Wordfence allow user to download woocommerce files
Improvement: Added additional scan options to allow for disabling the blocklist checks while still allowing malware scanning to be enabled. Scan times are now distributed intelligently across servers to provide consistent server performance. Improvement: Introduced light-weight scan that runs frequently to perform checks that do not use any server resources. Improvement: If unable to successfully look up the status of an IP claiming to be Googlebot, the hit is now allowed.

Improvement: Scan issue results for abandoned plugins and unpatched vulnerabilities include more info. Fix: Suppressed PHP notice with time formatting when a microtimestamp is passed.

Fix: Fixed PHP notice in the diff renderer. Fix: Fixed typo in lockout alert. Improvement: Improved the option value entry process for the modified files exclusion list. Fix: Time formatting will now correctly handle and time zone offsets. Fix: Added an option to allow automatic updates to function on Litespeed servers that have the global noabort set rather than site-local.

Fix: Fixed a PHP notice that could occur when running a scan immediately after removing a plugin. It will also indicate if there is a known vulnerability. Improvement: Added a self-check to the scan to detect if it has stalled. Improvement: If WordPress auto-updates while a scan is running, the scan will self-abort and reschedule itself to try again later.

Improvement: IP-based filtering in Live Traffic can now use wildcards. Improvement: Added an anti-crawler feature to the lockout page to avoid crawlers erroneously following the unlock link. Improvement: Better wording for the allowlisting IP range error message. Fix: Addressed a performance issue on databases with tens of thousands of tables when trying to load the diagnostics page.

Fix: All dashboard and activity report email times are now displayed in the time zone configured for the WordPress installation. Improvement: Support for exporting a list of all blocked and locked out IP addresses. Improvement: Updated the browscap database. Improvement: When all issues for a scan stage have been previously ignored, the results now indicate this rather than saying problems were found.

Fix: Worked around an issue with WordPress caching to allow password audits to succeed on sites with tens of thousands of users. Fix: Better detection for when to use secure cookies. Fix: Fixed a couple of issue types that were not able to be permanently ignored. Fix: Adjusted the changelog link in the scan results email to work for the new wordpress. Fix: Fixed some broken links in the activity summary email. Fix: Fixed a typo in the scan summary text. Fix: The increased attack rate emails now correctly identify blocklist blocks.

Fix: Fixed an issue with the dashboard where it could show the last scan failed when one has never run.

Fix: Brute force records are now coalesced when possible prior to sending. Improvement: The memory tester now tests up to the configured scan limit rather than a fixed value. Improvement: Added a test to the diagnostics page that verifies permissions to the WAF config location.

Improvement: The diagnostics page now contains a callback test for the server itself. Improvement: Updated the styling of dashboard notifications for better separation.

Improvement: Added additional constants to the diagnostics page. Change: Changed how administrator accounts are detected to compensate for managed WordPress sites that do not have the standard permissions. Change: The table list on the diagnostics page is now limited in length to avoid being exceedingly large on big multisite installations.

Fix: Improved updating of WAF config values to minimize writing to disk. Fix: Added error suppression to the WAF attack data functions to prevent corrupt records from breaking the no-cache headers. Fix: Fixed some incorrect documentation links on the diagnostics page. Fix: Fixed a typo in a constant on the diagnostics page. Improvement: Better page load performance for multisite installations with thousands of tables. Improvement: Integrated blocklist blocking statistics into the dashboard for Premium users.

Fix: Fixed an activation error on multisite installations on very old WordPress versions. Fix: Adjusted the behavior of the blocklist toggle for Free users. Improvement: Optimized the overall scan to make fewer network calls. Improvement: Running an update now automatically dismisses the corresponding scan issue if present. Improvement: Added a time limit to the live activity status so only current messages are shown. Improvement: WAF configuration files are now excluded by default from the recently modified files list in the activity report.

Improvement: Background pausing for live activity and traffic may now be disabled. Improvement: Added additional WAF support to allow us to more easily address false positives. Improvement: Blocking pages presented by Wordfence now indicate the source and contain information to help diagnose caching problems.

Fix: All external URLs in the tour are now https. Fix: Corrected a typo in the unlock email template. Fix: Fixed the target of a label on the options page. Improvement: Added options to customize which dashboard notifications are shown. Improvement: Provided additional no-caching indicators for caches that erroneously save pages with HTTP error status codes.

Improvement: Optimized the country update process in the upgrade handler so it only updates changed records. Improvement: Added our own prefixed version of jQuery.DataTables to avoid conflicts with other plugins. Improvement: Changes to readme. Fix: Addressed an issue with multisite installations where they would execute the upgrade handler for each subsite.

Fix: Added additional error handling to the blocked IP list to avoid outputting notices when another plugin resets the error handler. Fix: Made the description in the summary email for blocks resulting from the blocklist more descriptive. Fix: Updated the copyright date on several pages. Fix: Fixed incorrect wrapping of the Group by field on the live traffic page.

