Azure Archives - Page 2 of 30 - Appunti dalla rete

How to Restrict Login Access by Whitelisting IP Addresses in WordPress

MARCH 29, 2024
BY PAUL G.

Are you concerned about the security of your WordPress website? Do you want to restrict login access to only trusted IP addresses? Whitelisting IP addresses is an effective way to enhance the security of your WordPress login page. In this article, we’ll be taking a closer look at whitelisting within Shield Security PRO, exploring its dual applications:

Whitelisting your entire site to ensure exclusive access for approved users.
Whitelisting users from Shield Security Pro’s Bad Bot detection system to ensure that specific IP addresses are recognized as legitimate, reducing false positives and preventing these users from being blocked from the site.

While shielding against bad bots protects site access for legitimate users, full-site whitelisting takes security even further. Full-site whitelisting, set up through Shield Security PRO’s full-site lockdown feature, ensures that your site won’t load at all for non-whitelisted users. This is an intense security measure that may serve a vital role for businesses with strict security and access requirements.

We’ll walk you through the pros and cons of both whitelisting approaches and how to set them up, while helping you decide whether they’re necessary and practical for your business.

Let’s get started!

Understanding full-site IP whitelisting and its importance in WordPress security

Although it is too restrictive for public-facing platforms, full-site IP whitelisting is great for contexts where stringent access control is vital. Industries like finance, government, and healthcare, dealing with Sensitive Personal Information (SPI) or Private Personal Information (PPI), benefit from this heightened security. However, these are far from the only sites that can benefit from full-site whitelisting

For instance, although an eCommerce site catering to the public will find full-site IP whitelisting impractical, it could make sense for a wholesale retailer that only works with pre-approved buyers. It can also be useful for corporate intranets, which are limited to employee access only, or websites used to manage private security systems.

The decision to implement a full-site whitelist shouldn’t be taken lightly. Site owners must carefully weigh the pros and cons and remember that the extreme nature of IP whitelisting makes it fully incompatible for general public facing businesses and platforms.

Benefits and drawbacks of full-site whitelisting in WordPress

There are many benefits and drawbacks to full-site whitelisting that users should consider before setting this up on their site. For example, some benefits include that this gives you strict access control, ensuring that only approved users can interact with the site. It’s a highly effective security measure that can easily safeguard sensitive and confidential information.

It’s a great tool for building a secure environment that provides a safe and secure place for authorised individuals to access sensitive data. It’s a good way to balance security and accessibility when working with highly sensitive information, such as for financial transactions or healthcare.

One major drawback to consider, however, is that it’s time-consuming and resource-intensive to get a full-site whitelist set up. It also needs continuous attention and maintenance. It can be inconvenient for users, since it restricts them to a specific computer and location. There are workarounds like virtual machines, but they introduce additional complexities as well.

Lastly, no single measure, even whitelisting your whole site, is a foolproof solution against cyber attacks, as it does not provide complete protection. For example, you still have basic cybersecurity measures to keep in mind, such as the risks associated with remote workers logging in on shared family devices. However, the whitelisting itself can lull users into a false sense of security, which may lead to lapses in other vital security practices.

Step-by-Step guide to implementing full-site lockdown in WordPress

Shield Security PRO provides an advanced Site Lockdown feature that transforms your website into a whitelist-only accessible domain. When activated, this setting renders your site inaccessible to everyone except those IP addresses listed on your site’s bypass/whitelist list.

🚨Warning! Before enabling this feature, it’s crucial to add your own IP address to the bypass list to prevent locking yourself out.

Understanding the Site Lockdown Feature

In Shield Security PRO, the Site Lockdown feature simplifies the process of creating a whitelist-only site. It is also a useful solution to deploy during attacks, helping to limit access t the site until the situation can be fully assessed.

Shield Security Pro streamlines the process by doing all the heavy lifting for you, leaving little room for error. To enable the Site Lockdown feature, you need to:

Access your WordPress dashboard.
Navigate to ShieldPRO from the left-hand menu.
Go to Tools → Site Lockdown.
Check the box to whitelist your own IP address, if you haven’t already done so. Do not skip this – otherwise you will be locked out of your own site.
Review and confirm you understand the warnings and risks associated with this process.
Select “Lockdown The Site”

Shield Security PRO’s Site Lockdown feature limits site access to only approved IP addresses.

With this setting turned on, your site will only be accessible to users you have whitelisted using Shield Security PRO IP bypass rules, referenced earlier in the article.

Although the Shield Security PRO Site Lockdown feature makes full-site whitelisting a breeze, you can alternatively restrict access to your website by supplying access rules within your .htaccess file (for Apache servers). This method is totally different from Shield Security PRO’s Lockdown capability and requires technical expertise. So, if you’re in any doubt, we recommend hiring a developer to help with the manual approach.

Here is how to manually restrict access to your WordPress site:

Back up your WordPress site:

Use a plugin like UpdraftPlus or your hosting control panel to back up files and databases.

Accessing the .htaccess file:

Connect to the server using an FTP client (like FileZilla) or through the hosting control panel.

Navigate to the root directory (usually public_html, www, htdocs, etc.).

Modify the .htaccess file:

Locate and download the .htaccess file.
Open it in a text editor.
Add the following lines at the top to restrict access to specific IP addresses:

Order deny,allow
Deny from all
# whitelist Your First IP address
Allow from xxx.xxx.xxx.xxx
# whitelist Your Second IP address (if any)
Allow from xxx.xxx.xxx.xxx

📝Note on code: Replace xxx.xxx.xxx.xxx with the actual IP addresses.

If you are using Apache 2.4 or newer, it’s recommended to use the new Require directive for access control, which is more flexible and straightforward.

# whitelist Your First IP address
Require ip xxx.xxx.xxx.xxx
# whitelist Your Second IP address
Require ip xxx.xxx.xxx.xxx

📝Note on code: Replace xxx.xxx.xxx.xxx with the actual IP addresses. The Require directive is part of Apache’s authorisation features, allowing you to specify which users or systems can access your site.

Once you have done this, the changes should be saved and uploaded again to the server (replacing the old .htaccess file).

Whitelisting IP addresses in the Shield Security PRO plugin

When using Shield Security PRO, safeguarding your website involves understanding and managing the ADE, which detects bad bot signals, defending your site from malicious entities.

However, this system, while effective, can occasionally result in false positives – legitimate users being mistakenly flagged as bots.

To prevent the accidental blocking of known users, you can whitelist IP addresses with Shield Security PRO. By adding these trusted users to the IP Bypass list, you ensure uninterrupted access while maintaining a robust defence against malicious bots. Here’s how to do this:

Identify the IP address of the user you want to whitelist. Online tools, like Shield Security PRO’s IP address finder, can help users find this information.
Go to your WordPress dashboard and select ShieldPRO from the left-hand menu to open the Shield Security PRO dashboard.

Within Shield Security Pro’s dashboard, go to IP Rules and select the gear icon in the top right-hand corner.

Choose Create new IP rule to initiate the whitelisting process.

Enter the IP address or range you want to whitelist.

Provide a clear and memorable label, such as “Whitelist”, for easy identification.
Select Add to bypass list to confirm the whitelisting.

Once an IP address is whitelisted, the ADE will bypass it completely. However, exercising caution is important as this practice may pose security risks, particularly if the whitelisted IP address becomes compromised. It’s wise to periodically review your IP whitelists and remove any entries that are no longer required.

Maintaining your whitelist: Regular reviews and updates

One of the most important things to remember is that whitelisted addresses, once approved, are never blocked, regardless of their onsite activity.

Unlike Shield’s Automatic IP Blocking system which keeps your IP rules list lean for performance purposes, there is no automated pruning of whitelisted IP addresses.

The potential risks associated with outdated whitelist entries shouldn’t be overlooked.

Unauthorised access through excessive permissions could pose significant security threats. That’s why due diligence in the form of regular security audits are crucial to ensure authorised users retain the necessary access and unauthorised entities are promptly removed.

Here is our recommended approach to whitelist maintenance:

Review: Periodically review the existing whitelist to identify any outdated or unnecessary entries. Always verify the legitimacy of each whitelisted IP address.
Deleting out-of-date IPs: Always remove outdated entries promptly.
Periodic checks: Conduct periodic checks, aligning with your usual website security audit schedule. Ensure that the whitelist aligns with the current needs of your website.

Shield Security Pro’s IP management and analysis features facilitate the whitelist maintenance process – allowing you to specify individual IPs, IP ranges, or removing addresses as needed.

Secure your WordPress site with Site Lockdown today

While Site Lockdown may not suit every website, it’s invaluable for security sensitive industries like finance, government, and healthcare, where stringent cybersecurity measures are vital.

IP whitelisting helps streamline access for some users, and it can be complex without a plugin to manage it for you, but Shield Security PRO simplifies the process.

Don’t compromise on cybersecurity. Download the Shield Security PRO plugin today for peace of mind and fortify your WordPress site!

Source :
https://getshieldsecurity.com/blog/how-to-restrict-login-access-by-whitelisting-ip-addresses-in-wordpress/

How to Rectify the WordPress Timthumb Hack: A DIY Guide

FEBRUARY 29, 2024
BY PAUL G.

WordPress is one of the most popular content management systems (CMS) in the world, powering millions of websites. However, its popularity makes it a target for hackers. One common vulnerability that hackers exploit is the TimThumb vulnerability.

In this post, we will discuss what the TimThumb hack is, how it affects your WordPress site, and provide a step-by-step guide on how to rectify the hack yourself.

Understanding the TimThumb vulnerability in WordPress

TimThumb was a PHP code snippet used in WordPress themes and plugins to dynamically resize images to predefined dimensions to simplify the process of generating thumbnails on the fly. Before WordPress introduced this functionality into Core, TimThumb was an extremely popular script and included with many WordPress themes. Unfortunately, this script became a focal point for a significant cybersecurity concern within the WordPress community.

In 2011, a significant security incident unfolded as hackers exploited a vulnerability in TimThumb, a widely-used script at the time for dynamic image resizing in WordPress. This issue became particularly widespread due to several unique circumstances:

Lack of dynamic image resizing in WordPress

Early versions of WordPress couldn’t resize images dynamically on its own. But when mobile-responsive design gained popularity in the early 2010s, TimThumb came to the rescue. It allowed users to upload an image once and automatically get properly sized images for different screen sizes, even on mobile devices. As a result, TimThumb became a widely used solution in themes.

Prevalence in paid themes

Many premium WordPress themes incorporated TimThumb, bundling the script with their designs. Given that automatic theme updates were not yet widely adopted, users were required to manually update their themes. This posed a challenge as users often neglected updates, leaving vulnerable versions of TimThumb in use for extended periods.

