WordFence Security Plugin Reminds Users How Important Updates Are
Its been a while since I posted any updates for Wordfence Security and unfortunately a lot has happened since then when it comes to this plugin. One of the key factors in any website security program is staying on top of the updates.
You might ask: “Why are updates so important?”. In fact, you should already know why, but just in case:
Failure to update your websites, regardless of which CMS you are using, can be a critical entry point for hackers to either gain access to or cause malicious damage to your sites. Anytime there is a software program created there will be people who wish to cause trouble or find weakness with that program.
The Wordfence staff reminds us that even WordPress itself can have vulnerabilities: Multiple Critical Vulnerabilities in WordPress Core.
While WordPress has fixed these issues in the 4.0.1 updates, many people will not have made the updates for their blogs as of yet.
Last year at this time the Wordfence Security plugin was the first WordPress security plugin listed in our suggested must have plugin list. We still like this plugin very much but will still re-evaluate it as our go to main security plugin. We actually like to employ different security plugins on different sites to accommodate our various testing and reviewing process.
If you have not updated this plugin in a while please note there will be a different look and feel to the admin panels. Also, please note that there are several key security updates within the last year. These are highlighted below to make sure you don’t miss them. Make sure that you are upgrading this to the most recent version. Make sure to double check your settings and make a backup before making any major changes.
- Version: 5.3.3
- Author: Wordfence
- Last Updated: 11-20-2014
- Requires WordPress Version: 3.3.1 or higher
- Compatible up to: 4.0.1
- Average 5-Star Rating: 4.9
- Security fix. Thanks Matt B!
- Changed what we consider to be private addresses to a smaller range of addresses. See current range at:http://docs.wordfence.com/en/How_Wordfence_handles_Private_Addresses
- Fixed a warning about an undefined value which appeared after we added referer blocking in 5.3.2.
- Feature: Advanced blocking now includes referer blocking. i.e. you can block visitors arriving from certain websites or pretending to. See updatedhttp://docs.wordfence.com/en/Advanced_Blocking
- Feature: Developers, you can now ask Wordfence to whitelist your server IP by calling wordfence::whitelistIP(). See http://docs.wordfence.com/en/WhitelistIP
- IP to Country database updated to November 4th 2014 version.
- Options export and import now also exports Country Blocking and Scan Schedule configuration.
- Scans fully documented at docs.wordfence.com. Link on ‘Scan’ page under heading.
- Live Traffic fully documented at docs.wordfence.com. Link on Live Traffic page.
- Falcon Engine/Wordfence Caching fully documented. Link on Performance Setup page.
- Blocked IPs, locking and throttling fully documented. Link on Blocked IPs page.
- Cellphone Sign-in fully documented. Link under title on Cellphone sign-in page.
- Country blocking fully documented. Link on Country blocking page.
- Scan Scheduling fully documented. Link on Scan Scheduling page under title.
- Whois and Advanced Blocking documented including how Live Traffic, Whois and Advanced blocking work together.
- Removed unnecessary text from several menu items and moved into official docs where needed.
- Added ability to export Wordfence settings and reimport on one or many sites using secure token.
- Added API function to programatically import Wordfence settings from another WordPress site.
- Upgraded to Wordfence API version 2.14.
- Detailed documentation for all options on the Wordfence options page. Launching docs.wordfence.com wiki.
- Fixed server-side issue where diff’ing certain files would give a blank page or an API error.
- Removed now unused whois library because we’re now using Wordfence API server to get around whois port blocking.
- Fixed issue that would cause infected files with identical content to only have the first file found show up in scans and the rest would not appear.
- Whois queries now go via our own server as a workaround for hosting providers who block your web server’s access to port 43 preventing you from making a direct whois query.
- Fixed issue that caused litespeed users to receive multiple warnings about the noabort issue.
- Added detection for 5 new malware variants. Thanks to Dave M. and others for the samples. Keep them coming folks!
- Updated Wordfence server API to version 2.12.
- Added facility at bottom of Wordfence options page to send a test email from your WordPress sytem to check if email sending is working.
- Suppress LOCK_EX flock() warnings in falcon engine that were being generated by sites that use NFS and don’t support flock() or reliable file locking.
- Updated to the October 2014 version of the Geo IP country DB. (newest edition)
- Fixed bug that caused country blocking and redirecting to an external URL to not work if the external URL’s relative path matched the current page’s relative path.
