WP Security

Upgraded to Wordfence Premium to get real-time login defence, malware scanner and two-factor authentication for WordPress logins

July 23, 2018 by Simon

This is a quick post that shows how I upgraded to Wordfence Premium to get real-time defence feeds, malware scanner and two-factor authentication for WordPress logins

Aside

If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.

Buy a domain name here

Now on with the post.

What is Wordfence

WordFence is a free WordPress plugin (install guide here) that helps protect your WordPress site by logging and blocking bad events. I was a big fan of the Wordfence sister program called GravityScan (before it was retired)

Read my review of the free Wordfence plugin here.

I was using Wordfence free to

Whitelist logins for known IP’s (read my guide on whitelisting IPs here)
Block known bad IPs from the Wordfence global network (but with a 30-day delay)
Create a firewall
Rate limiting page requests
Scan my site for malware
Ability to see past failed logins (and ban them)
Ability to block/ban users who try and login form new IP’s
Force strong WordPress account passwords
Set ban thresholds
Have I Been Pwned breached password checks
Much more

Install and set up Wordfence (Free)

Read my guide here to learn how to setup Wordfence (Free).

Malware Infections

Your website is often scanned and ranked for safety by sites like Norton Safe Web, Google, Trend Micro, Kaspersky Virus Desk, SiteGuarding etc along with search engines. Having malicious files on your site will affect your site Search EnginOptimizationio (SEO).

I had a 5-year-old scan of a subdomain (that was hosted on a CPanel Host). The subdomain had false positives for malware.

Working to remove the false positive was a lengthy process.

You should aim to stay off the radar or many site scanning, check VirusTotal often to keep your self-updated as to the status of your website. Wordfence will hopefully detect real malware issues automatically in the future.

https://sitecheck.sucuri.net/ is a good site that can aggregate your sites safety ratings.

WordfFence Free v Premium

Wordfence Premium

Prices (USD)

WordFence Premium

Read about some benefits of Wordfence Premium here.

Real-time firewall rules and malware signatures
Global Wordfence premium IP blacklist
Priority server processing for premium customers
Two Factor Authentication (only if you don’t use whitelisting I found out)

Buying a Wordfence Premium API Key

Login to https://www.wordfence.com/dashboard/
Click Buy More API Keys
Enter your Payment Details

>Thanks, your card information has been updated. You can now go to your API Key Manager and create and manage your Wordfence API keys.

Now you can buy an API key and copy and paste the API ey o to your Wordfence plugin.

Wordfence Firewall

Wordfence does a great job at showing failed/successful, top blocked IP’s

Wordfence Malware Scanner

Wordfence premium has schedulable scans with real-time malware signatures

Scan Progress

Testing the scanner

Wordfence says “A Wordfence scan examines all files on your WordPress website looking for malicious code, backdoors, shells that hackers have installed, known malicious URLs and known patterns of infections.”

I created an eicar.txt test file (information on eicar here (slightly modified so I don’t get tagged again b virus scanners)) to test the Wordfence malware scanner

echo 'X5O!P#removed#X54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /www-root/eicar.txt
sudo chown www-data:www-data eicar.txt

I enable scanning of files outside of WordPress

I rescanned my site with Wordfence

Result: Nothing??

I logged a support ticket to see if this is right?

Update: Wordfence support replied and said “Thanks for writing in. We do detect the EICAR test file, but scans don’t scan file types that aren’t dangerous on a site by default, since scans would waste a lot of time on files that aren’t exploitable.“

I disagree a virus is a virus.

Wordfence says “A Wordfence scan examines all files on your WordPress website looking for malicious code, backdoors, shells that hackers have installed, known malicious URLs and known patterns of infections.”

I guess “all” does not mean “all”?

Wordfence support said EICAR files are detected if I rename the file to php. I renamed the file and to enabled “Scan images, binary, and other files as if they were executable“.

I started a new scan

> Scan Failed
>The scan has failed because we received an unexpected response from the Wordfence servers. This may be a temporary error, though some sites may need adjustments to run scans reliably

🙁

I scanned my system with ClamAV and it found the EICAR file.

clamscan -r --bell -i /www-root

Result:

/www-root/eicar.txt: Eicar-Test-Signature FOUND

ClamAV found the virus.

Setting up Two Factor Authentication (work in progress)

Add your desired user and number

Click Enable User

Wait for the text message and activation code (on your phone)

Enter the activation code and press Activate

The two-factor authentication should be activated

List of two-factor authorization enabled users.

I logged out of WordPress and logged back in but the two-factor auth did not work, I logged a support Ticket with my theme maker and WordFence.