Delayed awareness and remediation

The security issue with TimThumb allowed hackers to upload malicious PHP files, injecting harmful code into websites. Due to the lack of awareness, delayed updates, and the absence of automated security solutions like Shield (which wasn’t available in 2011!), the impact of the hack persisted for years, affecting a substantial number of WordPress sites.

Improved automatic updates

Notably, such a widespread and prolonged vulnerability would be less likely to occur in the present day. Modern WordPress versions benefit from improved automatic update mechanisms. If a security issue were to arise, updates are promptly issued, enabling site owners to quickly secure their websites.

The widespread effect was enhanced by the lack of updates made by website owners. This vulnerability shows us the importance of robust cybersecurity measures for the broader WordPress user base.

Though modern cybersecurity measures have substantially mitigated the TimThumb vulnerability’s impact, it remains an active threat. In fact, at least 56,606 websites are still using TimThumb to this day, including government websites.

💭Did you know? The most exploited plugin on this list, responsible for a huge 36% of WordPress hacks, was Contact Form 7.

The TimThumb script is no longer officially maintained or supported. Yet, it continues to persist on users’ sites, especially if they use outdated plugins and themes. This poses a threat, as TimThumb might unknowingly find its way onto your page, leaving you vulnerable.

Why did this happen in the first place?

Bugs are found in code all the time. When Ben Gillbanks, who initially wrote the TimTumb script, became aware of it, a fix was issued. This is, generally speaking, normal. The issue was that the update didn’t reach end-users because of how developers distributed WordPress themes at the time (as there were no automatic updates), so un-updated sites are still around now.

Ben told us:

When TimThumb was developed, WordPress lacked image thumbnails, prompting its creation to enhance website aesthetics, initially intended for premium WordPress themes. Unexpectedly, its popularity grew as other theme shops adopted the image resizing script.

The first indication that something was wrong was when my own site was defaced. Someone had changed my footer to link somewhere else. Unsure of the cause, I reverted it and ensured everything was up to date. Fortunately, this was before hackers started introducing backdoors, so it didn’t happen again.

A couple of days later, reports emerged that TimThumb was hacked, and my heart sank. I felt super guilty and spent a lot of time over the next few days trying to make it more secure.

Ben hosted TimThumb on Google Code, as GitHub wasn’t an option at the time. TimThumb was open source, and WordPress co-founder Matt Mullenweg got personally involved, introducing Ben and developer Mark Maunder. A fixed version was released, but without automatic updates in WordPress, it didn’t reach end-users with the scale as you’d see now.

Ben shared some insight into the root of the issue:

The vulnerability arose from a few different factors:

I had allowed resizing of external images, which meant files from other websites could be loaded.
I enabled data caching for those external files without performing any file type checks to ensure they were images, not code.

Detecting the hack: Tools and techniques

The TimThumb exploit from 2011 is still an issue today. As discussed above, over 50,000 sites still use the script. One can assume that a smaller share of these are using the vulnerable version, but with TimThumb no longer maintained and WordPress offering dynamic image resizing, there’s little need for using it in 2024 or beyond.

For those with older websites or looking for absolute certainty about their site’s security, certain steps can be taken to assess and address any lingering use of TimThumb:

Access files.

Use your FTP client, Secure Shell, or your hosting provider to access your website’s files.

Backup.

Before proceeding, create a backup of your site files to avoid data loss.

Search for TimThumb files.

Thoroughly check every file in your root directory. Look specifically for files labelled timthumb.php or thumb.php.

📝Please note: Manual file inspection is time-consuming and liable to human error. We recommend exploring alternative methods, such as using vulnerability scanner plugins.

While there are several plugin options on the market, Shield Security PRO is a great choice due to its extensive suite of customisable features, particularly the Anti-Bot Detection Engine.

Using Shield Security PRO for early detection and prevention

Using Shield Security PRO is a great way to detect and prevent TimThumb hacks on WordPress sites. It has a vulnerability scanner that identifies known vulnerabilities, including the TimThumb script, allowing users to remove potential threats. The scan is also powered by artificial intelligence and machine learning. Dubbed MAL{ai}, the scanner can identify threats it’s never even seen before with 80-90% accuracy.

Automatic file scanning is a key feature that compares your website to the default WordPress install to pinpoint files that shouldn’t be present. Shield Security PRO also takes charge of updating themes and plugins while flagging any out-of-date plugins, ensuring your site stays fortified against potential exploits.

The faster vulnerabilities – like the use of the TimThumb script – are detected, the less opportunity hackers have to exploit and insert malicious code. Shield Security PRO provides a defence mechanism, enhancing your website’s resilience against emerging threats.

Steps to recover your WordPress site post-hack

Discovering a TimThumb vulnerability – or worse, an exploit – can be stressful. To help you with recovery, follow these steps:

Assessing the damage

Compare your site files and databases to the original versions to identify any discrepancies. Use tools like Shield Security PRO’s Malware Scanner to detect malicious code. Look for signs of unauthorised access, unexpected content changes, or alterations to your website’s structure.

Here’s how to scan on Shield Security PRO:

Go to your WordPress dashboard and press ShieldPRO.

Run scans in the ShieldPRO section of WordPress.

Click Scans.

Click the settings icon in the right-hand corner.

The Run Manual Scan button will appear once cog has been pressed

Press Run Manual Scan.

Press Run Scans Now.

The results of your scan in Shield Security PRO.

From here, you will be notified if anything suspicious is occurring.

Cleaning up the infection

Change all passwords associated with your WordPress site, including admin, FTP, and database passwords. This helps secure your site and prevent further unauthorised access.

Ensure all elements of your WordPress site are up-to-date. This includes the core software, themes, and plugins. Regular updates patch security vulnerabilities, reducing the risk of future attacks.

Remove malicious injections from your databases and files. While technical details can be complex, it’s crucial to ensure your site is entirely free from compromised code. Note that manual cleanup may be risky for non-technical users; consider using specialised tools for a safer and more efficient cleanup.

For example, Shield Security PRO’s automated scanning and malware removal feature can remove all traces of malicious scripts, including those related to TimThumb vulnerabilities.

Recovering from backups

If available, restore your WordPress site from a clean backup. It is vital to regularly back up your site as a precautionary measure. There are a variety of WordPress backup plugins available to automate this process.

Communicating the incident

If user data might have been compromised, inform your site users about the breach. We recommend creating a draft communication statement in advance to save time and minimise stress. Include information like the type of attack, compromised data, impact on performance, and assurances about resolving the issue.

🔎 An example email for communicating a breach:

⚠️ You may want to consult legal professionals when drafting and releasing such communications, to ensure compliance with laws like GDPR.

Subject: Important notice regarding recent security incident on [Your Website Name]

Dear [Website Users],

I hope this message finds you well. We are writing to inform you about a recent security incident that has come to our attention. Your trust in our website’s security is of utmost importance to us, and we want to be transparent about the steps we are taking to address the situation.

What happened?
Our website recently experienced a security breach, and we believe it is our responsibility to notify you. The breach involved [brief description of the type of attack, e.g., unauthorised access or a specific vulnerability]. We want to assure you that we are taking immediate action to rectify the situation.

Was there any compromised data?
While we are still conducting a thorough investigation, it is possible that some user data may have been compromised. This may include [specify the type of data that might have been affected, e.g., usernames, email addresses, etc.]. We want to be transparent with you about the extent of the incident and assure you that we are doing everything in our power to safeguard your information.

Will this impact performance?
We understand the importance of secure data. The breach may have had some impact on the performance of our website. We are actively working to address any performance issues and enhance our security measures to prevent future incidents.
We want to assure you that our team is working diligently to resolve the issue. We have taken immediate steps to secure our website and are implementing additional security measures to prevent similar incidents in the future. Your security and privacy are our top priorities.

What can you do?
As a precautionary measure, we recommend changing your password on our website. Additionally, if you use the same password on other sites, consider updating it there as well – and to avoid using the same password across multiple sites in the future. We also advise monitoring your accounts for any suspicious activity.

We are committed to keeping you informed about the progress of our investigation and the actions we are taking. If you have any questions or concerns, please do not hesitate to contact us at [provide a contact email or phone number].

We sincerely apologise for any inconvenience this incident may have caused. Your understanding and cooperation during this time are greatly appreciated.

Thank you for being a valued member of our community.

Sincerely,
[Your Company/Organisation Name][Contact Information]

Assessing and learning

After the recovery, take time to analyse how the hack occurred. Understanding the vulnerability can help you prevent future attacks.

Securing your WordPress website against TimThumb and other vulnerability attacks

While TimThumb is no longer actively used in WordPress themes or plugins, it could be lingering in out-of-date sections of your site’s code. Regularly updating and removing previous instances of TimThumb in your WordPress site significantly reduces the risk of its exploits.

Paul Goodchild, creator of Shield Security PRO, says, “If you’re performing regular maintenance on your WordPress sites, the likelihood that you’ll be susceptible to a vulnerability is slim-to-almost-none. You’ll have updated the affected plugin or theme, so you’re already protected.”

Recognising that technology evolves, relying on the right protection is important. A cybersecurity plugin like Shield Security PRO offers security with vulnerability detection, malware scanning, and bad-bot blocking.

Stay ahead of potential threats by downloading the Shield Security PRO plugin today – your proactive defense against evolving cybersecurity challenges!

Source :
https://getshieldsecurity.com/blog/rectify-wordpress-timthumb-hack-guide/

Database Cleanup and Optimisation: A Quick Guide for WordPress Users

FEBRUARY 23, 2024
BY PAUL G.

Much like a well-oiled machine, your WordPress requires regular maintenance to ensure peak performance and security. Without it, you can end up with a disorganised and bloated database, which can affect your site’s speed and leave it vulnerable to online threats.

But fear not! The solution lies in a simple yet often overlooked aspect of website management – database cleanup and optimisation.

In this comprehensive guide, we’ll show you how a little housekeeping can not only give your site the speed boost it desperately needs, but also strengthen its security against lurking threats. From manual tweaks to security plugins like Shield Security Pro, you’ll learn how to cleanse your digital space efficiently!

Understanding WordPress database health: Why it matters

Over time, a WordPress database accumulates old and unused data. Think of this as digital clutter – rows upon rows of data that are no longer in use but still take up space. This includes old post revisions, trashed items, spam comments, and data left by uninstalled plugins.

This clutter doesn’t just take up digital space. Every time your website performs a task, your server has to sift through everything. This creates an unnecessary workload that slows down your site, affecting user experience and potentially harming your SEO rankings.

