Shoutout to Bluehost

Bluehost reached out to me a few weeks ago to say “Hi, and by the way we love Wordfence”. I was doubly stoked because they have been my favorite WordPress host for some time now. To date I still haven’t found a single performance issue or vulnerability on their platform. Their stuff just works!

So we’ve become friends and today they gave us a very nice mention on their blog.

We’ve been crazy busy at Wordfence with a ton of new signups and I haven’t had time to set up a blog for www.wordfence.com, so in the meantime I thought I’d post my love for Bluehost here. Wordfence blog coming soon!!

If you’re looking for a way to secure WordPress, get Wordfence here!

How to (really) choose WordPress Hosting

I am the creator and maintainer of Wordfence, an anti-virus and security plugin for WordPress. It is still a young plugin, but it is already about to pass 50,000 downloads.

Often when our customers have a problem with Wordfence, they create a temporary admin account for me and I sign in to their (usually) hosted WordPress site to diagnose it. So I’ve experienced a large number of WordPress hosts over the last few months.

Wordfence is a fairly complex plugin. It has an admin interface that provides real-time traffic views, and these contact our API servers in real time to do things like resolve the geolocation of IP addresses. Admins can also kick off a scan and watch it run, and of course scheduled scans run in the background on a regular basis.

The background scans have provided a fair amount of insight into which hosts have issues and which don’t. For example, when a WordPress cron job or a Wordfence scan starts a scheduled event, it needs the server to be able to connect back to itself. A surprisingly large number of servers are unable to do this because they don’t know their own hostname or have some other problem.

I’ve also seen a number of servers that have trouble making connections to external servers like our API server. Some have intermittent issues and some don’t make the connection at all.

Perhaps the most frequent problem I’ve seen is too little memory for WordPress. This manifests in several ways:

  • The most common is that the php.ini memory_limit variable is set too low. 30 Megs is a common setting, which is too low for a WordPress site running many plugins or one or two complex plugins or themes.
  • The next most common is that the Apache RLimitMem setting is set too low, so Apache prevents PHP from allocating more memory even if memory_limit is set to a high value. I’ve frequently seen low RLimitMem settings combined with a high php.ini memory_limit value – an obvious misconfiguration.
  • The most difficult problem to diagnose is where the host has configured PHP and Apache with high memory values, but a killer daemon running on the host simply kills any process that grows beyond a certain size. This is rare, but it exists.

To give you some perspective on how serious too little memory is, here is how it usually manifests itself: A customer installs plugins until they are right at the threshold of the maximum memory their host has provided. They then install one more plugin and it causes WordPress to “white screen”, meaning that the WordPress site simply doesn’t load. This usually means the plugin needs to be uninstalled via FTP because the WordPress admin interface is no longer available.

I’ve run across several hosts who limit the maximum running time of an Apache process to as little as 15 seconds. This is not enough for longer running WordPress cron jobs. We have coded a workaround in Wordfence for hosts like these, but this will still affect WordPress’s own scheduled jobs if they run longer than 15 seconds.
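The checks above (memory_limit, a ceiling outside php.ini such as RLimitMem or a process killer, the process time limit, the loopback connection that scheduled jobs need, and outbound connectivity) can be exercised with a single throwaway script. The following is an added example, not Wordfence’s own code; it assumes the curl extension is loaded and that the script is uploaded to the WordPress root, opened once in a browser and then deleted:

```php
<?php
// wp-host-check.php: added illustration, not Wordfence's own code.
// Upload to the WordPress root, open it once in a browser, then delete it.
// It exercises what the post says hosts get wrong: memory_limit and any
// ceiling outside php.ini (RLimitMem, a process killer), max_execution_time,
// the loopback request WP-Cron depends on, and an outbound HTTPS request.
// Assumes the curl extension, which WordPress itself prefers when present.

header('Content-Type: text/plain');
@ini_set('display_errors', '1');   // make a PHP fatal error visible in the output

// Converts php.ini shorthand ("30M", "512K", "1G", "-1") into bytes.
function php_size_to_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '-1') {
        return PHP_INT_MAX;            // -1 means "no limit" in php.ini
    }
    $number = (int) $value;            // (int) "256M" === 256
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $number * 1024 * 1024 * 1024;
        case 'M': return $number * 1024 * 1024;
        case 'K': return $number * 1024;
        default:  return $number;
    }
}

// HTTP GET with a hard timeout; returns array(ok, detail).
function http_probe(string $url, int $timeout = 5): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => $timeout,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_USERAGENT      => 'wp-host-check',
    ));
    curl_exec($ch);
    $err  = curl_error($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return $err === '' ? array(true, "HTTP $code") : array(false, $err);
}

$limit      = ini_get('memory_limit');
$limitBytes = php_size_to_bytes($limit);
printf("php.ini memory_limit      : %s\n",
    $limit === '-1' ? 'unlimited' : sprintf('%s (%d MiB)', $limit, $limitBytes >> 20));
printf("php.ini max_execution_time: %s seconds\n", ini_get('max_execution_time'));

// WP-Cron and scheduled Wordfence scans begin with a request from the server
// to itself. SERVER_NAME comes from the vhost config, not the client's Host header.
$scheme = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https' : 'http';
$self   = $scheme . '://' . $_SERVER['SERVER_NAME'] . '/wp-cron.php';
list($ok, $detail) = http_probe($self);
printf("loopback to %s: %s\n", $self, $ok ? "ok ($detail)" : "FAILED ($detail)");

// The endpoint WordPress itself contacts for update checks; if this fails,
// core and plugin updates and any cloud-backed plugin fail the same way.
$out = 'https://api.wordpress.org/core/version-check/1.7/';
list($ok, $detail) = http_probe($out);
printf("outbound to %s: %s\n", $out, $ok ? "ok ($detail)" : "FAILED ($detail)");

// Memory probe: hold 8 MiB chunks up to one chunk below memory_limit (capped
// at 256 MiB). Hitting memory_limit prints an "Allowed memory size" fatal
// error; output that simply stops with no error at all means something
// outside PHP (RLimitMem, a process-size killer) ended the request first.
$chunk  = 8 << 20;
$target = min($limitBytes, 256 << 20) - $chunk;
$held   = array();
for ($total = 0; $total + $chunk <= $target; $total += $chunk) {
    $held[] = str_repeat('x', $chunk);
    printf("allocated %3d MiB so far\n", ($total + $chunk) >> 20);
    flush();
}
printf("memory probe complete: held %d MiB without being killed\n", count($held) * 8);
```

Run it through the web server, not the command line: the CLI has its own php.ini and is not subject to Apache’s RLimitMem, so only a request served by Apache shows the effective limits. If output buffering (gzip, a caching layer) swallows the progress lines, disable it for the test so the point at which the process is killed is visible.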

Another problem I ran across 2 months ago is a very (very) large WordPress host whose deployment system was corrupting WordPress core files. This means every new WordPress install started off as corrupt. We spotted this because Wordfence alerted that core files on a fresh install were different from the originals. We thought this was a bug, but it turns out their deployment system was corrupting a core file in a way that created subtle bugs in the editing interface of WordPress. They have undertaken to fix the issue and I haven’t confirmed if they have.

And finally there’s performance. When I sign in to various hosts to diagnose issues I’ll sometimes experience a snappy interface and occasionally it’s just dog slow. The WordPress admin interface, which tends to consume more memory and CPU than a non-authenticated site visitor, just screams that the host is overselling their virtual servers because it takes a while to load.

When we first created Wordfence we bought space on the top WordPress hosting providers and made sure our software ran on all of them. It’s now several months later and I’ve had the experience of working with many customer installations across many more hosts.

When choosing a host, find out the following:

  • What is the real memory limit? [In php.ini, apache2.conf and any other limits]
  • What is the longest time a process can run before they kill it?
  • Install Wordfence on the new machine and verify core files are intact.
  • Make sure the interface is snappy and stays that way.
  • Make sure the host has been in business for a while and will be for the foreseeable future.

The one host that in my experience stands out head and shoulders above others is Bluehost. They are one of the larger hosts and I’ve never had a problem with performance, memory, scheduled jobs or anything else on one of their WordPress installs. Starting today I’m recommending our clients head over there to get rock solid WordPress hosting.

Time for a Linode downgrade

My credit card number was stolen a few days ago by someone in Palo Alto right after my site was on Hacker News’s home page. I’m going to choose to believe they are unrelated. Interesting though since I don’t live or work in California and this card has never visited there. On the positive side, Visa Signature customer service is worth every penny and 2 new cards arrived on my doorstep in France in 48 hours.

But moving on to the point of this blog entry… it forced me to look at all the recurring fees I’m paying for and either update the card number to my new card or ditch the service.

I discovered my Linode fees had crept up to $115 a month for three servers and one getting backed up. So I ditched the two dev servers and was still paying $60 for a Linode 1536 instance with backup fees.

  • So I deleted log files and brought the disk space down to 12 gigs from 50 gigs.
  • Added more aggressive log rotation to protect from running out of space.
  • Optimized Apache to only have 5 children.
  • Optimized nginx as a reverse proxy so slow clients won’t hog the apache children by setting a shorter proxy timeout.
  • Added mod_status to do real-time checks on how many apache children are busy and what site they’re serving. (This server actually runs 3 sites including skipthepie.org and the website for my sister’s amazing Cape Town restaurant.)
  • Set MaxRequestsPerChild for apache to be 100 to make sure the apache kids don’t grow if there’s a memory leak.

This of course assumes you’re running nginx in front of apache as a reverse proxy, without which you absolutely can’t run a medium traffic website on nothing but thin air.
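The Apache side of the changes listed above, as an added example and not the author’s actual configuration. It assumes Apache 2.2 with the prefork MPM, bound to localhost behind nginx; the pool sizes are placeholders for a 512 MiB VPS:

```apache
# Added illustration of the Apache side of the list above; not the author's
# actual configuration. Assumes Apache 2.2 with the prefork MPM listening
# only on localhost behind nginx. Pool sizes are placeholders for a 512 MiB VPS.

# Only nginx talks to Apache, so bind to loopback rather than the public IP.
Listen 127.0.0.1:8080

<IfModule mpm_prefork_module>
    StartServers        2
    MinSpareServers     1
    MaxSpareServers     3
    # Five children is the whole pool; nginx absorbs slow clients, so each
    # child returns to the pool as soon as PHP has produced the response.
    MaxClients          5
    # Recycle a child after 100 requests so a PHP memory leak cannot make a
    # long-lived child grow until the box swaps.
    MaxRequestsPerChild 100
</IfModule>

# mod_status restricted to localhost: shows which children are busy and the
# vhost and URL each one is serving right now.
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
```

Two caveats. First, because nginx proxies from 127.0.0.1, a request for /server-status that arrives through nginx also looks local to Apache, so either deny that path in the nginx server block or query the status page directly on port 8080 from the box. Second, the “shorter proxy timeout” item maps to nginx’s proxy_connect_timeout and proxy_read_timeout directives in the location that proxies to Apache. On Apache 2.4 the equivalents are MaxRequestWorkers, MaxConnectionsPerChild and “Require local” in place of the Order/Deny/Allow lines.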

Once it was all done, I shrunk the disk down to 20 gigs, rebuilt the server as a 512, got my $36 prorated refund from Linode (thanks guys, very nice policy!!) and I’m now paying $25 a month for hosting instead of $115 (or saving $1080 per year).

Not exactly rocket science or Earth Shattering, but always nice to keep things lean and mean.


Introducing Wordfence, the Ultimate WordPress security plugin.

Exec Summary: Last year this WordPress blog was hacked, which led me to discover the timthumb vulnerability you may have heard of. I fixed timthumb and worked with Ben, the author, to release timthumb 2.0. Then I started work on Wordfence, what I hope will be the best security plugin in the business for WordPress. Wordfence is now completing beta testing. Install it, it’s free and it will help protect your site and keep you off Google’s malware list and in the search results. For beginners: you install Wordfence by going to your WordPress blog’s “Plugins” menu, clicking “Add New” and searching for “Wordfence”.

Full Post:

Last year on August 1, this WordPress blog was hacked. Thankfully I caught it quickly enough to stay off Google’s malware list. I retraced the hacker’s steps and discovered a zero day vulnerability in many WordPress themes and plugins in the form of a popular image resizer called timthumb.php.

So I rewrote timthumb.php and worked with the author of timthumb and some of the WordPress team to merge my code into timthumb and we launched it as timthumb version 2.0.

But getting hacked made me realize that as awesome as WordPress is, it can do security better.

So I dropped everything and spent the last few months writing what I hope will be the last word in WordPress security.

A few days ago I quietly released Wordfence into the WordPress plugin repository. Since then I’ve been working with some amazing WordPress publishers to make Wordfence even better and I’ve been rapidly rolling out improvements, enhancements and (yes, believe it or not) a few bug fixes. I’d say Wordfence is getting close to finishing Beta testing at this point.

Except for two (rather minor) features, Wordfence is completely free. It is also backed up by a cluster of cloud based scanning servers that do most of the heavy lifting to keep your site running super fast.

Here are some of the more notable ways Wordfence enhances your WordPress security:

  • Scans your core files against a reference copy which I maintain in our cloud servers.
  • Lets you see what has changed, how the file has changed and even repair it.
  • Scans your comments, posts and all files including core, themes, plugins and everything else under your WordPress root directory for malware, virus signatures, vulnerabilities and (very importantly) URLs that are known to host malware or viruses.
  • I want to re-emphasize the last point. Wordfence keeps known dangerous URLs, including ALL URLs that are on Google’s safe browsing list, out of your comments, pages, posts and files. This is by far my favorite feature because it’s virtually guaranteed to keep you off the dreaded red-page-of-death-malware-list that Chrome and Google use to ban sites.
  • Wordfence comes with a complete firewall that lets you set up rules based on the type of traffic and either throttle or block offenders with an SEO-safe 503 (come back later) HTTP message.
  • Another favorite feature of mine is that you can block fake Google crawlers. I actually added this after I tested Wordfence on this site because I couldn’t believe how many scrapers were pretending to be Googlebot. So now they are all instantly blocked.
  • Wordfence uses Google’s recommended reverse-forward DNS verification to sift the fake Googlebots from the real ones.
  • It includes login security against every form of brute force attack out there including abusing your lost-password form.
  • And what’s the point of having all this awesome security if you can’t see who is visiting, who’s getting blocked and what humans and robots are doing? So Wordfence includes real-time traffic that wait..for…it…
  • …Includes crawlers, scrapers, robots and all non-human traffic. Something you can’t get from Google Analytics or any other JavaScript-based analytics package.
  • I’ve even broken out Googlebot, other crawlers, 404 errors, humans and there’s an All Hits view.
  • And of course it includes commercial grade city-level geolocation which is another feature that comes from our cloud servers.
  • Wordfence is also built using much of the knowledge I’ve gained building Feedjit’s real-time analytics, so it is careful to minimize any impact on network, website and MySQL database performance and keep your website running super-fast.
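The core file check in the first two bullets above comes down to comparing a manifest of known-good hashes against the live tree. The following is an added example of that comparison, not Wordfence’s own code: the manifest format (relative path to sha256) and the two-file fake WordPress tree it builds in a temporary directory are constructed for the demo, and a real deployment would build the reference manifest from a pristine download of the same WordPress version:

```php
<?php
// Added illustration of core-file integrity checking; not Wordfence's code.
// A reference manifest (path => sha256) is built from a known-good copy and
// compared to the live tree. The demo at the bottom writes both trees into a
// temporary directory, so `php integrity-check.php` runs anywhere.

// Walks $root and returns [relative path => sha256 of contents].
function build_manifest(string $root): array
{
    $manifest = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $manifest[str_replace('\\', '/', $rel)] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($manifest);
    return $manifest;
}

// Compares the live tree to the reference: modified, missing and unexpected paths.
function compare_manifest(array $reference, array $live): array
{
    $result = ['modified' => [], 'missing' => [], 'unexpected' => []];
    foreach ($reference as $path => $hash) {
        if (!isset($live[$path])) {
            $result['missing'][] = $path;
        } elseif (!hash_equals($hash, $live[$path])) {
            $result['modified'][] = $path;
        }
    }
    foreach (array_diff_key($live, $reference) as $path => $_) {
        $result['unexpected'][] = $path;   // a file that core never ships, e.g. a dropped backdoor
    }
    return $result;
}

// Writes a small constructed tree for the demo; not real WordPress core.
function write_tree(string $root, array $files): void
{
    foreach ($files as $rel => $contents) {
        $path = "$root/$rel";
        @mkdir(dirname($path), 0700, true);
        file_put_contents($path, $contents);
    }
}

$base  = sys_get_temp_dir() . '/wp-integrity-' . bin2hex(random_bytes(4));
$clean = [
    'wp-includes/version.php' => "<?php \$wp_version = '3.2.1';\n",
    'wp-admin/admin.php'      => "<?php // admin bootstrap\n",
];
write_tree("$base/reference", $clean);

// Live copy: one file tampered, one removed, one unexpected file added.
$tampered = $clean;
$tampered['wp-includes/version.php'] .= "// injected line\n";     // constructed tampering
unset($tampered['wp-admin/admin.php']);
$tampered['wp-includes/extra.php'] = "<?php // not part of core\n";
write_tree("$base/live", $tampered);

$report = compare_manifest(build_manifest("$base/reference"), build_manifest("$base/live"));
foreach ($report as $kind => $paths) {
    printf("%-10s %s\n", $kind, $paths ? implode(', ', $paths) : '-');
}
// Both trees are left under $base for inspection.
```

The demo reports wp-includes/version.php as modified, wp-admin/admin.php as missing and wp-includes/extra.php as unexpected. Reporting unexpected files matters as much as modified ones: a backdoor is usually a new file dropped next to core, not a change to an existing one, and it only shows up if the scan enumerates the live tree rather than just the manifest.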

Most importantly, Wordfence also comes with a commercial license if you prefer first-class support, and there are support forums for free users, including a generic WordPress security forum where I’m happy to answer general config questions.

Improving WordPress security is going to be a marathon, not a sprint. I’m in this for the long haul. So check out Wordfence now by installing it on your blog and work with me to make the Web and WordPress more secure.
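The Googlebot check mentioned in the feature list (reverse DNS on the client IP, then forward DNS on the resulting name) is small enough to show in full. The following is an added example, not Wordfence’s code; the resolvers are injectable so the demo runs offline against constructed DNS answers (the IP addresses and PTR names below are made up for the demo), and with the defaults it uses PHP’s gethostbyaddr and gethostbynamel against real DNS. It assumes PHP 7.1 or later:

```php
<?php
// Added illustration of Google's reverse-then-forward DNS verification for
// Googlebot; not Wordfence's code. Resolvers are injectable so the demo at the
// bottom runs offline with constructed answers; the defaults query real DNS.

// True only if (1) the PTR record of $ip ends in googlebot.com or google.com
// and (2) forward DNS of that name lists $ip again. Step 2 is what defeats a
// forged PTR: anyone controls reverse DNS for their own IP, nobody but Google
// controls what crawl-*.googlebot.com resolves to.
function is_real_googlebot(string $ip, ?callable $reverse = null, ?callable $forward = null): bool
{
    $reverse = $reverse ?: 'gethostbyaddr';   // ip -> hostname (returns the ip itself on failure)
    $forward = $forward ?: 'gethostbynamel';  // hostname -> array of IPv4 addresses, or false

    $host = $reverse($ip);
    if (!is_string($host) || $host === $ip) {
        return false;                          // no PTR record at all
    }
    $host = rtrim(strtolower($host), '.');
    if (!preg_match('/(^|\.)(googlebot|google)\.com$/', $host)) {
        return false;                          // anchored suffix: "googlebot.com.evil.example" fails
    }
    $addresses = $forward($host);
    return is_array($addresses) && in_array($ip, $addresses, true);
}

// Constructed DNS answers standing in for the real resolvers.
$ptr = [
    '66.249.66.1'  => 'crawl-66-249-66-1.googlebot.com',
    '203.0.113.7'  => 'crawl-66-249-66-1.googlebot.com',  // forged PTR; forward lookup won't match
    '198.51.100.9' => 'googlebot.com.evil.example',        // suffix trick; regex rejects it
];
$a = [
    'crawl-66-249-66-1.googlebot.com' => ['66.249.66.1'],
];
$fakeReverse = function (string $ip) use ($ptr) { return $ptr[$ip] ?? $ip; };
$fakeForward = function (string $host) use ($a) { return $a[$host] ?? false; };

foreach (['66.249.66.1', '203.0.113.7', '198.51.100.9'] as $ip) {
    printf("%-14s %s\n", $ip, is_real_googlebot($ip, $fakeReverse, $fakeForward) ? 'real Googlebot' : 'fake');
}
```

Only the first address passes; the other two fail at the forward-lookup and suffix steps respectively. Two practical notes: cache the verdict per IP, since two DNS lookups per hit is too slow to do inline on every request, and remember that gethostbynamel returns IPv4 only, so a crawler arriving over IPv6 needs the AAAA lookup (dns_get_record with DNS_AAAA) in the forward step.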


WordPress Security: Which is more secure? A VPS or a VHost?

Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

In web server admin parlance, a VPS is a Virtual Private Server and a VHost is a virtually hosted website. There were a few questions regarding security on VPS’s and VHosts in my previous post on “Seven ways I could hack into your WordPress website“, so I thought I’d clarify what the difference is between WordPress hosted on a Virtual Private Server (VPS) vs WordPress on a Virtual Host (VHost) and what the security implications are of each configuration.

A Virtually Hosted Website (VHost)

In the early days of the web, you would have a single physical machine running a single operating system running a single web server. That web server would serve up a single website.

HTTP 1.0 introduced the optional “Host:” header and HTTP 1.1 made it mandatory with any web request that a browser sends. The effect of this is that when a web browser sends a request to any web server, it lets the server know which website it wants to see. Because web servers know what website a browser expects, they can now host an unlimited number of websites. This is called virtual hosting.

When you have a virtually hosted website, you are sharing a single server and operating system with many other websites. Your files and the files of other websites are stored on the same operating system. You all share the same web server and the server chooses which of your websites it needs to serve based on what a web browser requests when it connects to that web server.

Usually on a virtually hosted website, you won’t have access to other website files and they won’t have access to yours. This is usually done by giving you a unique username that you use to sign in and your username only has permissions to view your files.

A Virtual Private Server (VPS)

A VPS is a little different. Normally when you install any operating system, you install it directly on a machine like a server or workstation. With a VPS, you first install a base operating system like Windows or Linux. Then you install a virtual machine hosting platform called a Hypervisor. Examples of Hypervisors are VMware and Xen.

Within the Hypervisor you can then install multiple virtual machines. These pretend to be physical hardware and when you boot them up you get a BIOS message similar to when you boot up a physical machine.

Within these virtual machines you can then install an operating system like Linux or Windows. Using this config you can have potentially hundreds of virtual machines running on a single physical machine.

So to summarize, you have a physical machine running an operating system which runs a hypervisor which runs multiple virtual machines, and each virtual machine runs its own operating system. Within these operating systems you run your own web server, have the files for your website and do anything else you feel like doing. It’s impossible for someone on another virtual machine to access your virtual machine.

Linode is one of the most popular virtual machine hosting providers and they use the Xen Hypervisor to host Linux virtual machines.

So which is more secure?

By now you’ve probably already figured it out: Running your own virtual machine that is completely segmented from everyone else is usually the more secure option. Here are a few reasons why:

  1. If your web host messed up the machine configuration or permissions, then other users may be able to access your files.
  2. If another user’s WordPress installation gets hacked, it may be possible for the hacker to gain read or in rare cases read and write access to your files.

Another thing I like about having a VPS instead of a VHost is that you have your own IP address. On the Internet, IP addresses can get blacklisted, particularly if you’re sending email. If your web application sends email e.g. if you’re using the WordPress “Subscribe to Comments” plugin, then your emails may be flagged as spam if another user on the same server is sending a lot of spam.

With a VPS you have your own IP address, so as long as the IP address wasn’t already black-listed when you got it from your web host (I’ve seen it happen) then only you are responsible for how that IP address is perceived on the Net.

In conclusion: While VPS’s tend to cost slightly more (about $20/month from Linode), they are well worth the extra cost when it comes to protecting your website and your reputation. As always please post any questions in the comments and I’ll either answer them directly or in a future post.

Caveat: I have generalized greatly when it comes to VPS and VHost configurations. There are many variants including Type I and Type II Hypervisors, shared hosting where a single OS hosts one web server instance per website and many more. I’ve described two common VPS and VHost configs above for illustrative purposes, however the VPS config I describe is probably the most common configuration used by VPS providers.


WordPress Security: Seven Ways I Could Hack Into Your WordPress Site

I’m getting emails from people who are interested in securing their WordPress blogs or websites. If I was going to hack your WordPress blog or website, here are the first seven things I would try and how you could prevent me from getting in:

1. Upgrade to the newest version of WordPress

I would look up known vulnerabilities in old versions of WordPress. Then I would scan the web looking for sites that are running an old version of WordPress that I know has a hole in it. I would automate the whole process. Once my automated script finds your blog running an old WordPress version, I would simply drop right in through the hole that security databases have known about for months or even years.

You can stop me from doing this by upgrading to the latest version of WordPress which is version 3.2.1 at the time of this writing.

2. Upgrade all your themes and plugins to their newest versions

In case you’re running the newest WordPress, I would look at your themes and plugins. I would try to find an old version of a theme with a known hole in it. Then I would drop right in and have my evil way with your server.

You can stop me by keeping all your themes and plugins up to date and upgrading immediately when a new version is released.

3. Get rid of the ‘admin’ user

If your WordPress core files, themes and plugins are up to date, I would try to guess your ‘admin’ password. I know the ‘admin’ user exists on most WordPress sites, so I would write a script that keeps trying to log in using all the words in my dictionary.

You can stop me by creating a new user with “administrator” privileges. Then delete the old admin user and make sure you assign all admin’s posts and pages to your new admin user.

4. Make sure all your passwords are strong

OK so your site is a little more secure than I thought. But I’m not out of tricks yet. When you publish a blog entry, I will look at the name of the user who published the post. Then I will use my good old automated password guessing script to throw a whole dictionary at your login page using the username that I saw authored your newest blog entry.

You can stop me by making sure your password doesn’t exist in a dictionary and uses numbers and a mix of upper and lower-case letters.
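Strong passwords and no ‘admin’ account are the user’s half of the defence against points 3 and 4; the server’s half is to stop answering after a handful of failures, which turns a dictionary attack from thousands of guesses an hour into a few. The following is an added example of such a lockout as a must-use plugin, not Wordfence’s code. It uses only WordPress core hooks (wp_login_failed, wp_login, the authenticate filter) and transients; the threshold and window are placeholders:

```php
<?php
/*
Plugin Name: Login Throttle (added illustration)
Description: Locks out an IP+username pair after repeated failed logins. Not Wordfence's code.
*/
// Drop this file into wp-content/mu-plugins/. Uses only core hooks and
// transients. LT_MAX_FAILURES and LT_WINDOW are placeholder values.

const LT_MAX_FAILURES = 5;     // failures allowed inside one window
const LT_WINDOW       = 900;   // window length in seconds (15 minutes)

// Counter key: client IP plus lowercased username, so one attacker hammering
// one account is locked without affecting other users of the same account.
function lt_key(string $username): string
{
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy it is the proxy's
    // address, so every visitor would share one counter; see the note below.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lt_' . md5($ip . '|' . strtolower($username));
}

// Count a failure. Transients expire on their own after LT_WINDOW seconds,
// so the lockout lifts without any cleanup job.
function lt_record_failure($username): void
{
    $key = lt_key((string) $username);
    $n   = (int) get_transient($key);         // false (absent) casts to 0
    set_transient($key, $n + 1, LT_WINDOW);
}
add_action('wp_login_failed', 'lt_record_failure');

// A successful login clears the counter for that IP+username pair.
add_action('wp_login', function ($user_login) {
    delete_transient(lt_key((string) $user_login));
});

// Priority 30 runs after WordPress's own username/password check (priority
// 20), so a locked pair is refused even when the password is finally right.
add_filter('authenticate', function ($user, $username) {
    $username = (string) $username;
    if ($username !== '' && (int) get_transient(lt_key($username)) >= LT_MAX_FAILURES) {
        // Same message whether or not the account exists, so the lockout
        // leaks nothing about valid usernames.
        return new WP_Error('lt_locked', 'Too many failed login attempts. Try again in 15 minutes.');
    }
    return $user;
}, 30, 2);
```

If nginx (or any other proxy) sits in front of Apache, REMOTE_ADDR is 127.0.0.1 for every request and this plugin would lock out the whole site after five failures from anyone; in that setup the real client address has to be restored from the proxy’s forwarded header, and only when the request actually came from the trusted proxy. The lost-password form the post mentions can be throttled the same way from the lostpassword_post action.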

5. Know what other web applications you have installed

Hmmm. You’re a tough customer. But I’m not done yet. WordPress isn’t the only application I could use to get in. Many websites also have forum software, helpdesk software and other applications installed. Security holes are regularly discovered in these applications, so I will scan your site and find out what other apps you have and see if any of them are old versions with known security problems.

You can stop me by making sure all your other applications are up to date and don’t have any known security holes in them that the vendor may have released fixes for.

6. Make sure all other public services running on your web server are secure

Your site looks secure so I’m going to fight dirty. I will use a tool called ‘nmap’ to scan for open ports on the machine that runs your WordPress installation. Ah I see you have an email server running IMAP along with an FTP server. I’ll try to log in to your email server and FTP server by guessing your passwords. I’ll also check to see if the server software or the operating system is an old version that has known security holes I can exploit.

You can stop me by making sure your blog host keeps your WordPress server secure and up to date. They should be running a new version of Linux or whichever operating system you are using. The operating system should have the latest patches and all services running on the machine should be known about, should be necessary and should have hard to guess passwords. Don’t be afraid to quiz your blog host about this.

7. Make sure you don’t get social’d

Well, your site seems too secure for me to hack in using my tech skills. So I’m going to use my charming personality. I’ll call you up, pretend I work for your hosting company and try to get any information from you that might be useful. Passwords would be first prize, but I’ll take anything I can get: Staff names, your favorite pet, internal phone numbers, products and services your company uses, your birthday, anything that might help me guess passwords or find juicy targets that give me a way in.

You can stop me by making sure you never give out passwords over the phone and don’t give out information unless you’ve verified who you’re talking to. A good tactic if someone has called you is to simply ask them for a call-back number. Then verify who the company is, that the number belongs to them and call them back.

Social engineering is the number one tactic hackers use to get into secure networks. Read the second comment on this recent Hacker News post (posted a week ago) for an example of how you might call up a company and get the last four digits of someone’s credit card. You might also find this story about how css-tricks almost lost their domain a few days ago interesting.

Now that you know most of my sneaky hacker ways, you might want to read this WordPress article on how to further secure your WordPress site and keep hackers out.

WordPress Security: Have you been hacked?

I’m reposting this again because many of the emails I’m getting say “if you’re still interested”. Please contact me at mmaunder at gmail.com if your WordPress installation has been hacked. I need you to send me any files the hacker left on your system. To return the favor I will include you in a free beta program we’ll be launching within weeks that will solve your WP security problems for the foreseeable future.

Email any compromised WordPress files, malware, WordPress backdoors or trojans to mmaunder at gmail.com. Thanks.

Be Right Back – with a solution to your problems

I’m driving through Europe for the next week so am not very available online. Currently in awesome Andorra. So if I’m not very responsive to your WordPress security needs I apologize. However, I have been working on a permanent fix to help with the recent spate of WP hacks and will be making it available as soon as I’m back at work. So apologies for the delay and thanks for your patience.

Has your WordPress Blog been Hacked? Email me now!

If your WordPress blog has been hacked, please email me. I’m collecting data on intrusion methods and backdoors. If you’ve been hacked, I’ll examine your server free of charge, share what I find with you and will make recommendations on how to repair your site, all at no cost. Please note that I will need “Shell” access to your machine. In other words I’ll need a username and password and will log in via SSH to examine the server that hosts your WordPress blog.

If you’re in dev or ops and have an attack vector you’d like to share, please zip it up and email it to me with as much technical detail as you can.

Email me at mmaunder at gmail.

Thanks!!

WordPress Security: Hardening and Malware list removal

I spent some time yesterday reaching out to folks I know to try and get some input on WordPress security, avoiding getting listed as Malware and how to get removed from the Malware list. Rand Fishkin, the founder of SEOMoz and all-round SEO God, was kind enough to introduce me to Justin Briggs, who is an SEO consultant and guru. Justin quickly came back with the following advice:

WordPress is certainly more susceptible to malicious attacks due to its popularity and the large number of sites that can be compromised with an exploit.
The best preemptive solution is to keep up on updates and increase security associated with WordPress.
Here are two good articles on ways to improve WordPress security.
WordPress offers an article on hardening WordPress:
If a site is compromised, Google will make an effort to get in touch with you. They outlined these details of how they attempt this here:
http://www.google.com/support/webmasters/bin/answer.py?answer=163633#3
They also offer some additional tips:
Once a site has been cleaned up, you can send a request to Google:
I had a friend whose site was exploited several months ago. It was a bit of work to get it cleaned up, but the warning was removed relatively quickly after submitting the request to Google.
I contacted friends who are current and former Google employees but no luck getting in touch with the Malware team. In general it’s hard to connect with folks inside the big G with questions that are usually handled by support teams. [As I’ve been politely told in the past]. 🙂