Wordfence Security – Firewall & Malware Scan - Version 4.0.3

Version Description

  • Improvement: Added "high sensitivity" scanning which catches evals with other bad functions but may give false positives. Not enabled by default.
  • Fix: Removed code that caused error message during scan initialization.
  • Fix: IP to number conversation code had a problem with IP's with a single 0 in them. Bug was introduced in 4.0.2.
  • Fix: Very fast attacks would generate a lot of email alerts due to race condition. Fixed.
Download this release

Release Info

Developer mmaunder
Plugin Icon 128x128 Wordfence Security – Firewall & Malware Scan
Version 4.0.3
Comparing to
See all releases

Code changes from version 4.0.2 to 4.0.3

lib/menu_options.php CHANGED
@@ -119,6 +119,7 @@ var WFSLevels = <?php echo json_encode(wfConfig::$securityLevels); ?>;
119
<tr><th>Scan for unauthorized DNS changes</th><td><input type="checkbox" id="scansEnabled_dns" class="wfConfigElem" name="scansEnabled_dns" value="1" <?php $w->cb('scansEnabled_dns'); ?>/></td></tr>
120
<tr><th>Scan files outside your WordPress installation</th><td><input type="checkbox" id="other_scanOutside" class="wfConfigElem" name="other_scanOutside" value="1" <?php $w->cb('other_scanOutside'); ?> /></td></tr>
121
<tr><th>Scan image files as if they were executable</th><td><input type="checkbox" id="scansEnabled_scanImages" class="wfConfigElem" name="scansEnabled_scanImages" value="1" <?php $w->cb('scansEnabled_scanImages'); ?> /></td></tr>
122
<tr><td colspan="2">
123
<div class="wfMarker" id="wfMarkerFirewallRules"></div>
124
<h3 class="wfConfigHeading">Firewall Rules</h3>
119
<tr><th>Scan for unauthorized DNS changes</th><td><input type="checkbox" id="scansEnabled_dns" class="wfConfigElem" name="scansEnabled_dns" value="1" <?php $w->cb('scansEnabled_dns'); ?>/></td></tr>
120
<tr><th>Scan files outside your WordPress installation</th><td><input type="checkbox" id="other_scanOutside" class="wfConfigElem" name="other_scanOutside" value="1" <?php $w->cb('other_scanOutside'); ?> /></td></tr>
121
<tr><th>Scan image files as if they were executable</th><td><input type="checkbox" id="scansEnabled_scanImages" class="wfConfigElem" name="scansEnabled_scanImages" value="1" <?php $w->cb('scansEnabled_scanImages'); ?> /></td></tr>
122
+ <tr><th>Enable HIGH SENSITIVITY scanning. May give false positives.</th><td><input type="checkbox" id="scansEnabled_highSense" class="wfConfigElem" name="scansEnabled_highSense" value="1" <?php $w->cb('scansEnabled_highSense'); ?> /></td></tr>
123
<tr><td colspan="2">
124
<div class="wfMarker" id="wfMarkerFirewallRules"></div>
125
<h3 class="wfConfigHeading">Firewall Rules</h3>
lib/wfConfig.php CHANGED
@@ -32,6 +32,7 @@ class wfConfig {
32
"scansEnabled_options" => false,
33
"scansEnabled_dns" => false,
34
"scansEnabled_scanImages" => false,
35
"scansEnabled_oldVersions" => false,
36
"firewallEnabled" => false,
37
"blockFakeBots" => false,
@@ -99,6 +100,7 @@ class wfConfig {
99
"scansEnabled_options" => true,
100
"scansEnabled_dns" => true,
101
"scansEnabled_scanImages" => false,
102
"scansEnabled_oldVersions" => true,
103
"firewallEnabled" => true,
104
"blockFakeBots" => false,
@@ -166,6 +168,7 @@ class wfConfig {
166
"scansEnabled_options" => true,
167
"scansEnabled_dns" => true,
168
"scansEnabled_scanImages" => false,
169
"scansEnabled_oldVersions" => true,
170
"firewallEnabled" => true,
171
"blockFakeBots" => false,
@@ -233,6 +236,7 @@ class wfConfig {
233
"scansEnabled_options" => true,
234
"scansEnabled_dns" => true,
235
"scansEnabled_scanImages" => false,