Regular database maintenance ensures seamless website performance and significantly lowers the risk of malware infection. Since malware often hides in the clutter, a clean and optimised database is less vulnerable to attacks.

Here’s what to do to make sure your database is well-maintained:

Regular backups: Before any cleanup, ensure you have a recent backup. It’s your safety net in case something goes wrong.
Routine scanning for malware: Use reliable tools like the Shield Security Pro plugin for regular scans. Catching and removing malware early can prevent more significant issues down the line.
Removing unused themes and plugins: Inactive themes and plugins are not just dead weight; they’re potential security risks. Regularly clean them out.
Spam comment cleanup: Spam comments bloat your database and can harm your site’s credibility. Regularly purging them is crucial.

Optimising database tables

Table optimisation, or defragmentation, is about removing excess data from your site’s data tables. Think of it like organising a messy bookshelf so you can find books faster. It rearranges the data to use space more efficiently, improving performance. This process is important for larger websites, where data operations can become significantly slower over time.

Popular plugins like WP-Optimize, WP-DBManager, and Advanced Database Cleaner offer a user-friendly way to handle database optimisation without needing deep technical expertise. They help automate the cleanup process, ensuring your WordPress site remains speedy and efficient.

Backing up your site before initiating cleanup

Before you dive into the nitty-gritty of database cleanup, you must always back up your site first.

While database cleanup aims to remove only redundant data, the process isn’t infallible. There’s always a risk, however small, that something might go wrong. In such cases, a backup is your quick ticket to recovery, allowing you to restore your site to its pre-cleanup state with minimal fuss.

Here are some scenarios where backups save the day:

User error: Sometimes, the biggest threat to your website can be accidental mishaps, like deleting important files or making erroneous changes.
Platform and plugin updates: Updates are essential for security and performance, but they can occasionally lead to compatibility issues or data loss.
Security breaches: In the unfortunate event of a hack or malware infection, a backup can be vital in restoring your site to a secure state.

The good news is that backing up your WordPress site can be made easy via backup plugins like WP-Staging, UpdraftPlus, BackupBuddy, and VaultPress (Jetpack Backup). These tools automate the process, ensuring that your site is regularly backed up without requiring manual intervention every time.

How often should you back up?

The frequency of backups should reflect how often your site is updated. For a dynamic site with daily changes, a daily backup is ideal. However, for smaller sites with less frequent updates, weekly or even monthly backups might suffice.

The key is to never skip backups altogether. It’s a small effort that can save a lot of time and stress in the long run.

Manual cleanup vs. plugin-assisted optimisation

When it comes to optimising your WordPress database, you have two primary approaches: manual cleanup or using plugins. While manual cleanup requires more technical know-how, it also gives you more precise control over the optimisation process.

Manual cleanup

Before any changes, ensure you have a recent backup of your WordPress site, including the database. This step is non-negotiable and serves as your safety net.
Log in to your database using phpMyAdmin, which is typically available through your web hosting control panel.
In phpMyAdmin, select your WordPress database from the list on the left.

Accessing the WordPress database via phpMyAdmin.

You’ll see a list of all the tables in your database. Check the tables you want to optimise (or select all).
From the drop-down menu, select Optimize table. This will defragment the selected tables and can improve performance.

Defragmenting (optimising) the WordPress database table via phpMyAdmin.

Navigate to the SQL tab.

Opening the SQL window in phpMyAdmin to run SQL queries.

WordPress saves every change you make in the posts as revisions. This can lead to a bloated database. To delete these post revisions, run this command:

DELETE FROM wp_posts WHERE post_type = "revision";

Make sure to change the wp_ table prefix to the prefix you or your hosting provider set up during installation.

To delete spam comments, run the following SQL command:

DELETE FROM wp_comments WHERE comment_approved = 'spam';

In WordPress, ‘trash’ is a post status used for content that has been moved to the trash but not yet permanently deleted. To empty the trash and permanently delete what’s in it, run this query:

DELETE FROM wp_posts WHERE post_status = 'trash';

Transients are used to speed up WordPress by caching data that is expensive to compute or retrieve. They are typically temporary and can be safely removed:

DELETE FROM wp_options WHERE option_name LIKE ('%\_transient\_%');

Unused tags can be removed with a query like:

DELETE FROM wp_terms wt INNER JOIN wp_term_taxonomy wtt ON wt.term_id = wtt.term_id WHERE wtt.taxonomy = 'post_tag' AND wtt.count = 0;

This command deletes all tags (from both wp_terms and wp_term_taxonomy tables) that are not assigned to any posts on your WordPress website.

After cleaning up, it’s a good idea to check the database for any errors. Select your database and use the Check table or Repair table options if needed.

Checking and repairing database tables via phpMyadmin.

You might have tables from old plugins that are no longer used – many will leave tables behind even when the plugin itself have been removed from the site. Review these tables and delete them if they’re not needed. Be very careful with this step, as deleting the wrong table can cause issues with your site. If you’re in doubt, you can always reach out to the plugin developers to ensure you’re deleting the right items.

For plugin-assisted optimisation

For WordPress users who prefer a more straightforward, less technical approach to database optimisation, plugin-assisted methods are a game-changer. These tools offer:

Ease of use: Plugins provide a simple interface for tasks that would otherwise require technical expertise. They’re designed to be intuitive and accessible, even for those with minimal technical background.
Automation: Many WordPress plugins can operate in the background, performing routine cleanups and optimisations without your constant oversight. This automation saves time and ensures regular maintenance is carried out.
Less technical involvement: By automating database optimisation, you free up valuable time and resources to focus on other areas of your business, like content creation, marketing, and customer engagement.

Among the most notable plugins for database optimisation include:

WP-Optimize: This popular plugin cleans your database, compresses images, and caches your site, making it a comprehensive tool for site optimisation.

WP-DBManager: Known for its database backup, repair, and optimisation features, WP-DBManager is a solid choice for those looking to maintain their database’s health.

WP-DBManger download page

Advanced Database Cleaner: If you’re looking for a plugin that goes beyond basic cleanup, this tool helps you get rid of orphaned items and old revisions with ease.

Advanced Database Cleaner download page.

If you want even more plugin options, check out our post on the best backup plugins for WordPress websites.

Setting up and using database optimisation plugins

For the sake of this tutorial, we’re going to be using the WP-Optimize plugin:

From your WordPress admin dashboard, go to Plugins > Add New Plugin.

Search for the WP-Optimize plugin and click on Install Now, then Active.

A new icon for WP-Optimize will appear in your WordPress left-hand side menu. Click on it and go through the plugin settings to configure the optimisation tasks you want to automate, like spam comment cleanup, post-revision removal, and database table optimisation.

Configuring the WP-Optimize plugin settings.

Many plugins offer the option to schedule regular cleanups. Setting this up ensures your database remains optimised without manual intervention.

Setting up automatic database cleanup using WP-Optimize.

Choosing the right plugin

When selecting a plugin, especially those designed to modify or remove data, it’s necessary to pick one that is well-reviewed and regularly updated. Check the plugin’s ratings, user reviews, and update history to ensure reliability and compatibility with your version of WordPress.

By choosing the right plugin, you can significantly reduce the effort required in database maintenance, ensuring your WordPress site remains optimised, fast, and secure with minimal hassle.

Using Shield Security Pro for malware removal

When it comes to safeguarding your WordPress site against malware, Shield Security PRO stands out as a robust solution. Its advanced malware scanning and removal tool is specifically designed to protect your website by detecting and eliminating malicious code.

Features of Shield Security PRO’s malware scanner

Comprehensive scanning: The malware scanner in Shield Security PRO thoroughly examines your files, looking for patterns that indicate malware infiltration. This proactive approach ensures that even the most cunningly hidden malware is identified.
Detailed reporting: When it detects malware, the plugin creates a detailed report alerting you to the affected files. This feature allows you to download and inspect these files closely, giving you a clear understanding of the nature and extent of the malware.
Automatic repair option: For those seeking a hands-off approach, Shield Security PRO offers an automatic repair feature. This functionality enables the plugin to edit and remove suspicious code autonomously, saving you the time and effort of manual intervention.
Customisable repair settings: You have the flexibility to set automatic repairs for core files, plugin files, theme files, or all three, depending on your preference and website structure.

While automatic repair is a convenient feature, it’s essential to use it wisely, especially if you regularly modify your WordPress files. In such cases, automatic repairs might unintentionally alter your customisations. Therefore, if you often tweak your WordPress code, manual inspection and repair might be more suitable.

Regardless of whether you choose automatic repairs or prefer to handle file fixes manually, the key advantage of Shield Security PRO’s malware scanning lies in its prompt detection. Fast identification of malicious data is crucial in preventing it from causing significant damage to your site.

Enhance your WordPress site’s performance & security with Shield Security PRO

Regular WordPress database cleanups and optimisations are necessary for maintaining a high-performing, secure website.

While manual database maintenance is certainly an option, it can be time-consuming and requires a certain level of technical expertise. This is where plugins come into play, offering a simpler, more efficient solution. By automating key aspects of the maintenance process, these tools significantly reduce the workload on website owners.

Shield Security PRO is designed to address both the performance and security needs of your WordPress site. It features advanced vulnerability and malware scanning capabilities, which play a vital role in identifying and removing unused data and potentially dangerous elements from your site.

Don’t let the health and security of your WordPress site take a backseat. With Shield Security PRO, you have a powerful tool at your disposal to keep your site running smoothly and securely.

Download Shield Security PRO today, and take the first step towards a faster, safer, and more efficient WordPress experience!

Source :
https://getshieldsecurity.com/blog/clean-wordpress-database/

SQL Injection Vulnerability Patched in Tutor LMS WordPress Plugin

István Márton
March 19, 2024

Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!

On February 15th, 2024, during our second Bug Bounty Extravaganza, we received a submission for an authenticated SQL Injection vulnerability in Tutor LMS, a WordPress plugin with more than 80,000+ active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes.

Props to Muhammad Hassham Nagori who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $625.00 for this discovery during our Bug Bounty Program Extravaganza. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in SQL Injection protection.

We contacted Themeum on February 22, 2024, and received a response on February 23, 2024. After providing full disclosure details, the developer released a patch on March 11, 2024. We would like to commend Themeum for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Tutor LMS, which is version 2.6.2, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Tutor LMS – eLearning and online course solution <= 2.6.1 – Authenticated (Subscriber+) SQL Injection
Affected Plugin: Tutor LMS – eLearning and online course solution
Plugin Slug: tutor
Affected Versions: <= 2.6.1
CVE ID: CVE-2024-1751
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Muhammad Hassham Nagori
Fully Patched Version: 2.6.2
Bounty Award: $625.00

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the question_id parameter in all versions up to, and including, 2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber/student access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Technical Analysis

Tutor LMS is a WordPress plugin which includes many features, such as a course builder, quiz and assignment types, dashboard, payment and WooCommerce integration, and a lot of other add-ons.

