Version Description
- Updated Geo IP country database to newest version (September 2014 edition)
- Security fix. Improved referrer sanitization in live traffic.
- Changed scan success messaging for clarity.
- Fixed minor bug in IP validation which manifested when users use IPv6 to IPv4 translation which produces 255.x.x.x addrs.
Download this release
Release Info
| Developer | mmaunder |
| Plugin |  Wordfence Security – Firewall & Malware Scan |
| Version | 5.2.3 |
| Comparing to | |
| See all releases | |
Code changes from version 5.2.2 to 5.2.3
- js/admin.js +1 -1
- lib/GeoIP.dat +0 -0
- lib/wfLog.php +6 -1
- lib/wfUtils.php +2 -2
- lib/wordfenceHash.php +0 -1
- readme.txt +8 -2
- wordfence.php +2 -2
js/admin.js
CHANGED
|
@@ -632,7 +632,7 @@ window['wordfenceAdmin'] = {
|
|
| 632 |
if(res.issuesLists[issueStatus].length < 1){
|
| 633 |
if(issueStatus == 'new'){
|
| 634 |
if(res.lastScanCompleted == 'ok'){
|
| 635 |
-
jQuery('#' + containerID).html('<p style="font-size: 20px; color: #0A0;">Congratulations!
|
| 636 |
} else if(res['lastScanCompleted']){
|
| 637 |
//jQuery('#' + containerID).html('<p style="font-size: 12px; color: #A00;">The latest scan failed: ' + res.lastScanCompleted + '</p>');
|
| 638 |
} else {
|
| 632 |
if(res.issuesLists[issueStatus].length < 1){
|
| 633 |
if(issueStatus == 'new'){
|
| 634 |
if(res.lastScanCompleted == 'ok'){
|
| 635 |
+
jQuery('#' + containerID).html('<p style="font-size: 20px; color: #0A0;">Congratulations! No security problems were detected by Wordfence.</p>');
|
| 636 |
} else if(res['lastScanCompleted']){
|
| 637 |
//jQuery('#' + containerID).html('<p style="font-size: 12px; color: #A00;">The latest scan failed: ' + res.lastScanCompleted + '</p>');
|
| 638 |
} else {
|
lib/GeoIP.dat
CHANGED
|
Binary file
|
lib/wfLog.php
CHANGED
|
@@ -504,9 +504,14 @@ class wfLog {
|
|
| 504 |
$res['blocked'] = $this->getDB()->querySingle("select blockedTime from " . $this->blocksTable . " where IP=%s and (permanent = 1 OR (blockedTime + %s > unix_timestamp()))", $res['IP'], wfConfig::get('blockedTime'));
|
| 505 |
$res['IP'] = wfUtils::inet_ntoa($res['IP']);
|
| 506 |
$res['extReferer'] = false;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 507 |
if( isset( $res['referer'] ) && $res['referer']){
|
| 508 |
$refURL = parse_url($res['referer']);
|
| 509 |
-
if(is_array($refURL) && $refURL['host']){
|
| 510 |
$refHost = strtolower(preg_replace('/^www\./i', '', $refURL['host']));
|
| 511 |
if($refHost != $ourHost){
|
| 512 |
$res['extReferer'] = true;
|
| 504 |
$res['blocked'] = $this->getDB()->querySingle("select blockedTime from " . $this->blocksTable . " where IP=%s and (permanent = 1 OR (blockedTime + %s > unix_timestamp()))", $res['IP'], wfConfig::get('blockedTime'));
|
| 505 |
$res['IP'] = wfUtils::inet_ntoa($res['IP']);
|
| 506 |
$res['extReferer'] = false;
|
| 507 |
+
if(isset( $res['referer'] ) && $res['referer']){
|
| 508 |
+
if(! preg_match('/^https?:\/\/[a-z0-9\.\-]+\/[^\':<>\"\\\]*$/i', $res['referer'] )){ //filtering out XSS
|
| 509 |
+
$res['referer'] = '';
|
| 510 |
+
}
|
| 511 |
+
}
|
| 512 |
if( isset( $res['referer'] ) && $res['referer']){
|
| 513 |
$refURL = parse_url($res['referer']);
|
| 514 |
+
if(is_array($refURL) && isset($refURL['host']) && $refURL['host']){
|
| 515 |
$refHost = strtolower(preg_replace('/^www\./i', '', $refURL['host']));
|
| 516 |
if($refHost != $ourHost){
|
| 517 |
$res['extReferer'] = true;
|
lib/wfUtils.php
CHANGED
|
@@ -207,10 +207,10 @@ class wfUtils {
|
|
| 207 |
public static function isValidIP($IP){
|
| 208 |
if(preg_match('/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/', $IP, $m)){
|
| 209 |
if(
|
| 210 |
-
$m[0] >= 0 && $m[0] <= 255 &&
|
| 211 |
$m[1] >= 0 && $m[1] <= 255 &&
|
| 212 |
$m[2] >= 0 && $m[2] <= 255 &&
|
| 213 |
-
$m[3] >= 0 && $m[3] <= 255
|
|
|
|
| 214 |
){
|
| 215 |
return true;
|
| 216 |
}
|
| 207 |
public static function isValidIP($IP){
|
| 208 |
if(preg_match('/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/', $IP, $m)){
|
| 209 |
if(
|
|
|
|
| 210 |
$m[1] >= 0 && $m[1] <= 255 &&