- Made it clear that country blocking URL’s require absolute URL’s.
- Security release. Update immediately. Thanks to Julio Potier.
- Code hardening including improved sanitization and an additional nonce for unlock email form. Special thanks to Ryan Satterfield for the hard work.
- Stability of auto-update improved for LiteSpeed customers. We auto-detect if you don’t have E=noabort:1 in your .htaccess and give you instructions.
- Auto-update also disabled now for LiteSpeed customers who don’t have E=noabort:1 and you will get an email alert with an explanation.
- Fixed a bug that may cause you to have advanced blocking patterns disabled with falcon engine enabled that should not be disabled.
- Removed a benign warning in wfCache.php.
- Added clarity to the banned URL option on the options page. All URL’s must be relative.
- Added a primary key to the wp_wfStatus table which is required for certain incremental backup plugins and utilities.
- Fixed advanced country blocking which was not correctly displaying advanced options.
- Migrated to using wp_kses() for sanitization.
- Prevent IP spoofing in default Wordfence IP configuration.
- Change explanations of how Wordfence gets IP’s to make it clear which to use to prevent spoofing.
- Make it clear that the option to have IP’s immediately blocked when they access a URL requires relative URL’s starting with a forward slash.
- Whitelist Sucuri’s scanning IP addresses which were getting blocked because they triggered Wordfence blocking during a scan.
- Improved Wordfence’s code that acquires the visitor IP to block certain spoofing attacks, be more platform agnostic and deal with visits from private IP’s more elegantly.
- Security release. Upgrade immediately.
- This release fixes an XSS vunlerability on Wordfence “view all traffic from IP” page.
- Also fixes a hard to exploit XSS which exists if you have your site as the default site on your web server, falcon enabled and debugging comments enabled.
- Improves Revolution Slider proteciton.
- Fixed bypass for fake googlebot blocking.
- Updated Geo IP country database to newest version (September 2014 edition)
- Security fix. Improved referrer sanitization in live traffic.
- Changed scan success messaging for clarity.
- Fixed minor bug in IP validation which manifested when users use IPv6 to IPv4 translation which produces 255.x.x.x addrs.
- Protection from the Slider Revolution Plugin arbitrary file download vulnerability announced today. Attempts to download any .php file including wp-config.php are denied.
- Changed the Wordfence Memory config option’s label to make it clearer what the option does.
- Moved screenshots out of plugin distro directory to reduce plugin payload size.
- Fix: Users with large lists of blocked IP’s (over 2,100) would receive a browser error “Uncaught RangeError: Maximum call stack size exceeded”. Fixed.
- Improvement: Added detection for FOPO obfuscation often used by hackers to obfuscate PHP code. Will detect a range of newer infections. (Server-side code change)
- Fix: Crawler triggering update cron job threw error about show_message() being redeclared at end of update. Fixed.
- Fix: Live traffic cities were incorrect and did not match country blocking block effects under certain conditions. Fixed.
- Fix: If a site database contained a table with dashes in the table name, we would throw an error at the end of every scan. Fixed.
- Improvement: Upgraded country DB to newest version.
- Improvement: Changed live traffic geo location caching to be 24 hours instead of a week so that geo DB updates for live traffic on our servers take effect sooner.
- Improvement: Ignoring .sql files in scans which are usually backups and contain many false positives, unless high sensitivity scanning is enabled.
- Fix: Option to disable config caching. You can find this new option at the bottom of the Wordfence options page.
- Note: If you are seeing the “cron key does not match the saved key” error, check the box to disable config caching at the bottom of the Wordfence options page, save and this will fix it.
- Note: If you are trying to save your Wordfence options and the options keep reverting, enable the “disable config caching” at the bottom of your Wordfence options page, save and this will fix it.
- Improvement: Wordfence now supports websites behind proxy servers when communicating with the Wordfence API servers.
- Fix: Removed old image files that were unused.
- Feature: Country blocking now lets you block login page OR rest of site or any combination. So you can now block the login page only for example.
- Improvement: Upgraded the country blocking database to the newest version which is July 2014.
- Improvement: Improved server-side performance for Wordfence scanning.
- Improvement: Offer the option to keep Wordfence up-to-date automatically.
- Improvement: If file contains malicious code, include filename in email alert summary info.