Improvement: Dashboard chart data is now updated more frequently. Fix: Fixed database errors on notifications page on multisite installations. Fix: Fixed site URL detection for multisite installations. Fix: Fixed tour popup positioning on multisite.

Improvement: Updated internal GeoIP database. Improvement: Updated internal browscap database. Improvement: Added network data for the top countries blocked list. Improvement: Added a notification when a premium key is installed on one site but registered for another URL. Improvement: Switching tabs in the various pages now updates the page title as well. Improvement: Various styling consistency improvements.

Fix: Improved compatibility with our GeoIP interface. Fix: The updates available notification is refreshed after updates are installed. Fix: The scan notification is refreshed when issues are resolved or ignored.

Improvement: Simplified the UI by revamping menu structure and styling. Fix: Fixed undefined index notices on password audit page. Change: Updated support link on scan page. Fix: Addressed an issue where the increased attack rate emails would send repeatedly if the threshold value was missing. Fix: Typo fix in firewall rule 11 name. Improvement: Better error handling when a site is unreachable publicly.

Fix: Fixed a URL in alert emails that did not correctly detect when sent from a multisite installation. Fix: Addressed an issue where the scan did not alert about a new WordPress version. Thanks Vladimir Smitka. Improvement: Added vulnerability scanning for themes.

Improvement: Performance improvements for the dashboard widget. Improvement: Added progressive loading of addresses on the blocked IP list. Change: Support for the Falcon cache has been removed. Fix: Better messaging when the WAF rules are manually updated. Fix: The proxy detection check frequency has been reduced and no longer alerts if the server is unreachable. Fix: Adjusted the behavior of parsing the X-Forwarded-For header for better accuracy.

Thanks Jason Woods. Fix: Typo fix on the options page. Fix: Scan issue for known core file now shows the correct links. Fix: Restricted caching of responses from the Wordfence Security Network. Fix: Fixed a recording issue with Wordfence Security Network statistics. Improvement: Updated signatures for hash-based malware detection. Improvement: Automatically attempt to detect when a site is behind a proxy and has IP information in a different field.

Improvement: Added additional contextual help links. Improvement: Significant performance improvement for determining the connecting IP. Improvement: Better messaging for two-factor recovery codes. Fix: Adjusted message when trying to block an IP in the allowlist. Fix: Error log download links now work on Windows servers. Fix: Avoid running out of memory when viewing very large activity logs. Fix: Fixed warning that could be logged when following an unlock email link.

Fix: Tour popups on options page now scroll into view correctly. Improvement: Improved the ordering of rules in the malware scan so more specific rules are checked first. Fix: Country blocking redirects are no longer allowed to be cached. Fix: Fixed an issue with 2FA on multisite where the site could report URLs with different schemes depending on the state of plugin loading.

Improvement: Added a configurable time limit for scans to help reduce overall server load and identify configuration problems. Improvement: Extended rate limiting support to the login page. Fix: Fixed a case where files in the site root with issues could have them added multiple times.

The function only ran the sanitization process a single time, so it could be bypassed by sending a filename containing a blocked extension hidden inside another blocked extension.

This also meant that a double extension attack was possible. Regardless of the method used, an attacker able to upload an executable PHP file to a website using this method would be able to infect and completely take over that website, as well as any other sites on the same hosting account. As more WordPress developers focus on security, simple vulnerabilities are becoming less common. For example, a function designed to sanitize input to be used in a database query might not offer sufficient protection against Cross-Site Scripting (XSS), while a function designed to remove scripting tags might not offer protection against SQL Injection (SQLi).

This vulnerability has been patched in version

Premium support

With Wordfence premium you get access to our premium support. We aim to respond to all tickets within 24 hours during business hours. Our premium support staff all have a technical background and work closely with Wordfence developers to ensure issues are resolved promptly and accurately.

These Cookies are used to deliver relevant information related to the Services to an identified machine or other device not a named or otherwise identifiable person which has previously been used to visit our Sites.

Some of these types of Cookies on our Sites are operated by third parties with our permission and are used to identify advertising sources that are effectively driving customers to our Sites.

Setting Defensive File Permissions

The above scenario is common in most shared hosting environments.

Securing Your Own Sites

This same method of spreading the infection can happen within the same account if there are multiple sites running as your user.

Further Hardening

For the paranoid and more hands-on approach, you can always prevent the web site from being able to write to its own files. This will effectively disable a number of core functions WordPress offers: Modifying your.

Auto upgrading core and plugins with security updates. Upgrading anything via the web interface.

How to get rid of that. Please help me?

It requires admin level access for any user to set up 2FA. So if you need 2FA for users that you don't want to have admin access, you can't use this plugin. I learned this the hard way after setting it all up and asking all our users to set up 2FA.