|
| 211 |
$m[2] >= 0 && $m[2] <= 255 &&
|
| 212 |
+
$m[3] >= 0 && $m[3] <= 255 &&
|
| 213 |
+
$m[4] >= 0 && $m[4] <= 255
|
| 214 |
){
|
| 215 |
return true;
|
| 216 |
}
|
lib/wordfenceHash.php
CHANGED
|
@@ -65,7 +65,6 @@ class wordfenceHash {
|
|
| 65 |
throw new Exception("Invalid response from Wordfence servers.");
|
| 66 |
}
|
| 67 |
wordfence::statusEnd($fetchCoreHashesStatus, false, true);
|
| 68 |
-
|
| 69 |
if($this->malwareEnabled){
|
| 70 |
$malwarePrefixStatus = wordfence::statusStart("Fetching list of known malware files from Wordfence");
|
| 71 |
$malwareData = $engine->api->getStaticURL('/malwarePrefixes.bin');
|
| 65 |
throw new Exception("Invalid response from Wordfence servers.");
|
| 66 |
}
|
| 67 |
wordfence::statusEnd($fetchCoreHashesStatus, false, true);
|
|
|
|
| 68 |
if($this->malwareEnabled){
|
| 69 |
$malwarePrefixStatus = wordfence::statusStart("Fetching list of known malware files from Wordfence");
|
| 70 |
$malwareData = $engine->api->getStaticURL('/malwarePrefixes.bin');
|
readme.txt
CHANGED
|
@@ -3,7 +3,7 @@ Contributors: mmaunder
|
|
| 3 |
Tags: wordpress, security, performance, speed, caching, cache, caching plugin, wordpress cache, wordpress caching, wordpress security, security plugin, secure, anti-virus, malware, firewall, antivirus, virus, google safe browsing, phishing, scrapers, hacking, wordfence, securty, secrity, secure, two factor, cellphone sign-in, cellphone signin, cellphone, twofactor, security, secure, htaccess, login, log, users, login alerts, lock, chmod, maintenance, plugin, private, privacy, protection, permissions, 503, base64, injection, code, encode, script, attack, hack, hackers, block, blocked, prevent, prevention, RFI, XSS, CRLF, CSRF, SQL Injection, vulnerability, website security, WordPress security, security log, logging, HTTP log, error log, login security, personal security, infrastructure security, firewall security, front-end security, web server security, proxy security, reverse proxy security, secure website, secure login, two factor security, maximum login security, heartbleed, heart bleed, heartbleed vulnerability, openssl vulnerability, nginx, litespeed, php5-fpm, woocommerce support, woocommerce caching
|
| 4 |
Requires at least: 3.3.1
|
| 5 |
Tested up to: 4.0
|
| 6 |
-
Stable tag: 5.2.
|
| 7 |
|
| 8 |
Wordfence Security is a free enterprise class security and performance plugin that makes your site up to 50 times faster and more secure.
|
| 9 |
|
|
@@ -89,7 +89,7 @@ To install Wordfence Security on WordPress Multi-Site installations:
|
|
| 89 |
* Wordfence Security is the only security plugin that is fully integrated with it's own high speed caching engine to avoid security and caching conflicts.
|
| 90 |
* Wordfence Security actually verifies your website source code integrity against the official WordPress repository and shows you the changes. We are the only plugin to do this.
|
| 91 |
* Wordfence Security provides two-factor authentication (Cellphone Sign-in) for paid members. We're the only plugin to offer this.
|
| 92 |
-
* Wordfence Security includes
|
| 93 |
* Wordfence Security scans check all your files, comments and posts for URL's in Google's Safe Browsing list. We are the only plugin to offer this very important security enhancement.
|
| 94 |
* Wordfence Security scans do not consume large amounts of your precious bandwidth because all security scans happen on your web server which makes them very fast.
|
| 95 |
* Wordfence Security fully supports WordPress Multi-Site which means you can security scan every blog in your Multi-Site installation with one click.
|
|
@@ -163,6 +163,12 @@ cause a security hole on your site.
|
|
| 163 |
|
| 164 |
== Changelog ==
|
| 165 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 166 |
= 5.2.2 =
|
| 167 |
* Protection from the Slider Revolution Plugin arbitrary file download vulnerability announced today. Attempts to download any .php file including wp-config.php are denied.
|
| 168 |
* Changed the Wordfence Memory config option's label to make it clearer what the option does.