- Fix: Removed strings in readme.txt that were causing false positives in hosts own scanning software.
- Fix: Prevent lockout email alerts being sent for blank usernames.
- Fix: Bing crawler was being misidentified as human. Fixed.
- Fix: Escaping HTML on whois records. Thanks Nikhil Srivastava, TechDefencelabs (http://techdefencelabs.com)
- Feature: Auto updates for Wordfence! This is a much-requested feature by our power admin’s. Enable the “Update Wordfence automatically when a new version is released” option on the Wordfence options page.
- Fix: Security fix. Thanks to Narendra Bhati from Suma Soft.
- Feature: You can now specify one or more URL’s that if accessed will cause the IP to immediately be blocked. See below “Other Options” for the new feature.
- Improvement: Added additional debugging info when cron key does not match saved key to help diagnose any problems.
- Improvement: New Issues email now contains site URL rather than just hostname to help identify subdirectory sites.
- Improvement: Upgraded the country blocking database to the newest version which is June 2014.
- Fix: Some browser versions were being reported as 0.0. Updated browser detection.
- Improvement: WooCommerce now officially supported out of the box.
- Feature: Added the wordfence:doNotCache() function that you can call in your themes and plugins to prevent caching of items.
- Fix: Fixed the warning appearing in lib/wfUtils.php about a scalar being treated as an array which appeared in 5.0.9.
- Fix: Failed logins were not being logged for non-existent usernames that were set to immediatelly block. Fixed.
- Fix: Removed several warnings/notices that would appear when WP_DEBUG is enabled.
- Fix: Added default character set to .htaccess which fixes garbled international characters being served from cache on sites with no default apache charset.
- Feature: (Premium) Advanced Comment Spam Filter. Checks comment source IP, author URL and hosts and IP’s in body against additional spam lists.
- Feature: (Premium) Check if your site is being Spamvertised i.e. your domain is being included in spam emails. Usually indicates you’ve been hacked.
- Feature: (Premium) Check if your website IP is generating spam. Checks against spam lists if your IP is a known source of spam.
- Improvement: Cache clearing errors are nown shown with clear explanations.
- Improvement: Added lightweight stats logging internally in preparation for displaying them on the admin UI in the next release.
- Fix: If a non-existent user tries to sign in it is not logged in the live logins tab. Fixed.
- Fix: Removed warning “Trying to get property of non-object” that would occur under certain conditions.
- Fix: Removed call to is_404() which was not having any effect and would issue a warning if debug mode is enabled.
- Fix: Check if CURL is installed as part of connectivity test.
- Feature: Support for Jetpack Mobile Theme in Falcon Caching engine. Regular pages are cached, mobile pages are served direct to browser.
- Improvement: Pages that are less than 1000 bytes will not be cached. The avg web page size in 2014 is 1246,000 bytes. Anything less than 1000 bytes is usually an error.
- Improvement: Wordfence will now request 128M on hosts instead of 64M where memory in php.ini is set too low.
- Fix: Wordfence was caching 404’s under certain conditions. Fixed.
- Fix: Nginx/FastCGI users would sometimes receive an error about not being able to edit .htaccess. Fixed.
- Feature: Immediately block IP if hacker tries any of the following usernames. (Comma separated list that you can specify on the Wordfence options page)
- Feature: Exclude exact URL’s from caching. Specifically, this allows you to exclude the home page which was not possible before.
- Feature: Exclude browsers or partial browser matches and specific cookies from caching.
- Fix: Fixed issue where /.. dirs would be included in certain scandir operations.
- Fix: logHuman function was not analyzing user-agent strings correctly which would allow some crawlers that execute JS to be logged as humans.
- Fix: Removed ob_end_clean warnings about empty buffers when a human is being logged.
- Fix: Removed warning in lib/wfCache.php caused by unset $_SERVER[‘QUERY_STRING’] when we check it.
- Fix: Fixed “logged out as ”” blank username logout messages.
- Fix: Improved security of config cache by adding a PHP header to file that we strip. Already secure because we have a .htaccess denying access, but more is better.
- Fix: Falcon Engine option to clear Falcon cache when a post scheduled to be published in future is published.
- Fix: Fixed Heartbleed scans hanging.
- Feature: Prevent discovery of usernames through ‘?/author=N’ scans. New option under login security which you can enable.