Unfortunately, insecure implementation of the plugin’s Q&A questions query functionality allows for SQL injection. Examining the code reveals that the plugin uses the get_qa_questions() function in the Utils class to query Q&A questions, where the id can be specified with the ‘question_id’ parameter.

This function is called in several view files. In some cases, the ‘question_id’ GET input value is sanitized in the view file:

1	`$question_id= Input::get(` `'question_id', 0, Input::TYPE_INT );`

However, there are also cases where it is not sanitized:

1	`$question_id= Input::get(` `'question_id');`

The get_qa_questions() function contains the following code:

4451	`$question_clause=` `$question_id?` `' AND _question.comment_ID='.` `$question_id:` `'';`

Here we can see that no sanitization function is being used on the question id in the get_qa_questions() function although this id is always meant to be an integer.

45554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577 $query= $wpdb->prepare( "SELECT {$columns_select} FROM {$wpdb->comments} _question INNER JOIN {$wpdb->posts} _course ON _question.comment_post_ID = _course.ID INNER JOIN {$wpdb->users} _user ON _question.user_id = _user.ID LEFT JOIN {$wpdb->commentmeta} _meta ON _question.comment_ID = _meta.comment_id LEFT JOIN {$wpdb->commentmeta} _meta_archive ON _question.comment_ID = _meta_archive.comment_id WHERE _question.comment_type = 'tutor_q_and_a' AND _question.comment_parent = 0 AND _question.comment_content LIKE %s {$in_course_id_query} {$question_clause} {$meta_clause} {$qna_types_caluse} {$filter_clause} {$order_condition} {$limit_offset}", $search_term);

Typically, the prepare() function would parameterize and escape the SQL query for safe execution in WordPress, thereby providing protection against SQL injection attacks. But, in this instance, the $question_clause value is not used as a parameter, it is just appended to the query as a string. This means that prepare() will not actually escape the data being passed to the SQL query, thus making it possible to break out of the current SQL query and inject new queries to extract data.

Union-Based SQL injection is not possible due to the structure of the query, which means an attacker would need to use a Time-Based blind approach to extract information from the database. This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database. This is an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities.

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

The Wordfence firewall rule detects the malicious SQL query and blocks the request.

Disclosure Timeline

February 15, 2024 – We receive the submission of the SQL Injection vulnerability in Tutor LMS via the Wordfence Bug Bounty Program.
February 22, 2024 – We validate the report and confirm the proof-of-concept exploit.
February 22, 2024 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
February 23, 2024 – The vendor confirms the inbox for handling the discussion.
February 24, 2024 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
March 11, 2024 – The fully patched version of the plugin, 2.6.2, is released.

Conclusion

In this blog post, we detailed a SQL Injection vulnerability within the Tutor LMS plugin affecting versions 2.6.1 and earlier. This vulnerability allows authenticated threat actors to inject malicious SQL queries to steal sensitive information from the database. The vulnerability has been fully addressed in version 2.6.2 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Tutor LMS.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

Did you enjoy this post? Share it!

Source :
https://www.wordfence.com/blog/2024/03/sql-injection-vulnerability-patched-in-tutor-lms-wordpress-plugin/

Sonicwall How can I setup CFS policies with LDAP and SSO to restrict Internet access on CFS?

02/20/2024

Description

This article explains about how to integrate Content Filtering Service with LDAP (With Single Sign On) by using SonicOS 7.0.1 or older.

Restricted user group on the active directory is imported to SonicWall and give restricted web access to those users in that group.

Where in the Full Access User group has full access or partial access to websites.

Resolution

Enable Content Filtering Service from Policy | Security Services | Content Filter
Navigate to Profile Objects| Content Filter and access the Profile Objects tab. Create the new Content Filter Profile and Allow/Block for each category according with your need.
Make sure to Enable HTTPS content Filtering. This option is disabled by default.

4. Create another Content Filter Profile as Restricted Access CFS Policy for Restricted User Group.Click on Add, Add a Policy for Restricted Group with most of the categories enabled (Depends on what should be Blocked)

5. Creating a Full Access CFS Policy for Full Access User Group.Add second Policy for the Full Access Group with certain category enabled or all categories enabled (Depends on what should be allowed).

Configuring LDAP on SonicWall

For more information about how to enable LDAP on Sonicwall, please reach below link.

https://www.sonicwall.com/support/knowledge-base/how-to-integrate-ldap-active-directory-user-authentication/170707170351983/

Navigate to Users | Settings page, in the Authentication method for login drop-down list, select LDAP + Local Users and click Configure.
On the Settings tab of the LDAP Configuration window, configure the following fields.

Name or IP address: IP address of the LDAP serverPort Number: 389 (Default LDAP Port)Server timeout (seconds): 10 Seconds (Default)Overall operation timeout (minutes): 5(Default)Select Give login name/location in tree
On the Login/Bind, Give login name/loction in three. Set the admin user and password to access on your LDAP server.
On the Schema tab, configure the following fields: LDAP Schema:Microsoft Active Directory.
On the Directory tab, configure the following fields.
- Primary domain:The user domain used by your LDAP implementation.
- User tree for login to server:The location of where the tree is that the user specified in the settings tab.
- Click Auto-configure. (This will populate the Trees containing users and Trees containing user groups fields by scanning through the directories in search of all trees that contain user objects.)
On the LDAP Test tab, Test LDAP connectivity to make sure that the communication is successful.

Importing Groups from LDAP to the SonicWall unit

Navigate to Users | Local Groups.
Click Import from LDAP
Click Configure for the Group that is imported from LDAP.
Go to CFS Policy tab , Select the appropriate CFS Policy from the drop down and Click OK.

Configuring Single Sign-On Method on SonicWall

For more information about how to enable SSO Agent and Enable SSO on Sonicwall, please reach below link.

https://www.sonicwall.com/support/knowledge-base/how-can-i-install-single-sign-on-sso-software-and-configure-the-sso-feature/170505740046553/

Navigate to Users | Settings.
In the Single-sign-on method , select SonicWall SSO Agent and Configure
Click Configure button. The SSO configuration page is displayed.
Under the Settings tab, Click Add button to add the IP address of the work station that has SSO agent running.
- Click on the ADD button: settings window is displayed
- In the Host Name or IP Address field, enter the name or IP Address of the workstation on which SonicWall SSO Agent is installed
- In Port Number, enter the port number of the workstation on which SonicWall SSO Agent is installed. The default port is 2258
- In the Shared Key field, enter the shared key that you created or generated in the SonicWall SSO Agent.
  The shared key must match exactly. Re-enter the shared key in the Confirm Shared Key field.
  Click Apply.
Once the SSO Agent is successfully added, under the Authentication Agent Settings a green light is shown for status.
Click Test tab. The Test Authentication Agent Settings page displays.
Select the Check agent connectivity radio button then click the Test button. This will test communication with the authentication agent. If the SonicWall security appliance can connect to the agent, you will see the message Agent is ready.
Select the Check user radio button, enter the IP address of a workstation in the Workstation IP address field, then click Test. This will test if the agent is property configured to identify the user logged into a workstation.

NOTE: Performing tests on this page applies any changes that have been made.
TIP: If you receive the messages Agent is not responding or Configuration error, check your settings and perform these tests again.
When you are finished, click OK.

Enabling CFS for the LAN Zone and applying Imported LDAP Group

CAUTION: It is not recommended to do this change on a Production Environment because this changes are instant and can affect all the computers on the LAN. So it is best to schedule a downtime before proceeding further.

Navigate to Network | Zones, click Configure Button for LAN Zone.
Check the box Enforce Content Filtering Service, select the Default CFS Policy from the drop down.

How to TEST

Log out from the windows domain computer and log in back with a user from either the full access or restricted access groups and check whether the policy is getting enforced correctly for the user.

Windows 11 KB5034765 won’t install, taskbar issues, and explorer.exe crashes

By Mayank Parmar -February 19, 2024

You’re not alone if you have issues with the Windows 11 KB5034765. February 2024 security update for Windows 11 causes File Explorer to crash when rebooting the system, and some have found it’s causing the taskbar to disappear. Additionally, many users are having problems installing the Windows 11 February 2024 update.

Microsoft sources have confirmed to Windows Latest that the company is aware of an issue that causes the taskbar to crash or disappear briefly after installing KB5034765. I’m told the company has already rolled out a fix. This means some of you should be able to see the taskbar again after reinstalling the patch (remove and install it again).

But that’s not all. The February 2024 update has other problems, too. In our tests, we observed that the Windows 11 KB5034765 update repeatedly fails to install with 0x800f0922, 0x800f0982, and 0x80070002.

Multiple users told me that when they tried to install the security patch, everything seemed fine at first. The update downloads and asks for a restart. But during the installation, Windows Update stopped and confirmed there was a problem. It tries a few more times and then goes back to the desktop without updating.

KB5034765 is not installing, but there’s a fix

Windows 11 KB5034765 won't install — Windows 11 January 2024 Update fails with 0x80070002 | Image Courtesy: WindowsLatest.com

Our device also attempted the “rollback” after successfully downloading the February 2024 cumulative update, but the process was stuck on the following screen for ten minutes:

Something didn’t go as planned. No need to worry—undoing changes. Please keep your computer on.

I tried tried a few things to fix it. For example, I removed programs that didn’t come with Windows, cleared the Windows Update cache and used the Windows Update troubleshooter. None of these solutions have worked.

However, there’s some good news. It looks like we can successfully install KB5034765 by deleting a hidden folder named $WinREAgent. There are multiple ways to locate and delete this folder from Windows 11 installation, and you choose your preferred one:

Method 1: Run Disk Cleanup as an administrator, select the system drive, and check the boxes for “Temporary files” and other relevant options. Finally, click “OK” to remove the system files, including Windows Update files. This will delete unnecessary files within $WinREAgent.
Method 2: Open File Explorer and open the system drive, but make sure you’ve turned on view hidden items from folder settings. Locate $WinREAgent and remove it from the system.
Method 3: Open Command Prompt as Administrator, and run the following command: rmdir /S /Q C:\$WinREAgent

Windows 11 0x800f0922 0x800f0982 and 0x80070002

Windows Update causes File Explorer to crash on reboot

Some PC owners are also running into another problem that causes the File Explorer to crash when rebooting or shutting down the system.