236
"scansEnabled_oldVersions" => true,
237
"firewallEnabled" => true,
238
"blockFakeBots" => false,
@@ -300,6 +304,7 @@ class wfConfig {
300
"scansEnabled_options" => true,
301
"scansEnabled_dns" => true,
302
"scansEnabled_scanImages" => false,
303
"scansEnabled_oldVersions" => true,
304
"firewallEnabled" => true,
305
"blockFakeBots" => true,
32
"scansEnabled_options" => false,
33
"scansEnabled_dns" => false,
34
"scansEnabled_scanImages" => false,
35
+ "scansEnabled_highSense" => false,
36
"scansEnabled_oldVersions" => false,
37
"firewallEnabled" => false,
38
"blockFakeBots" => false,
100
"scansEnabled_options" => true,
101
"scansEnabled_dns" => true,
102
"scansEnabled_scanImages" => false,
103
+ "scansEnabled_highSense" => false,
104
"scansEnabled_oldVersions" => true,
105
"firewallEnabled" => true,
106
"blockFakeBots" => false,
168
"scansEnabled_options" => true,
169
"scansEnabled_dns" => true,
170
"scansEnabled_scanImages" => false,
171
+ "scansEnabled_highSense" => false,
172
"scansEnabled_oldVersions" => true,
173
"firewallEnabled" => true,
174
"blockFakeBots" => false,
236
"scansEnabled_options" => true,
237
"scansEnabled_dns" => true,
238
"scansEnabled_scanImages" => false,
239
+ "scansEnabled_highSense" => false,
240
"scansEnabled_oldVersions" => true,
241
"firewallEnabled" => true,
242
"blockFakeBots" => false,
304
"scansEnabled_options" => true,
305
"scansEnabled_dns" => true,
306
"scansEnabled_scanImages" => false,
307
+ "scansEnabled_highSense" => false,
308
"scansEnabled_oldVersions" => true,
309
"firewallEnabled" => true,
310
"blockFakeBots" => true,
lib/wfScanEngine.php CHANGED
@@ -908,8 +908,6 @@ class wfScanEngine {
908
'sslverify' => false,
909
'headers' => $headers
910
) );
911
- wordfence::status(4, 'info', "Proxy scan start headers: " . var_export($result['headers'], true));
912
- wordfence::status(4, 'info', "Proxy scan start response: " . var_export($result['response'], true));
913
wordfence::status(4, 'info', "Scan process ended after forking.");
914
}
915
return false; //No error
908
'sslverify' => false,
909
'headers' => $headers
910
) );
911
wordfence::status(4, 'info', "Scan process ended after forking.");
912
}
913
return false; //No error
lib/wfUtils.php CHANGED
@@ -83,7 +83,7 @@ class wfUtils {
83
return long2ip(-$long);
84
}
85
public static function inet_aton($ip){
86
- $ip = preg_replace('/(?<=^|\.)0+/', '', $ip);
87
return sprintf("%u", ip2long($ip));
88
}
89
public static function getBaseURL(){
83
return long2ip(-$long);
84
}
85
public static function inet_aton($ip){
86
+ $ip = preg_replace('/(?<=^|\.)0+([1-9])/', '$1', $ip);
87
return sprintf("%u", ip2long($ip));
88
}
89
public static function getBaseURL(){
lib/wordfenceClass.php CHANGED
@@ -434,10 +434,12 @@ class wordfence {
434
}
435
}
436
public static function lockOutIP($IP, $reason){
437
if(wfConfig::get('alertOn_loginLockout')){
438
wordfence::alert("User locked out from signing in", "A user with IP address $IP has been locked out from the signing in or using the password recovery form for the following reason: $reason", $IP);
439
}
440
- self::getLog()->lockOutIP(wfUtils::getIP(), $reason);
441
}
442
public static function isLockedOut($IP){
443
return self::getLog()->isIPLockedOut($IP);
434
}
435
}
436
public static function lockOutIP($IP, $reason){
437
+ //First we lock out IP
438
+ self::getLog()->lockOutIP(wfUtils::getIP(), $reason);
439
+ //Then we send the email because email sending takes time and we want to block the baddie asap. If we don't users can get a lot of emails about a single attacker getting locked out.
