Category: Security

  • SQL injection in Anti-Spam by CleanTalk for WordPress prior to 5.153.4

    Hi there,

    We have fixed a possible SQL injection in Anti-Spam by CleanTalk for WordPress. The vulnerability can be exploited in versions 5.150 till 5.153.4.

    If you run one of these versions please update the plugin to the latest stable version as soon as possible,

    https://cleantalk.org/help/update-wordpress

    To find the current version please follow,

    WordPress console -> Settings -> Anti-spam by CleanTalk -> Statistics & Reports -> Plugin version.

  • Country Blocking. How to block access to your site from certain countries.

    If you own a website, by default it is available to the entire planet. Many websites are simply not relevant to people in other countries, so you should not expect significant traffic from them.

    If you notice that there are requests to your site from a particular country for which your content is insignificant or you just want to deny access to your website from one or more countries, you can easily use the CleanTalk services.

    Most of the visits to the site come from various bots, brute-force attempts, vulnerability scanners and scrapers of content, products and prices, so why not block access to a site from China if it is targeted at users from the USA? Sometimes the danger outweighs the occasional visitor from Pakistan, Iran or Côte d’Ivoire.

    3 types of blocking by country

    CleanTalk provides 3 different types of blocking users by country:

    • Anti-Spam
    • SpamFireWall
    • Security FireWall (WordPress only)

    Anti-Spam

    Blocking by country using Anti-Spam service allows you to block only comments/registrations and any POST requests on the site from users from certain countries. The site will be available for visitors and they can view it, but will not be able to leave a comment. It will be useful to block spam sent manually and some types of online threats (SQL injections) from these IP addresses. How to use Black/White lists for Anti-Spam service.

    SpamFireWall

    Blocking traffic by country using Spam FireWall allows you to partially block access to the site for the IP addresses of specific countries. All visitors from the blocked country are shown a special page: ordinary users can pass through it and then view the site, comment and register, but bots cannot get past it. This option is useful because it can significantly reduce the load on the site: all POST/GET requests are blocked, the site does not execute scripts for these requests, and the blocking page consumes almost no server resources. It can be used to block brute force attacks, vulnerability scanners and various bots, to temporarily block traffic in some types of DoS attacks in which attackers send thousands of HTTP requests to the site, and to reduce the likelihood of the site being hacked. How to use the Spam FireWall BlackList.

    If you need to block comments and registrations for this country too, then use country blocking for Anti-Spam service.

    WordPress Security FireWall

    WordPress Security FireWall – tightly blocks access to the site for blocked countries. At the same time, all requests to the site will be blocked and visitors from these countries will not be able to go to the site pages. A blocking page will be displayed to visitors. This type of blocking will be useful to prevent all types of attacks on the web site via HTTP / HTTPS. How to use WordPress Security FireWall.

    For all types of blocking, requests are logged and available in the Dashboard for further analysis. All types of blocking reduce the load on the site/server and block attacks on the site.

    For most websites, we recommend blocking only problematic countries that have a large number of spam, brute force attacks, generate a large number of 404 errors on the website, or pose other security threats to your website. We also recommend that you review your block lists regularly.

    We have made exceptions for the search bots of Google, Bing, Yahoo, Baidu, MSN, Yandex, etc., and they will not be blocked. Also, if you enter an IP address or network in the white list, this entry will have priority and its requests will be let through.

    In addition to blocking by country, each type can use your personal lists to block individual IP addresses or IP networks.

    How to identify the countries with the most spam activity on your site?

    It is enough to go to the CleanTalk dashboard and to see the block with the spam attack map and Top Spam Requests statistics.

    You can also view general statistics on spam attacks https://cleantalk.org/spam-stats

    You can see data on website visitors by country in Google Analytics statistics.

    We will be happy to answer your questions. Leave a comment below or create a private ticket.

    Thank you!

  • Two-Factor Authentication for WordPress

    CleanTalk has launched Two-Factor Authentication for WordPress admin accounts that will improve your website security and make it harder, if not impossible, for hackers to breach your WordPress account.


    Two-Factor Authentication works via e-mail. It makes the Two-Factor Authentication more reliable. The reason is that if an intruder knows your password they also need to know your e-mail address that is being used to get an authorization code and the password to your e-mail.

    This method almost eliminates the possibility for strangers to get access to your account.


    It requires a bit of your time but Two-Factor Authentication immediately gives a much higher level of protection.


    With your first authorization, the CleanTalk Security plugin remembers your browser and you won’t have to input your authorization code every time anymore. However, if you started to use a new device or a new browser then you are required to input your authorization code. The plugin will remember your browser for 30 days.


    To activate Two-Factor Authentication go to the settings of the CleanTalk Security plugin and enable the option “General Settings” -> “Miscellaneous” -> “Two-Factor Authentication”. The letter with your authorization code will be sent to the e-mail address that you put into the general settings of your WordPress website.


    You will be notified by e-mail each time the Two-Factor Authentication is successfully passed.


    By spending a few minutes to set up Two-Factor Authentication you save your time and other resources by not having to deal with the consequences of the hacked website.


    If you have any questions, we will be happy to help you.
    You can leave a comment below or create a private ticket here.

  • CleanTalk Web Application FireWall for WordPress Security Plugin

    Hello,

    We are happy to announce CleanTalk Web Application FireWall for WordPress Security Plugin. The main purpose of WAF is to protect the Web application from unauthorized access, even if there are critical vulnerabilities.

    It allows you to protect Web applications from known and unknown attacks. Its use is transparent to all visitors to the website and does not require knowing how HTTP works. It allows very accurate filtering and supports both GET and POST methods as well as requests to dynamic resources.

    Hackers use additional HTTP parameters to exploit vulnerabilities that allow them to get access to a website or prevent changes on your website.

    WAF catches all requests to your website and checks their HTTP parameters for: SQL Injection, Cross Site Scripting (XSS), file uploads from non-authorised users, PHP constructions/code, and the presence of malicious code in the downloaded files.

    If an HTTP request contains any of these, the request is blocked. A special page with the reason for blocking is shown for blocked requests.

    Besides protecting effectively, a security application should let you judge the quality of its protection, so CleanTalk logs all blocked requests, which lets you review and analyze accurate information. You can see your CleanTalk logs in your Control Panel: https://cleantalk.org/my/logs_firewall

    CleanTalk Web Application FireWall for WordPress is the proactive defense against known and unknown vulnerabilities to prevent hacks in real-time.

    Learn more, how to set up and test
    https://cleantalk.org/help/security-waf

  • Protection against DDoS attacks at the web applications level

    DDoS attacks on a site vary in intensity: what matters is the number of hosts involved in the attack, the number of network packets and the amount of data transmitted. In the most severe cases, it is possible to repel the attack only with specialized equipment and services.

    If the volume of the attack is less than the bandwidth of the network equipment and the computing power of the server (server pool) serving the site, you can try to “block” the attack without resorting to third-party services, namely by enabling a software filter for traffic coming to the site. This filter weeds out the traffic of bots participating in the attack while letting through the legitimate traffic of “live” site visitors.

    Scheme of software filter from DDoS attacks on the site

    The filter is based on the fact that bots participating in DDoS attacks are not able to execute JavaScript code, so bots will not get beyond the stop page of the filter, which significantly unloads the frontend/backend and the site database: to process each GET/POST request of the DDoS attack, the backend needs to execute no more than 20 lines of code and return a stub page of less than 2KB.

    1. The filter is called by the first line of the web application, before the rest of the application code. This unloads the server “hardware” as much as possible and reduces the amount of traffic sent to the bots.
    2. If the visitor falls under the filter conditions, we give the visitor a special stub page. On that page, we:
      • Report the reason for issuing a special page instead of the requested one
      • Set a special cookie in the user’s browser through JavaScript
      • Run JavaScript code that redirects to the source page
    3. If the visitor has the special cookie, the filter transparently passes the visitor to the requested page of the site.
    4. If the visitor’s IP address belongs to an autonomous system from the list of exceptions, the traffic is also transparently passed. This condition is necessary to exclude search engine bots from filtering.

    Project filter on github.com.
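
    One way to implement the four-item scheme above in PHP, as an added example rather than the code of the project on github.com. The cookie name, the HMAC token bound to the IP address and UTC day, and a CIDR list standing in for the exception list of autonomous systems are assumptions.

```php
<?php
// Added example, not the project's code. The cookie name, the secret, the
// token format and the CIDR exception list are assumptions for illustration.
const FILTER_COOKIE = 'ddos_filter_pass';           // hypothetical cookie name
const FILTER_SECRET = 'replace-with-random-secret'; // placeholder, keep server-side

/** Token tied to the client IP and the current UTC day, so it expires and is not shareable. */
function filter_token(string $ip, ?int $now = null): string
{
    return hash_hmac('sha256', $ip . '|' . gmdate('Y-m-d', $now ?? time()), FILTER_SECRET);
}

/** True if an IPv4 address lies inside a CIDR prefix such as 198.51.100.0/24 (64-bit PHP). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false; // not IPv4: never treated as an exception
    }
    $bits = max(0, min(32, (int) $bits));
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * Returns null when the request may proceed to the application, or the HTML
 * of the stop page that must be sent instead.
 */
function ddos_filter(string $ip, array $cookies, array $exceptPrefixes): ?string
{
    // Item 4: addresses in prefixes of excepted autonomous systems (search bots) pass.
    foreach ($exceptPrefixes as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return null;
        }
    }
    // Item 3: a browser that executed the stop page's JavaScript carries the cookie.
    $expected = filter_token($ip);
    $cookie = $cookies[FILTER_COOKIE] ?? '';
    if (is_string($cookie) && hash_equals($expected, $cookie)) {
        return null;
    }
    // Item 2: stop page with the reason, a cookie set by JavaScript and a reload
    // of the requested page. Nothing from the request is echoed into the markup.
    $cookieJs = json_encode(FILTER_COOKIE . '=' . $expected . '; path=/; max-age=86400; SameSite=Lax');
    return '<!DOCTYPE html><html><head><meta charset="utf-8"><title>Checking your browser</title></head>'
        . '<body><p>The site is under heavy load, so your browser is being checked. '
        . 'JavaScript and cookies must be enabled to continue.</p>'
        . '<script>if(navigator.cookieEnabled){document.cookie=' . $cookieJs
        . ';location.reload();}</script></body></html>';
}

// Item 1, wiring at the very first line of the application (shown as a comment
// so that this file also runs from the command line):
//   $stop = ddos_filter($_SERVER['REMOTE_ADDR'], $_COOKIE, $exceptPrefixes);
//   if ($stop !== null) { echo $stop; exit; }

// Constructed requests using documentation address ranges.
$exceptPrefixes = ['198.51.100.0/24']; // stands in for the prefixes of one excepted AS
$ip = '203.0.113.7';
$cases = [
    'no cookie'     => ddos_filter($ip, [], $exceptPrefixes),
    'valid cookie'  => ddos_filter($ip, [FILTER_COOKIE => filter_token($ip)], $exceptPrefixes),
    'copied cookie' => ddos_filter('203.0.113.99', [FILTER_COOKIE => filter_token($ip)], $exceptPrefixes),
    'excepted AS'   => ddos_filter('198.51.100.20', [], $exceptPrefixes),
];
foreach ($cases as $name => $result) {
    printf("%-14s %s\n", $name, $result === null ? 'pass' : 'stop page (' . strlen($result) . ' bytes)');
}
```

    The check only separates clients that execute JavaScript from those that do not, which is the premise of the scheme described above.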

    Synthetic tests of the filter

    We ran the ab utility from the Apache Foundation against the main page of the production site, having first removed the load from one of the nodes.

    Results with a disabled filter,

    ab -c 100 -n 1000 https://cleantalk.org/
    
    Total transferred: 27615000 bytes
    HTML transferred: 27148000 bytes
    Requests per second: 40.75 [#/sec] (mean)
    Time per request: 2454.211 [ms] (mean)
    Time per request: 24.542 [ms] (mean, across all concurrent requests)
    Transfer rate: 1098.84 [Kbytes/sec] received

    Now the same thing with the filter on,

    Total transferred: 2921000 bytes
    HTML transferred: 2783000 bytes
    Requests per second: 294.70 [#/sec] (mean)
    Time per request: 339.332 [ms] (mean)
    Time per request: 3.393 [ms] (mean, across all concurrent requests)
    Transfer rate: 840.63 [Kbytes/sec] received

    As you can see from the test results, enabling the filter allows the web server to process almost an order of magnitude more requests than without the filter. Naturally, we are talking only about requests from visitors without JavaScript support.

    Application of the filter in practice, the history of saving the site from one small DDoS attack

    Periodically, we face DDoS attacks on our own corporate site https://cleantalk.org. During the latest of these attacks, we applied the DDoS filter at the web application level.

    The start of the attack

    The attack started at 18:10 UTC+5 on January 18, 2018, with GET requests to the URL https://cleantalk.org/blacklists. An additional 1000-1200 kbit/second of incoming traffic appeared on the network interfaces of the front-end servers, i.e. each server received a load of 150 GET requests per second, which is 5 times higher than the nominal load. As a consequence, the load average of the front-end servers and database servers grew dramatically, and the site began to return error 502 due to the lack of free php-fpm processes.

    Attack analysis

    After spending some time studying the logs, it became clear that this was a DDoS attack, because:

    1. 5/6 requests were for the same URL.
    2. There was no clearly defined group of IP addresses creating a load on the URL from item 1.

    The CPUs of the front-end servers were loaded an order of magnitude higher than the surge load on network interfaces.

    Accordingly, it was decided to enable a filter of visitors to the site using the algorithm described above, additionally checking incoming traffic against our database of blacklists, thereby reducing the probability of issuing a stop page to legitimate visitors to the site.

    Enabling the filter

    After spending some more time preparing the filter, it was switched on at 19:15-19:20.

    After a few minutes, we got the first positive results: first the load average returned to normal, then the load on the network interfaces fell. A few hours later, the attack was repeated twice, but its consequences were almost invisible: the frontends worked without 502 errors.

    Conclusion

    As a result, by using the simplest JavaScript code, we solved the problem of filtering traffic from bots, thereby extinguishing the DDoS attack and returning the availability of the site to its regular state.

    Honestly, this bot filtering algorithm was not invented on the day of the attack described above. A few years ago, we added the SpamFireWall function to our Anti-Spam service. SpamFireWall is used by more than 10 thousand websites, and there is a separate article about it.

    SpamFireWall was developed primarily to deal with spam bots, but since the lists of spambots intersect with the lists of other bots used for questionable purposes, the use of SFW is quite effective, including for stopping small DDoS attacks on the site.

    About CleanTalk service

    CleanTalk is a cloud-based service for protecting websites from spambots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to opt out of methods of protection that require the user to prove that he is human (captcha, question-answer, etc.).

  • Validation of Email Addresses for Protection Against Spam Bots on the Website

    E-mail is still one of the most important and effective elements of online business and marketing and is the most effective channel for generating revenue. Therefore, for any online business or website owner, it is important to be sure that the address used for registration/subscription was entered by its owner, i.e. that the user gave his real email address.

    There are several important reasons for this.

    First, it matters for recovering a forgotten password. For example, a user who misspelled his email address and later uses the password recovery function cannot get a new password.

    Second, this user will not receive your email notifications.

    Third, a user whose email was used by a spammer for registration/subscription will mark your newsletter as spam. Further, spammers can use this email for sending spam, brute force, etc.

    Using such emails for marketing and other mailings carries certain risks for the owner of the site: it increases the risk of being added to DNSBLs and various blacklists, increases the likelihood of your other emails landing in the spam folder, and increases your budget costs for mailing to fake addresses or addresses whose owners have been compromised by spammers.

    To avoid or minimize these risks, the list of email addresses must be checked before sending.

    Recently, we started checking whether email addresses exist. The check uses the MX records of the domain of the email address and connects to the mail servers (via SMTP, simulating the sending of a message) to ensure that the mailbox exists for that user/address and can receive mail.

    This test solves several tasks at once, reducing the likelihood of letting spam through and allowing users to check the emails of their users. To test users, you can use the API method https://cleantalk.org/help/api-spam-check.

    An example of the result of the API response for https://cleantalk.org/blacklists?record=mattressfg%40gmail.com

    {
      "data": {
        "ma********@gm***.com": {
          "appears": 1,
          "frequency_time_10m": 0,
          "spam_rate": "1",
          "frequency": "8",
          "frequency_time_24h": 1,
          "updated": "2018-03-26 00:26:48",
          "exists": 0,
          "frequency_time_1h": 1
        }
      }
    }

    At the moment, we use this tool only to improve spam detection and check all email addresses that have had spam activity in the last 10 minutes. For checked addresses, a flag is set in the database, which is taken into account in the further spam filtering and API response.

    “exists”: “1” – exists

    “exists”: “0” – does not exist

    You can sum up the interim results; the percentage of non-existent email addresses in the spam mailing is 25.34%.

    We collect information about spam IP/email addresses from more than 237,000 websites. The email database contains more than 10,095,239 email addresses. Our immediate plans are to check all emails in the database and to scan all the email addresses that are processed by the service.

  • CleanTalk GDPR Compliance on Apr 29, 2018

    This document provides information about the law and our plans for implementing the GDPR’s important principles for CleanTalk’s services.

    All clients of the service represent controllers of any personal data that are being transferred to CleanTalk to offer proper functioning service. A Data Controller defines aims and means of personal data processing, while a Data Processor works with data on behalf of Data Controller. CleanTalk as a Data Processor will work with personal data on behalf of its clients in view of offering its service to the clients.

    Inform your clients about what data are being collected on your website and who processes them. Indicate this information in the terms of use of your website and/or in your privacy policy.

    Example:
    “By using this website, your IP address can be stored and processed for security reasons. Your IP address may be saved in the server log files, CMS log files, CleanTalk Anti-Spam & Security log files, Google Analytics, Google Adwords.
    Our website uses the 3rd parties services such as the CleanTalk Anti-Spam & Security, Google Analytics, Google Adwords. They can store and process your IP address.
    CleanTalk can use Cookies to manage access to the website by the CleanTalk SpamFireWall Function, to secure and to protect this website from spam.”

    You can add, remove or change this text as you wish.

    The moment a visitor sends POST request such as comment, registration or contact form submission, the CleanTalk Anti-Spam receives and processes the following personal data if they exist: IP address, e-mail, text and values of each filled form field. Therefore each website form should grant a visitor the ability to give permission to process and keep these data.

    Example:
    By pressing “Submit” I confirm and give permission to process my personal data.

    You can leave the link to the description of who and what data will be stored and processed. Example:
    When you submit this website form your personal data will be stored in this website such as your IP address, your e-mail, your text of the comment and data of website form fields. Also, for security reasons and to protect this website from spam, your data will be processed in the CleanTalk Cloud Service and they will be stored in log files for 7 or 45 days. On the expiry of the mentioned period, they will be deleted completely. CleanTalk may use information of spam activity of IP/email addresses to offer proper anti-spam protection to all websites connected to its service. It concerns exclusively those IP/email addresses that are being used for spam mailing.

    Personal Data Management

    At any moment you can delete information of any request via your CleanTalk Control Panel.

    You can choose how long the service should keep data: 7 or 45 days or do not keep approved requests at all.
    https://cleantalk.org/my/profile

    You also can exclude any website form fields from sending their data to the CleanTalk Anti-Spam or you can set a list of website pages for CleanTalk to ignore them completely.

    Can I add exclusions for some pages of my site?

    Can I not send my personal data to CleanTalk servers?

  • CleanTalk Malware Scanner — heuristic code analysis

    We have already talked about the launch of security service for WordPress in the previous article. Today we want to talk about the launch of heuristic analysis to detect malicious code.

    The very presence of malicious code can lead to a ban in search results or to a warning in the search results that the site is infected, which is shown to protect users from potentially dangerous content.

    You can find malicious code on your own, but it’s a lot of work and most WordPress users do not have the necessary skills to find and remove unnecessary lines of code.

    Often, the authors of malicious code disguise it, which makes it difficult to determine by its signatures. The malicious code itself can be located anywhere on the site, for example the obfuscated PHP-code in the logo.png file, and the code itself is called by one inconspicuous line in index.php. Therefore, the use of plugins to search for malicious code is preferable.

    On the first scan, CleanTalk scans all WordPress core files, plugins and themes. When rescanning, only those files that have changed since the last scan are scanned. This saves resources and increases scanning speed.

    How heuristic analysis works

    One of the main disadvantages of heuristic analysis is that it is quite slow, so we use it only when it is really necessary. First of all, we divide the source code into lexemes (the minimal language constructs) and remove everything unnecessary:

    1. Whitespace characters.
    2. Comments of all types.
    3. Non-PHP code (outside of the <?php ?> tags).

    Next, we recursively simplify the code until there are no “complex constructs” left:

    1. Concatenate strings.
    2. Substitute variables into variables.
    3. And others.

    Also, in the process of simplifying the code, we track the origin of the variables and much more.

    In the end, we get clean code that can be analyzed. It is very important that we get the code not in the form of a string, but in the form of lexemes. Thus, we know where a lexeme is a string with the text we are looking for, and where a lexeme is a function.

    When searching for “bad constructs” such as eval, this makes a difference for us:

    <?php echo 'eval("echo \"some\"")'; ?>

    In this case there is no T_EVAL lexeme; there is a T_CONSTANT_ENCAPSED_STRING lexeme 'eval("echo \"some\"")'.

    <?php eval('echo "some"'); ?>

    Here there is one, and this is the version we will find.

    We look for such constructs and group them by degree of criticality:

    Critical:

    • eval
    • include* and require*
      • with bad file extension
      • non-existent files (will be deleted in the next versions)
      • connecting deleted files

    Dangerous

    • system
    • passthru
    • proc_open
    • exec
    • include* and require*
      • with the error suppression operator (will be deleted in the next versions)
      • with variables depending on POST or GET.

    Suspicious

    • base64_encode
    • str_rot13
    • syslog

    And others.

    We are constantly improving this analysis: adding new constructions to search for, reducing the number of false alarms and optimizing the simplification of the code.

    We plan to teach it to detect and decode strings encoded in URL, BASE64 and other encodings.
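
    The difference between the two lexemes, and a part of the severity lists above, can be reproduced with PHP’s built-in tokenizer. This is an added example, not CleanTalk’s scanner; the functions lexemes() and scan() and the sample input are constructed for illustration.

```php
<?php
// Added example, not CleanTalk's scanner: a reduced lexeme scan on PHP's own
// tokenizer. The severity lists are the ones given in the article.
const CALLS = [
    'system' => 'dangerous', 'passthru' => 'dangerous', 'proc_open' => 'dangerous',
    'exec' => 'dangerous', 'base64_encode' => 'suspicious', 'str_rot13' => 'suspicious',
    'syslog' => 'suspicious',
];
const INCLUDES = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];

/** Lexemes as [id, text, line] without whitespace, comments and non-PHP text. */
function lexemes(string $source): array
{
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_INLINE_HTML, T_OPEN_TAG, T_CLOSE_TAG];
    $out = [];
    $line = 1;
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok)) {
            $line = $tok[2];
        } else {
            $tok = [null, $tok, $line]; // one-character lexemes arrive as plain strings
        }
        if (!in_array($tok[0], $skip, true)) {
            $out[] = $tok;
        }
    }
    return $out;
}

/** Returns findings as [severity, construct, line]. */
function scan(string $source): array
{
    $toks = lexemes($source);
    $found = [];
    foreach ($toks as $i => [$id, $text, $line]) {
        $prev = $toks[$i - 1] ?? [null, '', 0];
        $next = $toks[$i + 1] ?? [null, '', 0];
        if ($id === T_EVAL) {
            $found[] = ['critical', 'eval', $line];
        } elseif (in_array($id, INCLUDES, true)) {
            if ($prev[1] === '@') {
                $found[] = ['dangerous', "$text with error suppression", $line];
            }
            // The operand runs to the end of the statement. Only direct use of the
            // superglobals is detected here, not values derived from them.
            for ($j = $i + 1; isset($toks[$j]) && $toks[$j][1] !== ';'; $j++) {
                if ($toks[$j][0] === T_VARIABLE && in_array($toks[$j][1], ['$_GET', '$_POST'], true)) {
                    $found[] = ['dangerous', "$text depending on {$toks[$j][1]}", $line];
                    break;
                }
            }
        } else {
            // PHP 8 delivers \system as a single T_NAME_FULLY_QUALIFIED lexeme.
            $isName = $id === T_STRING || (is_int($id) && token_name($id) === 'T_NAME_FULLY_QUALIFIED');
            $name = strtolower(ltrim($text, '\\'));
            $isCall = $isName && $next[1] === '('
                && !in_array($prev[0], [T_FUNCTION, T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_NEW], true);
            if ($isCall && array_key_exists($name, CALLS)) {
                $found[] = [CALLS[$name], $name, $line];
            }
        }
    }
    return $found;
}

// Constructed sample; its first two lines are the article's own pair.
$sample = <<<'SAMPLE'
<?php echo 'eval("echo \"some\"")'; ?>
<?php eval('echo "some"'); ?>
<?php
// system('uptime'); in a comment never becomes a lexeme
$out = system($cmd);
$fn = 'exec';   // a function name inside a string is only a string lexeme
@include $dir . '/cache.php';
require $_GET['page'] . '.php';
SAMPLE;

foreach (scan($sample) as [$severity, $what, $line]) {
    printf("line %d: %-10s %s\n", $line, $severity, $what);
}
```

    Running it reports eval only for the second line of the pair, because in the first line the text sits inside a T_CONSTANT_ENCAPSED_STRING lexeme.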

    The plugin itself is available in the WordPress directory.

  • CleanTalk, the launch of WordPress security

    While developing the Anti-Spam service, we often encounter other issues related to the security of websites. The most common questions were about brute force attacks. In addition to problems with the selection of passwords for the administrator account, often brute force attacks cause a high load on the server, and users receive notification from the hosting about exceeding the allowed load values for the processor.

    We thought if we are receiving such requests, why don’t we solve them? Since tasks relate to security functions, the decision to launch a separate security service was obvious.

    At the moment, the Security service is developed only for WordPress. There are several reasons for this: it is in the greatest demand, a large number of websites use this particular CMS, and developing for several CMSs at once is complex.

    Despite the fact that anti-spam protection is a part of security, we decided to split these two services. There are several reasons for this:

    1. Complication of the plugin, which leads to increased errors, compatibility issues with other plugins/themes
    2. Promotion by search queries
    3. Easier development and independent release of updates
    4. The interface of the plugin is not complicated by a bunch of additional options that are not needed if the user uses only one function
    5. A separate management interface and logging in the control panel CleanTalk

    We decided to start with the implementation of protection against brute force attacks and further gradually expand the functionality.

    Protection from brute force attacks is implemented by adding delays between incorrect authorization attempts. A delay of 3 seconds is set for the first attempts and 10 seconds for subsequent ones. If there are 10 unsuccessful authorization attempts within an hour, the IP address is added to the FireWall database for 24 hours. This is enough to protect against hackers trying to find the password for your account, since the delays significantly increase the time between attempts, of which there can be tens or hundreds of thousands. All logs of access attempts are available in the weekly report and in the service control panel, which allows you to quickly add IP addresses to the FireWall blacklist. Protection against brute force attacks extends only to users with administrator rights.

    Traffic control – allows you to view information about visitors, such as:

    • IP
    • Country
    • Date/time of the last query
    • The number of allowed/blocked HTTP requests
    • Status-banned or allowed
    • The URL of the page visit
    • User Agent

    Another option in Traffic Control, “Block visitor if the number of requests is greater than”, blocks access to the site for any IP that exceeds the set number of HTTP requests per hour. The number of requests can be set in the settings; the default is 1000. If the limit is exceeded, the IP is added to the FireWall blacklist for 24 hours.

    This will help solve the problem of DoS attacks on the site when a large number of HTTP requests are sent to the site, because of which it stops responding or starts to work very slowly. This situation is possible because of a massive brute force attack.
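
    The two limits described above (failed logins and Traffic Control) share the same hourly window and 24-hour ban, which this added example models; it is not the plugin’s code. The HourlyCounter class, its in-memory storage and the cut-off of 3 “first attempts” are assumptions.

```php
<?php
// Added example, not the plugin's code. Limits are the article's; the class,
// its in-memory storage and the "first attempts" cut-off are assumptions.

final class HourlyCounter
{
    private const WINDOW = 3600;   // events are counted within one hour
    private const BAN_TTL = 86400; // a banned IP stays in the FireWall list for 24 hours

    /** @var array<string, int[]> event timestamps per IP */
    private $events = [];
    /** @var array<string, int> ban expiry per IP */
    private $bannedUntil = [];
    /** @var int number of events inside the window that triggers the ban */
    private $banAt;

    public function __construct(int $banAt)
    {
        $this->banAt = $banAt;
    }

    public function isBanned(string $ip, int $now): bool
    {
        return ($this->bannedUntil[$ip] ?? 0) > $now;
    }

    /** Record one event and return how many events fall inside the last hour. */
    public function hit(string $ip, int $now): int
    {
        $recent = [];
        foreach ($this->events[$ip] ?? [] as $t) {
            if ($t > $now - self::WINDOW) {
                $recent[] = $t; // older events drop out of the window
            }
        }
        $recent[] = $now;
        $this->events[$ip] = $recent;
        if (count($recent) >= $this->banAt) {
            $this->bannedUntil[$ip] = $now + self::BAN_TTL;
        }
        return count($recent);
    }
}

const FIRST_ATTEMPTS = 3; // assumption: the article does not say how many attempts are "first"

/** Delay in seconds before answering the n-th failed login within the hour. */
function login_delay(int $failuresInWindow): int
{
    return $failuresInWindow <= FIRST_ATTEMPTS ? 3 : 10;
}

// Constructed timeline: one documentation address failing a login every 30 seconds.
$logins = new HourlyCounter(10);    // 10 failed logins within an hour
$traffic = new HourlyCounter(1001); // more than 1000 HTTP requests within an hour
$ip = '203.0.113.7';
$start = 1700000000;

for ($n = 1; $n <= 10; $n++) {
    $now = $start + 30 * $n;
    $delay = login_delay($logins->hit($ip, $now));
    printf("failure %2d: delay %2ds, banned: %s\n", $n, $delay, $logins->isBanned($ip, $now) ? 'yes' : 'no');
}
printf("banned 23h after the ban: %s\n", $logins->isBanned($ip, $start + 300 + 23 * 3600) ? 'yes' : 'no');
printf("banned 25h after the ban: %s\n", $logins->isBanned($ip, $start + 300 + 25 * 3600) ? 'yes' : 'no');

for ($n = 1; $n <= 1001; $n++) {
    $traffic->hit($ip, $start + $n); // 1001 requests in about 17 minutes
}
printf("traffic control ban: %s\n", $traffic->isBanned($ip, $start + 1002) ? 'yes' : 'no');
```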

    Audit log – allows you to monitor the actions of users in the WordPress admin area and keeps a log of visits to pages with the date/time and length of stay. It lets you monitor the actions of administrators and detect unauthorized access and, in case of problems, understand where, by whom and what changes have been made.

    Malware Scanner – scans WordPress files, plugins and themes for malicious code and changes. If the changes in the files were made illegally, it allows you to restore the original files.

    Automatic scanning takes place every 24 hours, and you can also start it manually.

    Security FireWall – blocks access to the site for POST/GET requests by IP address. The base list of IP addresses for the FireWall is generated from the CleanTalk blacklist database: it includes IP addresses that have high spam activity or were seen in brute force attempts. You can also use your own blacklists, both for individual IP addresses/subnets and by country. Due to this, it is possible to reduce the load on the website or to block a DoS attack.

    Ready to release:

    • outbound link scanner
    • checking links against a database of domains that are promoted with spam
    • protection from XSS and SQL injections

    Development notes

    Everything was written from scratch, without peeking at other solutions. This was done deliberately, so as not to pick up other people’s mistakes and to develop our own vision for the application.

    Further development for other CMSs is planned, so it was decided to use a modular design, an object-oriented approach and everything like that. Of course, in the process we had to solve various problems that do not fit into this concept, and it did not go without workarounds.

    As a result, there are several classes that can be used on other CMSs (including self-written ones) without significant changes, using a couple of wrappers, for example for the database.

    We wrote our own Cron class that does not depend on WordPress Cron. After all, this is a security application and it should not rely on functionality that may or may not work, or which may interfere with the work of third-party developers.

    To implement heuristic code analysis, we have written our own code minimizer parser, which we will continue to develop. With it, you can track dangerous variables, functions and constructions. We are not sure whether other plugins/anti-viruses/applications use similar solutions (probably not), but these are the pros and cons of independent development; our approach may have turned out to be unique.

    Example of the “minimizer”:

    Source code:

    <?php
    	//$some = 'n'.'o'.'t'
    	$some = 's'.'o'.'m'.'e'; // String concatenation
    	$stuff = 'stuff';
    	
    	$first = 'first';
    	$func = 'func';
    	
    	$first_func = $some."$first$func"; // Variable replacement
    ?>
    $some = 'n'.'o'.'t';
    <?php
    	// Variable replacement
    	$i = 'i';
    	$c = 'c';
    	$o = 'o';
    	$co = $c.
    	// some obfuscating comment
    	$o;
    	$ico = $i/* some obfuscating comment */.$co;
    	
    	require($some.'_'.$stuff.'.'.$ico);
    	require($some.'_'.$stuff.'.php');
    	require($some.'_'.$stuff.'.p'.$ico);
    
    	$first_func();
    ?>
    

    Result:

    <?php $some='some';$stuff='stuff';$first='first';$func='func';$first_func='somefirstfunc';$i='i';$c='c';$o='o';$co='co';$ico='ico';require'some_stuff.ico';require'some_stuff.php';require'some_stuff.pico';somefirstfunc();?>
    

    In a more readable form:

    <?php 
    	$some='some';
    	$stuff='stuff';
    	$first='first';
    	$func='func';
    	$first_func='somefirstfunc';
    	$i='i';$c='c';$o='o';
    	$co='co';
    	$ico='ico';
    	require'some_stuff.ico';
    	require'some_stuff.php';
    	require'some_stuff.pico';
    	somefirstfunc();
    ?>
    

    Some things that it can do: perform concatenation, substitute variables, track the origin of variables (say, whether they use the unreliable $_POST and $_GET), track and check file inclusions (include, require) against various parameters, and much more. We can say that this is the basis on which further functionality will be added.
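
    A reduced version of such a minimizer, run on the article’s source sample, as an added example that is not CleanTalk’s parser. It handles only straight-line assignments, include/require and variable function calls; the helper names and the rule that any extension other than php is a bad one are assumptions.

```php
<?php
// Added example, not CleanTalk's minimizer: it folds string concatenation and
// substitutes variables for straight-line code only (no branches, loops, calls).
/** Value of a quoted string lexeme (double-quoted escapes are approximated). */
function unquote(string $lexeme): string
{
    $body = substr($lexeme, 1, -1);
    return $lexeme[0] === "'" ? strtr($body, ['\\\\' => '\\', "\\'" => "'"]) : stripcslashes($body);
}

/** Fold the expression at $toks[$i] up to ';'. Returns [value or null if not static, index of ';']. */
function fold(array $toks, int $i, array $vars): array
{
    $value = '';
    for (; isset($toks[$i]) && $toks[$i] !== [null, ';']; $i++) {
        [$id, $text] = $toks[$i];
        if ($id === null && in_array($text, ['.', '(', ')', '"'], true)) {
            continue; // concatenation, grouping, delimiters of "..."
        }
        if ($id === T_CONSTANT_ENCAPSED_STRING) {
            $part = unquote($text);
        } elseif ($id === T_ENCAPSED_AND_WHITESPACE) {
            $part = stripcslashes($text);  // literal text inside "..."
        } elseif ($id === T_VARIABLE) {
            $part = $vars[$text] ?? null;  // substitute a tracked value
        } else {
            $part = null;                  // call, array access, operator, ...
        }
        $value = ($value === null || $part === null) ? null : $value . $part;
    }
    return [$value, $i];
}

/** Returns the simplified statements, one string per statement. */
function minimize(string $source): array
{
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_INLINE_HTML, T_OPEN_TAG, T_CLOSE_TAG];
    $toks = [];
    foreach (token_get_all($source) as $t) {
        $t = is_array($t) ? [$t[0], $t[1]] : [null, $t];
        if (!in_array($t[0], $skip, true)) {
            $toks[] = $t;
        }
    }
    $vars = [];
    $out = [];
    for ($i = 0, $n = count($toks); $i < $n; $i++) {
        [$id, $text] = $toks[$i];
        $next = $toks[$i + 1] ?? null;
        if ($id === T_VARIABLE && $next === [null, '=']) {
            [$val, $i] = fold($toks, $i + 2, $vars);
            $vars[$text] = $val;  // null marks a value that is no longer known
            $out[] = $text . '=' . ($val === null ? '<dynamic>' : var_export($val, true)) . ';';
        } elseif (in_array($id, [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
            [$val, $i] = fold($toks, $i + 1, $vars);
            if ($val === null) {
                $out[] = "$text<dynamic>;  // operand not resolved";
            } else {
                // Assumption: any extension other than "php" counts as a bad one.
                $bad = strtolower(pathinfo($val, PATHINFO_EXTENSION)) !== 'php';
                $out[] = $text . var_export($val, true) . ';' . ($bad ? '  // critical: bad file extension' : '');
            }
        } elseif ($id === T_VARIABLE && $next === [null, '(']) {
            $out[] = ($vars[$text] ?? $text) . '();';  // variable function call, arguments omitted
        }
    }
    return $out;
}

// The article's source sample (blank lines removed).
$sample = <<<'SAMPLE'
<?php
    //$some = 'n'.'o'.'t'
    $some = 's'.'o'.'m'.'e'; // String concatenation
    $stuff = 'stuff';
    $first = 'first';
    $func = 'func';
    $first_func = $some."$first$func"; // Variable replacement
?>
$some = 'n'.'o'.'t';
<?php
    // Variable replacement
    $i = 'i';
    $c = 'c';
    $o = 'o';
    $co = $c.
    // some obfuscating comment
    $o;
    $ico = $i/* some obfuscating comment */.$co;
    require($some.'_'.$stuff.'.'.$ico);
    require($some.'_'.$stuff.'.php');
    require($some.'_'.$stuff.'.p'.$ico);
    $first_func();
?>
SAMPLE;
echo implode("\n", minimize($sample)), "\n";
```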

    I especially disliked supporting WPMS, because for each function I had to make exceptions depending on whether this is the main site, whether the user of the secondary site inherits the key from the main site or enters his own access key, whether the secondary site is allowed to activate plugins, and the like. Unfortunately, we had to remove part of the functionality for WPMS and secondary sites due to incompatibility.

    In general, it turned out to be an application that is beautiful in places from the point of view of the code, and we will develop it further.

    The plugin itself can be found in the directory.

  • Checking Outbound Links with CleanTalk Security

    Outbound links affect your SEO: when search engines crawl your web pages, the outbound links may be important for page ranking.

    We have added the option “Scan outbound links” in our WordPress Security Plugin.

    This option lets you know the number of outgoing links from your website and the websites they link to. All websites will be checked against our database, and the results will show whether they were used as links in spam messages. This allows you to check your website and find hidden links or spam links.

    Always remember that if you have links to other websites with a bad reputation, it can affect your visitors’ trust and your SEO.

    To launch External Links Check go to your WordPress admin panel -> Settings -> Security by CleanTalk -> General Settings and pick the Scan Links option. Next, go to the tab “Malware Scanner” and press the button “Perform Scan”.

    The first step of the scan searches for malware in WordPress files; the second step searches for links in your whole website, including theme files, posts and comments.

    The result of the scan is a list of every link you have. You can look through it, decide which links are unnecessary and delete them.