This issue was previously observed in Windows 11’s January 2024 optional update, and it seems to have slipped into the mandatory security patch.

The error message indicates an application error with explorer.exe, mentioning a specific memory address and stating, “The memory could not be written”.

“The instruction at 0x00007FFB20563ACa referenced memory at 0x0000000000000024. The memory could not be written. Click on OK to terminate the program,” the error message titled “explorer.exe – Application Error” reads.

KB5034765 crashes explorer — explorer.exe crashes with a referenced memory error when rebooting

This issue seems to persist regardless of various troubleshooting efforts. Users have tried numerous fixes, including running the System File Checker tool (sfc /scannow), testing their RAM with Windows’ built-in tool and memtest86+, and even performing a clean installation of the latest Windows 11 version.

Despite these efforts, the error remains.

Interestingly, a common factor among affected users is the presence of a controller accessory, such as an Xbox 360 controller for Windows, connected to the PC. This connection has been observed, but it’s unclear if it directly contributes to the problem.

Microsoft’s release notes for the KB5034765 update mentioned a fix for an issue where explorer.exe could stop responding when a PC with a controller accessory attached is restarted or shut down.

However, despite this so-called official fix, users report that the problem still occurs, and it’s not possible to manually fix it.

Windows 11 taskbar crashes or disappears after the patch

As mentioned at the outset, the Windows 11 KB5034765 update causes the taskbar to disappear or crash when you reboot or turn on the device.

KB5034765 taskbar disappears — Taskbar is missing/disappeared in Windows 11 virtual machine after new update | Image Courtesy: WindowsLatest.com

According to my sources, Microsoft has already patched the issue via server-side update, but if your taskbar or quick settings like Wi-Fi still disappear, try the following steps:

Open Settings, go to the Windows Update section and click Update History. On the Windows Update history page, click Uninstall updates, locate KB5034765 and click Uninstall.
Confirm your decision, click Uninstall again, and reboot the system.
Go to Settings > Windows Update and check for updates to reinstall the security patch.

The above steps are unnecessary, as the server-side update will automatically apply to your device.

About The Author

Mayank Parmar

Mayank Parmar is Windows Latest’s owner, Editor-in-Chief and entrepreneur. Mayank has been in tech journalism for over seven years and has written on various topics, but he is mostly known for his well-researched work on Microsoft’s Windows. His articles and research works have been referred to by CNN, Business Insiders, Forbes, Fortune, CBS Interactive, Microsoft and many others over the years.

Source :
https://www.windowslatest.com/2024/02/19/windows-11-kb5034765-wont-install-and-causes-other-issues-but-theres-a-fix/

How to Set Up Google Postmaster Tools

Updated: Jan 31, 2024, 13:03 PM
By Claire Broadley Content Manager
REVIEWED By Jared Atchison Co-owner

Do you want to set up Postmaster Tools… but you’re not sure where to start?

Postmaster Tools lets you to monitor your spam complaints and domain reputation. That’s super important now that Gmail is blocking emails more aggressively.

Thankfully, Postmaster Tools is free and easy to configure. If you’ve already used a Google service like Analytics, it’ll take just a couple of minutes to set up.

In This Article

Who Needs Postmaster Tools?

You should set up Postmaster Tools if you meet any of the following criteria:

1. You Regularly Send Emails to Gmail Recipients

Postmaster Tools is a tool that Google provides to monitor emails to Gmail users.

Realistically, most of your email lists are likely to include a large number of Gmail mailboxes unless you’re sending to a very specific group of people, like an internal company mailing list. (According to Techjury, Gmail had a 75.8% share of the email market in 2023.)

Keep in mind that Gmail recipients aren’t always using Gmail email addresses. The people who use custom domains or Google Workspace are ‘hidden’, so it’s not always clear who’s using Gmail and who isn’t. To be on the safe side, it’s best to use it (it’s free).

2. You Send Marketing Emails (or Have a Large Website)

Postmaster Tools works best for bulk email senders, which Google defines as a domain that sends more than 5,000 emails a day.

If you’re sending email newsletters on a regular basis, having Postmaster Tools is going to help.

Likewise, if you use WooCommerce or a similar platform, you likely send a high number of transactional emails: password reset emails, receipts, and so on.

If you don’t send a large number of emails right now, you can still set up Postmaster Tools so you’re prepared for the time you might.

Just note that you may see the following message:

No data to display at present. Please come back later. Postmaster Tools requires your domain to satisfy certain conditions before data is visible for this chart.

This usually means you’re not sending enough emails for Google to be able to calculate meaningful statistics.

It’s up to you if you want to set it up anyway, or skip it until your business grows a little more.

How to Add a Domain to Postmaster Tools

Adding a domain to Postmaster Tools is simple and should take less than 10 minutes.

To get started, head to the Postmaster Tools site and log in. If you’re already using Google Analytics, sign in using the email address you use for your Analytics account.

The welcome popup will already be open. Click on Get Started to begin.

Next, enter the domain name that your emails come from.

This should be the domain you use as the sender, or the ‘from email’, when you’re sending emails from your domain. It will normally be your main website.

If your domain name is already verified for another Google service, that’s all you need to do! You’ll see confirmation that your domain is set up.

If you haven’t used this domain with Google services before, you’ll need to verify it. Google will ask you to add a TXT record to your DNS.

To complete this, head to the control panel for the company you bought your domain from. It’ll likely be your domain name registrar or your web host. If you’re using a service like Cloudflare, you’ll want to open up your DNS records there instead.

Locate the part of the control panel that handles your DNS (which might be called a DNS Zone) and add a new TXT record. Copy the record provided into the fields.

Note: Most providers will ask you to enter a Name, which isn’t shown in Google’s instructions. If your provider doesn’t fill this out by default, you can safely enter @ in the Name field.

Verify domain by adding TXT record for Google Postmaster Tools

Now save your record and wait a few minutes. Changes in Cloudflare can be near-instant, but other registrars or hosts may take longer.

After waiting for your change to take effect, switch back to Postmaster Tools and hit Verify to continue.

And that’s it! Now your domain has been added to Postmaster Tools.

How to Read the Charts in Google Postmaster Tools

Google is now tracking various aspects of your email deliverability. It’ll display the data in a series of charts in your account.

Here’s a quick overview of what you can see.

As I mentioned, keep in mind that the data here is only counted from Gmail accounts. It’s not a domain-wide measurement of everything you send.

Spam Rate

Your spam rate is the number of emails sent vs the number of spam complaints received each day. You should aim to keep this below 0.1%.

You can do that by making it easy for people to unsubscribe from marketing emails and using double optins rather than single optins.

Example of a Postmaster Tools report for Gmail recipients

It’s normal for spam complaint rates to spike occasionally because Google measures each day in isolation.

If you’re seeing a spam rate that is consistently above 0.3%, it’s worth looking into why that’s happening. You might be sending emails to people who don’t want to receive them.

IP Reputation

IP reputation is the trustworthiness of the IP address your emails come from. Google may mark emails as spam if your IP reputation is poor.

Keep in mind that IP reputation is tied to your email marketing provider. It’s a measure of their IP as well as yours.

If you see a downward trend, check in with the platform you’re using to ask if they’re seeing the same thing.

Domain Reputation

Domain reputation is the trustworthiness of the domain name you’ve verified in Postmaster Tools. This can be factored into Google’s spam scoring, along with other measurements.

The ideal scenario is a consistent rating of High, as shown in our screenshot above.

Wait: What is IP Reputation vs Domain Reputation?

You’ll now see that Google has separate options for IP reputation and domain reputation. Here’s the difference:

IP reputation measures the reputation of the server that actually sends your emails out. This might be a service like Constant Contact, ConvertKit, or Drip. Other people who use the service will share the same IP, so you’re a little more vulnerable to the impact of other users’ actions.
Domain reputation is a measure of the emails that are sent from your domain name as a whole.

Feedback Loop

High-volume or bulk senders can activate this feature to track spam complaints in more detail. You’ll need a special email header called Feedback-ID if you want to use this. Most likely, you won’t need to look at this report.

Authentication

This chart shows you how many emails cleared security checks.

In more technical terms, it shows how many emails attempted to authenticate using DMARC, SPF, and DKIM vs. how many actually did.

Encryption

This chart looks very similar to the domain reputation chart we already showed. It should sit at 100%.

If you’re seeing a lower percentage, you may be using outdated connection details for your email provider.

Check the websites or platforms that are sending emails from your domain and update them from an SSL connection to a TLS connection.

Delivery Errors

Last but not least, the final chart is the most useful. The Delivery Errors report will show you whether emails were rejected or temporarily delayed. A temporary delay is labeled as a TempFail in this report.

This chart is going to tell you whether Gmail is blocking your emails, and if so, why.

If you see any jumps, click on the point in the chart and the reason for the failures will be displayed below it.

Small jumps here and there are not a huge cause for concern. However, very large error rates are a definite red flag. You may have received a 550 error or a 421 error that gives you more clues as to why they’re happening.

Here are the 3 most important error messages related to blocked emails in Gmail:

421-4.7.0 unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been temporarily rate limited.

550-5.7.1 Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been blocked.

550-5.7.26 This mail is unauthenticated, which poses a security risk to the sender and Gmail users, and has been blocked. The sender must authenticate with at least one of SPF or DKIM. For this message, DKIM checks did not pass and SPF check for example.com did not pass with ip: 192.186.0.1.

If you’re seeing these errors, check that your domain name has the correct DNS records for authenticating email. It’s also a good idea to examine your emails to ensure you have the right unsubscribe links in them.

Note: WP Mail SMTP preserves the list-unsubscribe headers that your email provider adds. That means that your emails will have a one-click unsubscribe option at the top.

If you’re using a different SMTP plugin, make sure it’s preserving that crucial list-unsubscribe header. If it’s not there, If not, you may want to consider switching to WP Mail SMTP for the best possible protection against spam complaints and failed emails.

Fix Your WordPress Emails Now

Next, Authenticate Emails from WordPress

Are your emails from WordPress disappearing or landing in the spam folder? You’re definitely not alone. Learn how to authenticate WordPress emails and ensure they always land in your inbox.

Ready to fix your emails? Get started today with the best WordPress SMTP plugin. If you don’t have the time to fix your emails, you can get full White Glove Setup assistance as an extra purchase, and there’s a 14-day money-back guarantee for all paid plans.

If this article helped you out, please follow us on Facebook and Twitter for more WordPress tips and tutorials.