440
if(wfConfig::get('alertOn_loginLockout')){
441
wordfence::alert("User locked out from signing in", "A user with IP address $IP has been locked out from the signing in or using the password recovery form for the following reason: $reason", $IP);
442
}
443
}
444
public static function isLockedOut($IP){
445
return self::getLog()->isIPLockedOut($IP);
lib/wordfenceConstants.php CHANGED
@@ -1,5 +1,5 @@
1
<?php
2
- define('WORDFENCE_API_VERSION', '2.7');
3
define('WORDFENCE_API_URL_SEC', 'https://noc1.wordfence.com/');
4
define('WORDFENCE_API_URL_NONSEC', 'http://noc1.wordfence.com/');
5
define('WORDFENCE_MAX_SCAN_TIME', 86400); //Increased this from 10 mins to 1 day because very big scans run for a long time. Users can use kill.
1
<?php
2
+ define('WORDFENCE_API_VERSION', '2.8');
3
define('WORDFENCE_API_URL_SEC', 'https://noc1.wordfence.com/');
4
define('WORDFENCE_API_URL_NONSEC', 'http://noc1.wordfence.com/');
5
define('WORDFENCE_MAX_SCAN_TIME', 86400); //Increased this from 10 mins to 1 day because very big scans run for a long time. Users can use kill.
lib/wordfenceScanner.php CHANGED
@@ -186,31 +186,33 @@ class wordfenceScanner {
186
));
187
break;
188
}
189
- $badStringFound = false;
190
- if(strpos($data, $this->patterns['badstrings'][0]) !== false){
191
- for($i = 1; $i < sizeof($this->patterns['badstrings']); $i++){
192
- if(strpos($data, $this->patterns['badstrings'][$i]) !== false){
193
- $badStringFound = $this->patterns['badstrings'][$i];
194
- break;
195
}
196
}
197
- }
198
- if($badStringFound){
199
- $this->addResult(array(
200
- 'type' => 'file',
201
- 'severity' => 1,
202
- 'ignoreP' => $this->path . $file,
203
- 'ignoreC' => $fileSum,
204
- 'shortMsg' => "This file may contain malicious executable code",
205
- 'longMsg' => "This file is a PHP executable file and contains the word 'eval' (without quotes) and the word '" . $badStringFound . "' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.",
206
- 'data' => array(
207
- 'file' => $file,
208
- 'canDiff' => false,
209
- 'canFix' => false,
210
- 'canDelete' => true
211
- )
212
- ));
213
- break;
214
}
215
$this->urlHoover->hoover($file, $data);
216
} else {
186
));
187
break;
188
}
189
+ if(wfConfig::get('scansEnabled_highSense')){
190
+ $badStringFound = false;
191
+ if(strpos($data, $this->patterns['badstrings'][0]) !== false){
192
+ for($i = 1; $i < sizeof($this->patterns['badstrings']); $i++){
193
+ if(strpos($data, $this->patterns['badstrings'][$i]) !== false){
194
+ $badStringFound = $this->patterns['badstrings'][$i];
195
+ break;
196
+ }
197
}
198
}
199
+ if($badStringFound){
200
+ $this->addResult(array(
201
+ 'type' => 'file',
202
+ 'severity' => 1,
203
+ 'ignoreP' => $this->path . $file,
204
+ 'ignoreC' => $fileSum,
205
+ 'shortMsg' => "This file may contain malicious executable code",
206
+ 'longMsg' => "This file is a PHP executable file and contains the word 'eval' (without quotes) and the word '" . $badStringFound . "' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.",
207
+ 'data' => array(
208
+ 'file' => $file,
209
+ 'canDiff' => false,
210
+ 'canFix' => false,
211
+ 'canDelete' => true
212
+ )
213
+ ));
214
+ break;
215
+ }
216
}
217
$this->urlHoover->hoover($file, $data);
218
} else {
readme.txt CHANGED
@@ -2,8 +2,8 @@
2
Contributors: mmaunder
3
Tags: wordpress, security, wordpress security, security plugin, secure, anti-virus, malware, firewall, antivirus, virus, google safe browsing, phishing, scrapers, hacking, wordfence, securty, secrity, secure, two factor, cellphone sign-in, cellphone signin, cellphone, twofactor, security, secure, htaccess, login, log, users, login alerts, lock, chmod, maintenance, plugin, private, privacy, protection, permissions, 503, base64, injection, code, encode, script, attack, hack, hackers, block, blocked, prevent, prevention, RFI, XSS, CRLF, CSRF, SQL Injection, vulnerability, website security, WordPress security, security log, logging, HTTP log, error log, login security, personal security, infrastructure security, firewall security, front-end security, web server security, proxy security, reverse proxy security, secure website, secure login, two factor security, maximum login security
4
Requires at least: 3.3.1
5
- Tested up to: 3.8
6
- Stable tag: 4.0.2
7
8
Wordfence Security is a free enterprise class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation and more.
