Potential Plugin Issues For Anyone Using OSE Firewall On Their WordPress

There was a recent OSE Firewall update to version 2.0.2, which has potentially become a case where upgrading right away may be detrimental. It also makes a good case for having a dedicated test environment.

Let’s take a look at what’s going on.

OSE Firewall provides a number of cool features for blocking many of the various attacks a website gets. The most commonly blocked things include:

  • Block blacklisted methods (Trace / Delete / Track)
  • Checks Malicious User Agent
  • Your server IP (to avoid false alerts due to empty user agent)
  • Detect Directory Traversal
  • Checks Basic DoS Attacks
  • Checks Basic Direct File Inclusion
  • Checks Basic Remote File Inclusion
  • Checks Basic Javascript Injection
  • Checks Basic Database SQL Injection

These alone make it a very useful plugin addition to just about any website, however it also includes a virus scanner option and a couple other options.
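The checks in that list are signature-style tests applied to each request. The following added example (written for this article, not code from OSE Firewall or its authors) shows how such "basic" checks are typically implemented and why the plugin asks for your server IP: an empty User-Agent from the site's own address is exempted so cron and loopback requests do not raise false alerts. The rule patterns, the `inspect_request` function and the sample requests are all constructed for illustration, and it is in Python rather than the plugin's PHP for brevity. The `page=contact.php` sample shows how a crude file-inclusion signature also catches a perfectly legitimate parameter, which is one reason to try such a plugin on a test site before production.

```python
import re
from urllib.parse import unquote, parse_qsl

# Constructed rule set modelled on the check categories the plugin advertises.
# The patterns are illustrative "basic" signatures, not the plugin's own rules,
# and they are deliberately simple so that their false positives are visible.
BLOCKED_METHODS = {"TRACE", "TRACK", "DELETE"}
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
LOCAL_FILE_RE = re.compile(r"\.(?:php|phtml|inc)$", re.IGNORECASE)
JS_RE = re.compile(r"<\s*script|javascript:|\bon(?:load|error|click)\s*=", re.IGNORECASE)
SQL_RE = re.compile(r"union\s+select|'\s*or\s+'?\d|--\s|/\*|\bsleep\s*\(", re.IGNORECASE)


def _decode(value: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly so single- and double-encoded input normalise alike."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def inspect_request(method, path, query, user_agent, remote_ip, server_ip, max_query_len=2048):
    """Return a list of (category, evidence) findings for one HTTP request."""
    findings = []
    if method.upper() in BLOCKED_METHODS:
        findings.append(("blacklisted_method", method.upper()))
    # An empty User-Agent is suspicious, except from the site's own server
    # (cron and loopback requests), which is why the plugin asks for the server IP.
    if not user_agent.strip() and remote_ip != server_ip:
        findings.append(("empty_user_agent", remote_ip))
    # Crude "basic DoS" sign: an oversized query string.
    if len(query) > max_query_len:
        findings.append(("oversized_query", str(len(query))))
    decoded_path = _decode(path)
    if TRAVERSAL_RE.search(decoded_path):
        findings.append(("directory_traversal", decoded_path))
    # parse_qsl already decodes once; _decode handles double encoding on top.
    for key, raw in parse_qsl(query, keep_blank_values=True):
        value = _decode(raw)
        evidence = f"{key}={value}"
        if TRAVERSAL_RE.search(value):
            findings.append(("directory_traversal", evidence))
        if REMOTE_URL_RE.search(value):
            findings.append(("remote_file_inclusion", evidence))
        if LOCAL_FILE_RE.search(value):
            findings.append(("direct_file_inclusion", evidence))
        if JS_RE.search(value):
            findings.append(("javascript_injection", evidence))
        if SQL_RE.search(value):
            findings.append(("sql_injection", evidence))
    return findings


def should_block(findings) -> bool:
    """Policy hook: this toy blocks on any finding; a real firewall would weigh them."""
    return bool(findings)


if __name__ == "__main__":
    SERVER = "198.51.100.10"  # constructed addresses from documentation ranges
    samples = [
        ("GET", "/", "s=hello+world", "Mozilla/5.0", "203.0.113.5"),
        ("TRACE", "/", "", "Mozilla/5.0", "203.0.113.5"),
        ("GET", "/index.php", "page=..%2F..%2Fprivate.txt", "Mozilla/5.0", "203.0.113.5"),
        ("GET", "/index.php", "page=contact.php", "Mozilla/5.0", "203.0.113.5"),  # legitimate, yet flagged
        ("GET", "/wp-cron.php", "", "", SERVER),  # own server with empty UA: allowed
    ]
    for method, path, query, ua, ip in samples:
        print(method, path, query, "->", inspect_request(method, path, query, ua, ip, SERVER))
```

The per-parameter loop decodes twice on purpose: a single-decoded check misses `%252e%252e%252f`, which a second decode turns into `../`. Whether a finding should block or only log is a policy decision, which is what `should_block` stands in for.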

The Problem With The OSE Firewall Upgrade…

The recent upgrade does a couple of things that were a little funky, to say the least. So let’s see what went wrong.

  1. During the initial upgrade there were issues where the upgrade did not seem to take, leaving the plugin still telling WordPress that an update was available.
  2. As part of the upgrade you now get 2 plugins: one main security plugin as well as a new one to handle the “security image” on its own. It seems redundant to have a plugin just to handle the “protected by OSE” image.
  3. After the upgrade several options did not seem to work properly:
    1. Variables management page: the button says “load WordPress default variables”, but when clicked it comes up with this message: “Please confirm that you would like to load the Joomla white-listed variable rules”.
    2. The variables page also shows a “0” ID variable with NA listed… is this needed? Garbage?
    3. Virus Scanner Panel: no progress bar during the scan? It says virus scanning is in progress but nothing moves; there is no working status indication…. oversight?
    4. Virus scan config page: the option for File Extensions, when upgraded, shows slashes in the fields like this:

      \\htm\\,\\html\\,\\shtm\\,

      Is that correct, or should they be like this:

      htm,html,shtm,shtml,css,js,php,php3,php4,php5,inc,phtml,jpg,jpeg,gif,png,bmp,c,sh,pl,pe

    5. Scan file size box is incorrectly sized, not editable, and blank. The box exists, but there is nothing in it; you can’t click on it at all and it does not accept input.
    6. Admin Email Panel: shows a 0 ID, which cannot be deleted.
    7. Cannot link to anything using the add linkage. It clicks, but shows no admin user in the drop-down. You can try entering a name, but it will not save.
    8. DATABASE SIZE
      This is a big one in my book. My DB seems to have quadrupled in size by updating the plugin. Going from 500k to 2 megs is not a lot in the grand scheme, but when comparing the two SQL files I noticed this type of issue.
    9. Also, please note the plugin size. The plugin folder went from 1m of files to 30 megs of files. That is a 30x increase. Most of this seems to be due to the use of a framework. I am not familiar with the framework they are using, but for the changes they made this seems like quite an extreme file size change.


EDITED SECTION (From one of our other sites) – copied below is some additional information about what happened on one of our sites when we attempted to restore the site. The site was upgraded to the newest OSE release a few days ago.

Site Down Time BuyTycoonGoldAddon.com


After much work here’s what we found out.

  • Until such time as OSE Firewall gets its program under control for the newest version 2.1.3, we will not be using it.
  • Some of the original OSE Firewall issues that we have encountered were posted here: Potential Plugins Issues With OSE Firewall.
  • OSE Firewall Support Section Via WordPress
  • The newest OSE Firewall added over 400k lines of code to the database of even a brand new, fresh install of WordPress. This was in addition to 30 megs of files due to the newest change over to using a framework.
  • Much of this bloat was over 250k lines of SQL code related to just the GEO IP aspect of the new release.
  • In addition, we encountered errors importing the SQL sections of the DB backups that pertained to the OSE Firewall. This was due to additional restrictions between foreign key and master key access within the DB. This meant we could not do an active import of the SQL database as long as the OSE SQL sections were intact.
  • Additionally, the SQL import required DB privileges that were inappropriate for traditional website DB server access. We consider this to be a potentially risky issue, and it further strengthened our resolve to avoid using the newest version.
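Both the SQL-file comparison from the database-size item earlier and the foreign-key and privilege problems listed in these restore notes can be checked before attempting an import. The following added example (not code from the plugin or from this site's restore) scans a mysqldump-style file, counts INSERT lines and bytes per table so the tables responsible for growth stand out, lists foreign-key dependencies and derives a restore order that satisfies them, and flags statements such as DEFINER clauses and triggers, which in MySQL generally need privileges beyond those of a per-site database user. The `SAMPLE_DUMP`, its table names and the `wp_example_` prefix are constructed for the example; a real dump will use the plugin's own table names.

```python
import re
from collections import defaultdict

# Constructed excerpt in mysqldump style; table names and rows are invented for
# this example and are not taken from any real backup or from the plugin.
SAMPLE_DUMP = """\
-- constructed mysqldump excerpt
CREATE TABLE `wp_posts` (
  `ID` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  PRIMARY KEY (`ID`)
) ENGINE=InnoDB;
INSERT INTO `wp_posts` VALUES (1,'Hello world');
INSERT INTO `wp_posts` VALUES (2,'Sample page');
CREATE TABLE `wp_example_country` (
  `id` int(11) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB;
INSERT INTO `wp_example_country` VALUES (1,'ZZ');
CREATE TABLE `wp_example_geoip` (
  `id` int(11) NOT NULL,
  `country_id` int(11) NOT NULL,
  PRIMARY KEY (`id`),
  CONSTRAINT `fk_country` FOREIGN KEY (`country_id`) REFERENCES `wp_example_country` (`id`)
) ENGINE=InnoDB;
INSERT INTO `wp_example_geoip` VALUES (1,1);
INSERT INTO `wp_example_geoip` VALUES (2,1);
INSERT INTO `wp_example_geoip` VALUES (3,1);
INSERT INTO `wp_example_geoip` VALUES (4,1);
/*!50003 CREATE*/ /*!50017 DEFINER=`root`@`localhost`*/ /*!50003 TRIGGER `trg_example` BEFORE INSERT ON `wp_example_geoip` FOR EACH ROW BEGIN END */;;
"""

CREATE_RE = re.compile(r"^CREATE TABLE `([^`]+)`")
INSERT_RE = re.compile(r"^INSERT INTO `([^`]+)`")
FK_RE = re.compile(r"FOREIGN KEY .*?REFERENCES `([^`]+)`")
# Statements that commonly need privileges beyond a per-site database user.
PRIVILEGED = {
    "DEFINER": re.compile(r"DEFINER=`"),       # another user's DEFINER needs SUPER / SET_USER_ID to import
    "TRIGGER": re.compile(r"\bTRIGGER\s+`"),   # needs the TRIGGER privilege on the table
    "SET GLOBAL": re.compile(r"^SET GLOBAL\b", re.IGNORECASE),
    "GRANT/CREATE USER": re.compile(r"^(?:GRANT|CREATE USER)\b", re.IGNORECASE),
}


def analyse_dump(text: str) -> dict:
    """Per-table INSERT volume, foreign-key edges and privileged statement kinds in a dump."""
    tables = defaultdict(lambda: {"insert_lines": 0, "insert_bytes": 0})
    foreign_keys, privileged, current = [], set(), None
    for line in text.splitlines():
        m = CREATE_RE.match(line)
        if m:
            current = m.group(1)
            tables[current]  # register the table even if no rows follow
            continue
        if line.startswith(")"):  # end of a CREATE TABLE body
            current = None
        m = INSERT_RE.match(line)
        if m:
            tables[m.group(1)]["insert_lines"] += 1
            tables[m.group(1)]["insert_bytes"] += len(line.encode())
        m = FK_RE.search(line)
        if m and current:
            foreign_keys.append((current, m.group(1)))
        for name, pattern in PRIVILEGED.items():
            if pattern.search(line):
                privileged.add(name)
    return {"tables": dict(tables), "foreign_keys": foreign_keys, "privileged": sorted(privileged)}


def line_share(report: dict, prefix: str) -> float:
    """Fraction of all INSERT lines belonging to tables whose name starts with prefix."""
    total = sum(t["insert_lines"] for t in report["tables"].values())
    own = sum(t["insert_lines"] for n, t in report["tables"].items() if n.startswith(prefix))
    return own / total if total else 0.0


def import_order(report: dict) -> list:
    """Order tables so every referenced table is restored before the table that references it."""
    deps = defaultdict(set)
    for table, ref in report["foreign_keys"]:
        if ref != table:
            deps[table].add(ref)
    remaining = set(report["tables"]) | {ref for _, ref in report["foreign_keys"]}
    ordered = []
    while remaining:
        ready = sorted(t for t in remaining if not (deps[t] & remaining))
        if not ready:
            raise ValueError("cyclic foreign keys; import needs FOREIGN_KEY_CHECKS=0")
        ordered.extend(ready)
        remaining.difference_update(ready)
    return ordered


def largest_tables(report: dict, n: int = 3) -> list:
    """Table names sorted by INSERT bytes, largest first."""
    return sorted(report["tables"], key=lambda t: report["tables"][t]["insert_bytes"], reverse=True)[:n]


if __name__ == "__main__":
    rep = analyse_dump(SAMPLE_DUMP)
    print(largest_tables(rep), rep["foreign_keys"], rep["privileged"], import_order(rep))
```

Running it on a real backup pair (before and after an upgrade) makes the "which tables grew" question answerable from the dump alone, and the privileged list tells you in advance whether the import will fail for the normal site user.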

Please note: We loved the older version of the plugin, however we cannot in good faith recommend the current new release.


So what did we do:

  • We manually verified and removed all tables in the DB related to the OSE Firewall plugin.
  • We manually tested and imported the most recent backups of the site.
  • We have manually restored all files and plugins that were active on the site.
  • We have lowered the DB size back to a more respectable quarter of what it was with OSE installed.
  • Removed 40 megs of excess files from the site itself.
  • Re-implemented caching functionality for the site, bringing the site score up considerably, which can be seen here: GTMetrix – Latest Performance Report for BuyTycoonGoldAddon.com
  • The above test was an almost 10% increase over previous tests from only a few days before.
  • The system will also run smoother, as file access times are reduced due to file cleaning and fewer DB calls.

END EDITED SECTION

This has been addressed with the company. I also have some confusion regarding the nature of the major changes that were made.

I wonder what prompted the massive scale of these changes? This OSE Firewall plugin went from a version 1.6.4 up to Version 2.0.2.

As a software developer by trade, I know you do not make major version jumps without pretty good reasons. This is a large number of issues given the software’s previous performance rating of excellent.

For instance, what prompted the use of a major framework? The old version looked good, was easy to set up, and most of all functioned properly, so why mess with something that worked? If it ain’t broke, don’t fix it.

If all they had changed was the UI, that would have been enough for a major update. Then they could have made sure the framework issues were addressed before adding GEO-targeted IP.

And the size of the plugin now causes some other issues. Larger files mean larger backups, meaning more download time and bandwidth. More files also mean more potential places to risk a hack or intrusion attempt.

The last time I saw a company do this kind of upgrade it was due to a management change. After all, there is a new name on the plugin, to boot. It has gone from being listed by:

Open Source Excellence, which according to their own website released version 1.5 in February, just six months ago:

https://www.opensource-excellence.com/blog/item/460-wordpress-anti-hacking

Here is the Open Source Excellence About page which states:

  • Published on Friday, 02 April 2010 22:53
Open Source Excellence previously operated in the UK. Due to the need for further development and expansion, we have moved our corporate headquarters to Singapore and are registered as Open Source Excellence PTE. LTD., a Singapore Registered Company with Registration Number 201013240k.

Now the plugin is listed here: Pro Web https://www.protect-website.com/

Where the About Information is now listed as:

About us

Luxur Group PTY LTD
Sydney, Australia
ABN: 67 164 057 461

Now, this alone does not mean it is a completely separate entity; however, given that there were sweeping changes to software that was working great? That to me usually means someone bought a winning product, thought they could hire some new programmers to come in and update it, and wanted to do it in a hurry. IMHO.

Having been on the receiving end of writing inventory programs more than once just to satisfy the “new owners” of a company leads me to believe this is what is happening here. They were likely told to “do it this way”, and the new owner may not be a programmer, but was sold some “framework” that he loves and won’t give up because they spent $50k on it.

If this is, however, a completely separate company, then I feel it would have been nice to let the community know about these kinds of sweeping changes long before putting this out as a production release. The WordPress community is super awesome at testing and finding bugs in software. They could have easily released it to WordPress community sites as a beta and had tons of feedback. But this was not done.

Please note these are only the issues I noticed when testing it on a test site. There have been a number of other issues brought up as well, so make sure you test any updates.

For more support information from OSE, check out the WordPress OSE Firewall Support Section.

So if you are using OSE Firewall version 1.6.4, consider staying with it for a few weeks until they iron out the kinks.