Source :
https://wpmailsmtp.com/how-to-set-up-google-postmaster-tools/

Local File Inclusion Vulnerability Patched in Shield Security WordPress Plugin

István Márton
February 5, 2024

On December 18, 2023, right before the end of Holiday Bug Extravaganza, we received a submission for a Local File Inclusion vulnerability in Shield Security, a WordPress plugin with more than 50,000+ active installations. It’s important to note that this vulnerability is limited to just the inclusion of PHP files, however, it could be leveraged by an attacker who has the ability to upload PHP files but can not directly access those files to execute.

Props to hir0ot who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $938.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Directory Traversal and Local File Inclusion protection.

We contacted the Shield Security Team on December 21, 2023, and received a response on December 23, 2023. After providing full disclosure details, the developer released a patch on December 23, 2023. We would like to commend the Shield Security Team for their prompt response and timely patch, which was released on the same day.

We urge users to update their sites with the latest patched version of Shield Security, which is version 18.5.10, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Shield Security – Smart Bot Blocking & Intrusion Prevention Security <= 18.5.9 – Unauthenticated Local File Inclusion
Affected Plugin: Shield Security – Smart Bot Blocking & Intrusion Prevention Security
Plugin Slug: wp-simple-firewall
Affected Versions: <= 18.5.9
CVE ID: CVE-2023-6989
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: hir0ot
Fully Patched Version: 18.5.10
Bounty Awarded: $938.00

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

Technical Analysis

Shield Security is a WordPress website security plugin that offers several features to stop attackers, protect and monitor the website, including a firewall, malware scanner and also logs activities.

The plugin includes a template management system that renders .twig, .php or .html files. Unfortunately, the insecure implementation of the plugin’s file template including and rendering functionality allows for arbitrary file inclusion in vulnerable versions. The template path is set with the setTemplate() function.

242243244245246247248 publicfunctionsetTemplate( $templatePath) { $this->template = $templatePath; if( property_exists( $this, 'sTemplate') ) { $this->sTemplate = $templatePath; } return$this;}

The renderPhp() function in the Render class uses the path_join() function to join the template file. It then checks that the template file is an existing file and includes it.

8182838485868788899091929394959697 privatefunctionrenderPhp() :string { if( \count( $this->getRenderVars() ) > 0 ) { \extract( $this->getRenderVars() ); } $template= path_join( $this->getTemplateRoot(), $this->getTemplate() ); if( Services::WpFs()->isFile( $template) ) { \ob_start(); include( $template); $contents= \ob_get_clean(); } else{ $contents= 'Error: Template file not found: '.$template; } return(string)$contents;}

Examining the code reveals that there is no file path sanitization anywhere in these functions. This makes it possible to include arbitrary PHP files from the server.

The file inclusion is limited to PHP files in the vulnerability. This means that threat actors cannot exploit one of the most popular remote code execution methods via a log file poisoning attack. Since the plugin also uses isFile() function to file checking, the other popular remote code execution method using wrappers attack is also not possible. Nevertheless, the attacker has several options to include and exploit a malicious PHP file and execute on the server. This can be achieved by chaining the attack and exploiting vulnerabilities in other plugins. However, it’s worth mentioning that the attack possibilities are limited. This would likely be leveraged in an instance where an attacker has access to upload a PHP file, but does not have direct access to the file to execute it.

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

The Wordfence firewall rule detects the malicious file path and blocks the request.

Disclosure Timeline

December 18, 2023 – We receive the submission of the Local File Inclusion vulnerability in Shield Security via the Wordfence Bug Bounty Program.
December 20, 2023 – We validate the report and confirm the proof-of-concept exploit.
December 21, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
December 23, 2023 – The vendor confirms the inbox for handling the discussion.
December 23, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
December 23, 2023 – The fully patched version of the plugin, 18.5.10, is released.

Conclusion

In this blog post, we detailed a Local File Inclusion vulnerability within the Shield Security plugin affecting versions 18.5.9 and earlier. This vulnerability allows unauthenticated threat actors to include and execute PHP files on the server, allowing the execution of any PHP code in those files, which can be used for complete site compromise. The vulnerability has been fully addressed in version 18.5.10 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Shield Security.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

Did you enjoy this post? Share it!

Source :
https://www.wordfence.com/blog/2024/02/local-file-inclusion-vulnerability-patched-in-shield-security-wordpress-plugin/

Reflecting on the GDPR to celebrate Privacy Day 2024

26/01/2024
Emily Hancock

10 min read

This post is also available in Deutsch, Français, 日本語 and Nederlands.

Reflecting on the GDPR to celebrate Privacy Day 2024

Just in time for Data Privacy Day 2024 on January 28, the EU Commission is calling for evidence to understand how the EU’s General Data Protection Regulation (GDPR) has been functioning now that we’re nearing the 6th anniversary of the regulation coming into force.

We’re so glad they asked, because we have some thoughts. And what better way to celebrate privacy day than by discussing whether the application of the GDPR has actually done anything to improve people’s privacy?

The answer is, mostly yes, but in a couple of significant ways – no.

Overall, the GDPR is rightly seen as the global gold standard for privacy protection. It has served as a model for what data protection practices should look like globally, it enshrines data subject rights that have been copied across jurisdictions, and when it took effect, it created a standard for the kinds of privacy protections people worldwide should be able to expect and demand from the entities that handle their personal data. On balance, the GDPR has definitely moved the needle in the right direction for giving people more control over their personal data and in protecting their privacy.

In a couple of key areas, however, we believe the way the GDPR has been applied to data flowing across the Internet has done nothing for privacy and in fact may even jeopardize the protection of personal data. The first area where we see this is with respect to cross-border data transfers. Location has become a proxy for privacy in the minds of many EU data protection regulators, and we think that is the wrong result. The second area is an overly broad interpretation of what constitutes “personal data” by some regulators with respect to Internet Protocol or “IP” addresses. We contend that IP addresses should not always count as personal data, especially when the entities handling IP addresses have no ability on their own to tie those IP addresses to individuals. This is important because the ability to implement a number of industry-leading cybersecurity measures relies on the ability to do threat intelligence on Internet traffic metadata, including IP addresses.

Location should not be a proxy for privacy

Fundamentally, good data security and privacy practices should be able to protect personal data regardless of where that processing or storage occurs. Nevertheless, the GDPR is based on the idea that legal protections should attach to personal data based on the location of the data – where it is generated, processed, or stored. Articles 44 to 49 establish the conditions that must be in place in order for data to be transferred to a jurisdiction outside the EU, with the idea that even if the data is in a different location, the privacy protections established by the GDPR should follow the data. No doubt this approach was influenced by political developments around government surveillance practices, such as the revelations in 2013 of secret documents describing the relationship between the US NSA (and its Five Eyes partners) and large Internet companies, and that intelligence agencies were scooping up data from choke points on the Internet. And once the GDPR took effect, many data regulators in the EU were of the view that as a result of the GDPR’s restrictions on cross-border data transfers, European personal data simply could not be processed in the United States in a way that would be consistent with the GDPR.

This issue came to a head in July 2020, when the European Court of Justice (CJEU), in its “Schrems II” decision¹, invalidated the EU-US Privacy Shield adequacy standard and questioned the suitability of the EU standard contractual clauses (a mechanism entities can use to ensure that GDPR protections are applied to EU personal data even if it is processed outside the EU). The ruling in some respects left data protection regulators with little room to maneuver on questions of transatlantic data flows. But while some regulators were able to view the Schrems II ruling in a way that would still allow for EU personal data to be processed in the United States, other data protection regulators saw the decision as an opportunity to double down on their view that EU personal data cannot be processed in the US consistent with the GDPR, therefore promoting the misconception that data localization should be a proxy for data protection.

In fact, we would argue that the opposite is the case. From our own experience and according to recent research², we know that data localization threatens an organization’s ability to achieve integrated management of cybersecurity risk and limits an entity’s ability to employ state-of-the-art cybersecurity measures that rely on cross-border data transfers to make them as effective as possible. For example, Cloudflare’s Bot Management product only increases in accuracy with continued use on the global network: it detects and blocks traffic coming from likely bots before feeding back learnings to the models backing the product. A diversity of signal and scale of data on a global platform is critical to help us continue to evolve our bot detection tools. If the Internet were fragmented – preventing data from one jurisdiction being used in another – more and more signals would be missed. We wouldn’t be able to apply learnings from bot trends in Asia to bot mitigation efforts in Europe, for example. And if the ability to identify bot traffic is hampered, so is the ability to block those harmful bots from services that process personal data.

The need for industry-leading cybersecurity measures is self-evident, and it is not as if data protection authorities don’t realize this. If you look at any enforcement action brought against an entity that suffered a data breach, you see data protection regulators insisting that the impacted entities implement ever more robust cybersecurity measures in line with the obligation GDPR Article 32 places on data controllers and processors to “develop appropriate technical and organizational measures to ensure a level of security appropriate to the risk”, “taking into account the state of the art”. In addition, data localization undermines information sharing within industry and with government agencies for cybersecurity purposes, which is generally recognized as vital to effective cybersecurity.

In this way, while the GDPR itself lays out a solid framework for securing personal data to ensure its privacy, the application of the GDPR’s cross-border data transfer provisions has twisted and contorted the purpose of the GDPR. It’s a classic example of not being able to see the forest for the trees. If the GDPR is applied in such a way as to elevate the priority of data localization over the priority of keeping data private and secure, then the protection of ordinary people’s data suffers.

Applying data transfer rules to IP addresses could lead to balkanization of the Internet

The other key way in which the application of the GDPR has been detrimental to the actual privacy of personal data is related to the way the term “personal data” has been defined in the Internet context – specifically with respect to Internet Protocol or “IP” addresses. A world where IP addresses are always treated as personal data and therefore subject to the GDPR’s data transfer rules is a world that could come perilously close to requiring a walled-off European Internet. And as noted above, this could have serious consequences for data privacy, not to mention that it likely would cut the EU off from any number of global marketplaces, information exchanges, and social media platforms.

This is a bit of a complicated argument, so let’s break it down. As most of us know, IP addresses are the addressing system for the Internet. When you send a request to a website, send an email, or communicate online in any way, IP addresses connect your request to the destination you’re trying to access. These IP addresses are the key to making sure Internet traffic gets delivered to where it needs to go. As the Internet is a global network, this means it’s entirely possible that Internet traffic – which necessarily contains IP addresses – will cross national borders. Indeed, the destination you are trying to access may well be located in a different jurisdiction altogether. That’s just the way the global Internet works. So far, so good.

