP Security.
- Another possible bug: "A host, 220.127.116.11, has been locked out of the WordPress site at http://yoursite.com until Sunday, June 24th, 2012 at 3:31:13 pm UTC due to too many login attempts. You may login to the site to manually release the lock if necessary." Unfortunately, Better WP Security counts successful logins as login attempts. The result is that the admin or user gets kicked out even though their logins are successful.
Stay tuned for more on Better WP Security. Last updated: June 23, 2012