- Fix: Introduced new global hash whitelist on our servers that drastically reduces false positives in all scans especially theme and plugin scans.
- Fix: Fixed issue that corrupted .htaccess because stat cache would store file size and cause filesize() to report incorrect size when reading/writing .htaccess.
- Fix: Fixed LiteSpeed issue where Falcon Engine would not serve cached pages under LiteSpeed and LiteSpeed warned about unknown server variable in .htaccess.
- Fix: Fixed issue where Wordfence Security Network won’t block known bad IP after first login attempt if “Don’t let WordPress reveal valid users in login errors” option is not enabled.
- Fix: Sites installed under a directory would sometimes see Falcon not serving cached docs.
- Fix: If you are a premium customer and you have 2FA enabled and your key expires, fixed issue that may have caused you to get locked out.
- Improvement: If your Premium API key now expires, we simply downgrade you to free scanning and continue rather than disabling Wordfence.
- Improvement: Email warnings a few days before your Premium key expires so you have a chance to upgrade for uninterrupted service.
- Fix: Removed mysql_real_escape_string because it’s deprecated. Using WP’s internal escape.
- Fix: Wordfence issues list would be deleted halfway through scan under certain conditions.
- Fix: Connection tester would generate php error under certain conditions.
- Feature: We now scan for the infamous heartbleed openssl vulnerability using a non-intrusive scan method safe for production servers.
- Improvement: We now check if .htaccess is writable and if not we give you rules to manually enable Falcon.
- Improvement: Once Falcon is enabled, if we can’t write to .htaccess, we fall back to PHP based IP blocking.
- Feature: You can now clear pages and posts from the cache on the list-posts page under each item or on their edit pages next to the Update button.
- Fix: We now support sites who use a root URI but store their files and .htaccess in a subdirectory of the web root.
- Fix: Changed the extension of the backup .htaccess to be .txt to avoid anti-virus software alerting on a download with .com extension. [Props to Scott N. for catching this]
- Removed ability to disable XML-RPC. The feature broke many mobile apps and other remote services.
- Fix: Issue that caused users running WordPress in debug mode to see a is_404 warning message.
- Fix: Issue that caused Call to undefined function wp_get_current_user warning.
- Fix: Issue that caused caching to not work on sites using subdirectories.
- Fix: Issue that caused SQL errors to periodically appear about wfPerfLog table.
- Fix: Issue that caused warnings about array elements not being declared.
- To see a video introduction of Falcon Engine included with Wordfence 5, please watch this video
- SUMMARY: This is a major release which includes Falcon Engine which provides the fastest WordPress caching available today. It also includes many other improvements and fixes. Upgrade immediatelly to get a massive performance boost for your site, many new features and fixes.
- Feature: Falcon Engine provides the fastest caching algorithm for WordPress. Get up to a 50x site speedup now when you use Wordfence.
- Feature: PHP based caching as an alternative to Falcon.
- Feature: IP, browser and IP range blocking is now done using .htaccess if Falcon Engine is enabled providing a big performance boost.
- Feature: Falcon and PHP caching includes ability to exclude URL patterns from cache along with cache management.
- Feature: Disable XML-RPC in WordPress to prevent your site from being used as a drone in a DDoS attack.
- Feature: Option to disable Wordfence cookies from being sent.
- Feature: Option to start all scans using the remote start-scan option. This may fix some customers who can’t start scans.
- Feature: Falcon Engine includes the ability to block IP ranges using .htaccess. We take your ranges and convert them into CIDR compatible .htaccess lines that very efficiently block the ranges you’ve specified. Another great performance improvement.
- Feature: If user disables permalinks we automatically disable Falcon Engine caching.
- Feature: Before you enable Falcon Engine we make you download a backup of your .htaccess file just in case.
- Improvement: Real-time traffic monitoring loads asynchronously to provide a faster user experience.
- Improvement: All Wordfence configuration variables are now cached on disk rather than repeatedly looked up on the database providing a big performance improvement.
- Improvement: Updated browser detection algorithms for new browsers.
- Improvement: Updated country GeoIP database to the April edition.
- Improvement: Improved performance by only loading routines required for logged in users if they have a login cookie. No DB lookup required.
- Improvement: Added on-off switches to top of live traffic to make it easy to turn on/off.