But if IP addresses are considered personal data, then they are subject to data transfer restrictions under the GDPR. And with the way those provisions have been applied in recent years, some data regulators were getting perilously close to saying that IP addresses cannot transit jurisdictional boundaries if it meant the data might go to the US. The EU’s recent approval of the EU-US Data Privacy Framework established adequacy for US entities that certify to the framework, so these cross-border data transfers are not currently an issue. But if the Data Privacy Framework were to be invalidated as the EU-US Privacy Shield was in the Schrems II decision, then we could find ourselves in a place where the GDPR is applied to mean that IP addresses ostensibly linked to EU residents can’t be processed in the US, or potentially not even leave the EU.

If this were the case, then providers would have to start developing Europe-only networks to ensure IP addresses never cross jurisdictional boundaries. But how would people in the EU and US communicate if EU IP addresses can’t go to the US? Would EU citizens be restricted from accessing content stored in the US? It’s an application of the GDPR that would lead to the absurd result – one surely not intended by its drafters. And yet, in light of the Schrems II case and the way the GDPR has been applied, here we are.

A possible solution would be to consider that IP addresses are not always “personal data” subject to the GDPR. In 2016 – even before the GDPR took effect – the Court of Justice of the European Union (CJEU) established the view in Breyer v. Bundesrepublik Deutschland that even dynamic IP addresses, which change with every new connection to the Internet, constituted personal data if an entity processing the IP address could link the IP addresses to an individual. While the court’s decision did not say that dynamic IP addresses are always personal data under European data protection law, that’s exactly what EU data regulators took from the decision, without considering whether an entity actually has a way to tie the IP address to a real person³.

The question of when an identifier qualifies as “personal data” is again before the CJEU: In April 2023, the lower EU General Court ruled in SRB v EDPS⁴ that transmitted data can be considered anonymised and therefore not personal data if the data recipient does not have any additional information reasonably likely to allow it to re-identify the data subjects and has no legal means available to access such information. The appellant – the European Data Protection Supervisor (EDPS) – disagrees. The EDPS, who mainly oversees the privacy compliance of EU institutions and bodies, is appealing the decision and arguing that a unique identifier should qualify as personal data if that identifier could ever be linked to an individual, regardless of whether the entity holding the identifier actually had the means to make such a link.

If the lower court’s common-sense ruling holds, one could argue that IP addresses are not personal data when those IP addresses are processed by entities like Cloudflare, which have no means of connecting an IP address to an individual. If IP addresses are then not always personal data, then IP addresses will not always be subject to the GDPR’s rules on cross-border data transfers.

Although it may seem counterintuitive, having a standard whereby an IP address is not necessarily “personal data” would actually be a positive development for privacy. If IP addresses can flow freely across the Internet, then entities in the EU can use non-EU cybersecurity providers to help them secure their personal data. Advanced Machine Learning/predictive AI techniques that look at IP addresses to protect against DDoS attacks, prevent bots, or otherwise guard against personal data breaches will be able to draw on attack patterns and threat intelligence from around the world to the benefit of EU entities and residents. But none of these benefits can be realized in a world where IP addresses are always personal data under the GDPR and where the GDPR’s data transfer rules are interpreted to mean IP addresses linked to EU residents can never flow to the United States.

Keeping privacy in focus

On this Data Privacy Day, we urge EU policy makers to look closely at how the GDPR is working in practice, and to take note of the instances where the GDPR is applied in ways that place privacy protections above all other considerations – even appropriate security measures mandated by the GDPR’s Article 32 that take into account the state of the art of technology. When this happens, it can actually be detrimental to privacy. If taken to the extreme, this formulaic approach would not only negatively impact cybersecurity and data protection, but even put into question the functioning of the global Internet infrastructure as a whole, which depends on cross-border data flows. So what can be done to avert this?

First, we believe EU policymakers could adopt guidelines (if not legal clarification) for regulators that IP addresses should not be considered personal data when they cannot be linked by an entity to a real person. Second, policymakers should clarify that the GDPR’s application should be considered with the cybersecurity benefits of data processing in mind. Building on the GDPR’s existing recital 49, which rightly recognizes cybersecurity as a legitimate interest for processing, personal data that needs to be processed outside the EU for cybersecurity purposes should be exempted from GDPR restrictions to international data transfers. This would avoid some of the worst effects of the mindset that currently views data localization as a proxy for data privacy. Such a shift would be a truly pro-privacy application of the GDPR.

¹ Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems.
² Swire, Peter and Kennedy-Mayo, DeBrae and Bagley, Andrew and Modak, Avani and Krasser, Sven and Bausewein, Christoph, Risks to Cybersecurity from Data Localization, Organized by Techniques, Tactics, and Procedures (2023).
³ Different decisions by the European data protection authorities, namely the Austrian DSB (December 2021), the French CNIL (February 2022) and the Italian Garante (June 2022), while analyzing the use of Google Analytics, have rejected the relative approach used by the Breyer case and considered that an IP address should always be considered as personal data. Only the decision issued by the Spanish AEPD (December 2022) followed the same interpretation of the Breyer case. In addition, see paragraphs 109 and 136 in Guidelines by Supervisory Authorities for Tele-Media Providers, DSK (2021).
⁴ Single Resolution Board v EDPS, Court of Justice of the European Union, April 2023.

We protect entire corporate networks, help customers build Internet-scale applications efficiently, accelerate any website or Internet application, ward off DDoS attacks, keep hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you’re looking for a new career direction, check out our open positions.

Source :
https://blog.cloudflare.com/reflecting-on-the-gdpr-to-celebrate-privacy-day-2024/

Thanksgiving 2023 security incident

01/02/2024
Matthew Prince John Graham-Cumming Grant Bourzikas

11 min read

On Thanksgiving Day, November 23, 2023, Cloudflare detected a threat actor on our self-hosted Atlassian server. Our security team immediately began an investigation, cut off the threat actor’s access, and on Sunday, November 26, we brought in CrowdStrike’s Forensic team to perform their own independent analysis.

Yesterday, CrowdStrike completed its investigation, and we are publishing this blog post to talk about the details of this security incident.

We want to emphasize to our customers that no Cloudflare customer data or systems were impacted by this event. Because of our access controls, firewall rules, and use of hard security keys enforced using our own Zero Trust tools, the threat actor’s ability to move laterally was limited. No services were implicated, and no changes were made to our global network systems or configuration. This is the promise of a Zero Trust architecture: it’s like bulkheads in a ship where a compromise in one system is limited from compromising the whole organization.

From November 14 to 17, a threat actor did reconnaissance and then accessed our internal wiki (which uses Atlassian Confluence) and our bug database (Atlassian Jira). On November 20 and 21, we saw additional access indicating they may have come back to test access to ensure they had connectivity.

They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.

They did this by using one access token and three service account credentials that had been taken, and that we failed to rotate, after the Okta compromise of October 2023. All threat actor access and connections were terminated on November 24 and CrowdStrike has confirmed that the last evidence of threat activity was on November 24 at 10:44.

(Throughout this blog post all dates and times are UTC.)

Even though we understand the operational impact of the incident to be extremely limited, we took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code. Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network.

“Code Red” Remediation and Hardening Effort

On November 24, after the threat actor was removed from our environment, our security team pulled in all the people they needed across the company to investigate the intrusion and ensure that the threat actor had been completely denied access to our systems, and to ensure we understood the full extent of what they accessed or tried to access.

Then, from November 27, we redirected the efforts of a large part of the Cloudflare technical staff (inside and outside the security team) to work on a single project dubbed “Code Red”. The focus was strengthening, validating, and remediating any control in our environment to ensure we are secure against future intrusion and to validate that the threat actor could not gain access to our environment. Additionally, we continued to investigate every system, account and log to make sure the threat actor did not have persistent access and that we fully understood what systems they had touched and which they had attempted to access.

CrowdStrike performed an independent assessment of the scope and extent of the threat actor’s activity, including a search for any evidence that they still persisted in our systems. CrowdStrike’s investigation provided helpful corroboration and support for our investigation, but did not bring to light any activities that we had missed. This blog post outlines in detail everything we and CrowdStrike uncovered about the activity of the threat actor.

The only production systems the threat actor could access using the stolen credentials was our Atlassian environment. Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network; no doubt with an eye on gaining a deeper foothold. Because of that, we decided a huge effort was needed to further harden our security protocols to prevent the threat actor from being able to get that foothold had we overlooked something from our log files.

Our aim was to prevent the attacker from using the technical information about the operations of our network as a way to get back in. Even though we believed, and later confirmed, the attacker had limited access, we undertook a comprehensive effort to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, performed forensic triages on 4,893 systems, reimaged and rebooted every machine in our global network including all the systems the threat actor accessed and all Atlassian products (Jira, Confluence, and Bitbucket).

The threat actor also attempted to access a console server in our new, and not yet in production, data center in São Paulo. All attempts to gain access were unsuccessful. To ensure these systems are 100% secure, equipment in the Brazil data center was returned to the manufacturers. The manufacturers’ forensic teams examined all of our systems to ensure that no access or persistence was gained. Nothing was found, but we replaced the hardware anyway.

We also looked for software packages that hadn’t been updated, user accounts that might have been created, and unused active employee accounts; we went searching for secrets that might have been left in Jira tickets or source code, examined and deleted all HAR files uploaded to the wiki in case they contained tokens of any sort. Whenever in doubt, we assumed the worst and made changes to ensure anything the threat actor was able to access would no longer be in use and therefore no longer be valuable to them.

Every member of the team was encouraged to point out areas the threat actor might have touched, so we could examine log files and determine the extent of the threat actor’s access. By including such a large number of people across the company, we aimed to leave no stone unturned looking for evidence of access or changes that needed to be made to improve security.

The immediate “Code Red” effort ended on January 5, but work continues across the company around credential management, software hardening, vulnerability management, additional alerting, and more.

Attack timeline

The attack started in October with the compromise of Okta, but the threat actor only began targeting our systems using those credentials from the Okta compromise in mid-November.

The following timeline shows the major events:

October 18 – Okta compromise

We’ve written about this before but, in summary, we were (for the second time) the victim of a compromise of Okta’s systems which resulted in a threat actor gaining access to a set of credentials. These credentials were meant to all be rotated.

Unfortunately, we failed to rotate one service token and three service accounts (out of thousands) of credentials that were leaked during the Okta compromise.

One was a Moveworks service token that granted remote access into our Atlassian system. The second credential was a service account used by the SaaS-based Smartsheet application that had administrative access to our Atlassian Jira instance, the third account was a Bitbucket service account which was used to access our source code management system, and the fourth was an AWS environment that had no access to the global network and no customer or sensitive data.

The one service token and three accounts were not rotated because mistakenly it was believed they were unused. This was incorrect and was how the threat actor first got into our systems and gained persistence to our Atlassian products. Note that this was in no way an error on the part of Atlassian, AWS, Moveworks or Smartsheet. These were merely credentials which we failed to rotate.