|
| 3 |
Tags: wordpress, security, performance, speed, caching, cache, caching plugin, wordpress cache, wordpress caching, wordpress security, security plugin, secure, anti-virus, malware, firewall, antivirus, virus, google safe browsing, phishing, scrapers, hacking, wordfence, securty, secrity, secure, two factor, cellphone sign-in, cellphone signin, cellphone, twofactor, security, secure, htaccess, login, log, users, login alerts, lock, chmod, maintenance, plugin, private, privacy, protection, permissions, 503, base64, injection, code, encode, script, attack, hack, hackers, block, blocked, prevent, prevention, RFI, XSS, CRLF, CSRF, SQL Injection, vulnerability, website security, WordPress security, security log, logging, HTTP log, error log, login security, personal security, infrastructure security, firewall security, front-end security, web server security, proxy security, reverse proxy security, secure website, secure login, two factor security, maximum login security, heartbleed, heart bleed, heartbleed vulnerability, openssl vulnerability, nginx, litespeed, php5-fpm, woocommerce support, woocommerce caching
|
| 4 |
Requires at least: 3.3.1
|
| 5 |
Tested up to: 4.0
|
| 6 |
+
Stable tag: 5.2.3
|
| 7 |
|
| 8 |
Wordfence Security is a free enterprise class security and performance plugin that makes your site up to 50 times faster and more secure.
|
| 9 |
|
| 89 |
* Wordfence Security is the only security plugin that is fully integrated with it's own high speed caching engine to avoid security and caching conflicts.
|
| 90 |
* Wordfence Security actually verifies your website source code integrity against the official WordPress repository and shows you the changes. We are the only plugin to do this.
|
| 91 |
* Wordfence Security provides two-factor authentication (Cellphone Sign-in) for paid members. We're the only plugin to offer this.
|
| 92 |
+
* Wordfence Security includes protection against DDoS attacks by giving you a performance boost up to 50X.
|
| 93 |
* Wordfence Security scans check all your files, comments and posts for URL's in Google's Safe Browsing list. We are the only plugin to offer this very important security enhancement.
|
| 94 |
* Wordfence Security scans do not consume large amounts of your precious bandwidth because all security scans happen on your web server which makes them very fast.
|
| 95 |
* Wordfence Security fully supports WordPress Multi-Site which means you can security scan every blog in your Multi-Site installation with one click.
|
| 163 |
|
| 164 |
== Changelog ==
|
| 165 |
|
| 166 |
+
= 5.2.3 =
|
| 167 |
+
* Updated Geo IP country database to newest version (September 2014 edition)
|
| 168 |
+
* Security fix. Improved referrer sanitization in live traffic.
|
| 169 |
+
* Changed scan success messaging for clarity.
|
| 170 |
+
* Fixed minor bug in IP validation which manifested when users use IPv6 to IPv4 translation which produces 255.x.x.x addrs.
|
| 171 |
+
|
| 172 |
= 5.2.2 =
|
| 173 |
* Protection from the Slider Revolution Plugin arbitrary file download vulnerability announced today. Attempts to download any .php file including wp-config.php are denied.
|
| 174 |
* Changed the Wordfence Memory config option's label to make it clearer what the option does.
|
wordfence.php
CHANGED
|
@@ -4,13 +4,13 @@ Plugin Name: Wordfence Security
|
|
| 4 |
Plugin URI: http://www.wordfence.com/
|
| 5 |
Description: Wordfence Security - Anti-virus, Firewall and High Speed Cache
|
| 6 |
Author: Wordfence
|
| 7 |
-
Version: 5.2.
|
| 8 |
Author URI: http://www.wordfence.com/
|
| 9 |
*/
|
| 10 |
if(defined('WP_INSTALLING') && WP_INSTALLING){
|
| 11 |
return;
|
| 12 |
}
|
| 13 |
-
define('WORDFENCE_VERSION', '5.2.
|
| 14 |
if(get_option('wordfenceActivated') != 1){
|
| 15 |
add_action('activated_plugin','wordfence_save_activation_error'); function wordfence_save_activation_error(){ update_option('wf_plugin_act_error', ob_get_contents()); }
|
| 16 |
}
|
| 4 |
Plugin URI: http://www.wordfence.com/
|
| 5 |
Description: Wordfence Security - Anti-virus, Firewall and High Speed Cache
|
| 6 |
Author: Wordfence
|
| 7 |
+
Version: 5.2.3
|
| 8 |
Author URI: http://www.wordfence.com/
|
| 9 |
*/
|
| 10 |
if(defined('WP_INSTALLING') && WP_INSTALLING){
|
| 11 |
return;
|
| 12 |
}
|
| 13 |
+
define('WORDFENCE_VERSION', '5.2.3');
|
| 14 |
if(get_option('wordfenceActivated') != 1){
|
| 15 |
add_action('activated_plugin','wordfence_save_activation_error'); function wordfence_save_activation_error(){ update_option('wf_plugin_act_error', ob_get_contents()); }
|
| 16 |
}
|