- Improvement: Removed marketing message from Wordfence email alerts.
- Improvement: Added ability to exclude files from scan that match patterns. Multiple excludes using wildcards allowed.
- Improvement: Improved performance by moving all actions that would only be used by a logged in user to be set up using add_action if the user actually has a login cookie.
- Fix: Added a throttle to prevent identical email alerts being sent repeatedly.
- Fix: Changed order of IP blocking and alerting code to prevent multiple email alerts being sent in a race condition.
- Fix: Cleaned up legacy code including removing all array_push statements.
- Fix: Added try/catch block to fileTooBig() function when we encounter files that we can’t seek on and that throw an IO error to prevent scans from crashing.
- Fix: Resolved issue that may have caused wfhits table to grow continuously on some sites.
- Fix: Ensured that runInstall() isn’t called multiple times.
- Fix: Moved register_activation_hook to only be called if the user has a login cookie and has a likelihood of being actually logged in as admin. Performance improvement.
- Fix: Added doEarlyAccessLogging routine to move logging before caching so we can have both.
- Fix: Removed the “update LOW_PRIORITY” sql statement when updating wfHits which was intended to speed up MySQL performance but may have actually caused queries to queue up and slow things down.
- Fix: Whitelisted IP’s are no longer put through two factor authentication as one would expect.
- Fix: Changed our wp_enqueue_script calls to add a ‘wf’ prefix to our script names so that another plugin doesn’t cause our scripts to not load.
- Fix: Removed code that would cause all alerts to be turned on for some users under certain conditions.
- Fix: Automatically excluding backup files and log files from URL scans to reduce false positives on referring URLs in logs and backups.
- Improvement: Added “high sensitivity” scanning which catches evals with other bad functions but may give false positives. Not enabled by default.
- Fix: Removed code that caused error message during scan initialization.
- Fix: IP to number conversation code had a problem with IP’s with a single 0 in them. Bug was introduced in 4.0.2.
- Fix: Very fast attacks would generate a lot of email alerts due to race condition. Fixed.
- Feature: Ability to bulk repair or delete files when cleaning a site.
- Feature: You can now limit the number of emails per hour that Wordfence sends.
- Feature: You can now scan image files as if they are executables when cleaning a site. See the option under scanning options.
- Feature: New connectivity test for wp_remote_post to our servers.
- Feature: New detection for backdoors that were previously missed in scans.
- Improvement: Added a link to the Wordfence admin URL for a site when an email alert is received.
- Improvement: Removed “buy premium” message from the alert emails which was causing confusion and irritation.
- Improvement: Improved private address detection by making it faster and adding all private subnets, not just RFC1918 nets.
- Improvement: Switched to wp_remote_get for triggering scans instead of wp_remote_post()
- Improvement: Added some more verbose debugging for scan starts when in debug mode.
- Improvement: No longer include private addresses when checking malware URL’s and scanning IP’s.
- Improvement: Added code to disable Wordfence if WordPress is installing.
- Fix: Text change because not all “scan” buttons are blue.
- Fix: Removed URL from wfBrowscapCache.php which was causing false positives during scans.
- Fix: Fixed SQL bug that triggered when we logged a vulnerability scan.
- Fix: IP range blocks where a digit is preceded by a ‘0’ char will no longer generate an error.
- Fix: The getIP() routine will no longer use the IP closest to a visitor in network topology if that IP is a private address and behind a proxy.
- Real-time WordPress Security Network Launched.
- If another site is attacked and blocks the attacker, your site also blocks the attacker. Shared data among Wordfence sites.
- See our home page on http://www.wordfence.com for a live map of attacks being blocked. Then blog about us!!
- Fixed bug where wfBrowscapCache.php is reported as malicious.
- Big improvement in scanning speed and efficiency of URL’s and IP addresses.
- Fixed preg_replace() warning by using newer preg_replace_callback() func.
- Fixed issue that caused Wordfence security to not log 404’s.
- Made 404’s more visible on the live traffic page.
- Fixed panel width that was too narrow for WP 3.8 on live traffic and issues pages.
- Report hack attempts to Wordfence Security scanning server for DDoS protection.
- Remind admin if security alert email is blank and tour is closed.
- Updated links to new Wordfence Security support website at support.wordfence.com.
- Made Wordfence Security paid-users-only message a little more user friendly.