November 14 09:22:49 – threat actor starts probing

Our logs show that the threat actor started probing and performing reconnaissance of our systems beginning on November 14, looking for a way to use the credentials and what systems were accessible. They attempted to log into our Okta instance and were denied access. They attempted access to the Cloudflare Dashboard and were denied access.

Additionally, the threat actor accessed an AWS environment that is used to power the Cloudflare Apps marketplace. This environment was segmented with no access to global network or customer data. The service account to access this environment was revoked, and we validated the integrity of the environment.

November 15 16:28:38 – threat actor gains access to Atlassian services

The threat actor successfully accessed Atlassian Jira and Confluence on November 15 using the Moveworks service token to authenticate through our gateway, and then they used the Smartsheet service account to gain access to the Atlassian suite. The next day they began looking for information about the configuration and management of our global network, and accessed various Jira tickets.

The threat actor searched the wiki for things like remote access, secret, client-secret, openconnect, cloudflared, and token. They accessed 36 Jira tickets (out of a total of 2,059,357 tickets) and 202 wiki pages (out of a total of 194,100 pages).

The threat actor accessed Jira tickets about vulnerability management, secret rotation, MFA bypass, network access, and even our response to the Okta incident itself.

The wiki searches and pages accessed suggest the threat actor was very interested in all aspects of access to our systems: password resets, remote access, configuration, our use of Salt, but they did not target customer data or customer configurations.

November 16 14:36:37 – threat actor creates an Atlassian user account

The threat actor used the Smartsheet credential to create an Atlassian account that looked like a normal Cloudflare user. They added this user to a number of groups within Atlassian so that they’d have persistent access to the Atlassian environment should the Smartsheet service account be removed.

November 17 14:33:52 to November 20 09:26:53 – threat actor takes a break from accessing Cloudflare systems

During this period, the attacker took a break from accessing our systems (apart from apparently briefly testing that they still had access) and returned just before Thanksgiving.

November 22 14:18:22 – threat actor gains persistence

Since the Smartsheet service account had administrative access to Atlassian Jira, the threat actor was able to install the Sliver Adversary Emulation Framework, which is a widely used tool and framework that red teams and attackers use to enable “C2” (command and control), connectivity gaining persistent and stealthy access to a computer on which it is installed. Sliver was installed using the ScriptRunner for Jira plugin.

This allowed them continuous access to the Atlassian server, and they used this to attempt lateral movement. With this access the Threat Actor attempted to gain access to a non-production console server in our São Paulo, Brazil data center due to a non-enforced ACL. The access was denied, and they were not able to access any of the global network.

Over the next day, the threat actor viewed 120 code repositories (out of a total of 11,904 repositories). Of the 120, the threat actor used the Atlassian Bitbucket git archive feature on 76 repositories to download them to the Atlassian server, and even though we were not able to confirm whether or not they had been exfiltrated, we decided to treat them as having been exfiltrated.

The 76 source code repositories were almost all related to how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and our use of Terraform and Kubernetes. A small number of the repositories contained encrypted secrets which were rotated immediately even though they were strongly encrypted themselves.

We focused particularly on these 76 source code repositories to look for embedded secrets, (secrets stored in the code were rotated), vulnerabilities and ways in which an attacker could use them to mount a subsequent attack. This work was done as a priority by engineering teams across the company as part of “Code Red”.

As a SaaS company, we’ve long believed that our source code itself is not as precious as the source code of software companies that distribute software to end users. In fact, we’ve open sourced a large amount of our source code and speak openly through our blog about algorithms and techniques we use. So our focus was not on someone having access to the source code, but whether that source code contained embedded secrets (such as a key or token) and vulnerabilities.

November 23 – Discovery and threat actor access termination begins

Our security team was alerted to the threat actor’s presence at 16:00 and deactivated the Smartsheet service account 35 minutes later. 48 minutes later the user account created by the threat actor was found and deactivated. Here’s the detailed timeline for the major actions taken to block the threat actor once the first alert was raised.

15:58 – The threat actor adds the Smartsheet service account to an administrator group.
16:00 – Automated alert about the change at 15:58 to our security team.
16:12 – Cloudflare SOC starts investigating the alert.
16:35 – Smartsheet service account deactivated by Cloudflare SOC.
17:23 – The threat actor-created Atlassian user account is found and deactivated.
17:43 – Internal Cloudflare incident declared.
21:31 – Firewall rules put in place to block the threat actor’s known IP addresses.

November 24 – Sliver removed; all threat actor access terminated

10:44 – Last known threat actor activity.
11:59 – Sliver removed.

Throughout this timeline, the threat actor tried to access a myriad of other systems at Cloudflare but failed because of our access controls, firewall rules, and use of hard security keys enforced using our own Zero Trust tools.

To be clear, we saw no evidence whatsoever that the threat actor got access to our global network, data centers, SSL keys, customer databases or configuration information, Cloudflare Workers deployed by us or customers, AI models, network infrastructure, or any of our datastores like Workers KV, R2 or Quicksilver. Their access was limited to the Atlassian suite and the server on which our Atlassian runs.

A large part of our “Code Red” effort was understanding what the threat actor got access to and what they tried to access. By looking at logging across systems we were able to track attempted access to our internal metrics, network configuration, build system, alerting systems, and release management system. Based on our review, none of their attempts to access these systems were successful. Independently, CrowdStrike performed an assessment of the scope and extent of the threat actor’s activity, which did not bring to light activities that we had missed and concluded that the last evidence of threat activity was on November 24 at 10:44.

We are confident that between our investigation and CrowdStrike’s, we fully understand the threat actor’s actions and that they were limited to the systems on which we saw their activity.

Conclusion

This was a security incident involving a sophisticated actor, likely a nation-state, who operated in a thoughtful and methodical manner. The efforts we have taken ensure that the ongoing impact of the incident was limited and that we are well-prepared to fend off any sophisticated attacks in the future. This required the efforts of a significant number of Cloudflare’s engineering staff, and, for over a month, this was the highest priority at Cloudflare. The entire Cloudflare team worked to ensure that our systems were secure, the threat actor’s access was understood, to remediate immediate priorities (such as mass credential rotation), and to build a plan of long-running work to improve our overall security based on areas for improvement discovered during this process.

We are incredibly grateful to everyone at Cloudflare who responded quickly over the Thanksgiving holiday to conduct an initial analysis and lock out the threat actor, and all those who contributed to this effort. It would be impossible to name everyone involved, but their long hours and dedicated work made it possible to undertake an essential review and change of Cloudflare’s security while keeping our global network running and our customers’ service running.

We are grateful to CrowdStrike for having been available immediately to conduct an independent assessment. Now that their final report is complete, we are confident in our internal analysis and remediation of the intrusion and are making this blog post available.

IOCs
Below are the Indications of Compromise (IOCs) that we saw from this threat actor. We are publishing them so that other organizations, and especially those that may have been impacted by the Okta breach, can search their logs to confirm the same threat actor did not access their systems.

Indicator	Indicator Type	SHA256	Description
193.142.58[.]126	IPv4	N/A	Primary threat actor Infrastructure, owned by M247 Europe SRL (Bucharest, Romania)
198.244.174[.]214	IPv4	N/A	Sliver C2 server, owned by OVH SAS (London, England)
idowall[.]com	Domain	N/A	Infrastructure serving Sliver payload
jvm-agent	Filename	bdd1a085d651082ad567b03e5186d1d4 6d822bb7794157ab8cce95d850a3caaf	Sliver payload

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you’re looking for a new career direction, check out our open positions.

Source :
https://blog.cloudflare.com/thanksgiving-2023-security-incident

Understanding full-site IP whitelisting and its importance in WordPress security

Benefits and drawbacks of full-site whitelisting in WordPress

Step-by-Step guide to implementing full-site lockdown in WordPress

Understanding the Site Lockdown Feature

Whitelisting IP addresses in the Shield Security PRO plugin

Maintaining your whitelist: Regular reviews and updates

Secure your WordPress site with Site Lockdown today

Understanding the TimThumb vulnerability in WordPress

Lack of dynamic image resizing in WordPress

Prevalence in paid themes

Delayed awareness and remediation

Improved automatic updates

Why did this happen in the first place?

Detecting the hack: Tools and techniques

Using Shield Security PRO for early detection and prevention

Steps to recover your WordPress site post-hack

Assessing the damage

Cleaning up the infection

Recovering from backups

Communicating the incident

🔎 An example email for communicating a breach:

Assessing and learning

Securing your WordPress website against TimThumb and other vulnerability attacks

Understanding WordPress database health: Why it matters

Optimising database tables

Backing up your site before initiating cleanup

How often should you back up?

Manual cleanup vs. plugin-assisted optimisation

Manual cleanup

For plugin-assisted optimisation

Setting up and using database optimisation plugins

Choosing the right plugin

Using Shield Security Pro for malware removal

Features of Shield Security PRO’s malware scanner

Enhance your WordPress site’s performance & security with Shield Security PRO

Vulnerability Summary from Wordfence Intelligence

Technical Analysis

Wordfence Firewall

Disclosure Timeline

Conclusion

Description

Resolution

Related Articles

Categories

KB5034765 is not installing, but there’s a fix

Windows Update causes File Explorer to crash on reboot

Windows 11 taskbar crashes or disappears after the patch

Who Needs Postmaster Tools?

1. You Regularly Send Emails to Gmail Recipients

2. You Send Marketing Emails (or Have a Large Website)

How to Add a Domain to Postmaster Tools

How to Read the Charts in Google Postmaster Tools

Spam Rate

IP Reputation

Domain Reputation

Wait: What is IP Reputation vs Domain Reputation?

Feedback Loop

Authentication

Encryption

Delivery Errors

Next, Authenticate Emails from WordPress

Vulnerability Summary from Wordfence Intelligence

Technical Analysis

Wordfence Firewall

Disclosure Timeline

Conclusion

Location should not be a proxy for privacy

Applying data transfer rules to IP addresses could lead to balkanization of the Internet

Keeping privacy in focus

“Code Red” Remediation and Hardening Effort

Attack timeline

October 18 – Okta compromise

November 14 09:22:49 – threat actor starts probing

November 15 16:28:38 – threat actor gains access to Atlassian services

November 16 14:36:37 – threat actor creates an Atlassian user account

November 17 14:33:52 to November 20 09:26:53 – threat actor takes a break from accessing Cloudflare systems

November 22 14:18:22 – threat actor gains persistence

November 23 – Discovery and threat actor access termination begins

November 24 – Sliver removed; all threat actor access terminated

Conclusion