Update: Wordfence Support “Wordfence > Tools > Two Factor Authentication options there is an option for Enable Separate Prompt for Two Factor Code which you could disable and try.“

This fix did not work. I sent a 2nd diagnostics report to Wordfence.

Wordfence support said

>When our two-factor authentication feature allows you to login bypassing the need to enter the authentication code it is typically because of these possible reasons:

> 1) The user has whitelisted their IP address in the advanced firewall option “Whitelisted IP addresses that bypass all rules“.

>2) Another plugin, or possibly a theme, that creates non-standard WordPress behaviour such as user role and capabilities modification, or that modifies the login flow process in some way.

It appears my IP whitelist was disabling the two-factor auth feature 🙁

I’d rather keep the two-factor auth along with keeping the whitelist (just in case my whitelist IP is known and used).

Refund

I asked Wordfence for a refund (given)

Conclusion

Pros

Protects and blocks bad logins
Real-time blocked IP and malware feeds

Cons

Almost $140 Australian dollars a year
A scan does not detect eicar.txt test virus files (ticked logged), renamed to eicar.php and still no luck.
Two-factor auth (authenticator and SMS) does not work (ticket logged)
Wordfence support resolve/close support tickets with no confirmation from the user.
Two Factor Auth is disabled if you whitelist IPs 🙁

Is Premium worth it? Yes if you want “Real-time firewall rules and malware signatures” (and don’t whitelist your IP).

I hope this guide helps someone.

Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.4 Updated conclusion and Wordfence refund

v1.3 added whitelist 2FA info

v1.2 added replied from Wordfence support re EICAR and Two Factor Auth.

v1.1 Added Pros and Cons section

v1.0 Initial Post

Set up a whitelisted IP on an UpCloud VM and WordPress using a VPN to get a static IP address

July 5, 2018 by Simon

This is how I set up a whitelisted IP on an UpCloud VM and WordPress using a VPN to get a static IP address

Buy a domain name from Namecheap here.

Before you begin

Take a backup of WordPress files + database and take a snapshot of your VM (see my UpCloud VM guide here).

Having a ready backup IS a good idea.

Why Whitelist

Whitelisting is not bulletproof but it is an important link in the security chain. Security is only as good or bad as the strength of your weakest link.

Using updated software, applying patches, using HTTPS, using a reliable host in a reliable location, using good passwords are equally important as IP filtering. Whitelisting IP’s goes a long way to ensuring you have least access privileges on connections.

Remember to scan your site with OWASP Zap, Qualys and Kali Linux too.

What IP’s are you going to Whitelist?

Q1) Does your ISP offer a static IP address (or a dynamic IP)?

My ISP does NOT provide a static IP by default (I can pay $20 a month for one (that’s too expensive)).

You can check your public IP by loading http://icanhazip.com/ (this will return your public IPV4 address).

Load https://ipv6.icanhazip.com/ to view your IPV6 IP (if you have one)

Q2) Do you need to whitelist IP addresses while on the go (Mobile)? If so I would recommend you whitelist a VPN’s IP or IP range.

Recently I had Apache web server auto-install and knock out my NGINX web server and I needed to login on a mobile device to investigate, Luckily I whitelist my VPN’s IP and logged in from my mobile device and resolved the issue.

Use a VPN to get a static IP

If you don’t have a static IP or you want to connect to your site on the go (Mobile) you can set up a VPN and use their static IP

I was using http://cyberghostvpn.com/ to have a static IP but a server failure in Sydney caused my defined whitelisted IP to disappear so I change to https://protonvpn.com/ (as Cybergost were unable to provide known IP’s of VPN servers).

TIP: Don’t just whitelist one server, whitelist a few as you never know when a server will go down.

Here is a screenshot of the 1st VPN I tried (Cyberghost), Cyberghost VPN is connected to a specified server (Dallas).

I switched to ProtonVPN.

Here is a screenshot of ProtonVPN connected to a Switzerland server. Read more about Proton VPN here.

I set Proton VPN to auto-start and connect to my desired server

Proton VPN offered me a 7-day PLUS trial (All Countries, 5 devices, highest speed, secure core etc) after I started using the free version (3 countries, 1 device, speed low). I assume everyone gets the same PLUS trail offer.

You can view Proton plans and pricing here.

Ok, now that we know how to get a static IP, let’s configure some firewalls.

Network Firewall at UpCloud

I use the awesome UpCloud to hold my domains (read more about UpCloud performance here). You can log in to your UpCloud Dashboard and load the server list, click your server and then click Firewall and define firewalls.

