Version Description
- Updated GeoIP database for country blocking security.
- Fixed bug in Wordfence Security where we called reverseLookup in wfUtils statically and it's a non-static method. Thanks Juliette.
- Removed characters that are invalid in an IP address or domain from the Whois facility to improve security.
- Prevent users from creating 1 character passwords to improve security.
- Fixed issue that caused an invalid variable to be used in an error message and improved Wordfence Security temporary file implementation for get_ser/ser_ser functions. Thanks R.P.
- Fixed issue that caused IP to output as integer in status msg. Not security related but display issue.
- Declared Wordfence Security reverseLookup function as static to remove warning.
- Fixed `returnArr` syntax error in Wordfence Security class.
Release Info
Developer | mmaunder |
Plugin | Wordfence Security – Firewall & Malware Scan |
Version | 3.8.2 |
Code changes from version 3.8.1 to 3.8.2
- lib/GeoIP.dat +0 -0
- lib/wfConfig.php +8 -4
- lib/wfLog.php +2 -2
- lib/wfUtils.php +1 -1
- lib/whois/whois.gtld.php +1 -1
- lib/wordfenceClass.php +3 -2
- readme.txt +157 -147
lib/GeoIP.dat
CHANGED
Binary file
|
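--- a/lib/wfConfig.php
+++ b/lib/wfConfig.php
@@ -447,7 +447,8 @@ class wfConfig {
 $tempFilename = 'wordfence_tmpfile_' . $key . '.php';
 if((strlen($serialized) * 1.1) > self::getDB()->getMaxAllowedPacketBytes()){ //If it's greater than max_allowed_packet + 10% for escaping and SQL
 if($canUseDisk){
-$dir = self::getTempDir();
+$dir = self::getTempDir();
+$potentialDirs = self::getPotentialTempDirs();
 if($dir){
 $fh = false;
 $fullFile = $dir . $tempFilename;
@@ -456,7 +457,7 @@ class wfConfig {
 if($fh){
 wordfence::status(4, 'info', "Serialized data for $key is " . strlen($serialized) . " bytes and is greater than max_allowed packet so writing it to disk file: " . $fullFile);
 } else {
-wordfence::status(1, 'error', "Your database doesn't allow big packets so we have to use files to store temporary data and Wordfence can't find a place to write them. Either ask your admin to increase max_allowed_packet on your MySQL database, or make one of the following directories writable by your web server: " . implode(', ', $
+wordfence::status(1, 'error', "Your database doesn't allow big packets so we have to use files to store temporary data and Wordfence can't find a place to write them. Either ask your admin to increase max_allowed_packet on your MySQL database, or make one of the following directories writable by your web server: " . implode(', ', $potentialDirs));
 return false;
 }
 fwrite($fh, self::$tmpFileHeader);
@@ -464,7 +465,7 @@ class wfConfig {
 fclose($fh);
 return true;
 } else {
-wordfence::status(1, 'error', "
+wordfence::status(1, 'error', "Your database doesn't allow big packets so we have to use files to store temporary data and Wordfence can't find a place to write them. Either ask your admin to increase max_allowed_packet on your MySQL database, or make one of the following directories writable by your web server: " . implode(', ', $potentialDirs));
 return false;
 }
 
@@ -495,7 +496,7 @@ class wfConfig {
 }
 private static function getTempDir(){
 if(! self::$tmpDirCache){
-$dirs =
+$dirs = self::getPotentialTempDirs();
 $finalDir = 'notmp';
 wfUtils::errorsOff();
 foreach($dirs as $dir){
@@ -518,6 +519,9 @@ class wfConfig {
 return self::$tmpDirCache;
 }
 }
+private static function getPotentialTempDirs() {
+return array(wfUtils::getPluginBaseDir() . 'wordfence/tmp/', sys_get_temp_dir(), ABSPATH . 'wp-content/uploads/');
+}
 public static function f($key){
 echo esc_attr(self::get($key));
 }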
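Review bot: getPotentialTempDirs() lists the web-reachable `ABSPATH . 'wp-content/uploads/'` and the shared `sys_get_temp_dir()` as places to write a file with the predictable name `'wordfence_tmpfile_' . $key . '.php'` (line 447), so in a world-writable /tmp a local user can pre-create or symlink that name before the open at lines 455–456 (the fopen mode is outside the hunk), and in uploads/ the file is fetchable over HTTP, where its harmlessness rests entirely on `self::$tmpFileHeader`, whose contents are not visible here. I would open exclusively and treat an existing path as "no writable dir": `$fh = @fopen($fullFile, 'x');` instead of clobbering, and document the naming contract with `// $key becomes part of a filename -- must be a plain config key, never path-like` since whether $key is ever caller-controlled is not shown. The uploads path should also come from `wp_upload_dir()` rather than the hard-coded `wp-content/uploads/`, which is wrong when WP_CONTENT_DIR is relocated. The enclosing method starts and ends outside the hunk.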
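--- a/lib/wfLog.php
+++ b/lib/wfLog.php
@@ -662,8 +662,8 @@ class wfLog {
 $this->blockIP($IP, $reason);
 $secsToGo = wfConfig::get('blockedTime');
 } else if($action == 'throttle'){
-$IP = wfUtils::
-$this->getDB()->queryWrite("insert into " . $this->throttleTable . " (IP, startTime, endTime, timesThrottled, lastReason) values (%s, unix_timestamp(), unix_timestamp(), 1, '%s') ON DUPLICATE KEY UPDATE endTime=unix_timestamp(), timesThrottled = timesThrottled + 1, lastReason='%s'", $IP, $reason, $reason);
+$IP = wfUtils::getIP();
+$this->getDB()->queryWrite("insert into " . $this->throttleTable . " (IP, startTime, endTime, timesThrottled, lastReason) values (%s, unix_timestamp(), unix_timestamp(), 1, '%s') ON DUPLICATE KEY UPDATE endTime=unix_timestamp(), timesThrottled = timesThrottled + 1, lastReason='%s'", wfUtils::inet_aton($IP), $reason, $reason);
 wordfence::status(2, 'info', "Throttling IP $IP. $reason");
 $secsToGo = 60;
 }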
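Review bot: inet_aton() is applied to the throttle insert only, so every other reader or writer of `$this->throttleTable` (not visible here) must already expect an integer IP column, and an address inet_aton cannot parse (IPv6, or an empty getIP() result) presumably yields false/0 and is then spliced into the unquoted `%s` placeholder — either a SQL syntax error or a throttle row for 0.0.0.0. I would convert once and skip the write on failure: `$ipInt = wfUtils::inet_aton($IP); if(! $ipInt){ wordfence::status(2, 'info', "Not throttling unparseable IP $IP"); } else { ...queryWrite(..., $ipInt, $reason, $reason); }`, with a comment `// throttleTable.IP is stored as an unsigned integer (inet_aton)` so the next writer matches. Note also that getIP() is re-read at line 665 although `$IP` was already used by blockIP() on 662; if both branches are meant to act on the same address the re-read is redundant, and if not, the difference deserves a comment. The enclosing function starts and ends outside the hunk.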
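--- a/lib/wfUtils.php
+++ b/lib/wfUtils.php
@@ -392,7 +392,7 @@ class wfUtils {
 }
 return $IPLocs;
 }
-public function reverseLookup($IP){
+public static function reverseLookup($IP){
 $db = new wfDB();
 global $wpdb;
 $reverseTable = $wpdb->base_prefix . 'wfReverseCache';
</update>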
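Review bot: reverseLookup() becomes `static` (which is what the callers noted in the changelog already assumed) but gains no docblock, and its body runs past the hunk, so the contract callers now rely on is undocumented. A short PHPDoc above line 395 along the lines of `/** Look up the reverse-DNS name for $IP, using the wfReverseCache table as a cache. @param string $IP dotted-quad address @return string hostname, or '' when none -- confirm against the body below */` would help; the return description is hedged because the tail of the method is not visible here. Since `$IP` is queried against `$reverseTable`, it is also worth confirming in the unseen part of the body that wfDB escapes or parameterises it before use.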
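--- a/lib/whois/whois.gtld.php
+++ b/lib/whois/whois.gtld.php
@@ -78,4 +78,4 @@ class gtld_handler extends WhoisClient
 return $this->result;
 }
 }
-?>
+?>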
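--- a/lib/wordfenceClass.php
+++ b/lib/wordfenceClass.php
@@ -337,7 +337,7 @@ class wordfence {
 error_log("Function $func did not return an array and did not generate an error.");
 $returnArr = array();
 }
-if(isset($
+if(isset($returnArr['nonce'])){
 error_log("Wordfence ajax function return an array with 'nonce' already set. This could be a bug.");
 }
 $returnArr['nonce'] = wp_create_nonce('wp-ajax');
@@ -376,7 +376,7 @@ class wordfence {
 }
 function isStrongPasswd($passwd, $username ) {
 $strength = 0;
-if(strlen( $passwd ) < 5)
+if(strlen( trim( $passwd ) ) < 5)
 return false;
 if(strtolower( $passwd ) == strtolower( $username ) )
 return false;
@@ -1218,6 +1218,7 @@ class wordfence {
 public static function ajax_whois_callback(){
 require_once('whois/whois.main.php');
 $val = trim($_POST['val']);
+$val = preg_replace('/[^a-zA-Z0-9\.\-]+/', '', $val);
 $whois = new Whois();
 $result = $whois->Lookup($val);
 return array('ok' => 1, 'result' => $result);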
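Review bot: the new filter on line 1221 silently rewrites the input instead of rejecting it — `preg_replace('/[^a-zA-Z0-9\.\-]+/', '', $val)` turns `1.2.3.4; id` into `1.2.3.4id` and strips every colon from an IPv6 address, so the WHOIS lookup runs against a value the user never typed, with `'ok' => 1` and no error. Validate and refuse instead: `if(filter_var($val, FILTER_VALIDATE_IP) === false && ! preg_match('/^[a-zA-Z0-9.\-]{1,253}$/', $val)){ return array('ok' => 0, 'errorMsg' => 'Not a valid IP address or domain name'); }` (using whichever error key the ajax wrapper at lines 337–343 expects, which is not visible here). Whether this handler verifies a nonce and capability before reading `$_POST['val']` is also outside the hunk and worth confirming, since the value drives an outbound network request. Separately, the isStrongPasswd change at 379 only adds trim(); the pre-existing `< 5` bound already rejected one-character passwords, so the changelog entry overstates what changed.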
readme.txt
CHANGED
@@ -1,32 +1,32 @@
|
|
1 |
=== Wordfence Security ===
|
2 |
Contributors: mmaunder
|
3 |
-
Tags: wordpress, security, wordpress security, security plugin, secure, anti-virus, malware, firewall, antivirus, virus, google safe browsing, phishing, scrapers, hacking, wordfence, securty, secrity, secure, two factor, cellphone sign-in, cellphone signin, cellphone, twofactor
|
4 |
Requires at least: 3.3.1
|
5 |
-
Tested up to: 3.
|
6 |
-
Stable tag: 3.8.
|
7 |
|
8 |
Wordfence Security is a free enterprise class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation and more.
|
9 |
|
10 |
== Description ==
|
11 |
|
12 |
-
|
13 |
|
14 |
-
Wordfence is
|
15 |
|
16 |
-
|
17 |
|
18 |
-
Wordfence is
|
19 |
|
20 |
-
Wordfence:
|
21 |
|
22 |
-
* Sign-in using your password and your cellphone. This is called Two Factor Authentication and is used by banks, government agencies and military world-wide.
|
23 |
-
* Enforce strong passwords among your administrators, publishers and users.
|
24 |
-
* Scans core files, themes and plugins against WordPress.org repository versions to check their integrity.
|
25 |
* Includes a firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets.
|
26 |
-
* Includes advanced IP and Domain WHOIS to report malicious IP's or networks and block entire networks using the firewall.
|
27 |
* See how files have changed. Optionally repair changed files that are security threats.
|
28 |
* Scans for signatures of over 44,000 known malware variants that are known security threats.
|
29 |
-
* Scans for many known backdoors including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many many more.
|
30 |
* Continuously scans for malware and phishing URL's including all URL's on the Google Safe Browsing List in all your comments, posts and files that are security threats.
|
31 |
* Scans for heuristics of backdoors, trojans, suspicious code and other security issues.
|
32 |
* Checks the strength of all user and admin passwords to enhance login security.
|
@@ -54,19 +54,19 @@ To install Wordfence Security and start protecting your WordPress website:
|
|
54 |
|
55 |
1. Install Wordfence Security automatically or by uploading the ZIP file.
|
56 |
1. Activate the security plugin through the 'Plugins' menu in WordPress.
|
57 |
-
1. Wordfence is now activated. Go to the scan menu and start your first security scan. Scheduled security scanning will also be enabled.
|
58 |
1. Once your first scan has completed a list of security threats will appear. Go through them one by one to secure your site.
|
59 |
-
1. Visit the Wordfence options page to enter your email address so that you can receive email security alerts.
|
60 |
1. Optionally change your security level or adjust the advanced options to set individual security scanning and protection options for your site.
|
61 |
1. Click the "Live Traffic" menu option to watch your site activity in real-time. Situational awareness is an important part of website security.
|
62 |
|
63 |
-
To install Wordfence on WordPress Multi-Site installations (support is currently in Beta):
|
64 |
|
65 |
1. Install Wordfence Security via the plugin directory or by uploading the ZIP file.
|
66 |
1. Network Activate Wordfence Security. This step is important because until you network activate it, your sites will see the plugin option on their plugins menu. Once activated that option dissapears.
|
67 |
-
1. Now that Wordfence is network activated it will appear on your Network Admin menu. Wordfence will not appear on any individual site's menu.
|
68 |
1. Go to the "Scan" menu and start your first security scan.
|
69 |
-
1. Wordfence will do a security scan all files in your WordPress installation including those in the blogs.dir directory of your individual sites.
|
70 |
1. Live Traffic will appear for ALL sites in your network. If you have a heavily trafficked system you may want to disable live traffic which will stop logging to the DB.
|
71 |
1. Firewall rules and login rules apply to the WHOLE system. So if you fail a login on site1.example.com and site2.example.com it counts as 2 failures. Crawler traffic is counted between blogs, so if you hit three sites in the network, all the hits are totalled and that counts as the rate you're accessing the system.
|
72 |
|
@@ -76,48 +76,48 @@ To install Wordfence on WordPress Multi-Site installations (support is currently
|
|
76 |
|
77 |
= What does Wordfence Security do that other WordPress security plugins don't do? =
|
78 |
|
79 |
-
* Wordfence
|
80 |
-
*
|
81 |
-
* Wordfence scans
|
82 |
-
* Wordfence
|
83 |
-
* Wordfence
|
84 |
|
85 |
-
= Does Wordfence support Multi-Site installations? =
|
86 |
|
87 |
-
Yes. WordPress MU or Multi-Site as it's called now is fully supported. Using Wordfence you can security scan every blog in your network with one click. If one of your customers posts a page or post with a known malware URL that threatens your whole domain with being blacklisted by Google, we will tell you within a maximum of one hour which is how often scans occur.
|
88 |
|
89 |
-
= Will Wordfence slow my site down? =
|
90 |
|
91 |
-
We have spent a lot of time making sure Wordfence runs very quickly and securely. Wordfence uses its own database
|
92 |
-
tables and advanced mysql features to ensure it runs as fast as possible. The creators of Wordfence
|
93 |
also run Feedjit, a large scale real-time analytics product and ad network and much of the technology and knowledge from
|
94 |
-
our real-time analytics products is built into Wordfence.
|
95 |
|
96 |
-
= How often is Wordfence updated? =
|
97 |
|
98 |
-
The Wordfence
|
99 |
more frequently. Our cloud servers are continually updated with the latest known security threats and vulnerabilities so
|
100 |
that we can blog any security threat as soon as it emerges in the wild.
|
101 |
|
102 |
= What if I need support? =
|
103 |
|
104 |
All our paid customers receive priority support. Excellent customer service is a key part
|
105 |
-
of being a Wordfence member. You can also [visit our support forums where we provide free support for all Wordfence users](http://wordfence.com/forums/) and answer any security releated questions you may have.
|
106 |
|
107 |
-
= Can I disable certain security features of Wordfence? =
|
108 |
|
109 |
Yes! Simply visit the Options page, click on advanced options and enable or disable the security features you want.
|
110 |
|
111 |
= What if my site security has already been compromised by a hacker? =
|
112 |
|
113 |
-
Wordfence is the only security plugin that is able to repair core files, themes and plugins on sites where security is already compromised.
|
114 |
However, please note that site security can not be assured unless you do a full reinstall if your site has been hacked. We recommend you only
|
115 |
-
use Wordfence to get your site into a running state in order to recover the data you need to do a full reinstall. A full reinstall is the only
|
116 |
way to ensure site security once you have been hacked.
|
117 |
|
118 |
= How will I be alerted that my site has a security problem? =
|
119 |
|
120 |
-
Wordfence sends security alerts via email. Once you install Wordfence, you will configure a list of email addresses where security alerts will be sent.
|
121 |
When you receive a security alert, make sure you deal with it promptly to ensure your site stays secure.
|
122 |
|
123 |
= My WordPress site is behind a firewall. Doesn't that make it secure? =
|
@@ -132,71 +132,81 @@ a way of fooling your site into allowing an upload. That is usually when securit
|
|
132 |
though your site is behind a commercial firewall, it still accepts web requests that include uploads and executes PHP code
|
133 |
and as long as it does that, it may become face a security vulnerability at some point.
|
134 |
|
135 |
-
= Will Wordfence protect me against the Timthumb security problem? =
|
136 |
|
137 |
The timthumb security exploit occurred in 2011 and all good plugins and themes now use an updated
|
138 |
-
version of timthumb (which the creator of Wordfence wrote and donated to the timthumb author) which closes the security hole that
|
139 |
caused the problem. However we do scan for old version of timthumb for good measure to make sure they don't
|
140 |
cause a security hole on your site.
|
141 |
|
142 |
|
143 |
== Screenshots ==
|
144 |
|
145 |
-
1. The home screen of Wordfence where you can see a summary, manage security issues and do a manual security scan.
|
146 |
-
2. The Live Traffic view of Wordfence where you can see real-time activity on your site.
|
147 |
3. The "Blocked IPs" page where you can manage blocked IP's, locked out IP's and see recently throttled IPs that violated security rules.
|
148 |
-
4. The basic view of Wordfence options. There is very little to configure other than your alert email address and security level.
|
149 |
-
5. If you're technically minded, this is the under-the-hood view of Wordfence options where you can fine-tune your security settings.
|
150 |
|
151 |
== Changelog ==
|
152 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
153 |
= 3.8.1 =
|
154 |
-
* Added Cellphone Sign-in (Two Factor Authentication) for paid members. Stop brute-force attacks permanently! See new "Cellphone Sign-in" menu option.
|
155 |
-
* Added ability to enforce strong passwords when accounts are created or users change their password. See Wordfence 'options' page under 'Login Security Options'.
|
156 |
-
* Added new backdoor/malware signatures including detection for spamming scripts, youtube spam scripts and a new attack shell.
|
157 |
-
* Fixed issue: Under some conditions, files not part of core or a known theme or plugin would be excluded from a scan.
|
158 |
-
* Fixes from Juliette R. F. Remove warnings for unset variables. Fix options 'save' spinner spinning infinitely on some platforms. Removed redundant error handling code.
|
159 |
-
* Added ability to downgrade a paid license to free.
|
160 |
|
161 |
= 3.7.2 =
|
162 |
* Fixed issue that caused locked out IP's to not appear, or to appear with incorrect "locked out until" time.
|
163 |
|
164 |
= 3.7.1 =
|
165 |
* Moved global firewall, login security and live traffic options to top of options page.
|
166 |
-
* Made it clear that if you have firewall disabled, IP's won't be blocked, country blocking won't work and advanced blocking won't work with warnings on each page.
|
167 |
|
168 |
= 3.6.9 =
|
169 |
-
* Fixed JS error that occurs occasionally when users are viewing activity log in real-time.
|
170 |
-
* New Feature: Prevent users registering 'admin' username if it doesn't exist. Recommended if you've deleted 'admin'. Enable on 'options' page.
|
171 |
-
* Check if GeoIP library is already declared for all functions. Fixes Fatal error: Cannot redeclare geoip_country_code_by_name.
|
172 |
-
* Fixed a compatibility issue with sites and hosts using Varnish front-end cache to ensure legit users don't get blocked. Added two HTTP no-cache and Expires headers.
|
173 |
-
* Fixed bug when using Advanced User-Agent blocking with certain patterns this would appear: Warning: preg_match() [function.preg-match]: Unknown modifier
|
174 |
-
* Vastly improved speed of Advanced User-Agent blocking. No longer using regex but still support wildcards using fnmatch()
|
175 |
* We now support usernames with spaces in the list of users to ignore in the live traffic config on 'options' page.
|
176 |
* Improved language in status messages to avoid confusion. Changed "unrecognized files" to "additional files" to describe non-core/theme/plugin files.
|
177 |
|
178 |
= 3.6.8 =
|
179 |
-
* Fixed bug that caused IP range blocking to not block.
|
180 |
* Fixed bug that caused unblocking a permanently blocked IP to work, but not refresh the list.
|
181 |
* Added usernames to the email you receive when a user is locked out.
|
182 |
-
* Added a few more status messages for URL malware scanning.
|
183 |
* Removed the sockets function call from connection testing because some hosts don't allow calls to socket_create()
|
184 |
-
* Added detection in the Whois page to check if the server has the fsockopen() function available with helpful message if it's disabled.
|
185 |
-
* Whitelisted IP's now override country blocking and range blocking.
|
186 |
* Removed Bluehost affiliate links for free customers
|
187 |
* Fixed issue that caused scans to crash when checking URLs for malware.
|
188 |
* Fixed issue that caused scans with large numbers of posts that contain the same URL to crash.
|
189 |
-
* Updated the GeoIP database for country blocking to newest version.
|
190 |
|
191 |
= 3.6.7 =
|
192 |
* Improved security for Cloudflare customers to prevent spoofing attacks and protect when a hacker bypasses Cloudflare proxies.
|
193 |
* Added clear explanation of what increasing AJAX polling time does on options page.
|
194 |
-
* Fixed issue with Wordfence detecting itself as malware. We messed up the version number in previous release.
|
195 |
|
196 |
= 3.6.6 =
|
197 |
* Added option to change AJAX polling frequency
|
198 |
* Fixed issue that caused whitelisted IP's to not be whitelisted.
|
199 |
-
* Added code that prevents blocking of Wordfence's API server (or Wordfence will cease to function)
|
200 |
* Added link at bottom of 'options' page to test connectivity to our API servers.
|
201 |
* Include any CURL error numbers in error reporting.
|
202 |
* Fixed issue that caused IP range blocking to not block access to login page.
|
@@ -212,36 +222,36 @@ cause a security hole on your site.
|
|
212 |
|
213 |
= 3.6.3 =
|
214 |
* Fixed 'max_user_connections' issue.
|
215 |
-
* Wordfence now uses WordPress's WPDB and this halves the number of DB connections Wordfence establishes to your DB.
|
216 |
-
* Wordfence is now HyperDB compatible.
|
217 |
* Advanced blocking i.e. Browser and IP Range blocking is now a free feature.
|
218 |
* We no longer disable Live Traffic if we detect a caching plugin. Based on user feedback, apparently live traffic actually works with those plugins.
|
219 |
* Fixed issue that causes site to crash if a conflicting GeoIP library is installed.
|
220 |
* Changed logHuman routine to do a LOW_PRIORITY MySQL update to speed things up.
|
221 |
* Login failure counter is now reset if you send yourself an unlock email so you're not locked out again after 1 failure.
|
222 |
-
* The free version of Wordfence is now supported with ads at the top of the admin pages. Please visit our sponsors and help keep Wordfence free!
|
223 |
* Fixed issue that may cause scans to not be scheduled using the default schedule for new users.
|
224 |
* There was no 3.6.2 release, in case you're wondering about the version skip.
|
225 |
|
226 |
= 3.6.1 =
|
227 |
* Major new release that includes the much asked for IP Range blocking with ISP blocking ability and browser blocking.
|
228 |
-
* Added feature: WHOIS for IP's and Domains. Supports all registries and local rWhois
|
229 |
-
* Added feature: Advanced Blocking to block IP ranges and browser patterns.
|
230 |
-
* Added feature: WHOIS on live traffic pages.
|
231 |
-
* Added feature: network blocking links on live traffic pages.
|
232 |
-
* Fixed bug where W3 Total Cache and WP Super Cache cache blocked pages.
|
233 |
* Added explanation of how caching affects live traffic logging if we detect a caching plugin.
|
234 |
* Fixed AJAX loading to deal with multiple parallel ajax requests.
|
235 |
* Updated tour to include info on new WHOIS and Advanced Blocking features.
|
236 |
* Changed manual IP blocks to be permanent by default.
|
237 |
-
* Fixed issue that caused live traffic page not to reload when IP is unblocked.
|
238 |
* Modified "How does your site get IP's" config to avoid confusing new users.
|
239 |
* Changed 503 block message to be more helpful with link to FAQ on how to unblock.
|
240 |
* Removed redundant code in wfAPI.php
|
241 |
* Optimized code by moving firewall specific code to execute only if firewall is enabled.
|
242 |
* Fixed issue that caused "last attempted access" to show over 500 months ago.
|
243 |
* Fixed issue that was causing warning in getIP() code.
|
244 |
-
* Upgraded to Wordfence API version 2.6.
|
245 |
|
246 |
= 3.5.3 =
|
247 |
* This is the dev version. Stable is 3.5.2.
|
@@ -260,7 +270,7 @@ cause a security hole on your site.
|
|
260 |
* Fixed issue of files containing "silence is golden" showing up as being changed with no executable content.
|
261 |
|
262 |
= 3.4.5 =
|
263 |
-
* Fixed security issue of being able to list wordfence's own virtual dir on some server configurations.
|
264 |
* Fixed issue of WF using deprecated function which caused warnings or errors on install.
|
265 |
* Added link to security alert mailing list on "Scan" page next to manual start scan button and in tour.
|
266 |
|
@@ -268,7 +278,7 @@ cause a security hole on your site.
|
|
268 |
* Fixed issue that caused scans to not complete.
|
269 |
* Fixed issue that caused scans to launch a large number of child processes due to very short scan timeout.
|
270 |
* Fixed issue that caused websites that don't know their own hostname to not be able to scan.
|
271 |
-
* Added workaround for a bug in Better WP Security breaking Wordfence due to their code overwriting the WP version.
|
272 |
* Optimized the way we calculate max execution time for each process while scanning.
|
273 |
|
274 |
= 3.4.1 =
|
@@ -278,12 +288,12 @@ cause a security hole on your site.
|
|
278 |
* Fixed issue that caused API calls to fail on MultiSite installs.
|
279 |
* Fixed issue that caused comments to break on MultiSite installs under certain conditions.
|
280 |
* Fixed issue that caused incorrect domain to be shown in live traffic view on multi-site installs.
|
281 |
-
* Fixed issue where some proxies/firewalls send space delimited IP addresses in HTTP headers and Wordfence now handles that.
|
282 |
-
* Fixed issue that caused Wordfence to capture activation errors of other plugins.
|
283 |
* Geo IP database update to November 7th edition.
|
284 |
|
285 |
= 3.3.7 =
|
286 |
-
* Upgrade immediately. Fixes possible XSS vulnerability in Wordfence "firewall unlock" form.
|
287 |
* Also added rate limiting to max of 10 requests per second to the unlock form.
|
288 |
|
289 |
= 3.3.5 =
|
@@ -298,16 +308,16 @@ cause a security hole on your site.
|
|
298 |
* Fixed errors caused by ini_set being disabled on certain servers.
|
299 |
* Removed error logging messages in certain cases because some badly configured hosts write these errors to the web browser.
|
300 |
* Fixed getIP code that was evaluating arrays as strings in some cases.
|
301 |
-
* Added error logging so that if there is an activation error, the Wordfence will display the actual error to you.
|
302 |
* Fixed issue that caused scan to output "Could not get the administrator's user ID." when a user has changed their table prefixes under certain conditions.
|
303 |
|
304 |
= 3.3.2 =
|
305 |
-
* A complete rearchitecture of Wordfence scanning to massively improve performance.
|
306 |
* Our free customers are now 100% back in business. Apologies for the delay, but this was worth the wait.
|
307 |
-
* Wordfence is now 4X faster for both free and paid customers.
|
308 |
* Significantly reduced CPU and memory overhead.
|
309 |
-
* Significantly reduced network througput when communicating with Wordfence scanning servers.
|
310 |
-
* Big performance improvement on our own scanning servers which allows us to continue to provide Wordfence free for the forseeable future.
|
311 |
* Upgraded scanning API to version 2.4
|
312 |
* Upgraded Geo IP database to October version.
|
313 |
* Moved core, theme, plugin and malware scanning into hashing recursive routine for big performance gain.
|
@@ -328,7 +338,7 @@ cause a security hole on your site.
|
|
328 |
* Paid feature: Remote site vulnerability and infection scanning.
|
329 |
|
330 |
= 3.2.5 =
|
331 |
-
* Moved all attack signatures out of the plugin to prevent Wordfence being detected as malicious in a false positive.
|
332 |
|
333 |
= 3.2.4 =
|
334 |
* Improved country blocking to make bulk adding/deleting of countries much easier.
|
@@ -341,15 +351,15 @@ cause a security hole on your site.
|
|
341 |
|
342 |
= 3.2.1 =
|
343 |
* Theme and plugin scanning is now free. Woohoo!
|
344 |
-
* Added introductory tour for Wordfence.
|
345 |
-
* Upgraded to Wordfence scanning API version 2.0 to allow free theme and plugin scanning.
|
346 |
* Fixed two issue with scheduled scanning for premium users that would cause scans to not run or run at wrong times under certain conditions.
|
347 |
* Added feature to view unknown files on system to help clean badly infected systems. See on scanning page in "Tools" under yellow box.
|
348 |
* Fixed blocked countries overflowing their container in the user interface.
|
349 |
* Fixed case where if user is using MySQL >= 5.1.16 and doesn't have the "drop" privilege, they can't truncate the wfFileQueue table and it could grow uncontrollably.
|
350 |
* Updated to the new Libyan flag.
|
351 |
* Fixed mysql_ping() reconnection to DB generating warnings.
|
352 |
-
* Fixed issue that caused scans to hang. Wordfence now processes smaller batches of files before checking if it needs to fork.
|
353 |
* Security scan for backdoors: "s72 Shell", "r57 kartal", "r57shell", "rootshell", "r57", "r57 Mohajer22", "r57 iFX", "php backdoor", "phpRemoteView"
|
354 |
* Security scan for backdoors: "nstview", "nshell", "mysql tool", "nsTView", "matamu", "mysql shell", "load shell", "ironshell", "lamashell", "hiddens shell"
|
355 |
* Security scan for backdoors: "h4ntu shell", "go shell", "dC3 Shell", "gfs sh", "cybershell", "c99 w4cking", "ctt sh"
|
@@ -377,30 +387,30 @@ cause a security hole on your site.
|
|
377 |
* Fixed permanent IP blocking bug which caused permanently blocked IP's to no longer display in the list after some time, even though there were still blocked. (Incorrect SQL query)
|
378 |
* Fixed "Can't get admin ID" on scan starts for both MU and single site installs.
|
379 |
* Improved status messages for sites with very large numbers of comments.
|
380 |
-
* Fixed bug that caused sites in subdirectories to not be able to view site config or run the memory test on the Wordfence "options" page.
|
381 |
* Fixed database disconnect bug (mysql server has gone away). An additional fix was required to finally squash this bug.
|
382 |
-
* Removed the code that prevented you from installing Wordfence on Windows. Sorry Windows customers!
|
383 |
* Improved scheduling so that it is now more reliable.
|
384 |
-
* Fixed bug that caused a loop for customers who could not contact the Wordfence servers on install.
|
385 |
* Added helpful message if you get the "can't connect to itself" error message with some additional documentation to help solve this issue.
|
386 |
-
* Improved error reporting when Wordfence can't connect to the scanning servers. Now features a helpful explanation rather than a generic message.
|
387 |
* Added Country Geo-Blocking feature for paid customers.
|
388 |
* Added Scan Scheduling feature for paid customers.
|
389 |
|
390 |
= 3.1.1 =
|
391 |
-
* Added another fix for "mysql server has gone away" error. Wordfence now makes sure the DB is still connected and reconnects if not.
|
392 |
* Added new detection for encoded malicious code in files.
|
393 |
* Fixed bug introduced yesterday that prevented permanent blocking of IP's.
|
394 |
* Improved ability to detect if we're running on Windows (but we don't support Windows yet).
|
395 |
-
* Issue intelligent warning if Wordfence can't read base WordPress directory.
|
396 |
-
* Don't activate Wordfence if user is running Windows.
|
397 |
* Cleaned up errors if a file can't be scanned due to permission restrictions.
|
398 |
* Improved reporting of which user scan is running as and how we determined who the admin user is.
|
399 |
|
400 |
= 3.1.0 =
|
401 |
* Changed the way we monitor disk space from % to warning on 20 megs and critical on 5 megs remaining. This deals with very large disks in a more rational way. (Thanks Yael M. and Ola A.)
|
402 |
* We now deal with cases where the $_SERVER variable contains an array instead of string for IP address. It seems that some installations modify the value into an array. (Thanks S.S.)
|
403 |
-
* The Wordfence DB connection now more reliably changes the mysql timeout for the session to prevent "mysql server has gone away" errors. (Thanks Peter A.)
|
404 |
|
405 |
= 3.0.9 =
|
406 |
* Fixed problem where scan process can't get admin ID.
|
@@ -422,12 +432,12 @@ cause a security hole on your site.
|
|
422 |
* Fix bug that caused scan to not start on sites with thousands (over 20,000 in one case) users.
|
423 |
* Scan start is now faster for sites with large numbers of users.
|
424 |
* Fix bug that caused scan to get killed when checking passwords on sites with thousands of users.
|
425 |
-
* Wordfence now intelligently determines how to do a loopback request to kick off a scan.
|
426 |
* Scan is no longer called with a cron key in HTTP header but uses a query string value to authenticate itself which is more reliable.
|
427 |
|
428 |
= 3.0.6 =
|
429 |
* Improved malware and phishing URL detection.
|
430 |
-
* Upgraded to Wordfence API version 1.9
|
431 |
* Fixed issue that caused large files to slow or crash a scan.
|
432 |
* Added workaround for PHP's broken filesize() function on 32 bit systems.
|
433 |
* Added an improved test mode for URL scanner for better unit testing on our end.
|
@@ -444,7 +454,7 @@ cause a security hole on your site.
|
|
444 |
* Changed wfscan.php message when accessed directly to be more helpful.
|
445 |
|
446 |
= 3.0.4 =
|
447 |
-
* Detects if the Wordfence app (not scanner) is short on memory and requests more
|
448 |
* Fixes an issue where scan breaks if all scanning options are disabled
|
449 |
|
450 |
= 3.0.3 =
|
@@ -464,21 +474,21 @@ cause a security hole on your site.
|
|
464 |
* Made scan locking much more reliable to avoid multiple concurrent scans hogging resources.
|
465 |
* Debug status messages are no longer written to the DB in non-debug mode.
|
466 |
* Modified the list of unknown files we receive back from the WF scanning servers to be a packed string rather than an array which is more memory efficient.
|
467 |
-
* Added summary at the end of scans to show the peak memory that Wordfence used along with server peak memory.
|
468 |
-
* Hashes are now progressively sent to Wordfence servers during scan to drastically reduce memory usage.
|
469 |
-
* Upgraded to Wordfence server API version 1.8
|
470 |
-
* List of hosts that Wordfence URL scanner compiles now uses wfArray which is a very memory efficient packed binary structure.
|
471 |
* Writes that WF URL scanner makes to the DB are now batched into bulk inserts to reduce load on DB.
|
472 |
* Fixed bug in wfscan.php (scanning script) that could have caused scans to loop or pick up old data.
|
473 |
* Massively reduced the number of status messages we log, but kept very verbose logging for debug mode with a warning about DB load.
|
474 |
* Added summary messages instead of individual file scanning status messages which show files scanned and scan rate.
|
475 |
* Removed bin2hex and hex2bin conversions for scanning data which were slow, memory heavy and unneeded.
|
476 |
-
* Wordfence database class will now reuse the WordPress database handle from $wpdb if it can to reduce DB connections.
|
477 |
|
478 |
= 2.1.5 =
|
479 |
* Fixed bug that caused WF to not work when certain DB caching plugins are used and override wpdb object.
|
480 |
-
* Fixed Wordfence so activity log only shows our own errors unless in debug mode.
|
481 |
-
* Wordfence now deletes all it's tables and deletes all saved options when you deactivate the plugin.
|
482 |
* Removed all exit() on error statements. Critical errors are handled more gracefully by writing to the log instead.
|
483 |
* Fixed a bug that would cause a database loop until running out of memory under certain error conditions.
|
484 |
* Suppressed useless warnings that occur in environments with basedir set or where functions are disabled for security reasons.
|
@@ -498,7 +508,7 @@ cause a security hole on your site.
|
|
498 |
* Fixed registered users not appearing in live traffic.
|
499 |
* Fixed temp file deletion bug that caused warnings and loops.
|
500 |
* Fixed issue that caused warning about WORDFENCE_VERSION
|
501 |
-
* Fixed Wordfence admin area not working under SSL
|
502 |
* Fixed bug that caused IP addresses of clients to be misinterpreted if there are multiple addresses from chained proxies.
|
503 |
* Now stripping port numbers from IP's which we weren't doing before.
|
504 |
* Added check for validity of IP's and report fatal error if it fails because this could lock users out.
|
@@ -517,35 +527,35 @@ cause a security hole on your site.
|
|
517 |
= 2.1.1 =
|
518 |
* Added ability to permanently block IP's
|
519 |
* Added ability to manually block IP's
|
520 |
-
* Made Wordfence more memory efficient, particularly the forking process.
|
521 |
* Fixed issue that caused WF to not work on databases with blank passwords.
|
522 |
-
* Wordfence now stops execution of a DB connection error is encountered.
|
523 |
-
* Clear cron jobs if Wordfence is uninstalled.
|
524 |
* Enabled hourly cron for Wordfence security network.
|
525 |
-
* Wordfence now works if your server doesn't have openssl installed
|
526 |
-
* Wordfence now works even if you don't have CURL
|
527 |
* Fixed visitor logging so it works with HTTPS websites.
|
528 |
* Alert emails now contain filenames in each alert description.
|
529 |
* Users with weak passwords alerts now contain the username in the email.
|
530 |
* Upgraded API to 1.7.
|
531 |
* Fixed issue that caused DISALLOW_FILE_MODS to make WF menu disappear.
|
532 |
* Modified wfDB to deal with very large queries without exceeding max_allowed_packet
|
533 |
-
* Fixed issue that broke ability to see file changes and repair files.
|
534 |
|
535 |
= 2.1.0 =
|
536 |
* Fixed scans hanging on Dreamhost and other hosts.
|
537 |
-
* Made Wordfence more memory efficient.
|
538 |
-
* Wordfence scans are now broken into steps so we can scan a huge number of files, posts and comments.
|
539 |
* Alert emails now include IP address, hostname lookup and geographic location (city if available).
|
540 |
-
* Improved scan locking. No longer time based but uses flock() if on unix or time on Windows.
|
541 |
* Suppressed warnings that WF was generating.
|
542 |
* Improve handling of non-standard wp-content directories.
|
543 |
* Fix restored files were still showing as changed if they contained international characters.
|
544 |
* Improve permission denied message if attempting to repair a file.
|
545 |
* Fixed problem that caused scans to not start because some hosts take too long to look up their own name.
|
546 |
-
* Fixed issue with Wordfence menu that caused it to not appear or conflict with other menus under certain conditions.
|
547 |
-
* Upgraded to API version 1.6
|
548 |
-
* Improved geo lookup code for IP's.
|
549 |
* Fixed debug mode output in live status box - coloring was wrong.
|
550 |
* Added ajax status message to WF admin pages.
|
551 |
* Fixed colorbox popup so that it doesn't jump around on refresh.
|
@@ -554,19 +564,19 @@ cause a security hole on your site.
|
|
554 |
* Fixed CSS bug that changed plugins page layout in admin area
|
555 |
* Added memory benchmark utility.
|
556 |
* Added process runtime benchmark utility.
|
557 |
-
* Added ability to scan in debug mode which accesses the scan app directly.
|
558 |
|
559 |
= 2.0.6 =
|
560 |
* Added IP whitelisting including ability to whitelist ranges that are excluded from firewall and login security measures.
|
561 |
* RFC1918 private networks and loopback address is automatically whitelisted to prevent firewall or login security blocking internal routers and proxy servers, internal firewalls and internal users.
|
562 |
* Added WORDFENCE_VERSION constant to improve version lookup performance.
|
563 |
-
* Fixed issue that caused security scans to not start and humans to not be logged in live traffic. Wordfence makes security scan script and visitors script executable on install or upgrade now.
|
564 |
* Fixed bug that caused disk space scanning to still show an issue found in security scan summary even when user chooses to ignore the security issue.
|
565 |
* Made disk space thresholds 1 and 1.5% space remaining because many hosts have very large disks where 1% is gigabytes.
|
566 |
-
* Made wordfence database handle cache deal with concurrent connections to different databases.
|
567 |
-
* Improved Wordfence database library's error reporting.
|
568 |
-
* Improved performance when Wordfence looks up it's own version during security scans and other operations.
|
569 |
-
* Removed three rules in base wordfence htaccess that could cause 500 errors on servers that don't allow these options to be overridden. Does not affect htaccess security because we inherit the base htaccess and still protect our lib/ directory with our own htaccess.
|
570 |
|
571 |
= 2.0.5 =
|
572 |
* If your plugin PHP files are viewable by the world, we now give you a detailed warning on the seriousness of this security threat with ability to view the offending .htaccess files.
|
@@ -578,18 +588,18 @@ cause a security hole on your site.
|
|
578 |
* Fixed bug that would cause security scanning of PHP files with base64 content to stop.
|
579 |
|
580 |
= 2.0.4 =
|
581 |
-
* Now security scanning all comments, posts and pages on multi-site installation for malware and phishing URL's.
|
582 |
* Improved messages on multisite when a bad comment or post is found.
|
583 |
* Fixed bug that caused paid users to not be able to activate their premium key.
|
584 |
* Made upgrade process much friendlier.
|
585 |
* Got rid of GeSHi syntax highlighting because it segfaults and is resource intensive. Using built in PHP highlighting instead.
|
586 |
* Message asking you to configure an alert email address only appears for 3 pageviews after plugin activation so it's less irritating.
|
587 |
* Fixed bug for MU users that caused WF to tell you that your WF schema is missing and you need to reactivate.
|
588 |
-
* Fixed bug that caused malware URL scanner to not work for MU users.
|
589 |
|
590 |
= 2.0.3 =
|
591 |
* Removed unbuffered queries and switched to conventional queries that are memory efficient for better stability.
|
592 |
-
* Made scanning large numbers of URL's contained in things like awstats log files extremely memory efficient and way faster.
|
593 |
* Removed alerts about unknown files in core directory if they belong to an older wordpress version and are unchanged.
|
594 |
* Other performance improvements like using strpos instead of strstr.
|
595 |
* Moved "scan files outside base dir" option to be in correct place on config page.
|
@@ -598,19 +608,19 @@ cause a security hole on your site.
|
|
598 |
* Fixed plugin upgrades so that css and scripts are not cached across versions.
|
599 |
|
600 |
= 2.0.1 =
|
601 |
-
* Improved scanning for specific attacks being used in the PHP-CGI vulnerability ( CVE-2012-1823)
|
602 |
* API keys no longer required. WF fetches a temporary anonymous API key for you on activation.
|
603 |
* Added real-time activity log on scan page.
|
604 |
* Added real-time summary updates on scan page.
|
605 |
* Fixed ability to view files that have symlinks in path.
|
606 |
* Added message to configure alert email address for multi-site and single site installs on activation.
|
607 |
-
* Disabled firewall rules by default because most sites don't need them.
|
608 |
* Disabled blocking of fake googlebots except for high security levels to prevent users who like to pretend they're googlebot from blocking themselves.
|
609 |
* Geshi the syntax highlighter now asks for more memory before running.
|
610 |
* Fixed bug that caused scan to hang on very large files.
|
611 |
* Added an index to wfStatus to make it faster for summary statuses
|
612 |
* Removed multisite pre-activation check to make activation more reliable on multisite installs.
|
613 |
-
* Better problem reporting if you trashed your Wordfence schema but the plugin is still installed.
|
614 |
|
615 |
= 1.5.6 =
|
616 |
* Removed use of nonces and purely using 30 minute key for unlocking emails.
|
@@ -620,16 +630,16 @@ cause a security hole on your site.
|
|
620 |
= 1.5.5 =
|
621 |
* Added ability for admin's to unlock login and unblock their IP addresses if they're accidentally locked out by the firewall or login security. Uses two security tokens to prevent abuse.
|
622 |
* Admins can now also disable firewall and login security from the unlock-me email, just in case of emergency.
|
623 |
-
* Made advanced options visible so you know they exist.
|
624 |
* Fixed dns_get_record() function not existing bug on Windows sytems pre PHP 5.3.0. Was causing scans to hang.
|
625 |
* Increased login lockout defaults to be much higher which still protects against brute force hacks.
|
626 |
* Removed CURLOPT_MAXREDIRS in curl to avoid safe mode warnings.
|
627 |
* Fixed ability to view and diff files on blogs installed in subdirectories.
|
628 |
* Fixed ability to see individual IP hits on subdir sites.
|
629 |
* Plugin and theme update messages now include links to the upgrade page.
|
630 |
-
* Removed the link on the login form that mentions the site is protected by Wordfence.
|
631 |
* Changed lockout defaults to be much higher.
|
632 |
-
* Added options for higher number of failures before lockout in options page.
|
633 |
* Now including plugin version in the activity log when the admin chooses to email it to us for debugging.
|
634 |
|
635 |
= 1.5.4 =
|
@@ -655,11 +665,11 @@ cause a security hole on your site.
|
|
655 |
* Syntax fixes (various)
|
656 |
|
657 |
= 1.4.6 =
|
658 |
-
* Increased memory available to Wordfence to 256M during security scans, configurable in wordfenceConstants.php
|
659 |
* Improved memory logging during security scans. Current memory usage is now shown on the far right of filenames while scans occur.
|
660 |
|
661 |
= 1.4.5 =
|
662 |
-
* Bugfix - fixed bug that caused Wordfence menu to dissapear.
|
663 |
|
664 |
= 1.4.4 =
|
665 |
* WordPress Multi-site support added. Currently in Beta. Tested with subdomains, not subdirectories, but it should work great on both.
|
@@ -679,13 +689,13 @@ cause a security hole on your site.
|
|
679 |
* Increased API curl timeout to 300 for slower hosts that seem affected during URL security scans.
|
680 |
|
681 |
= 1.4.1 =
|
682 |
-
* This is a major release, please upgrade immediately.
|
683 |
* Only scan files in the WordPress ABSPATH root directory and known WordPress subdirectories. Prevents potentially massive scans on hosts that have large dirs off their wordpress root.
|
684 |
* Don't generate plain SHA hashes anymore because we don't currently use them on the server side for scanning. (Still generates md5's and SHAC)
|
685 |
* No longer do change tracking on files before scans because the change tracking does almost the same amount of work when generating hashes as the actual scan. So just do the scan, which is now faster.
|
686 |
* Updated internal version to 1.2 to use new code on the server side which sends back a list of unknown files rather than known files, which is usually smaller and more network efficient.
|
687 |
* Improved logging in activity log.
|
688 |
-
* Removed SSL peer verification because some hosts have bad cert config. Connection to our servers is still via SSL.
|
689 |
* Fixed a few minor issues. Overall you should notice that scans are much faster now.
|
690 |
|
691 |
= 1.3.3 =
|
@@ -694,42 +704,42 @@ cause a security hole on your site.
|
|
694 |
* Link to forums added for free customer support.
|
695 |
|
696 |
= 1.3.2 =
|
697 |
-
* Reduced the number of database connections that Wordfence makes to one.
|
698 |
* Modified the memory efficient unbuffered queries we use to only use a single DB connection.
|
699 |
* Removed status updates during post and comment scans which prevents interference with unbuffered queries and makes the scans even faster.
|
700 |
|
701 |
= 1.3.1 =
|
702 |
-
* Fixed a bug where if you have the plugin "secure-wordpress" installed, you can't do a Wordfence scan because it says you have the wrong version. This is because secure-wordpress trashes the $wp_version global variable to hide your version rather than using the filters provided by WordPress. So coded a workaround so that your Wordfence scans will work with that plugin installed.
|
703 |
|
704 |
= 1.3 =
|
705 |
-
* Minor fix to point to the correct binary API URL on the Wordfence cloud servers.
|
706 |
|
707 |
= 1.2 =
|
708 |
-
* It is now free to get a Wordfence API key.
|
709 |
-
* Premium keys include theme and plugin file verification which consumes resources on the Wordfence servers.
|
710 |
* Various bugfixes and performance enhancements.
|
711 |
|
712 |
= 1.1 =
|
713 |
-
* Initial public release of Wordfence.
|
714 |
|
715 |
== Upgrade Notice ==
|
716 |
= 3.1.1 =
|
717 |
Upgrade immediately. Fixes bug introduced in last release that broke permenent IP blocking.
|
718 |
|
719 |
= 3.0.9 =
|
720 |
-
Upgrade immediately. Fixes two critical bugs: Could not get admin ID bug and permanent IP blocks not staying permanent.
|
721 |
|
722 |
= 3.0.6 =
|
723 |
-
Upgrade immediately. Improves malware URL detection by 20% or more.
|
724 |
|
725 |
= 3.0.3 =
|
726 |
-
Upgrade immediately. This release fixes an issue that caused Wordfence to show all your core files
|
727 |
missing under certain conditions. It was usually caused by high load on our scanning server and the
|
728 |
plugin not handling an error condition halfway through the scan correctly.
|
729 |
|
730 |
= 3.0.2 =
|
731 |
Upgrade immediately. This release drastically reduces memory, reduces new DB connections created by
|
732 |
-
Wordfence to zero (we simply reuse the WordPress DB handle), reduces the number of DB queries to
|
733 |
about 1% of the previous version by removing unneeded status messages and fixes a bug that
|
734 |
-
could cause Wordfence to launch multiple concurrent scans that can put high load on your system.
|
735 |
This is a critical release. Upgrade immediately.
|
1 |
=== Wordfence Security ===
|
2 |
Contributors: mmaunder
|
3 |
+
Tags: wordpress, security, wordpress security, security plugin, secure, anti-virus, malware, firewall, antivirus, virus, google safe browsing, phishing, scrapers, hacking, wordfence, securty, secrity, secure, two factor, cellphone sign-in, cellphone signin, cellphone, twofactor, security, secure, htaccess, login, log, users, login alerts, lock, chmod, maintenance, plugin, private, privacy, protection, permissions, 503, base64, injection, code, encode, script, attack, hack, hackers, block, blocked, prevent, prevention, RFI, XSS, CRLF, CSRF, SQL Injection, vulnerability, website security, WordPress security, security log, logging, HTTP log, error log, login security, personal security, infrastructure security, firewall security, front-end security, web server security, proxy security, reverse proxy security, secure website, secure login, two factor security, maximum login security
|
4 |
Requires at least: 3.3.1
|
5 |
+
Tested up to: 3.6
|
6 |
+
Stable tag: 3.8.2
|
7 |
|
8 |
Wordfence Security is a free enterprise class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation and more.
|
9 |
|
10 |
== Description ==
|
11 |
|
12 |
+
[For a Video Introduction to Wordfence Security, Click Here to visit www.wordfence.com now](http://www.wordfence.com/)
|
13 |
|
14 |
+
Wordfence Security is a free enterprise class security plugin that includes a firewall, anti-virus scanning, cellphone sign-in (two factor authentication), malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don't have backups.
|
15 |
|
16 |
+
Wordfence Security is 100% free. We also offer a Premium API key that gives you Cellphone Sign-in via SMS, lets you block countries and schedule scans for specific times.
|
17 |
|
18 |
+
Wordfence Security is now Multi-Site compatible and includes Cellphone Sign-in which permanently secures your website from brute force hacks.
|
19 |
|
20 |
+
Wordfence Security:
|
21 |
|
22 |
+
* Sign-in using your password and your cellphone to vastly improve login security. This is called Two Factor Authentication and is used by banks, government agencies and military world-wide for highest security authentication.
|
23 |
+
* Enforce strong passwords among your administrators, publishers and users. Improve login security.
|
24 |
+
* Scans core files, themes and plugins against WordPress.org repository versions to check their integrity. Verify security of your source.
|
25 |
* Includes a firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets.
|
26 |
+
* Block entire malicious networks. Includes advanced IP and Domain WHOIS to report malicious IP's or networks and block entire networks using the firewall. Report security threats to network owner.
|
27 |
* See how files have changed. Optionally repair changed files that are security threats.
|
28 |
* Scans for signatures of over 44,000 known malware variants that are known security threats.
|
29 |
+
* Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many many more.
|
30 |
* Continuously scans for malware and phishing URL's including all URL's on the Google Safe Browsing List in all your comments, posts and files that are security threats.
|
31 |
* Scans for heuristics of backdoors, trojans, suspicious code and other security issues.
|
32 |
* Checks the strength of all user and admin passwords to enhance login security.
|
54 |
|
55 |
1. Install Wordfence Security automatically or by uploading the ZIP file.
|
56 |
1. Activate the security plugin through the 'Plugins' menu in WordPress.
|
57 |
+
1. Wordfence Security is now activated. Go to the scan menu and start your first security scan. Scheduled security scanning will also be enabled.
|
58 |
1. Once your first scan has completed a list of security threats will appear. Go through them one by one to secure your site.
|
59 |
+
1. Visit the Wordfence Security options page to enter your email address so that you can receive email security alerts.
|
60 |
1. Optionally change your security level or adjust the advanced options to set individual security scanning and protection options for your site.
|
61 |
1. Click the "Live Traffic" menu option to watch your site activity in real-time. Situational awareness is an important part of website security.
|
62 |
|
63 |
+
To install Wordfence Security on WordPress Multi-Site installations (support is currently in Beta):
|
64 |
|
65 |
1. Install Wordfence Security via the plugin directory or by uploading the ZIP file.
|
66 |
1. Network Activate Wordfence Security. This step is important because until you network activate it, your sites will see the plugin option on their plugins menu. Once activated that option dissapears.
|
67 |
+
1. Now that Wordfence is network activated it will appear on your Network Admin menu. Wordfence Security will not appear on any individual site's menu.
|
68 |
1. Go to the "Scan" menu and start your first security scan.
|
69 |
+
1. Wordfence Security will do a security scan all files in your WordPress installation including those in the blogs.dir directory of your individual sites.
|
70 |
1. Live Traffic will appear for ALL sites in your network. If you have a heavily trafficked system you may want to disable live traffic which will stop logging to the DB.
|
71 |
1. Firewall rules and login rules apply to the WHOLE system. So if you fail a login on site1.example.com and site2.example.com it counts as 2 failures. Crawler traffic is counted between blogs, so if you hit three sites in the network, all the hits are totalled and that counts as the rate you're accessing the system.
|
72 |
|
76 |
|
77 |
= What does Wordfence Security do that other WordPress security plugins don't do? =
|
78 |
|
79 |
+
* Wordfence Security actually verifies your website source code integrity against the official WordPress repository and shows you the changes. We are the only plugin to do this.
|
80 |
+
* Wordfence Security provides two-factor authentication (Cellphone Sign-in) for paid members. We're the only plugin to offer this.
|
81 |
+
* Wordfence Security scans check all your files, comments and posts for URL's in Google's Safe Browsing list. We are the only plugin to offer this very important security enhancement.
|
82 |
+
* Wordfence Security scans do not consume large amounts of your precious bandwidth because all security scans happen on your web server which makes them very fast.
|
83 |
+
* Wordfence Security fully supports WordPress Multi-Site which means you can security scan every blog in your Multi-Site installation with one click.
|
84 |
|
85 |
+
= Does Wordfence Security support Multi-Site installations? =
|
86 |
|
87 |
+
Yes. WordPress MU or Multi-Site as it's called now is fully supported. Using Wordfence Security you can security scan every blog in your network with one click. If one of your customers posts a page or post with a known malware URL that threatens your whole domain with being blacklisted by Google, we will tell you within a maximum of one hour which is how often scans occur.
|
88 |
|
89 |
+
= Will Wordfence Security slow my site down? =
|
90 |
|
91 |
+
We have spent a lot of time making sure Wordfence Security runs very quickly and securely. Wordfence Security uses its own database
|
92 |
+
tables and advanced mysql features to ensure it runs as fast as possible. The creators of Wordfence Security
|
93 |
also run Feedjit, a large scale real-time analytics product and ad network and much of the technology and knowledge from
|
94 |
+
our real-time analytics products is built into Wordfence Security.
|
95 |
|
96 |
+
= How often is Wordfence Security updated? =
|
97 |
|
98 |
+
The Wordfence Security plugin is frequently updated and we update the code on our security scanning servers
|
99 |
more frequently. Our cloud servers are continually updated with the latest known security threats and vulnerabilities so
|
100 |
that we can blog any security threat as soon as it emerges in the wild.
|
101 |
|
102 |
= What if I need support? =
|
103 |
|
104 |
All our paid customers receive priority support. Excellent customer service is a key part
|
105 |
+
of being a Wordfence Security member. You can also [visit our support forums where we provide free support for all Wordfence Security users](http://wordfence.com/forums/) and answer any security releated questions you may have.
|
106 |
|
107 |
+
= Can I disable certain security features of Wordfence Security? =
|
108 |
|
109 |
Yes! Simply visit the Options page, click on advanced options and enable or disable the security features you want.
|
110 |
|
111 |
= What if my site security has already been compromised by a hacker? =
|
112 |
|
113 |
+
Wordfence Security is the only security plugin that is able to repair core files, themes and plugins on sites where security is already compromised.
|
114 |
However, please note that site security can not be assured unless you do a full reinstall if your site has been hacked. We recommend you only
|
115 |
+
use Wordfence Security to get your site into a running state in order to recover the data you need to do a full reinstall. A full reinstall is the only
|
116 |
way to ensure site security once you have been hacked.
|
117 |
|
118 |
= How will I be alerted that my site has a security problem? =
|
119 |
|
120 |
+
Wordfence Security sends security alerts via email. Once you install Wordfence Security, you will configure a list of email addresses where security alerts will be sent.
|
121 |
When you receive a security alert, make sure you deal with it promptly to ensure your site stays secure.
|
122 |
|
123 |
= My WordPress site is behind a firewall. Doesn't that make it secure? =
|
132 |
though your site is behind a commercial firewall, it still accepts web requests that include uploads and executes PHP code
|
133 |
and as long as it does that, it may become face a security vulnerability at some point.
|
134 |
|
135 |
+
= Will Wordfence Security protect me against the Timthumb security problem? =
|
136 |
|
137 |
The timthumb security exploit occurred in 2011 and all good plugins and themes now use an updated
|
138 |
+
version of timthumb (which the creator of Wordfence Security wrote and donated to the timthumb author) which closes the security hole that
|
139 |
caused the problem. However we do scan for old version of timthumb for good measure to make sure they don't
|
140 |
cause a security hole on your site.
|
141 |
|
142 |
|
143 |
== Screenshots ==
|
144 |
|
145 |
+
1. The home screen of Wordfence Security where you can see a summary, manage security issues and do a manual security scan.
|
146 |
+
2. The Live Traffic view of Wordfence Security where you can see real-time activity on your site.
|
147 |
3. The "Blocked IPs" page where you can manage blocked IP's, locked out IP's and see recently throttled IPs that violated security rules.
|
148 |
+
4. The basic view of Wordfence Security options. There is very little to configure other than your alert email address and security level.
|
149 |
+
5. If you're technically minded, this is the under-the-hood view of Wordfence Security options where you can fine-tune your security settings.
|
150 |
|
151 |
== Changelog ==
|
152 |
|
153 |
+
= 3.8.2 =
|
154 |
+
* Updated GeoIP database for country blocking security.
|
155 |
+
* Fixed bug in Wordfence Security where we called reverseLookup in wfUtils statically and it's a non-static method. Thanks Juliette.
|
156 |
+
* Removed characters that are invalid in an IP address or domain from the Whois facility to improve security.
|
157 |
+
* Prevent users from creating 1 character passwords to improve security.
|
158 |
+
* Fixed issue that caused an invalid variable to be used in an error message and improved Wordfence Security temporary file implementation for get_ser/ser_ser functions. Thanks R.P.
|
159 |
+
* Fixed issue that caused IP to output as integer in status msg. Not security related but display issue.
|
160 |
+
* Declared Wordfence Security reverseLookup function as static to remove warning.
|
161 |
+
* Fixed returnARr syntax error in Wordfence Security class.
|
162 |
+
|
163 |
= 3.8.1 =
|
164 |
+
* Added Cellphone Sign-in (Two Factor Authentication) for paid Wordfence Security members. Stop brute-force attacks permanently! See new "Cellphone Sign-in" menu option.
|
165 |
+
* Added ability to enforce strong passwords using Wordfence Security when accounts are created or users change their password. See Wordfence Security 'options' page under 'Login Security Options'.
|
166 |
+
* Added new backdoor/malware signatures to Wordfence Security scanning including detection for spamming scripts, youtube spam scripts and a new attack shell.
|
167 |
+
* Fixed issue: Under some conditions, files not part of core or a known theme or plugin would be excluded from a Wordfence Security scan.
|
168 |
+
* Fixes from Juliette R. F. Remove warnings for unset variables. Fix options 'save' spinner spinning infinitely on some platforms. Removed redundant error handling code in Wordfence Security.
|
169 |
+
* Added ability to downgrade a paid Wordfence Security license to free.
|
170 |
|
171 |
= 3.7.2 =
|
172 |
* Fixed issue that caused locked out IP's to not appear, or to appear with incorrect "locked out until" time.
|
173 |
|
174 |
= 3.7.1 =
|
175 |
* Moved global firewall, login security and live traffic options to top of options page.
|
176 |
+
* Made it clear that if you have Wordfence Security firewall disabled, IP's won't be blocked, country blocking won't work and advanced blocking won't work with warnings on each page.
|
177 |
|
178 |
= 3.6.9 =
|
179 |
+
* Fixed JS error in Wordfence Security that occurs occasionally when users are viewing Wordfence Security activity log in real-time.
|
180 |
+
* New Feature: Prevent users registering 'admin' username if it doesn't exist to improve security. Recommended if you've deleted 'admin'. Enable on 'options' page.
|
181 |
+
* Check if Wordfence Security GeoIP library is already declared for all functions. Fixes Fatal error: Cannot redeclare geoip_country_code_by_name.
|
182 |
+
* Fixed a Wordfence Security compatibility issue with sites and hosts using Varnish front-end cache to ensure legit users don't get blocked. Added two HTTP no-cache and Expires headers.
|
183 |
+
* Fixed bug when using Wordfence Security Advanced User-Agent blocking with certain patterns this would appear: Warning: preg_match() [function.preg-match]: Unknown modifier
|
184 |
+
* Vastly improved speed of Wordfence Security Advanced User-Agent blocking security feature. No longer using regex but still support wildcards using fnmatch()
|
185 |
* We now support usernames with spaces in the list of users to ignore in the live traffic config on 'options' page.
|
186 |
* Improved language in status messages to avoid confusion. Changed "unrecognized files" to "additional files" to describe non-core/theme/plugin files.
|
187 |
|
188 |
= 3.6.8 =
|
189 |
+
* Fixed bug in Wordfence Security that caused IP range blocking to not block.
|
190 |
* Fixed bug that caused unblocking a permanently blocked IP to work, but not refresh the list.
|
191 |
* Added usernames to the email you receive when a user is locked out.
|
192 |
+
* Added a few more status messages for Wordfence Security URL malware scanning.
|
193 |
* Removed the sockets function call from connection testing because some hosts don't allow calls to socket_create()
|
194 |
+
* Added detection in the Wordfence Security Whois page to check if the server has the fsockopen() function available with helpful message if it's disabled.
|
195 |
+
* Whitelisted IP's now override Wordfence Security country blocking and range blocking.
|
196 |
* Removed Bluehost affiliate links for free customers
|
197 |
* Fixed issue that caused scans to crash when checking URLs for malware.
|
198 |
* Fixed issue that caused scans with large numbers of posts that contain the same URL to crash.
|
199 |
+
* Updated the Wordfence Security GeoIP database for country blocking to newest version.
|
200 |
|
201 |
= 3.6.7 =
|
202 |
* Improved security for Cloudflare customers to prevent spoofing attacks and protect when a hacker bypasses Cloudflare proxies.
|
203 |
* Added clear explanation of what increasing AJAX polling time does on options page.
|
204 |
+
* Fixed issue with Wordfence Security detecting itself as malware. We messed up the version number in previous release.
|
205 |
|
206 |
= 3.6.6 =
|
207 |
* Added option to change AJAX polling frequency
|
208 |
* Fixed issue that caused whitelisted IP's to not be whitelisted.
|
209 |
+
* Added code that prevents blocking of Wordfence's API server (or Wordfence Security will cease to function)
|
210 |
* Added link at bottom of 'options' page to test connectivity to our API servers.
|
211 |
* Include any CURL error numbers in error reporting.
|
212 |
* Fixed issue that caused IP range blocking to not block access to login page.
|
222 |
|
223 |
= 3.6.3 =
|
224 |
* Fixed 'max_user_connections' issue.
|
225 |
+
* Wordfence Security now uses WordPress's WPDB and this halves the number of DB connections Wordfence Security establishes to your DB.
|
226 |
+
* Wordfence Security is now HyperDB compatible.
|
227 |
* Advanced blocking i.e. Browser and IP Range blocking is now a free feature.
|
228 |
* We no longer disable Live Traffic if we detect a caching plugin. Based on user feedback, apparently live traffic actually works with those plugins.
|
229 |
* Fixed issue that causes site to crash if a conflicting GeoIP library is installed.
|
230 |
* Changed logHuman routine to do a LOW_PRIORITY MySQL update to speed things up.
|
231 |
* Login failure counter is now reset if you send yourself an unlock email so you're not locked out again after 1 failure.
|
232 |
+
* The free version of Wordfence Security is now supported with ads at the top of the admin pages. Please visit our sponsors and help keep Wordfence Security free!
|
233 |
* Fixed issue that may cause scans to not be scheduled using the default schedule for new users.
|
234 |
* There was no 3.6.2 release, in case you're wondering about the version skip.
|
235 |
|
236 |
= 3.6.1 =
|
237 |
* Major new release that includes the much asked for IP Range blocking with ISP blocking ability and browser blocking.
|
238 |
+
* Added Wordfence Security feature: WHOIS for IP's and Domains. Supports all registries and local rWhois
|
239 |
+
* Added Wordfence Security feature: Advanced Blocking to block IP ranges and browser patterns.
|
240 |
+
* Added Wordfence Security feature: WHOIS on live traffic pages.
|
241 |
+
* Added Wordfence Security feature: network blocking links on live traffic pages.
|
242 |
+
* Fixed bug where W3 Total Cache and WP Super Cache cache blocked Wordfence Security pages.
|
243 |
* Added explanation of how caching affects live traffic logging if we detect a caching plugin.
|
244 |
* Fixed AJAX loading to deal with multiple parallel ajax requests.
|
245 |
* Updated tour to include info on new WHOIS and Advanced Blocking features.
|
246 |
* Changed manual IP blocks to be permanent by default.
|
247 |
+
* Fixed issue in Wordfence Security that caused live traffic page not to reload when IP is unblocked.
|
248 |
* Modified "How does your site get IP's" config to avoid confusing new users.
|
249 |
* Changed 503 block message to be more helpful with link to FAQ on how to unblock.
|
250 |
* Removed redundant code in wfAPI.php
|
251 |
* Optimized code by moving firewall specific code to execute only if firewall is enabled.
|
252 |
* Fixed issue that caused "last attempted access" to show over 500 months ago.
|
253 |
* Fixed issue that was causing warning in getIP() code.
|
254 |
+
* Upgraded to Wordfence Security API version 2.6.
|
255 |
|
256 |
= 3.5.3 =
|
257 |
* This is the dev version. Stable is 3.5.2.
|
270 |
* Fixed issue of files containing "silence is golden" showing up as being changed with no executable content.
|
271 |
|
272 |
= 3.4.5 =
|
273 |
+
* Fixed security issue of being able to list wordfence Security's own virtual dir on some server configurations.
|
274 |
* Fixed issue of WF using deprecated function which caused warnings or errors on install.
|
275 |
* Added link to security alert mailing list on "Scan" page next to manual start scan button and in tour.
|
276 |
|
278 |
* Fixed issue that caused scans to not complete.
|
279 |
* Fixed issue that caused scans to launch a large number of child processes due to very short scan timeout.
|
280 |
* Fixed issue that caused websites that don't know their own hostname to not be able to scan.
|
281 |
+
* Added workaround for a bug in Better WP Security breaking Wordfence Security due to their code overwriting the WP version.
|
282 |
* Optimized the way we calculate max execution time for each process while scanning.
|
283 |
|
284 |
= 3.4.1 =
|
288 |
* Fixed issue that caused API calls to fail on MultiSite installs.
|
289 |
* Fixed issue that caused comments to break on MultiSite installs under certain conditions.
|
290 |
* Fixed issue that caused incorrect domain to be shown in live traffic view on multi-site installs.
|
291 |
+
* Fixed issue where some proxies/firewalls send space delimited IP addresses in HTTP headers and Wordfence Security now handles that.
|
292 |
+
* Fixed issue that caused Wordfence Security to capture activation errors of other plugins.
|
293 |
* Geo IP database update to November 7th edition.
|
294 |
|
295 |
= 3.3.7 =
|
296 |
+
* Upgrade immediately. Fixes possible XSS vulnerability in Wordfence Security "firewall unlock" form.
|
297 |
* Also added rate limiting to max of 10 requests per second to the unlock form.
|
298 |
|
299 |
= 3.3.5 =
|
308 |
* Fixed errors caused by ini_set being disabled on certain servers.
|
309 |
* Removed error logging messages in certain cases because some badly configured hosts write these errors to the web browser.
|
310 |
* Fixed getIP code that was evaluating arrays as strings in some cases.
|
311 |
+
* Added error logging so that if there is an activation error, the Wordfence Security will display the actual error to you.
|
312 |
* Fixed issue that caused scan to output "Could not get the administrator's user ID." when a user has changed their table prefixes under certain conditions.
|
313 |
|
314 |
= 3.3.2 =
|
315 |
+
* A complete rearchitecture of Wordfence Security scanning to massively improve performance.
|
316 |
* Our free customers are now 100% back in business. Apologies for the delay, but this was worth the wait.
|
317 |
+
* Wordfence Security is now 4X faster for both free and paid customers.
|
318 |
* Significantly reduced CPU and memory overhead.
|
319 |
+
* Significantly reduced network througput when communicating with Wordfence Security scanning servers.
|
320 |
+
* Big performance improvement on our own scanning servers which allows us to continue to provide Wordfence Security free for the forseeable future.
|
321 |
* Upgraded scanning API to version 2.4
|
322 |
* Upgraded Geo IP database to October version.
|
323 |
* Moved core, theme, plugin and malware scanning into hashing recursive routine for big performance gain.
|
338 |
* Paid feature: Remote site vulnerability and infection scanning.
|
339 |
|
340 |
= 3.2.5 =
|
341 |
+
* Moved all attack signatures out of the plugin to prevent Wordfence Security being detected as malicious in a false positive.
|
342 |
|
343 |
= 3.2.4 =
|
344 |
* Improved country blocking to make bulk adding/deleting of countries much easier.
|
351 |
|
352 |
= 3.2.1 =
|
353 |
* Theme and plugin scanning is now free. Woohoo!
|
354 |
+
* Added introductory tour for Wordfence Security.
|
355 |
+
* Upgraded to Wordfence Security scanning API version 2.0 to allow free theme and plugin scanning.
|
356 |
* Fixed two issue with scheduled scanning for premium users that would cause scans to not run or run at wrong times under certain conditions.
|
357 |
* Added feature to view unknown files on system to help clean badly infected systems. See on scanning page in "Tools" under yellow box.
|
358 |
* Fixed blocked countries overflowing their container in the user interface.
|
359 |
* Fixed case where if user is using MySQL >= 5.1.16 and doesn't have the "drop" privilege, they can't truncate the wfFileQueue table and it could grow uncontrollably.
|
360 |
* Updated to the new Libyan flag.
|
361 |
* Fixed mysql_ping() reconnection to DB generating warnings.
|
362 |
+
* Fixed issue that caused scans to hang. Wordfence Security now processes smaller batches of files before checking if it needs to fork.
|
363 |
* Security scan for backdoors: "s72 Shell", "r57 kartal", "r57shell", "rootshell", "r57", "r57 Mohajer22", "r57 iFX", "php backdoor", "phpRemoteView"
|
364 |
* Security scan for backdoors: "nstview", "nshell", "mysql tool", "nsTView", "matamu", "mysql shell", "load shell", "ironshell", "lamashell", "hiddens shell"
|
365 |
* Security scan for backdoors: "h4ntu shell", "go shell", "dC3 Shell", "gfs sh", "cybershell", "c99 w4cking", "ctt sh"
|
387 |
* Fixed permanent IP blocking bug which caused permanently blocked IP's to no longer display in the list after some time, even though there were still blocked. (Incorrect SQL query)
|
388 |
* Fixed "Can't get admin ID" on scan starts for both MU and single site installs.
|
389 |
* Improved status messages for sites with very large numbers of comments.
|
390 |
+
* Fixed bug that caused sites in subdirectories to not be able to view site config or run the memory test on the Wordfence Security "options" page.
|
391 |
* Fixed database disconnect bug (mysql server has gone away). An additional fix was required to finally squash this bug.
|
392 |
+
* Removed the code that prevented you from installing Wordfence Security on Windows. Sorry Windows customers!
|
393 |
* Improved scheduling so that it is now more reliable.
|
394 |
+
* Fixed bug that caused a loop for customers who could not contact the Wordfence Security servers on install.
|
395 |
* Added helpful message if you get the "can't connect to itself" error message with some additional documentation to help solve this issue.
|
396 |
+
* Improved error reporting when Wordfence Security can't connect to the scanning servers. Now features a helpful explanation rather than a generic message.
|
397 |
* Added Country Geo-Blocking feature for paid customers.
|
398 |
* Added Scan Scheduling feature for paid customers.
|
399 |
|
400 |
= 3.1.1 =
|
401 |
+
* Added another fix for "mysql server has gone away" error. Wordfence Security now makes sure the DB is still connected and reconnects if not.
|
402 |
* Added new detection for encoded malicious code in files.
|
403 |
* Fixed bug introduced yesterday that prevented permanent blocking of IP's.
|
404 |
* Improved ability to detect if we're running on Windows (but we don't support Windows yet).
|
405 |
+
* Issue intelligent warning if Wordfence Security can't read base WordPress directory.
|
406 |
+
* Don't activate Wordfence Security if user is running Windows.
|
407 |
* Cleaned up errors if a file can't be scanned due to permission restrictions.
|
408 |
* Improved reporting of which user scan is running as and how we determined who the admin user is.
|
409 |
|
410 |
= 3.1.0 =
|
411 |
* Changed the way we monitor disk space from % to warning on 20 megs and critical on 5 megs remaining. This deals with very large disks in a more rational way. (Thanks Yael M. and Ola A.)
|
412 |
* We now deal with cases where the $_SERVER variable contains an array instead of string for IP address. It seems that some installations modify the value into an array. (Thanks S.S.)
|
413 |
+
* The Wordfence Security DB connection now more reliably changes the mysql timeout for the session to prevent "mysql server has gone away" errors. (Thanks Peter A.)
|
414 |
|
415 |
= 3.0.9 =
|
416 |
* Fixed problem where scan process can't get admin ID.
|
432 |
* Fix bug that caused scan to not start on sites with thousands (over 20,000 in one case) users.
|
433 |
* Scan start is now faster for sites with large numbers of users.
|
434 |
* Fix bug that caused scan to get killed when checking passwords on sites with thousands of users.
|
435 |
+
* Wordfence Security now intelligently determines how to do a loopback request to kick off a scan.
|
436 |
* Scan is no longer called with a cron key in HTTP header but uses a query string value to authenticate itself which is more reliable.
|
437 |
|
438 |
= 3.0.6 =
|
439 |
* Improved malware and phishing URL detection.
|
440 |
+
* Upgraded to Wordfence Security API version 1.9
|
441 |
* Fixed issue that caused large files to slow or crash a scan.
|
442 |
* Added workaround for PHP's broken filesize() function on 32 bit systems.
|
443 |
* Added an improved test mode for URL scanner for better unit testing on our end.
|
454 |
* Changed wfscan.php message when accessed directly to be more helpful.
|
455 |
|
456 |
= 3.0.4 =
|
457 |
+
* Detects if the Wordfence Security app (not scanner) is short on memory and requests more
|
458 |
* Fixes an issue where scan breaks if all scanning options are disabled
|
459 |
|
460 |
= 3.0.3 =
|
474 |
* Made scan locking much more reliable to avoid multiple concurrent scans hogging resources.
|
475 |
* Debug status messages are no longer written to the DB in non-debug mode.
|
476 |
* Modified the list of unknown files we receive back from the WF scanning servers to be a packed string rather than an array which is more memory efficient.
|
477 |
+
* Added summary at the end of scans to show the peak memory that Wordfence Security used along with server peak memory.
|
478 |
+
* Hashes are now progressively sent to Wordfence Security servers during scan to drastically reduce memory usage.
|
479 |
+
* Upgraded to Wordfence Security server API version 1.8
|
480 |
+
* List of hosts that Wordfence Security URL scanner compiles now uses wfArray which is a very memory efficient packed binary structure.
|
481 |
* Writes that WF URL scanner makes to the DB are now batched into bulk inserts to reduce load on DB.
|
482 |
* Fixed bug in wfscan.php (scanning script) that could have caused scans to loop or pick up old data.
|
483 |
* Massively reduced the number of status messages we log, but kept very verbose logging for debug mode with a warning about DB load.
|
484 |
* Added summary messages instead of individual file scanning status messages which show files scanned and scan rate.
|
485 |
* Removed bin2hex and hex2bin conversions for scanning data which were slow, memory heavy and unneeded.
|
486 |
+
* Wordfence Security database class will now reuse the WordPress database handle from $wpdb if it can to reduce DB connections.
|
487 |
|
488 |
= 2.1.5 =
|
489 |
* Fixed bug that caused WF to not work when certain DB caching plugins are used and override wpdb object.
|
490 |
+
* Fixed Wordfence Security so activity log only shows our own errors unless in debug mode.
|
491 |
+
* Wordfence Security now deletes all it's tables and deletes all saved options when you deactivate the plugin.
|
492 |
* Removed all exit() on error statements. Critical errors are handled more gracefully by writing to the log instead.
|
493 |
* Fixed a bug that would cause a database loop until running out of memory under certain error conditions.
|
494 |
* Suppressed useless warnings that occur in environments with basedir set or where functions are disabled for security reasons.
|
508 |
* Fixed registered users not appearing in live traffic.
|
509 |
* Fixed temp file deletion bug that caused warnings and loops.
|
510 |
* Fixed issue that caused warning about WORDFENCE_VERSION
|
511 |
+
* Fixed Wordfence Security admin area not working under SSL
|
512 |
* Fixed bug that caused IP addresses of clients to be misinterpreted if there are multiple addresses from chained proxies.
|
513 |
* Now stripping port numbers from IP's which we weren't doing before.
|
514 |
* Added check for validity of IP's and report fatal error if it fails because this could lock users out.
|
527 |
= 2.1.1 =
|
528 |
* Added ability to permanently block IP's
|
529 |
* Added ability to manually block IP's
|
530 |
+
* Made Wordfence Security more memory efficient, particularly the forking process.
|
531 |
* Fixed issue that caused WF to not work on databases with blank passwords.
|
532 |
+
* Wordfence Security now stops execution of a DB connection error is encountered.
|
533 |
+
* Clear cron jobs if Wordfence Security is uninstalled.
|
534 |
* Enabled hourly cron for Wordfence security network.
|
535 |
+
* Wordfence Security now works if your server doesn't have openssl installed
|
536 |
+
* Wordfence Security now works even if you don't have CURL
|
537 |
* Fixed visitor logging so it works with HTTPS websites.
|
538 |
* Alert emails now contain filenames in each alert description.
|
539 |
* Users with weak passwords alerts now contain the username in the email.
|
540 |
* Upgraded API to 1.7.
|
541 |
* Fixed issue that caused DISALLOW_FILE_MODS to make WF menu disappear.
|
542 |
* Modified wfDB to deal with very large queries without exceeding max_allowed_packet
|
543 |
+
* Fixed issue that broke ability to see file changes and repair files in security scan results.
|
544 |
|
545 |
= 2.1.0 =
|
546 |
* Fixed scans hanging on Dreamhost and other hosts.
|
547 |
+
* Made Wordfence Security more memory efficient.
|
548 |
+
* Wordfence Security scans are now broken into steps so we can scan a huge number of files, posts and comments.
|
549 |
* Alert emails now include IP address, hostname lookup and geographic location (city if available).
|
550 |
+
* Improved security scan locking. No longer time based but uses flock() if on unix or time on Windows.
|
551 |
* Suppressed warnings that WF was generating.
|
552 |
* Improve handling of non-standard wp-content directories.
|
553 |
* Fix restored files were still showing as changed if they contained international characters.
|
554 |
* Improve permission denied message if attempting to repair a file.
|
555 |
* Fixed problem that caused scans to not start because some hosts take too long to look up their own name.
|
556 |
+
* Fixed issue with Wordfence Security menu that caused it to not appear or conflict with other menus under certain conditions.
|
557 |
+
* Upgraded to security API version 1.6
|
558 |
+
* Improved geo lookup code for IP's to improve security.
|
559 |
* Fixed debug mode output in live status box - coloring was wrong.
|
560 |
* Added ajax status message to WF admin pages.
|
561 |
* Fixed colorbox popup so that it doesn't jump around on refresh.
|
564 |
* Fixed CSS bug that changed plugins page layout in admin area
|
565 |
* Added memory benchmark utility.
|
566 |
* Added process runtime benchmark utility.
|
567 |
+
* Added ability to security scan in debug mode which accesses the scan app directly.
|
568 |
|
569 |
= 2.0.6 =
|
570 |
* Added IP whitelisting including ability to whitelist ranges that are excluded from firewall and login security measures.
|
571 |
* RFC1918 private networks and loopback address is automatically whitelisted to prevent firewall or login security blocking internal routers and proxy servers, internal firewalls and internal users.
|
572 |
* Added WORDFENCE_VERSION constant to improve version lookup performance.
|
573 |
+
* Fixed issue that caused security scans to not start and humans to not be logged in live traffic. Wordfence Security makes security scan script and visitors script executable on install or upgrade now.
|
574 |
* Fixed bug that caused disk space scanning to still show an issue found in security scan summary even when user chooses to ignore the security issue.
|
575 |
* Made disk space thresholds 1 and 1.5% space remaining because many hosts have very large disks where 1% is gigabytes.
|
576 |
+
* Made wordfence Security database handle cache deal with concurrent connections to different databases.
|
577 |
+
* Improved Wordfence Security database library's error reporting.
|
578 |
+
* Improved performance when Wordfence Security looks up it's own version during security scans and other operations.
|
579 |
+
* Removed three rules in base wordfence Security htaccess that could cause 500 errors on servers that don't allow these options to be overridden. Does not affect htaccess security because we inherit the base htaccess and still protect our lib/ directory with our own htaccess.
|
580 |
|
581 |
= 2.0.5 =
|
582 |
* If your plugin PHP files are viewable by the world, we now give you a detailed warning on the seriousness of this security threat with ability to view the offending .htaccess files.
|
588 |
* Fixed bug that would cause security scanning of PHP files with base64 content to stop.
|
589 |
|
590 |
= 2.0.4 =
|
591 |
+
* Now security scanning all comments, posts and pages on multi-site installation for malware and phishing URL's. Significant security enhancement.
|
592 |
* Improved messages on multisite when a bad comment or post is found.
|
593 |
* Fixed bug that caused paid users to not be able to activate their premium key.
|
594 |
* Made upgrade process much friendlier.
|
595 |
* Got rid of GeSHi syntax highlighting because it segfaults and is resource intensive. Using built in PHP highlighting instead.
|
596 |
* Message asking you to configure an alert email address only appears for 3 pageviews after plugin activation so it's less irritating.
|
597 |
* Fixed bug for MU users that caused WF to tell you that your WF schema is missing and you need to reactivate.
|
598 |
+
* Fixed bug that caused malware URL security scanner to not work for MU users.
|
599 |
|
600 |
= 2.0.3 =
|
601 |
* Removed unbuffered queries and switched to conventional queries that are memory efficient for better stability.
|
602 |
+
* Made security scanning large numbers of URL's contained in things like awstats log files extremely memory efficient and way faster.
|
603 |
* Removed alerts about unknown files in core directory if they belong to an older wordpress version and are unchanged.
|
604 |
* Other performance improvements like using strpos instead of strstr.
|
605 |
* Moved "scan files outside base dir" option to be in correct place on config page.
|
608 |
* Fixed plugin upgrades so that css and scripts are not cached across versions.
|
609 |
|
610 |
= 2.0.1 =
|
611 |
+
* Improved security scanning for specific attacks being used in the PHP-CGI vulnerability ( CVE-2012-1823)
|
612 |
* API keys no longer required. WF fetches a temporary anonymous API key for you on activation.
|
613 |
* Added real-time activity log on scan page.
|
614 |
* Added real-time summary updates on scan page.
|
615 |
* Fixed ability to view files that have symlinks in path.
|
616 |
* Added message to configure alert email address for multi-site and single site installs on activation.
|
617 |
+
* Disabled firewall security rules by default because most sites don't need them.
|
618 |
* Disabled blocking of fake googlebots except for high security levels to prevent users who like to pretend they're googlebot from blocking themselves.
|
619 |
* Geshi the syntax highlighter now asks for more memory before running.
|
620 |
* Fixed bug that caused scan to hang on very large files.
|
621 |
* Added an index to wfStatus to make it faster for summary statuses
|
622 |
* Removed multisite pre-activation check to make activation more reliable on multisite installs.
|
623 |
+
* Better problem reporting if you trashed your Wordfence Security schema but the plugin is still installed.
|
624 |
|
625 |
= 1.5.6 =
|
626 |
* Removed use of nonces and purely using 30 minute key for unlocking emails.
|
630 |
= 1.5.5 =
|
631 |
* Added ability for admin's to unlock login and unblock their IP addresses if they're accidentally locked out by the firewall or login security. Uses two security tokens to prevent abuse.
|
632 |
* Admins can now also disable firewall and login security from the unlock-me email, just in case of emergency.
|
633 |
+
* Made advanced security options visible so you know they exist.
|
634 |
* Fixed dns_get_record() function not existing bug on Windows sytems pre PHP 5.3.0. Was causing scans to hang.
|
635 |
* Increased login lockout defaults to be much higher which still protects against brute force hacks.
|
636 |
* Removed CURLOPT_MAXREDIRS in curl to avoid safe mode warnings.
|
637 |
* Fixed ability to view and diff files on blogs installed in subdirectories.
|
638 |
* Fixed ability to see individual IP hits on subdir sites.
|
639 |
* Plugin and theme update messages now include links to the upgrade page.
|
640 |
+
* Removed the link on the login form that mentions the site is protected by Wordfence Security.
|
641 |
* Changed lockout defaults to be much higher.
|
642 |
+
* Added options for higher number of failures before lockout in options page for configurable login security.
|
643 |
* Now including plugin version in the activity log when the admin chooses to email it to us for debugging.
|
644 |
|
645 |
= 1.5.4 =
|
665 |
* Syntax fixes (various)
|
666 |
|
667 |
= 1.4.6 =
|
668 |
+
* Increased memory available to Wordfence Security to 256M during security scans, configurable in wordfenceConstants.php
|
669 |
* Improved memory logging during security scans. Current memory usage is now shown on the far right of filenames while scans occur.
|
670 |
|
671 |
= 1.4.5 =
|
672 |
+
* Bugfix - fixed bug that caused Wordfence Security menu to dissapear.
|
673 |
|
674 |
= 1.4.4 =
|
675 |
* WordPress Multi-site support added. Currently in Beta. Tested with subdomains, not subdirectories, but it should work great on both.
|
689 |
* Increased API curl timeout to 300 for slower hosts that seem affected during URL security scans.
|
690 |
|
691 |
= 1.4.1 =
|
692 |
+
* This is a major release of Wordfence Security, please upgrade immediately.
|
693 |
* Only scan files in the WordPress ABSPATH root directory and known WordPress subdirectories. Prevents potentially massive scans on hosts that have large dirs off their wordpress root.
|
694 |
* Don't generate plain SHA hashes anymore because we don't currently use them on the server side for scanning. (Still generates md5's and SHAC)
|
695 |
* No longer do change tracking on files before scans because the change tracking does almost the same amount of work when generating hashes as the actual scan. So just do the scan, which is now faster.
|
696 |
* Updated internal version to 1.2 to use new code on the server side which sends back a list of unknown files rather than known files, which is usually smaller and more network efficient.
|
697 |
* Improved logging in activity log.
|
698 |
+
* Removed SSL peer verification because some hosts have bad cert config. Connection to our servers is still via SSL to enhance security.
|
699 |
* Fixed a few minor issues. Overall you should notice that scans are much faster now.
|
700 |
|
701 |
= 1.3.3 =
|
704 |
* Link to forums added for free customer support.
|
705 |
|
706 |
= 1.3.2 =
|
707 |
+
* Reduced the number of database connections that Wordfence Security makes to one.
|
708 |
* Modified the memory efficient unbuffered queries we use to only use a single DB connection.
|
709 |
* Removed status updates during post and comment scans which prevents interference with unbuffered queries and makes the scans even faster.
|
710 |
|
711 |
= 1.3.1 =
|
712 |
+
* Fixed a bug where if you have the plugin "secure-wordpress" installed, you can't do a Wordfence Security scan because it says you have the wrong version. This is because secure-wordpress trashes the $wp_version global variable to hide your version rather than using the filters provided by WordPress. So coded a workaround so that your Wordfence Security scans will work with that plugin installed.
|
713 |
|
714 |
= 1.3 =
|
715 |
+
* Minor fix to point to the correct binary API URL on the Wordfence Security cloud servers.
|
716 |
|
717 |
= 1.2 =
|
718 |
+
* It is now free to get a Wordfence Security API key.
|
719 |
+
* Premium keys include theme and plugin file security verification which consumes resources on the Wordfence Security servers.
|
720 |
* Various bugfixes and performance enhancements.
|
721 |
|
722 |
= 1.1 =
|
723 |
+
* Initial public release of Wordfence Security Plugin.
|
724 |
|
725 |
== Upgrade Notice ==
|
726 |
= 3.1.1 =
|
727 |
Upgrade immediately. Fixes bug introduced in last release that broke permenent IP blocking.
|
728 |
|
729 |
= 3.0.9 =
|
730 |
+
Upgrade immediately. Fixes two security critical bugs: Could not get admin ID bug and permanent IP blocks not staying permanent.
|
731 |
|
732 |
= 3.0.6 =
|
733 |
+
Upgrade immediately. Improves malware URL detection by 20% or more to improve security.
|
734 |
|
735 |
= 3.0.3 =
|
736 |
+
Upgrade immediately. This release fixes an issue that caused Wordfence Security to show all your core files
|
737 |
missing under certain conditions. It was usually caused by high load on our scanning server and the
|
738 |
plugin not handling an error condition halfway through the scan correctly.
|
739 |
|
740 |
= 3.0.2 =
|
741 |
Upgrade immediately. This release drastically reduces memory, reduces new DB connections created by
|
742 |
+
Wordfence Security to zero (we simply reuse the WordPress DB handle), reduces the number of DB queries to
|
743 |
about 1% of the previous version by removing unneeded status messages and fixes a bug that
|
744 |
+
could cause Wordfence Security to launch multiple concurrent scans that can put high load on your system.
|
745 |
This is a critical release. Upgrade immediately.
|