During a security assessment of the Upload Media By URL plugin for WordPress, a medium-severity vulnerability was uncovered in versions prior to 1.0.8. This vulnerability poses a significant risk to your website’s security and calls for immediate action! If exploited, it allows attackers to upload files containing malicious code to your WordPress site, exposing your users to harmful scripts and attacks.
Plugin testing and vulnerability detection in the Upload Media By URL plugin have been completed
July 10, 2023
I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
July 17, 2023
The author has eliminated the vulnerability and patched his plugin
August 2, 2023
Registered CVE-2023-3720
Discovery of the Vulnerability
During a security assessment of the Upload Media By URL plugin for WordPress, a medium-severity vulnerability was identified in versions prior to 1.0.8. The plugin lacked Cross-Site Request Forgery (CSRF) protection when handling file uploads, allowing attackers to trick logged-in administrators into uploading files on their behalf, including HTML files containing malicious JavaScript code that could execute when accessed by users with the unfiltered_html capability.
Understanding Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user to execute unwanted actions on a web application without their knowledge or consent. In this case, attackers can exploit the absence of CSRF protection in the Upload Media By URL plugin to create a crafted HTML file hosted on an external server. If a privileged user, such as an administrator, unknowingly accesses the external link, the malicious HTML file can trigger the upload of harmful files onto the WordPress system.
Exploiting the Cross-Site Request Forgery (CSRF) Vulnerability
By crafting a malicious HTML file that includes a CSRF payload, attackers can entice administrators with upload privileges to visit the external link. Once the link is accessed, the malicious file exploits the lack of CSRF protection in the plugin to perform unauthorized actions, effectively tricking the administrator into uploading harmful files to the WordPress site.
The CSRF vulnerability in the Upload Media By URL plugin poses severe risks to website administrators and users alike. Beyond the technical implications, it also serves as a potential tool for social engineering attacks. Real-world scenarios include:
Stored Cross-Site Scripting (XSS) Attacks: Attackers could upload HTML files containing embedded XSS payloads, compromising the security and privacy of users accessing the affected pages and potentially exposing sensitive data or credentials. In almost all cases, stored XSS is used to steal session cookies and thereby take over accounts.
Malware Distribution: Malicious files, such as infected scripts or executables, could be uploaded, leading to the dissemination of malware among website visitors or affecting the overall integrity of the website.
Unauthorized Content Injection: Attackers might use this vulnerability to inject unauthorized content into the website, damaging the site’s reputation, or defacing it with inappropriate or harmful materials.
Social Engineering Exploits: Since the plugin allows the upload of files, attackers could craft seemingly innocent files (e.g., images, documents) with misleading names or enticing content to lure unsuspecting users into downloading or opening the files, facilitating social engineering attacks.
Recommendations for Improved Security
To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:
Immediate Plugin Update: Website administrators should update the Upload Media By URL plugin to the latest version, which includes CSRF protection and patches this vulnerability.
Implement CSRF Protection: Plugin developers should include robust CSRF protection mechanisms when processing sensitive actions, such as file uploads, to prevent unauthorized access.
Regular Security Audits: Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
User Privilege Restriction: Implement strict access controls to ensure that users can only access information that they are authorized to view based on their roles and permissions.
User Awareness: Educate website administrators and users about the risks of sharing sensitive information and the importance of strong, unique passwords.
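The recommendation "Implement CSRF Protection" above is concrete enough to show in code. The following is an added example, not the Upload Media By URL plugin's own code: a hypothetical admin-ajax handler that fetches a file by URL into the media library, first in the unprotected shape the advisory describes and then hardened with a nonce, a capability check and an explicit file-type allow-list. The example_* function and action names, the nonce name and the chosen allow-list are assumptions; the WordPress functions and hooks are core ones.

```php
<?php
/*
 * Added example, not the Upload Media By URL plugin's own code. A hypothetical
 * admin-ajax handler that fetches a file by URL into the media library, shown
 * without CSRF protection and then hardened. The example_* names, the nonce
 * name and the allow-list are assumptions made for illustration.
 */

require_once ABSPATH . 'wp-admin/includes/file.php';
require_once ABSPATH . 'wp-admin/includes/media.php';
require_once ABSPATH . 'wp-admin/includes/image.php';

// Shared helper: download the URL to a temp file and register it as an attachment.
function example_sideload( $url, $allowed_mimes = null ) {
    $name = basename( (string) wp_parse_url( $url, PHP_URL_PATH ) );
    if ( null !== $allowed_mimes ) {
        // Explicit allow-list: text/html is deliberately absent, so an HTML file
        // cannot be stored even when the caller holds unfiltered_html (for which
        // get_allowed_mime_types() would otherwise permit htm|html).
        $type = wp_check_filetype( $name, $allowed_mimes );
        if ( empty( $type['type'] ) ) {
            return new WP_Error( 'example_type', 'file type not allowed' );
        }
    }
    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }
    $id = media_handle_sideload( array( 'name' => $name, 'tmp_name' => $tmp ), 0 );
    if ( is_wp_error( $id ) ) {
        @unlink( $tmp ); // the temp file is only cleaned up on success
    }
    return $id;
}

/* BEFORE: every request that reaches this action is honoured. A logged-in
 * administrator who loads an attacker-controlled page can be made to submit
 * it, and because an admin has unfiltered_html, .html is an allowed type. */
function example_upload_by_url_vulnerable() {
    $url = isset( $_POST['media_url'] ) ? esc_url_raw( wp_unslash( $_POST['media_url'] ) ) : '';
    $id  = example_sideload( $url ); // no nonce, no capability check, default MIME list
    is_wp_error( $id ) ? wp_send_json_error( $id->get_error_message() ) : wp_send_json_success( $id );
}

/* AFTER: the submitting form must carry a nonce produced by
 * wp_nonce_field( 'example_upload_by_url', 'example_nonce' ). */
function example_upload_by_url_hardened() {
    // 1. CSRF: the nonce is tied to the logged-in user, the action name and a
    //    time window; a cross-site page cannot read it. Dies with 403 on failure.
    check_ajax_referer( 'example_upload_by_url', 'example_nonce' );

    // 2. Authorisation: being logged in is not the same as being allowed to upload.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input: only http(s) URLs, and only a narrow set of file types.
    $url = isset( $_POST['media_url'] ) ? esc_url_raw( wp_unslash( $_POST['media_url'] ) ) : '';
    if ( '' === $url || ! in_array( wp_parse_url( $url, PHP_URL_SCHEME ), array( 'http', 'https' ), true ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
        'pdf'          => 'application/pdf',
    );

    $id = example_sideload( $url, $allowed );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( $id->get_error_message(), 400 );
    }
    wp_send_json_success( $id );
}
add_action( 'wp_ajax_example_upload_by_url', 'example_upload_by_url_hardened' );
```

The nonce alone closes the CSRF hole, because a page on another origin cannot obtain a value bound to the victim's session. The capability check and the allow-list are the layers that limit damage if a nonce ever leaks: they ensure that even a legitimate request from an administrator cannot place an HTML document, which WordPress would serve with a text/html content type, into the uploads directory.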
By addressing the CSRF vulnerability in the Upload Media By URL plugin and implementing these security recommendations, website owners can significantly reduce the likelihood of security breaches, protect their site’s integrity, and safeguard against social engineering exploits.
Dmitrii i.
Protection against brute-force attacks is essential to prevent unauthorized access to systems and accounts. A brute-force attack is a method in which attackers sequentially try all possible password combinations for an account and sometimes gain access to the system. The CleanTalk plugin has the following options:
1.1. Number of unsuccessful authorizations before blocking occurs.
1.2. Lockout time of the visitor, which is the time period enforced between login attempts.
1.3. Time period the IP will be blocked for when the limit of unsuccessful authorizations is reached.
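To make the three settings concrete, here is an added example, not CleanTalk's code: a minimal login rate limiter written as a WordPress must-use plugin on top of transients. It implements an attempt limit, a delay between attempts and a block period, and clears its counters on a successful login. The example_* names, the constant values and the use of REMOTE_ADDR are assumptions; the hooks are WordPress core hooks.

```php
<?php
/*
 * Added example, not CleanTalk's code: a minimal login rate limiter built on
 * WordPress transients that implements the three settings listed above
 * (attempt limit, delay between attempts, block period). The example_* names
 * and the chosen values are assumptions.
 */

const EXAMPLE_MAX_FAILURES  = 5;    // 1.1: failed logins before a block
const EXAMPLE_RETRY_DELAY   = 10;   // 1.2: seconds enforced between attempts
const EXAMPLE_BLOCK_SECONDS = 900;  // 1.3: how long the IP stays blocked

function example_client_ip() {
    // REMOTE_ADDR is the only address the web server itself vouches for. Only
    // trust X-Forwarded-For if a reverse proxy you control overwrites it.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_key( $ip, $suffix ) {
    return 'example_bf_' . md5( $ip ) . '_' . $suffix;
}

// Core fires wp_login_failed after every rejected password, for existing and
// non-existing usernames alike, so both count towards the limit.
function example_record_failure( $username ) {
    $ip    = example_client_ip();
    $count = (int) get_transient( example_key( $ip, 'count' ) ) + 1;
    set_transient( example_key( $ip, 'count' ), $count, EXAMPLE_BLOCK_SECONDS );
    set_transient( example_key( $ip, 'last' ), time(), EXAMPLE_BLOCK_SECONDS );
    if ( $count >= EXAMPLE_MAX_FAILURES ) {
        set_transient( example_key( $ip, 'blocked' ), time(), EXAMPLE_BLOCK_SECONDS );
        error_log( sprintf( 'example: blocked %s after %d failed logins (last username tried: %s)', $ip, $count, $username ) );
    }
}
add_action( 'wp_login_failed', 'example_record_failure' );

// wp_authenticate_user runs after the username was resolved but before the
// password hash is checked. Returning a WP_Error here skips the expensive
// hash comparison entirely, which is the point of the "lockout" setting.
function example_gate_login( $user, $password ) {
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    $ip = example_client_ip();
    if ( get_transient( example_key( $ip, 'blocked' ) ) ) {
        return new WP_Error( 'example_blocked', 'Too many failed logins. Try again later.' );
    }
    $last = (int) get_transient( example_key( $ip, 'last' ) );
    if ( $last && ( time() - $last ) < EXAMPLE_RETRY_DELAY ) {
        return new WP_Error( 'example_slow_down', 'Please wait before trying again.' );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'example_gate_login', 10, 2 );

// A successful login proves the visitor knows the password; reset the counters
// so a legitimate user who mistyped a few times is not locked out afterwards.
function example_clear_on_success( $user_login, $user ) {
    $ip = example_client_ip();
    foreach ( array( 'count', 'last', 'blocked' ) as $suffix ) {
        delete_transient( example_key( $ip, $suffix ) );
    }
}
add_action( 'wp_login', 'example_clear_on_success', 10, 2 );
```

Two limitations worth knowing before relying on something this small: transients live in the options table (or the object cache), so a distributed attack from many addresses is not slowed down by a per-IP counter, and behind a CDN or load balancer REMOTE_ADDR is the proxy's address, so the limiter would block every visitor at once unless the real client address is recovered from a trusted header.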
User Actions Log is designed to track user actions in the WordPress Dashboard and ensure security. It allows you to record and display user actions in real time, to see which pages of the website backend and at what time they were visited. This tool is useful for detecting and preventing hacking attempts, unauthorized access, and other suspicious activities on the website.
Security Firewall is designed to block access to the site under certain conditions:
3.1. The CleanTalk Database of Dangerous IP Addresses is used to block access to the site for IP addresses that have already participated in hacking attempts on other sites.
3.2. Your Personal Lists of IP Addresses are used to block access to the site. You can add custom IP addresses, networks, and countries in your CleanTalk Dashboard. Visitors blocked by the Security FireWall will not be able to pass it and reach your site.
Security Report provides a summary of how the plugin works on your websites. The report is sent once a week to your email address and provides the following statistics:
4.1. Blocked requests in Security FireWall
4.2. Number of brute-force attempts
4.3. Successful admin logins
4.4. Malware scanner statistics
The option “Notifications of administrator users authorizations” sends you a notification by email every time you successfully log in with an administrator account. This allows you to quickly receive information about unauthorized users.
The Real-Time Traffic Monitor feature provides you with real-time traffic information on your website. It helps you track visitors’ activity and detect potentially malicious traffic: password cracking attempts, SQL injections, DDoS attacks, and other threats.
The feature also allows you to see bots activity on your site. Bots can have different intentions, but it’s important to be able to distinguish real users from automated bots. You can view the list of bots and take action to block unwanted activity. You can see data such as IP address, location, country, and other information that will help determine if a visitor is a suspicious or unwanted bot. It will also help you make the appropriate security settings.
The feature works in real time, meaning you can see the activity immediately, without a delay. You can view the current users on the site, as well as which pages or sections of the site are currently being viewed.
Malware Scanner is one of the features of the CleanTalk Security Plugin for WordPress that is designed to detect and remove malicious code on your website. The plugin scans your site automatically once a day, and you receive up-to-date information about your site’s cleanness. You can choose the interval for the automatic site scan: every 12 hours, 24 hours, 3 days, 7 days, 14 days, or 30 days.
The Malware Scanner feature analyzes all files on your site, including the WordPress core files, themes and plugins. It looks for vulnerabilities, malicious scripts, and other suspicious elements that may be related to malicious code.
When Malware Scanner detects malware or suspicious files, it alerts you instantly via email. You will receive a detailed report of the found threats, including the file names. This will help you quickly respond and take necessary actions to remove malware.
Automatic Malicious Code Removal: The CleanTalk Security Plugin for WordPress provides this feature to automatically remove malicious code. If there is a known signature for the detected malicious code, the file will be disinfected automatically.
The option “Collect and send PHP log” allows you to automate the process of checking your PHP logs for errors that occur while your site is running. Some errors appear only for a short time and only when one specific function is running, so they cannot be reproduced in other circumstances and are hard to catch. The CleanTalk Scanner checks your website backend once per hour, and error statistics are available in your CleanTalk Dashboard.
2FA: WordPress Two-Factor Authentication is a tool to provide an additional level of security for the website administrator account. The main purpose of 2FA is to protect user accounts from unauthorized access, even if an attacker knows the user’s password. When a user enters their password to log into their WordPress account, 2FA requires them to provide a second authentication code. The code is being sent to the WordPress account email address.
The CleanTalk Security plugin allows administrators to set up 2FA for various user roles, so they can require 2FA for certain groups of users.
The option “Custom WP-Login URL” in the CleanTalk Security Plugin for WordPress allows you to change the default login URL of your WordPress Dashboard (wp-login.php). This is useful for several reasons:
• Protection against brute-force attacks: Changing the login URL of the admin panel makes it less predictable and harder for attackers to determine. Most brute-force scripts and bots look for the standard URL, so using a custom URL improves security.
• Hiding the fact that WordPress is being used: Many hackers and attackers specifically look for sites built on WordPress in order to gain access to them. Changing the login URL makes your site less vulnerable to attacks that work by the principle “Default WordPress Login URL Search”.
• Convenience: If you use a custom login URL, it may be more memorable and convenient for you. You can choose a URL that is easy to remember or related to your brand.
• Prevent spam and DDoS attacks: Changing your login URL can help you prevent spam bots and DDoS attacks that often target the standard URL. This can significantly reduce the amount of unwanted activity and improve the performance of your site.
The option “Prevent collecting of authors’ logins” in the CleanTalk Security Plugin for WordPress is an additional tool to protect your site from malicious attacks and unauthorized access.
One of the most common ways of attacking websites is by attempting to hijack the accounts of the administrator or content authors. A hacker can use various methods to gain access to usernames and passwords and use them for malicious purposes such as injecting malicious code, modifying website content, and even stealing user data.
The option in the CleanTalk Security Plugin can greatly reduce the risk of such attacks. This feature allows you to hide the names of your authors (logins) from public view on the site, storing them in the database for administrative access only.
Firstly, it will prevent attackers from accessing authors’ data, which will significantly complicate the hacking process. Secondly, the site will look more secure and inaccessible to hackers. Thirdly, using this option reduces the likelihood of data leakage and privacy violations.
The option “Disable XML-RPC” in the CleanTalk Security Plugin is an important step to increase security and prevent potential attacks on your site.
XML-RPC is a protocol that allows you to remotely interact with your WordPress site. It was created to facilitate data transfer and information exchange with other platforms. However, due to several vulnerabilities, XML-RPC can become an entry point for hackers.
One of the main reasons for disabling XML-RPC is the possibility of an attack called brute-force. This attack involves attempts to forcefully input different random passwords for administrative accounts in a rapid succession. XML-RPC, by its very nature, allows attackers to carry out such attacks because it allows iterative validation of multiple passwords without restrictions. Disabling XML-RPC greatly reduces the risk of such attacks and prevents unauthorized access to your site.
In addition, XML-RPC can also be used to carry out DDoS (Distributed Denial of Service) attacks. Attackers can use XML-RPC to send a large number of requests to your site at the same time, which can lead to server overload and temporary site denial of service. Disabling XML-RPC protects your site from such attacks and helps keep it running for your visitors.
Disabling XML-RPC in WordPress is quite simple. You can do this with the CleanTalk Security Plugin and enable the option “Disable XML-RPC”. It is recommended to disable XML-RPC unless you are using it to communicate with other platforms or services.
The option “Disable REST API for non-authenticated users” restricts the WordPress REST API. The REST API is a set of programming interfaces that allow you to interact with your WordPress site and access its data and functionality. However, the REST API can become an entry point for attackers if this option is not enabled. Examples of what it exposes: getting a list of all posts, creating a new post or updating an existing one, deleting a post, and getting or creating users and comments.
Disabling the REST API for unauthenticated users has several benefits. First, it reduces the risk of an attack on your site. If an attacker gains access to the REST API, they can use this opportunity to obtain sensitive data, change site content, or perform other unwanted actions. Disabling the REST API for unauthenticated users helps in preventing these potential attacks.
Second, disabling the REST API for unauthenticated users helps improve the performance of your site. The REST API can put a load on the server, especially when trying to process many requests from unauthenticated users. Disabling this feature for these users reduces the server load and speeds up your site response.
Enabling the option “Disable REST API for non-authenticated users” in the CleanTalk Security Plugin is very simple. Just activate this option in the plugin settings and save the changes. It is important to note that this option will not affect authenticated users, and they will be able to continue using the REST API without any issues. If you only use the WordPress Dashboard to work with the site and want to increase the security level of your resource, then it is recommended to disable the WP REST API.
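The two options described above, “Disable XML-RPC” and “Disable REST API for non-authenticated users”, can also be written by hand. What follows is an added example, not CleanTalk's code, in the form of a must-use plugin; the example_* function names are assumptions, while the filters are WordPress core filters. It shows one detail a practitioner should know: the xmlrpc_enabled filter only covers methods that need credentials, so the pingback methods used for amplification need removing separately.

```php
<?php
/*
 * Added example, not CleanTalk's code: hand-written equivalents of the
 * "Disable XML-RPC" and "Disable REST API for non-authenticated users"
 * options, as a must-use plugin. The example_* names are assumptions.
 */

// --- XML-RPC -------------------------------------------------------------

// Core consults this filter only for methods that require authentication
// (the ones usable for password guessing). On its own it leaves credential-
// free methods such as pingback.ping reachable.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the pingback methods too; they need no credentials and are the ones
// abused to make a site send requests at a third party.
function example_drop_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_drop_pingback_methods' );

// Stop advertising the endpoint in the X-Pingback header of every response.
function example_drop_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_drop_pingback_header' );

// --- REST API ------------------------------------------------------------

// Refuse REST requests that carry no authenticated session. Priority 101
// places this after core's rest_cookie_check_errors() (priority 100), which
// downgrades a cookie session without a valid "wp_rest" nonce to anonymous;
// checking earlier would wrongly admit such requests.
function example_rest_require_login( $result ) {
    if ( is_wp_error( $result ) ) {
        return $result; // an earlier callback already refused the request
    }
    if ( is_user_logged_in() ) {
        return $result;
    }
    return new WP_Error(
        'rest_not_logged_in',
        'REST API requests require authentication on this site.',
        array( 'status' => 401 )
    );
}
add_filter( 'rest_authentication_errors', 'example_rest_require_login', 101 );
```

Before enabling the REST restriction on a live site, check which front-end features call the API anonymously: contact-form plugins, comment submission via the block editor's comment form, and oEmbed discovery all use /wp-json/ without a session and will stop working. The dashboard and the block editor are unaffected because they send the REST nonce with every request.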
The option “Forbid to show your website in <iframe> tags on third-party websites” in CleanTalk Security prevents your site from being embedded in an <iframe> on other websites. An <iframe> is an HTML element that allows you to embed one web page inside another. Technically speaking, <iframe> can be used to display your site on other third-party sites while still maintaining visual and functional content. However, this can also lead to security risks and undesirable consequences.
This has several advantages. First, it protects your site from potential fraudulent activities. Some attackers may embed your website in an iframe to fraudulently collect personal information from your visitors or for other malicious purposes. Forbidding the <iframe> removes this possibility and protects your users.
Second, opting out of showing your site in an <iframe> on third-party websites helps you control content and prevent copyright loss. If your site is embedded in another website’s <iframe> without your consent, this may result in improper display and control of your content. Disabling <iframe> allows you to retain full control over how and where your site is displayed.
Enabling the option “Forbid to show your website in <iframe> tags on third-party websites” in the CleanTalk Security Plugin is very simple. It is enough to activate this option in the plugin settings, and your site will be protected from embedding in <iframe> tags on third-party websites.
The option “Add these headers to the HTTP responses on the public pages: X-Content-Type-Options, X-XSS-Protection” in CleanTalk Security allows you to add the X-Content-Type-Options and X-XSS-Protection security headers to the HTTP responses on your site’s public pages. These headers tell browsers how to process the content of the page and prevent possible XSS-based attacks and malware downloads.
XSS (cross-site scripting) and drive-by download attacks are among the most common and dangerous threats in the online environment. XSS attacks can allow attackers to inject and execute malicious code on your site, while drive-by download attacks attempt to download and install malicious software without the admin’s knowledge.
The X-Content-Type-Options header tells the browser that page content should only be processed according to the specified MIME type (Multipurpose Internet Mail Extensions). This helps prevent possible attacks based on the content type and provides an additional layer of protection.
The X-XSS-Protection header is designed to protect against XSS (cross-site scripting) attacks. It includes built-in protection mechanisms in the browser that allow you to detect and block attempts to execute malicious scripts in a timely manner. Enabling the option “Add these headers to the HTTP responses on the public pages: X-Content-Type-Options, X-XSS-Protection” in the CleanTalk Security Plugin is very simple. Just enable this option in the plugin settings and headers will be automatically added to the HTTP responses on public pages of your site.
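The anti-framing option and the two headers above all come down to a few response headers. The following is an added example, not CleanTalk's code, of sending them from a must-use plugin through the wp_headers filter, together with the standard-track equivalents a practitioner would add next to them; the function name is an assumption. One caveat the text does not mention: current Chromium-based browsers removed their XSS auditor in 2019 and Firefox never had one, so X-XSS-Protection is ignored by most visitors today and only a Content-Security-Policy actually limits injected script.

```php
<?php
/*
 * Added example, not CleanTalk's code: response headers for public pages,
 * covering the "forbid <iframe>" option and the X-Content-Type-Options /
 * X-XSS-Protection option, plus their modern equivalents. The function
 * name is an assumption. wp_headers fires for front-end requests handled
 * by WP::send_headers(); the dashboard sets its own headers.
 */
function example_security_headers( $headers ) {
    // Forbid embedding on other origins. X-Frame-Options is the legacy header;
    // the CSP frame-ancestors directive is the standard replacement and wins
    // in browsers that understand both. 'self' allows your own pages to
    // frame each other, which is what "third-party websites" implies.
    $headers['X-Frame-Options']         = 'SAMEORIGIN';
    $headers['Content-Security-Policy'] = "frame-ancestors 'self'";

    // Make the browser trust the declared Content-Type instead of sniffing the
    // body, so a file served as text/plain or image/* is never run as HTML.
    $headers['X-Content-Type-Options'] = 'nosniff';

    // Legacy XSS auditor switch for browsers that still implement it.
    // Modern browsers ignore this header; a script-src CSP is the real control.
    $headers['X-XSS-Protection'] = '1; mode=block';

    return $headers;
}
add_filter( 'wp_headers', 'example_security_headers' );
```

A quick way to confirm the headers are actually reaching visitors, since caches and CDNs sometimes strip or override them, is to fetch a public page with curl -I and look for the four names in the response. If a page caching plugin serves static HTML before WordPress loads, the headers have to be added at the web server instead, because the wp_headers filter never runs for those responses.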
In this article we have tried to tell you about the main and most useful options of the CleanTalk Security Plugin for WordPress. You can install the plugin from the official WordPress directory here: https://wordpress.org/plugins/security-malware-firewall
If you have any questions about the CleanTalk Security Plugin functions, feel free to ask them in the comments and we will be happy to assist you.
One of the most important things about protecting your website from hackers is understanding that configuring your site’s security settings once is not enough. Taking care of your website’s protection is a permanent process, like advertising or helping your clients with their issues.
Security tools for your website become stronger and more progressive every day but so do hacking technologies. The most simple way to find out if your site is in danger is to proceed through a complete WordPress security audit and figure out if your security measures are up-to-date.
If you do not go through a regular WordPress security audit every 3 months, this may lead to a breach of site security, and your business can suffer a lot of damage.
But this risk can be avoided – just check if your security measures are up-to-date. In this instruction we will describe how to do a complete WordPress security audit to fully protect your website from hackers using standard security tools.
Sometimes security issues are caused by a missing security patch or update, a plugin vulnerability, or a flaw in WordPress core that may result in a hack. Actually, only about 36% of users run up-to-date WordPress versions.
What is a WordPress Security Audit?
A WordPress security audit is a regular procedure that will inspect your website for different security vulnerabilities like weak admin passwords and outdated plugins. This audit also offers some steps for fixing these potential dangers.
Some website owners know how to perform a WordPress security audit but see it only as a one-time thing – it is a very popular mistake that may result in a threat to your site’s security. So it is highly recommended to perform the security audit of your WordPress site regularly to avoid hacker attacks and keep your website safe.
Without regular security audits your website becomes much more vulnerable to hacker attacks. You can use special WordPress plugins to automatically analyze your site and find security breaches for you. But most security audits are performed manually by following 8 steps. Read on to find out how to perform a WordPress security audit and fully protect your website from attacks.
Why do you need a WordPress Security Audit?
Actually there is no magic about the main reasons to perform a WordPress security audit. If you are a website owner and you don’t look after its security, it is no surprise that it is vulnerable and can be hacked. This leads to an easy conclusion: a security audit is necessary to find security breaches and vulnerabilities in your site before they become a problem. Without this procedure, hackers may detect these vulnerabilities before you do, and then they can:
Hack your website;
Sell your data and your clients’ data on the dark web;
Inject spam into your WordPress site pages, which will lead the website onto search engine blacklists;
Steal credit card info from your WordPress site, which may result in lawsuits and hefty fines against you;
Use your website to infect other users;
Many other bad things.
How to perform a complete WordPress security audit
1. Estimate the efficiency of your Security plugin
It all starts with your website’s security plugin. If you still don’t use one, be sure to install and activate it on your site as soon as possible. A security plugin protects WordPress sites from bots and hackers. Different security plugins offer various options to protect your site, and not all of them guarantee safe operation of your website. When you choose a plugin during a WordPress Security Audit, be sure it includes the following features:
Brute-force Protection: Adds a delay of a few seconds after any failed attempt to log in to the WordPress back-end. It makes your website security tougher and doesn’t waste the server’s resources on these IPs.
Daily Security Report: Every day the plugin sends a Security report to your email. The report provides data on the number of incorrect password entries and the IP addresses from which they tried to sign in.
Login Attempts and Password Searching Log: The Security log keeps an online log of login attempts. It includes IP / Country / date / time, the username, and the action result, that is, whether authorization succeeded or failed.
User Actions Log: Keeps track of actions in the WP Dashboard to let you know what is happening on your site. With the Security Audit Log it is very easy to see user activity in order to understand what changes have been made and who made them. The Security Audit Log shows who logged in, when, and how much time they spent on each page.
Security FireWall: This option may significantly reduce the risk of hacking and reduces the load on your web server. Always use a personal BlackList to block IP addresses with suspicious activity to enhance WordPress security. It also allows you to block access to your website over HTTP/HTTPS for individual IP addresses, IP networks, and e-mails.
Compatibility: It should be compatible with the most popular VPN services and search engines such as Google, Bing, Yahoo, Baidu, MSN, Yandex, etc.
Malware Scan: Scans WordPress files for hacked files or hacker code. Every day the Malware Scanner automatically scans files that have changed since the last scan, as well as newly added files. The scanner works in the background and doesn’t affect performance. All detailed results are sent to your Security Dashboard so you can investigate them and see whether those were legitimate changes or malicious code was injected. If any files in your WordPress system were changed, you will be able to delete them or restore the original WordPress files.
We recommend using CleanTalk as it covers all these features. It has one of the best malware scanners that can detect any kind of malware. And more of that, you can clean up any malware infection in under a few minutes!
2. Give a test to the WordPress backup solution
In case something goes wrong with your website, having a backup may be very useful. You may get your site back to work with no problem. Any fail in a backup process may be critical and may cause a lot of trouble restoring your website.
That is the main reason you need to give a regular test for your site backup solution. Even if you use host backup it may not always include any test options.
So we recommend some actions to test your backup:
Go to your WordPress plugins page and install the BlogVault backup plugin. This plugin automatically initializes a complete backup procedure for your site. If it is the first backup it may take a bit more time, as it will copy the whole site to its servers. After that, every backup will copy only the files that were changed since the previous backup.
After completing the backup, the option “Test Restore” will appear in the BlogVault dashboard.
After it is done the system will notify you about a successful restore.
3. Analyze your administrator setup
WordPress has a smart system of user access options that lets users collaborate and work together, making both themselves and WordPress maintenance and development more efficient. However, not all WordPress users need complete access to your website. For example, a person who writes news, articles, and other materials only needs access to writing and publishing content. They don’t need access to other website options like managing plugins and changing WordPress themes.
In order to avoid giving complete access to every website user WordPress has 6 different user roles that can be assigned to them:
Super Admin
Administrator
Editor
Author
Contributor
Subscriber
Each role has different levels of permissions for your website.
While providing your WordPress Security Audit one of the first things you should do is to check all of the users who are added to your WordPress.
Be sure to recognize all of the users on your dashboard. If you don’t recognize any of them – you should immediately delete this user because it may be created by hackers.
Check the number of users who have admin access to your site.
Decide how many of them really need that access level.
Change roles for users and lower permissions for those who don’t need that access level.
After that ensure that none of your website administrators uses the “admin” username. This is the most popular username for all of the administrators. Hackers know about this and may obviously try to use it to get access to your website.
If you decide to change the admin name you have to create another user account for that person. After that, you have to grant all the content access to this new user. And finally, just delete the old admin account.
Another important thing for you to protect your admin setup from hackers is hiding your admin’s username. If you leave settings unchanged it may cause some troubles.
All of the hackers know that the only thing that should be done to retrieve your most likely admin username is to add ?author=1 at the end of your URL. It is how easily hackers can brute force a website’s admin panel after they know the admin’s username.
The easiest way to avoid it is to hide all usernames with code in functions.php file:
add_action( 'template_redirect', 'bwp_template_redirect', 1 ); // priority 1: run before redirect_canonical() (priority 10), which would otherwise 301 ?author=1 to /author/<login>/ and reveal the name
function bwp_template_redirect()
{
    // Author archives expose login names in their URLs; send visitors to the home page instead.
    if ( is_author() )
    {
        wp_redirect( home_url() ); exit;
    }
}
If you use the CleanTalk Security plugin it already has a special field that automatically hides all of the usernames on your site.
This may seem a very easy step but it also makes a hacker’s work more difficult.
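The functions.php snippet above covers the author-archive path, but WordPress reveals login names on other paths as well. The following is an added example, not CleanTalk's code, of closing the two most common ones from a must-use plugin: the REST users endpoint and the login form's error messages. The example_* function names are assumptions; the filters are WordPress core filters.

```php
<?php
/*
 * Added example, not CleanTalk's code: closes two further username-disclosure
 * channels beyond the author archive. The example_* names are assumptions.
 */

// 1. /wp-json/wp/v2/users lists every user who has published content, and the
//    "slug" field equals the login name. Remove the route for visitors. The
//    rest_endpoints filter runs after REST authentication, so by this point
//    is_user_logged_in() reflects a cookie session with a valid REST nonce.
function example_hide_users_route( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'example_hide_users_route' );

// 2. The default login page distinguishes "unknown username" from "incorrect
//    password", which confirms which usernames exist. Replace every error
//    shown on wp-login.php with one generic message. (The filter also covers
//    messages such as "empty password", which is acceptable here.)
function example_generic_login_error( $errors ) {
    return 'Login failed. Please check your credentials and try again.';
}
add_filter( 'login_errors', 'example_generic_login_error' );
```

Usernames still leak through any place the author's slug is rendered, such as the author link on posts and the oEmbed response for a post, so treat hiding them as a speed bump that raises the cost of a password-guessing campaign, not as a substitute for strong passwords, rate limiting and two-factor authentication.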
4. Remove unused plugins installed and active
WordPress plugins are one of the most vulnerable places on your website. They may be the main reason for your site to be hacked.
WordPress plugins are created, maintained, and updated by their developers. But like any other software, these plugins may have vulnerabilities. So developers fix these vulnerabilities and release updates. Installing the update removes the vulnerability from your website.
But in case you skip or delay downloading the newest update your site may remain vulnerable.
Do you still use these plugins? While performing a complete WordPress Security Audit check the list of plugins that are installed in your WordPress. In case you already don’t use them, they still have access to your website. So, at first, delete the plugins that you don’t use. It should reduce the chance of being hacked using one of them.
Do you recognize all of the plugins? In case you and your colleagues do not recognize some of your plugins it would be better to delete them. It is because when hackers break into your site they may install their own plugins that can cause even more damage as they contain backdoors which actually is a secret access to your website.
Do you have any nulled or pirated plugins? If yes, then you should delete them at once. Hackers often use pirated software to spread their malware. Such plugins may contain any amount of malware, and it may infect your website the moment you install the plugin.
Once only the plugins you actually use are left, be sure to update them as soon as developers release updates.
5. Remove any additional themes for WordPress that are Installed
A complete WordPress Security Audit is also about themes. It is no surprise that WordPress site owners install different themes in order to find the ones they like. The favorite theme is used, but the others are often left installed. And most of these users don’t know that, just like plugins, themes may contain vulnerabilities.
Our recommendation is to delete all the themes except the one you already use. Also, be sure you use the most up-to-date version available of your active theme.
6. Estimate the provider of your hosting and current tariff
Nowadays you can create a website without serious money investment. Shared hosting offers cheaper plans for small WordPress sites. Hosting is also an important part of a proper WordPress Security Audit.
But everything has its pros and cons. Shared hosting means that you share a server with other users and sites. You cannot see what happens with the other websites on your hosting. If someone else’s website is hacked, it may consume a large amount of the server’s resources. This may obviously slow down your website and lower its performance.
There is also a slight chance that a malware infection will spread to other websites on the same hosting. So if you can afford to switch to a dedicated server, our recommendation is to do so and to re-evaluate your hosting plan. If your current hosting doesn’t fit you well, look for a better one by comparing those that catch your attention.
7. Inspect any users with FTP access granted to your site
As you already know, FTP is the File Transfer Protocol. It connects your computer to your site on the server. Using FTP you can access all the website folders and files and change them.
As FTP gives almost full control of your website, you should be very careful and grant that kind of access only to users that you trust the most, and only if they really need it.
In order to increase the protection of your website we strongly recommend you reset FTP passwords if necessary and check the list of your FTP users. You can make it if you go to your hosting account → cPanel → FTP accounts.
Check all the users in this list and just delete the ones you already do not need.
8. Check WordPress hardening measures
During a WordPress Security Audit there are several steps that make a WordPress site more secure:
Switch off the file editor for themes and plugins
Switch off installation of plugins from the dashboard
Reset the salts and keys of your WordPress website
Use strong passwords
Limit the number of login attempts
Enable two-factor authentication
We also strongly recommend testing these measures regularly. For example, if you use two-factor authentication or a login-attempt limit, make sure the plugin that provides it is still maintained and up to date; if it is not, switch to a solution that is updated more often.
Some of these hardening steps require some skill to apply. If you use the CleanTalk Security plugin, most of these features can be enabled in a few seconds.
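The first three hardening steps above can be applied directly in wp-config.php. The following fragment is an added example, not code from this article or from the plugin; the constants are documented WordPress settings, and the key/salt values shown are the wp-config-sample.php placeholders that must be replaced with fresh random ones.

```php
<?php
// Added example, not code from the article or the plugin: wp-config.php lines
// that implement the first three hardening steps. Put them above the
// "That's all, stop editing!" line. The key/salt values are the placeholders
// from wp-config-sample.php and must be replaced with fresh random values.

// Switch off the theme/plugin file editor: an attacker who obtains an admin
// session can otherwise write PHP straight into your document root.
define('DISALLOW_FILE_EDIT', true);

// Switch off plugin/theme installation and updates from the dashboard
// (this also implies DISALLOW_FILE_EDIT). Only set it if you update from the
// shell or a deployment pipeline, otherwise you silently stop receiving patches.
define('DISALLOW_FILE_MODS', true);

// Reset the keys and salts. New values invalidate every existing login cookie,
// which is exactly what you want after a suspected compromise. Generate fresh
// values with https://api.wordpress.org/secret-key/1.1/salt/
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

// Serve the login page and admin area over HTTPS only, so the session cookies
// that those salts protect are never sent in clear text.
define('FORCE_SSL_ADMIN', true);
```

After saving the file, confirm the editor is gone (Appearance → Theme File Editor and Plugins → Plugin File Editor disappear from the admin menu) and that you are logged out, which shows the salts really changed.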
Conclusion
After reading this article you know how to perform a WordPress Security Audit yourself. Work through all eight steps and you will prevent most of the bad things that could happen to your website.
For example, if you regularly check your site's backup system and confirm that a restore actually works, you will avoid a lot of trouble in case of a security breach or anything worse that happens to your website.
A security audit involves many steps and takes some skill and time. But the most important parts are simply keeping every component of your website up to date, making sure your login page is well protected, and using strong passwords.
So at the cost of a few hours spent on this WordPress Security Audit you can avoid many security issues and give your website much better protection.
We are happy to announce the CleanTalk Web Application Firewall (WAF) for the WordPress Security plugin. The main purpose of a WAF is to protect a web application from unauthorized access even while it has critical vulnerabilities; it is a compensating control that buys time, not a replacement for patching.
It protects web applications from both known and unknown attacks. Its operation is transparent to visitors, it does not require you to understand how HTTP works, and it filters quite precisely: it supports both GET and POST methods and requests to dynamic resources.
Attackers typically place their payloads in additional HTTP parameters to exploit vulnerabilities that let them gain access to a website or modify it.
The WAF intercepts every request to your website and checks its HTTP parameters for SQL injection, cross-site scripting (XSS), file uploads from unauthorised users, PHP constructs and code, and the presence of malicious code in uploaded files.
If an HTTP request contains such content, it is blocked, and a special page stating the reason for the block is returned instead.
Effective protection also requires knowing how well it actually performs, so CleanTalk logs every blocked request; this lets you review and analyse exactly what was blocked. You can see your CleanTalk logs in your Control Panel: https://cleantalk.org/my/logs_firewall
The CleanTalk Web Application Firewall for WordPress is a proactive defence against known and unknown vulnerabilities that prevents hacks in real time.
While developing the Anti-Spam service we often encountered other issues related to website security. The most common questions were about brute-force attacks. Besides the risk that the administrator password is eventually guessed, brute-force attacks often cause a high load on the server, and users receive notifications from their hosting provider about exceeding the allowed CPU limits.
We thought: if we are receiving such requests, why not solve them? Since the tasks relate to security, the decision to launch a separate security service was obvious.
At the moment the Security service is developed only for WordPress, for several reasons: the greatest demand, the large number of websites that use this particular CMS, and the complexity of developing for several CMSs at once.
Although anti-spam protection is part of security, we decided to keep the two services separate, for several reasons:
A more complex plugin means more bugs and more compatibility issues with other plugins and themes
Better discoverability through search queries
Easier development and independent release of updates
The interface is not cluttered with options that are not needed by a user who uses only one function
A separate management interface and separate logging in the CleanTalk control panel
We decided to start with protection against brute-force attacks and then gradually expand the functionality.
Protection from brute-force attacks is implemented by adding delays between incorrect authorization attempts: a delay of 3 seconds after the first failed attempt, and 10 seconds after each subsequent one. If there are 10 unsuccessful authorization attempts within an hour, the IP address is added to the FireWall database for 24 hours. Against an attacker trying to guess your password this is enough, because it drastically increases the time between attempts, and a password-guessing run may need tens or hundreds of thousands of them. All logs of access attempts are available in the weekly report and in the service control panel, which lets you quickly add IP addresses to the FireWall blacklist. Brute-force protection applies only to accounts with administrator rights.
Traffic control – allows you to view information about visitors, such as:
IP
Country
Date/time of the last query
The number of allowed/blocked HTTP requests
Status (banned or allowed)
The URL of the page visit
User Agent
Another option in Traffic Control, "Block visitor if the number of requests is greater than", blocks access to the site for any IP that exceeds a set number of HTTP requests per hour. The threshold is configurable in the settings and defaults to 1000. When an IP exceeds it, the Firewall adds it to the blacklist for 24 hours.
This helps with DoS attacks on the site, where a large number of HTTP requests are sent so that the site stops responding or becomes very slow. The same situation can also arise from a massive brute-force attack.
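The two policies just described, the failed-login delays with a 10-failures-per-hour ban and the per-IP request limit, can be written down as a few lines of logic. The following is an added example and not CleanTalk's plugin code: the thresholds are the ones stated above, while the class and method names (`SlidingWindow`, `Firewall`, `BruteForceGuard`, `TrafficControl`) and the in-memory store are our own assumptions so that the script runs stand-alone from the CLI.

```php
<?php
// Added example, not CleanTalk's plugin code: the failed-login throttling and
// per-IP request limit described above, with in-memory counters so it runs
// from the CLI. A real plugin must keep counters and bans in a shared store
// (database table or transients) keyed by IP, because PHP-FPM workers share
// no memory. Thresholds are the ones the text states; the names are ours.

/** Counts events per key inside a sliding time window. */
class SlidingWindow
{
    private int $window;                // window length in seconds
    private array $events = [];         // key => [unix timestamps]

    public function __construct(int $window) { $this->window = $window; }

    /** Record one event for $key at $now; return how many fall inside the window. */
    public function add(string $key, int $now): int
    {
        $cutoff = $now - $this->window;
        $kept   = array_filter($this->events[$key] ?? [], fn(int $t) => $t > $cutoff);
        $kept[] = $now;
        $this->events[$key] = array_values($kept);
        return count($kept);
    }

    public function reset(string $key): void { unset($this->events[$key]); }
}

/** The FireWall ban list: a banned IP is refused for BAN_TTL seconds. */
class Firewall
{
    const BAN_TTL = 24 * 3600;
    private array $banned = [];         // ip => unix time the ban expires

    public function ban(string $ip, int $now): void { $this->banned[$ip] = $now + self::BAN_TTL; }
    public function isBanned(string $ip, int $now): bool { return ($this->banned[$ip] ?? 0) > $now; }
}

/** 3 s delay after the first failure, 10 s after later ones, ban at 10 failures per hour. */
class BruteForceGuard
{
    const FIRST_DELAY = 3, NEXT_DELAY = 10, MAX_FAILURES_PER_HOUR = 10;
    private Firewall $fw;
    private SlidingWindow $failures;

    public function __construct(Firewall $fw) { $this->fw = $fw; $this->failures = new SlidingWindow(3600); }

    /** Call on a failed login; returns seconds to delay the response, or null once the IP is banned. */
    public function onFailedLogin(string $ip, int $now): ?int
    {
        $n = $this->failures->add($ip, $now);
        if ($n >= self::MAX_FAILURES_PER_HOUR) {
            $this->fw->ban($ip, $now);
            $this->failures->reset($ip);
            return null;
        }
        return $n === 1 ? self::FIRST_DELAY : self::NEXT_DELAY;
    }

    public function onSuccessfulLogin(string $ip): void { $this->failures->reset($ip); }
}

/** Traffic Control: ban any IP that sends more than MAX_PER_HOUR requests in an hour. */
class TrafficControl
{
    const MAX_PER_HOUR = 1000;          // the plugin's default threshold
    private Firewall $fw;
    private SlidingWindow $hits;

    public function __construct(Firewall $fw) { $this->fw = $fw; $this->hits = new SlidingWindow(3600); }

    /** True if the request may be served, false if it must be refused. */
    public function onRequest(string $ip, int $now): bool
    {
        if ($this->fw->isBanned($ip, $now)) {
            return false;               // still banned: refuse before WordPress loads
        }
        if ($this->hits->add($ip, $now) > self::MAX_PER_HOUR) {
            $this->fw->ban($ip, $now);
            return false;
        }
        return true;
    }
}

// --- Demo with constructed events (documentation-range IPs) ---
$fw = new Firewall();
$guard = new BruteForceGuard($fw);
$t0 = 1700000000;
for ($i = 1; $i <= 10; $i++) {
    $delay = $guard->onFailedLogin('203.0.113.5', $t0 + $i);
    printf("failed login %2d: %s\n", $i, $delay === null ? 'IP banned for 24 h' : "delay {$delay} s");
}
var_dump($fw->isBanned('203.0.113.5', $t0 + 11));              // bool(true)
var_dump($fw->isBanned('203.0.113.5', $t0 + 11 + 24 * 3600));  // bool(false): ban lapsed

$tc = new TrafficControl($fw);
$served = 0;
for ($i = 0; $i < 1200; $i++) {
    if ($tc->onRequest('198.51.100.7', $t0 + $i)) { $served++; }
}
echo "served {$served} of 1200 requests from one IP\n";        // served 1000 of 1200
```

Two details matter in practice: the failure counter is reset on a successful login so that a legitimate administrator who mistypes twice is not penalised for the rest of the hour, and the firewall check runs before the request counter so that a banned IP no longer costs the site any work.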
Audit log – monitors user actions in the WordPress admin area and keeps a log of page visits with date/time and length of stay. It lets you track what administrators do, spot unauthorized access, and, when something goes wrong, understand where, by whom and what changes were made.
Malware Scanner – scans WordPress core files, plugins and themes for malicious code and unauthorized changes. If files were modified without authorization, it lets you restore the original files.
Automatic scanning runs every 24 hours, and you can also start it manually.
Security FireWall – blocks POST/GET requests to the site by IP address. The base set of IP addresses for the FireWall is generated from the CleanTalk blacklist database: addresses with high spam activity or that have been seen in brute-force attempts. You can also use your own blacklists, both for individual IP addresses/subnets and by country. This makes it possible to reduce the load on the website or to block a DoS attack.
Ready to release:
outbound link scanner
checking links against a database of domains that are promoted with spam
protection from XSS and SQL injections
Development notes
Everything was written from scratch, without peeking at other solutions. This was deliberate, so as not to pick up other people's mistakes and to develop our own vision for the application.
Further development for other CMSs is planned, so we decided on a modular, object-oriented design. Of course, along the way we had to solve various problems that did not fit this concept, and some workarounds were unavoidable.
As a result there are several classes that can be reused on other CMSs (including self-written ones) without significant changes, using a couple of wrappers, for example for the database.
We wrote our own Cron class that does not depend on WP-Cron. A security application should not rely on functionality that may or may not run, or that third-party developers may interfere with.
To implement heuristic code analysis we wrote our own code-minimizing parser, which we will keep developing. With it you can track dangerous variables, functions and constructs. We are not sure whether other plugins/anti-viruses/applications use similar solutions (probably not), but that is the pro and the con of independent development: our approach may have turned out to be unique.
Some of the things it can do: perform concatenation, substitute variables, track the origin of variables (say, whether they come from untrusted $_POST or $_GET), track and check file inclusions (include, require) against various criteria, and much more. It is the foundation on which further functionality will be built.
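To make the idea concrete, here is a tiny statement-level taint tracker of the kind the paragraph above describes. It is an added example, not CleanTalk's parser: it marks variables assigned from `$_GET`/`$_POST`/`$_REQUEST`/`$_COOKIE` as tainted, follows the taint through assignment and string concatenation, and reports `include`/`require`/`eval`/shell sinks that receive tainted data. The function names and the sample PHP source are constructed for the demonstration.

```php
<?php
// Added example, not CleanTalk's scanner: a small statement-level taint tracker
// for PHP source. Variables assigned from user-controlled superglobals are
// marked tainted, taint propagates through assignment and concatenation, and
// file-inclusion or code-execution sinks fed by tainted data are reported.
// It ignores control flow, function boundaries and sanitizers, so it is a
// heuristic: good at finding "include $_GET[...]"-style bugs, not a proof.

const TAINT_SOURCES = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'];
const TAINT_SINKS   = ['include_once', 'require_once', 'include', 'require',
                       'eval', 'system', 'exec', 'shell_exec', 'passthru'];

/** Return the superglobal that taints $expr (directly or via a tainted variable), or null. */
function taint_of(string $expr, array $tainted): ?string
{
    foreach (TAINT_SOURCES as $src) {
        if (strpos($expr, $src) !== false) {
            return $src;
        }
    }
    preg_match_all('/\$[A-Za-z_]\w*/', $expr, $m);
    foreach ($m[0] as $var) {
        if (isset($tainted[$var])) {
            return $tainted[$var];
        }
    }
    return null;
}

/** Scan PHP source and return one record per sink call that receives tainted data. */
function find_tainted_sinks(string $src): array
{
    $tainted  = [];                    // '$var' => superglobal it derives from
    $findings = [];
    $src    = preg_replace('/^\s*<\?php/', '', $src);
    $sinkRe = '/^@?(' . implode('|', TAINT_SINKS) . ')\b\s*\(?\s*(.*?)\s*\)?$/s';

    // Statements are split on ';' (a real scanner would use token_get_all()).
    foreach (preg_split('/;/', $src, -1, PREG_SPLIT_OFFSET_CAPTURE) as [$stmt, $offset]) {
        $lead = strlen($stmt) - strlen(ltrim($stmt));
        $line = substr_count(substr($src, 0, $offset + $lead), "\n") + 1;
        $stmt = trim($stmt);
        if ($stmt === '') {
            continue;
        }
        // Assignment "$x = expr" or "$x .= expr": taint flows from the right-hand side.
        if (preg_match('/^(\$[A-Za-z_]\w*)\s*(\.?=)\s*(.*)$/s', $stmt, $m)) {
            [, $var, $op, $rhs] = $m;
            $t = taint_of($rhs, $tainted);
            if ($t !== null) {
                $tainted[$var] = $t;
            } elseif ($op === '=') {
                unset($tainted[$var]);     // overwritten with clean data
            }
            continue;
        }
        // Sink: "include $x", "require_once($x)", "system($cmd)", ...
        if (preg_match($sinkRe, $stmt, $m) && ($t = taint_of($m[2], $tainted)) !== null) {
            $findings[] = ['line' => $line, 'sink' => $m[1], 'arg' => $m[2], 'source' => $t];
        }
    }
    return $findings;
}

// Constructed sample: a local file inclusion and a command injection beside a safe include.
$sample = <<<'PHP'
<?php
$page = $_GET['page'];
$path = 'pages/' . $page . '.php';
include $path;
$tpl = 'header.php';
require_once($tpl);
$cmd = "ls " . $_POST['dir'];
system($cmd);
PHP;

foreach (find_tainted_sinks($sample) as $f) {
    printf("line %d: %s(%s) receives data from %s\n", $f['line'], $f['sink'], $f['arg'], $f['source']);
}
// line 4: include($path) receives data from $_GET
// line 8: system($cmd) receives data from $_POST
```

The `require_once($tpl)` on line 6 is correctly left alone because `$tpl` was last assigned a clean literal, while `$path` stays tainted through the concatenation on line 3. Extending this to real plugin code means replacing the `;` split with the PHP tokenizer, following taint across function calls, and deciding which sanitizers (`basename()`, `escapeshellarg()`, allow-lists) are allowed to clear it.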
Supporting WordPress Multisite (WPMS) was especially unpleasant, because for every feature we had to add exceptions: whether this is the main site, whether a secondary site inherits the access key from the main site or enters its own, whether secondary sites are allowed to activate plugins, and so on. Unfortunately, part of the functionality had to be removed for WPMS secondary sites because of these incompatibilities.
Overall, it turned out to be an application that is, in places, beautiful from a code point of view, and we will keep developing it.
WordPress is a very popular open-source website creation tool. It is not only a blogging platform: WordPress is an open-source content management system used by millions of people worldwide. It is popular mainly because it is very easy to use and easy to start with, and good support is available from WordPress itself and from various forums. According to research, more than 22.5% of websites were powered by WordPress in 2017.
Because of its huge popularity and continuous growth as the world's most used CMS, WordPress is naturally a target for security threats and attacks. Vulnerabilities in WordPress itself have been handled by WordPress security releases from the very beginning. But new types of attack appear every day, and not everything is covered by a WordPress security release. That is where WordPress security plugins come in.
WordPress Security by CleanTalk is one of the most important security plugins: it helps keep your WordPress site protected from brute-force attacks by creating a firewall. Check out what kinds of attack your website may face and how you can protect yourself against them:
Why is a WordPress site attacked anyway?
There is cut-throat competition in any market and everyone wants to succeed. Under that pressure, attackers want access to your website to steal sensitive information, lock you out of the site, redirect your users to malicious websites, delete your users and all of your content, or simply exploit the backlinks from your website. Placing their own links on your site improves the page rank of their site in search engines.
Most popular websites see thousands of attack attempts every week, or even every day.
How does a good security plugin prevent the different types of attack on a WordPress site?
There are several types of attack a WordPress website faces every day. A good security plugin applies well-tuned detection to stop them and keep the website secure. The following are some of the threats a WordPress website faces:
1. Malware: after breaking into your website, attackers leave behind malicious software or scripts, known as malware. Your security plugin should scan all files, content, data files, the database, DNS changes, comments and posts of any kind to find malicious code that may be hidden in the website's source code or URLs. Such malware is detected and removed by the WordPress security plugin.
2. Brute-force attacks: this type of attack tries permutations and combinations of possible login credentials. Attackers attempt to log in to the website with thousands of username/password combinations via automated scripts. Security plugins block users with too many login attempts or too many "forgot password" requests. They also stop WordPress from leaking sensitive information such as valid usernames or password hints, and from exposing multiple entry points, to the attacker.
3. Zero-day exploits: some vulnerabilities in WordPress sites, or any site, are exploited by bots before a fix is available. Security plugins use known detection algorithms and a firewall to stop attacks against vulnerabilities that have already been published.
4. Spear phishing and social engineering: these are techniques by which attackers can obtain even the most difficult password. Security plugins provide two-factor authentication, which greatly reduces the risk from a stolen or cracked password. This facility is used by banks, financial institutions and websites with very sensitive data.
5. Request flooding (mitigated by rate-based throttling): this is one of the most damaging attack types. Attackers overwhelm your website, database, servers and network with bots or automated scripts, preventing genuine customers and search engine crawlers from accessing your site. Aggressive crawlers can likewise exhaust the site's resources. Security plugins defend against this with IP blocking: if the number of requests from an IP address exceeds the accepted threshold, the plugin blocks that IP address. This also stops bots from crawling aggressively.
6. Country-based attacks: attackers use IPs from various countries and networks to probe WordPress sites for vulnerabilities and overwhelm their resources with aggressive crawling. Security plugins use the same mechanism as rate-based throttling and can additionally block specific countries from accessing the website.
7. Password cracking: security plugins audit passwords to find out whether your admin password is weak or strong, suggest changing it, or enforce a rule such as changing it monthly. This prevents attackers from cracking the password or brute-forcing it with a script.
8. Spam ads: attackers often use compromised websites to post spam ads. These ads link to other malicious websites or to a virus download. Security plugins scan your site regularly to find any such spam ad, identify it and remove it.
9. Reconnaissance: attackers find vulnerabilities using information such as the software version, operating system version and installed software; a security plugin stops your WordPress website from disclosing this information.
What is WordPress Security Plugin by CleanTalk?
WordPress Security Plugin by CleanTalk is a premium security plugin for WordPress sites. It is an end-to-end protection system that helps prevent brute-force attacks and brute-force account enumeration, blocks IPs and users with a firewall, protects WordPress forms, and filters malicious IPs, networks or countries in the backend.
It also sends daily security logs, audit logs and reports by email so that the user can analyse and monitor threats to their WordPress website.
How to Install Security Plugin by CleanTalk?
Installing the Security Plugin by CleanTalk is very easy, either automatically or manually. Follow these steps to install WordPress Security by CleanTalk into your WordPress site.
Automated Installation
Go to the 'Plugins' option in the left panel of your WordPress admin and click it.
Search for 'WordPress Security by CleanTalk'.
The plugin will appear on the page.
Click the 'Install Now' button.
Now click the 'Activate' button.
Click 'Get access key automatically'.
This takes you to the 'Security Log' page of the plugin.
Manual Installation
Download the plugin's Zip file. Save it and log in to your site's WP Admin.
Click the 'Add New' button and then 'Upload Plugin'.
Select the Zip file in the dialog box and click OK.
The plugin will be installed. Then click Activate.
The rest of the steps are the same as for the automated installation.
Features of WordPress Security Plugin
Brute force attacks
Brute-force attacks are very different from cracking, or in layman's terms 'hacks'. Brute-force attackers try to log in to the WP admin through the easiest route, the username and password. They try permutations and combinations of the most common and likely usernames and passwords until they succeed. The weakest link is the easiest target: a username like 'admin' and a password like '123456'.
Brute-force attacks come from many countries and IPs. If you are the only administrator and have a fixed IP, it is easy to block every other IP with the .htaccess file. But if you have multiple users logging in from multiple locations, it is very hard to identify the attacker's IP and block it.
The WordPress Security plugin blacklists all IPs and users with too many login attempts, scripted requests or failed "forgot password" attempts. It also stops WordPress from exposing multiple login entry points and from giving login information away to attackers. The plugin blocks or locks out any user who tries an invalid username and password.
It sends an email to the user as soon as a brute-force attempt is detected, showing the attacker's IP, location and country.
Cleantalk Security Log
Along with the plugin, the CleanTalk security log is an additional feature that helps the user keep track of the logs for different events performed on their website.
The security log records the date, status, IP, country and other details of admin logins for the user's website, for events such as Login, Logout, Invalid Username, Invalid Email and Authentication Failed. Logs can be filtered by service: Anti-Spam, Hosting Anti-Spam, Database API, Site Security or SSL Certificates.
Email Notifications
Email notifications are a must-have feature for any security firewall. Emails are sent to the registered admin user's address whenever an activity is logged on the WordPress site. WordPress Security by CleanTalk sends emails for the following activities:
Admin Login:
An email is sent to the registered admin user's address so that they know an admin login has taken place on their website.
New installation and Signup:
The CleanTalk WordPress Security plugin sends a notification to the user's email when they install and sign up for the plugin.
Access Key:
An email notification is sent when a user opts to get the access key manually.
Daily Security Report:
A daily security report is emailed to the admin user. It includes the site time, username, IP and country of each event, and the number of brute-force attacks, failed logins and authentication failures that have taken place.
CleanTalk Security Firewall
The WordPress Security plugin's firewall works like a fence against attacks on a WordPress website. It uses the CleanTalk database of bad IPs and blocks requests from compromised IPs. The firewall runs before any other code, including WordPress itself, so threats are stopped before they reach the site.
It provides WordPress sites with security features such as:
Personal Blacklist Management
Country and IP blocking
Protection from aggressive users and web crawlers
Traffic Control Analysis
Traffic analysis is an important feature for any WordPress website, both for security and for CPU load. The WordPress Security Plugin shows the admin user which IP, country and location traffic is coming from, which users are online, who is on which page and how much time they have spent there.
Unlike other plugins, it records traffic for every visitor, even those who have JavaScript disabled in their browser. It reports the following traffic parameters for each visitor:
Date and Time of the visit to the website
Visitor’s spent time on the website
Source Country
Visitor’s IP Address
Browser
Operating System and version
Type of the visitor – Person, Bot, Search Bot or suspicious bot, script etc.
Number of page hits
CleanTalk Traffic Control can block IP addresses from any country or any network directly from the interface. IP addresses are blocked automatically by Traffic Control if they exceed the threshold of page visits per hour. This allows monitoring and blocking of traffic in real time.
BlackIP Database
This is a new feature launched by CleanTalk. The BlackIP database is a collection of blocked or blacklisted IP addresses. It helps analyse which types of IPs, locations or countries the most frequent brute-force attacks come from. You can manage the blacklisted IPs from your CleanTalk Dashboard under "Use CleanTalk Database of Dangerous IP Addresses". If you need an exception, add the IP to the whitelist and it will not be blocked.
Generic Tips and Tricks to keep your WordPress website safe:
Besides using CleanTalk's WordPress Security plugin and its advanced features, these simple practices help keep your WordPress website safe and secure at all times:
Log in with your email address rather than a username. Usernames are easy to predict, but a unique email address is harder for an attacker to guess. WordPress uses a unique email address as a login identifier for each user.
The default login URLs are the same for every site (wp-login.php, /wp-admin/). Change them to something unique to you. This keeps attackers from finding the admin login page or dashboard URL by default; it is obscurity, though, not a substitute for strong passwords and login-attempt limits.
A WordPress password should contain upper-case letters, lower-case letters, digits and symbols. Eight characters is generally considered the minimum for a strong password; make it 16 and it is far stronger, because the number of combinations an attacker must try becomes enormous.
Protect the wp-admin directory from being accessed by attackers.
Use SSL (HTTPS) to encrypt your sensitive data in transit.
If your site has multiple admins, add them carefully after thorough vetting.
The admin username should not be "admin".
Back up your site regularly. You may buy professional backup and recovery services.
Protect your wp-config.php file by moving it one directory above the web root; WordPress also looks for it there.
If you have multiple admins, disable editing of plugin and theme files from the dashboard by setting DISALLOW_FILE_EDIT in wp-config.php.
Disable directory listing using .htaccess.
Update your plugins and themes regularly.
Do not download or install any theme from an unknown site or provider. You do not know what is in its code.
Keep WordPress itself updated as well, so you get all the new security fixes.
Last but not least, take precautions before installing any plugin: check the documentation, ratings and reviews, and install only from a trusted source.
Conclusion
WordPress Security Plugin by CleanTalk is one of the best security plugins for WordPress. It gives your website an end-to-end security solution and helps you grow your business without the headache of being attacked. CleanTalk's security plugin is regularly updated with new features to cope with new types of attack and threat and to provide smooth, reliable protection. Following the tips above and installing a good security plugin will give your WordPress website all-round protection.
CleanTalk continues to develop the Security Service and launches a new option, the "BlackIPs Database".
Our cloud service processes millions of requests every day, so we know in real time which IPs show suspicious activity.
The BlackIPs Database is a database of the most active IP addresses that massive spam and brute-force attacks come from. When an IP starts attacking a few websites it is immediately added to the blacklist. IPs that stop attacking are removed over time, and that time is relatively short, usually about 2 weeks.
This option is a powerful way to improve the Security Service for your websites.
Blocking a bad IP completely is more effective and safer than blocking only its malicious requests, because the attacker is not allowed to gather information about the target website it is about to attack.
The BlackIPs Database is included in the standard Security Service package at no extra cost; just enable it in your CleanTalk Dashboard -> Settings by checking the option "Use CleanTalk database of dangerous IP addresses".
If you need exceptions for IP addresses or subnets, add them to the whitelist, which has higher priority, and they will not be blocked.
In 2 weeks we will add new fields to the Security Service log showing blocked requests and the page URL the IP address was trying to access.
CleanTalk Real-Time BlackIPs Database is one of the greatest security features.
We work every day to continuously improve and evolve our services.
Let us know if you have any suggestions or comments.
As we announced earlier, CleanTalk has launched its website security project. The service protects the administrator control panel from brute-force attacks and records users' actions.
Since the 29th of November, Security by CleanTalk has become a cloud service, and all main data are now available in the Service Dashboard. The cost of the service is $20 per year for 1 website.
Switching to cloud data storage allows us to show more data and to use the information more flexibly thanks to the filters in your Dashboard.
In previous versions all data were stored in the website's database, and a large amount of data together with the operations on it slowed the website down, which could in turn hurt its search engine ranking. Cloud storage is also safer than the website's database: if an intruder gains access to your website, he could otherwise delete the very data that would trace him.
The cloud service stores data for the last 45 days, including the user action log, brute-force attack statistics and successful backend logins, so you can always find out who did what when necessary.