Firewall: Open IPv4/IPv6 ports for:

ICMP
53 (DNS)
80 (HTTP)
443 (HTTPS)

Only allow access to port 22 from whitelisted IP’s (or IP ranges)

I like to set separate firewall rules for IPV4 and IPV6, for TCP or UDP and I limit rules to certain IP range and port.

Ubuntu Firewall

I also like to run a ufw firewall (more information on ufw) on my Ubuntu server (read this guide on securing Ubuntu in the cloud and running a Lynis audit).

Manually setup firewall rules in ufw.

sudo ufw allow from 1.2.3.4 to any port 22
sudo ufw allow from 1.2.3.5 to any port 22
sudo ufw allow from 1.2.3.6 to any port 22

Don’t forget t restart your firewall

sudo ufw disable
sudo ufw enable

Run a local nmap scan to find open ports

nmap -v -sT localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-04 22:30 AEST
Initiating Connect Scan at 22:30
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 443/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Completed Connect Scan at 22:30, 0.02s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000086s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Don’t be concerned if you see open ports from a local nmap scan (e.g port 22 or 3306), these are locally open. We need to scan externally to see if these ports are opened.

Scan your site with an external nmap tool like pen-test-tools or here.

You should not have non-web based service ports freely open externally (web-based ports e.g 80 and 443 are ok)

Port 22 access should be whitelisted to select IP’s only. You should not have any database ports open externally.

Whitelisting WordPress Access

Download WordFence plugin for WordPress from https://www.wordfence.com/

Read more on downloading WordPress plugins from the command line here. Read my past Wordfence post here.

Once Wordfence is installed open the WordFence All Options screen (/wp-admin/admin.php?page=WordfenceOptions).

Now you can add your static IP (or IP ranges) to the WordFence whitelist.

Setup auto block for any non whitelisted Itryingng to login to /wp-login.php

I permanently ban any IP accessing my login page (there are many).

What to do with rejected IP connections?

Wordfence will block connections to WordPress. I’d suggest you setup fail2ban to block other unwanted connections at network level too.

Conclusion

You should now have a VM that will allow port 22 access by whitelisted IP’s and a WordPress that only allows logins from whitelisted IP’s.

Cons

If you forget to start your VPN you can’t log in to your VM via port 22 or log in to WordPress (excellent, this is by design).

Pros

Secure (need I say more)

I hope this guide helps someone.

Please consider using my UpCloud referral code and get $25 UpCloud VM credit for free when you signup to create a new VM.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.2 Added Proton plans link

v1.1 Added auto block WordFence option

v1.0 Initial Post

Using the Qualys FreeScan Scanner to test your website for online vulnerabilities

March 23, 2018 by Simon

It is possible to deploy a server in minutes to hours but it can take days to secure. What tools can you use to help identify what to secure on your website?

I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line, installing a Free SSL certificate and setting up SSL security.

Security Tools

https://asafaweb.com/ is a good tool for quick scanning
Kali Linux has a number of security tools you can use.
You can run a system audit Lynis Audit.
Checking your site for vulnerabilities with Zap.
Run a Gravity Scan malware and supply chain scan
Use Qualys SSL scan to test your SSL certificate: https://www.ssllabs.com/ssltest/

Qualys SSL Labs SSL Tester is the best tool for checking an SSL certificate strength

Most people don’t know Qualys also has another free (limited to 10 scans) vulnerability scanner for websites.

Goto https://freescan.qualys.com/ and click Start your free account.

Complete the signup form

Now check your email to login and confirm your email account

Login now from the email.

Create a password (why the 25 char max Qualys?)

Enter your website URL and click Scan

The scan can take hours

While the scan was being performed I noticed that Qualys offers alerts (I’ll check this out later): https://www.qualys.com/research/security-alerts/

Yes, the scan can take hours, take a walk or read other posts here.

The scan is almost complete

Yay, my latest scan revealed 0 High, 0 Medium and 0 Low-risk vulnerabilities.

It did report 23 informational alerts like “Firewall Detected“.

Threat Report Results

Patch Report Results

This report was empty (probably because I don’t run Windows)

Threat Report Results

The OWASP report contained partial scan results (maybe the full report is available to pro users)

Previous Scan Results

The Qualys dashboard will show all past scans.

My first scan showed a Low priority issue with the /wp-login.php page as the input fields did not have “autocomplete=”off””, I fixed this by adding “autocomplete=”off”” the removing the page (safer).

The second scan found two issues with cookies (possibly ad banner cookies) and 2 subfolders that I created in past development exercises. I deleted the two sub-folders that were not needed.