9
@@ -150,6 +150,13 @@ cause a security hole on your site.
150
151
== Changelog ==
152
153
= 4.0.2 =
154
* Feature: Ability to bulk repair or delete files when cleaning a site.
155
* Feature: You can now limit the number of emails per hour that Wordfence sends.
2
Contributors: mmaunder
3
Tags: wordpress, security, wordpress security, security plugin, secure, anti-virus, malware, firewall, antivirus, virus, google safe browsing, phishing, scrapers, hacking, wordfence, securty, secrity, secure, two factor, cellphone sign-in, cellphone signin, cellphone, twofactor, security, secure, htaccess, login, log, users, login alerts, lock, chmod, maintenance, plugin, private, privacy, protection, permissions, 503, base64, injection, code, encode, script, attack, hack, hackers, block, blocked, prevent, prevention, RFI, XSS, CRLF, CSRF, SQL Injection, vulnerability, website security, WordPress security, security log, logging, HTTP log, error log, login security, personal security, infrastructure security, firewall security, front-end security, web server security, proxy security, reverse proxy security, secure website, secure login, two factor security, maximum login security
4
Requires at least: 3.3.1
5
+ Tested up to: 3.8.1
6
+ Stable tag: 4.0.3
7
8
Wordfence Security is a free enterprise class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation and more.
9
150
151
== Changelog ==
152
153
+ = 4.0.3 =
154
+ * Improvement: Added "high sensitivity" scanning which catches evals with other bad functions but may give false positives. Not enabled by default.
155
+ * Fix: Removed code that caused error message during scan initialization.
156
+ * Fix: IP to number conversation code had a problem with IP's with a single 0 in them. Bug was introduced in 4.0.2.
157
+ * Fix: Very fast attacks would generate a lot of email alerts due to race condition. Fixed.
158
+
159
+
160
= 4.0.2 =
161
* Feature: Ability to bulk repair or delete files when cleaning a site.
162
* Feature: You can now limit the number of emails per hour that Wordfence sends.
wordfence.php CHANGED
@@ -4,13 +4,13 @@ Plugin Name: Wordfence Security
4
Plugin URI: http://www.wordfence.com/
5
Description: Wordfence Security - Anti-virus, Firewall and real-time WordPress security Network
6
Author: Mark Maunder
7
- Version: 4.0.2
8
Author URI: http://www.wordfence.com/
9
*/
10
if(defined('WP_INSTALLING') && WP_INSTALLING){
11
return;
12
}
13
- define('WORDFENCE_VERSION', '4.0.2');
14
if(get_option('wordfenceActivated') != 1){
15
add_action('activated_plugin','wordfence_save_activation_error'); function wordfence_save_activation_error(){ update_option('wf_plugin_act_error', ob_get_contents()); }
16
}
4
Plugin URI: http://www.wordfence.com/
5
Description: Wordfence Security - Anti-virus, Firewall and real-time WordPress security Network
6
Author: Mark Maunder
7
+ Version: 4.0.3
8
Author URI: http://www.wordfence.com/
9
*/
10
if(defined('WP_INSTALLING') && WP_INSTALLING){
11
return;
12
}
13
+ define('WORDFENCE_VERSION', '4.0.3');
14
if(get_option('wordfenceActivated') != 1){
15
add_action('activated_plugin','wordfence_save_activation_error'); function wordfence_save_activation_error(){ update_option('wf_plugin_act_error', ob_get_contents()); }
16
}