The third scan was clean.

Here is a scan of a static website of a friends server (static can be less secure if the server underneath is old or unpatched).

Happy scanning. I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.1 Static Web Server Scan

v1.0 Initial post

Scanning WordPress with Gravity scan for free to detect Supply Chain Attacks and WordPress malware

January 5, 2018 by Simon

A recent trend with some WordPress Plugins (and Google Chrome Extensions) is malicious parties will purchase existing plugins (extensions) and inject malicious code into new versions to infect sites and software, this is called “Supply Chain Attacks”. This is a personal unpaid review of Gravity Scan.

Update Feb 2018: Gravity Scan is shutting down 🙁

Recently WordFence wrote a blog post about Supply Chain Attacks found cases where older plugins are being purchased by malicious people in order to infect WordPress sites. WordPress CMS apparently runs 29% of the websites on the internet. Wordfence is a firewall and Gravity Scan is a vulnerability scanner, they complement each other.

I have blogged here about setting up WordPress via Command line and setting up an Ubuntu server for as low as 42.5 a month on Vultr.

What can you do to protect your WordPress sites from “Supply Chain Attacks”? First, install the WordFence plugin (I blogged about it here). Wordfence gives you a great set of security settings and reports to keep your site safe. The Wordfence dashboard page on your site is a good place to stay up to date.

WordFence is a Firewall, Gravity scan is a vulnerability and malware scanner. Read more here.

Gravity Scan

Gravity scan is also made by the WordFence people to enable external audits and reports.

At login, you will be prompted to add a domain.

Scan

tip: You may want to whitelist Gravity scan servers. Read my guide about securing Ubuntu in the cloud.

sudo ufw allow from 68.64.48.0/27 to any port 443

A site scan will automatically be started.

Scan Results

Post Scan Actions

Speed Up future scans by downloading the Install Gravity Scan Accelerator (by clicking “Not instaled” under “Accelerator” in scan results) and follow the instructions to download, upload and verify the accelerator.

Read the Gravity Scan Accelerator Install Instructions here.

tip: I had to run the following command to make the

sudo chown www-data.www-data /www/gravityscan-agent-#############################################.php

I also clicked “Trust Badge” link and added the script code to my site and verified it.

I now have a scan badge in my site footer.

Future scans are all good to go.

New Scan Options

It looks as if the accelerator gives more server-side verifications of checks of WordPress and PHP versions etc.

Go Pro

Gravity Scan also offers a non-free (paid) version where you can enable more options, enable scan schedules and set up SMS alerts and more for $4.95 a month per site.

To be honest I am happy with performing manual scans and I’d rather pay for a premium WordFence subscription first.

The Catch

Hang on Gravity scan requires a Pro membership to see High and Critical issues 🙁

I decided not to go pro to reveal issues.

A few months later

I started receiving scan results with severity Critical (but I can’t see results until I start a trail (and enter payment details)).

Time to start a trial

I started a trial and full details were shown, the critical error was my fault

Critical Issue

This was my fault, I left a previous version of WordPress in a subfolder from when I moved the site to a self-managed server. A quick few Linux commands later (removed) and this was fixed.

High Issue

Publically accessible file (fixed with a chmod command)

Current Scan Results

Remote Scan Options

Daily Scans, Alter levels, Malware, Vulnerability and status checks. Definitely, install the Accelerator as it found my local backup of WordPress.

Pros

Found a publically readable file
Found a past copy of my WordPress site (and all known issues with the old WordPress backup).
Can setup daily remote scans.

Cons

You have to go pro.
Can’t read my NGINX version (“Nginx version not detected, Gravityscan is unable to detect any associated vulnerabilities.“). I logged a ticket. Surely they can add a shell to”nginx -v” to the scan accelerator.
No word fence discount bundle?
Gravity scan and Word fence on twitter are slow to respond.

More to come.

More Reading

Hope this helps someone.

Donate and make this blog better

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

V.1.5 Gravity Scan shutting down

v1.4 Added remote scan options

v1.3 Pros and Cons and current results.

v1.2 Added more

v1.1 Fixed a few issues

v1.0 Initial Version

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

WP Security

Set up a whitelisted IP on an UpCloud VM and WordPress using a VPN to get a static IP address

Using the Qualys FreeScan Scanner to test your website for online vulnerabilities

Scanning WordPress with Gravity scan for free to detect Supply Chain Attacks and WordPress malware

Popular

Security

Code

Tech

Wordpress

General

WP Security

Footer

Popular

Security

Code

Tech

Wordpress

General