Author Archive

WordPress Core files integrity check

April 25, 2015

My plugin can now scan your WordPress Core files and compare them with the installation source code available from wordpress.org. This new integrity check can be very helpful for finding new threats hidden in WP Core files. There may be many reasons, other than malicious threats, for Core files to differ from the original source, so this is an optional fix that requires you to check the box next to each file you want to restore. If a Known Threat is found in one of these files it will still come up as an automatic fix, but otherwise you can now optionally revert any of these modified Core files to the original code.
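The comparison described above, as an added example that is not the plugin's own code: a small Python checker that compares a WordPress tree against a per-file MD5 manifest for the installed version. The real manifest is what wordpress.org publishes for each release (the checksums API at https://api.wordpress.org/core/checksums/1.0/ returns a JSON map of path to MD5); here the "release" is three constructed files so the example runs offline. Paths under wp-content/, wp-config.php and .htaccess are deliberately skipped, which is exactly why a difference is only a candidate for restoring rather than an automatic fix.

```python
"""Compare a WordPress tree against a per-version core checksum manifest."""
import hashlib
import os
import tempfile
from pathlib import Path

# The manifest covers only what wordpress.org ships. wp-content/ and the
# site's own top-level files are expected to differ and are left out.
CORE_PREFIXES = ("wp-admin/", "wp-includes/")
SITE_FILES = {"wp-config.php", ".htaccess"}


def md5_file(path: Path) -> str:
    """MD5 of a file, read in chunks (MD5 is what the wordpress.org manifest uses)."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_core_path(rel: str) -> bool:
    """True for paths that belong to core: wp-admin/, wp-includes/, top-level files."""
    if rel.startswith("wp-content/") or rel in SITE_FILES:
        return False
    return rel.startswith(CORE_PREFIXES) or "/" not in rel


def check_core_integrity(root: Path, manifest: dict) -> dict:
    """Report core files that differ from, are missing from, or are not in the manifest."""
    report = {"modified": [], "missing": [], "unlisted": []}
    for rel, expected in sorted(manifest.items()):
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif md5_file(path) != expected:
            report["modified"].append(rel)
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if rel not in manifest and is_core_path(rel):
                report["unlisted"].append(rel)  # a file core never shipped
    report["unlisted"].sort()
    return report


# Constructed stand-in for a core release: three tiny files. A real manifest
# comes from https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=<loc>
PRISTINE = {
    "index.php": b"<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-includes/version.php": b"<?php\n$wp_version = '4.2';\n",
    "wp-admin/admin.php": b"<?php\nrequire_once dirname(__FILE__) . '/../wp-load.php';\n",
}


def build_manifest(files: dict) -> dict:
    return {rel: hashlib.md5(data).hexdigest() for rel, data in files.items()}


def demo() -> dict:
    """Lay out the constructed install, tamper with it, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in PRISTINE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        # Site-specific files: legitimately absent from the manifest, must not be flagged.
        (root / "wp-config.php").write_bytes(b"<?php define('DB_NAME', 'wp');\n")
        (root / "wp-content/plugins").mkdir(parents=True)
        (root / "wp-content/plugins/hello.php").write_bytes(b"<?php // a plugin\n")
        # Simulated compromise: a core file edited, one deleted, one dropped into wp-includes/.
        with (root / "index.php").open("ab") as f:
            f.write(b"<?php /* injected */ @include '/tmp/.x'; ?>\n")
        (root / "wp-admin/admin.php").unlink()
        (root / "wp-includes/zz-dropper.php").write_bytes(b"<?php /* not a core file */\n")
        return check_core_integrity(root, build_manifest(PRISTINE))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Fetch the manifest fresh from wordpress.org for the exact version in wp-includes/version.php rather than trusting a copy stored on the same server: anyone who can edit core files can edit a cached manifest too. The "unlisted" bucket is the one worth reading first, since a PHP file inside wp-includes/ or wp-admin/ that the release never shipped has no innocent explanation.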

This new feature is currently only available to those who have donated at the default $29+ level.

Posted in Updates 15 Comments »

SoakSoak bug, round two, still widespread infections

December 19, 2014

I've been really busy so it's been a while since my last post, but this is really important so thought I should update everyone.

This recent SoakSoak bug infected a lot of WordPress sites through a vulnerability in the Revolution Slider plugin. Apparently the developers knew about this security hole back in September but did nothing about it until the exploit was widespread. There is now a new version of Revolution Slider that has been patched, but there are also many themes that bundle this slider and cannot be automatically upgraded. The newest version of my Anti-Malware plugin will automatically block attempts to exploit this vulnerability on your site, even if you have a vulnerable version of Revolution Slider installed.

The bigger problem is that once you have been hit by this bug there may be other backdoors planted on your site, and your DB password may also have been stolen. If you suspect that, change the database password and the authentication keys and salts in wp-config.php after cleaning the site. Your site can also then be used to spread this infection to other sites. I have seen a new round of this threat that no longer uses the popular IP address in the script source. Now it's using a variety of infected domains to spread the infection.

This threat is changing all the time so please make sure to download the Definition Updates whenever I release a new one. You can follow my Twitter feed @GOTMLS to get notified of new updates.


Posted in Updates 2 Comments »

Heartbleed vulnerability

April 14, 2014

If you are hosting an SSL site on a server running OpenSSL version 1.0.1 through 1.0.1f, or 1.0.2-beta1, with the TLS heartbeat extension enabled (the default build), then your site has been vulnerable to a Heartbleed attack. You should upgrade to OpenSSL version 1.0.1g (or to a distribution package that backports the fix: Debian, Ubuntu and Red Hat kept the old version number and patched it, so check the package changelog rather than the version string), rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS, or move your site to a more secure host. Because an attacker could have read the server's private key out of memory, you should also reissue your certificate with a new key and rotate any passwords or session cookies that passed through the server while it was vulnerable.

Is your site vulnerable to the Heartbleed attack?

Here are four independent sites that will check your server:

https://filippo.io/Heartbleed/
http://www.digicert.com/help/
http://safeweb.norton.com/heartbleed
https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

Posted in Updates No Comments »

I started a twitter account

February 12, 2014

I'm going to use this twitter account to post plugin and definition update notices as well as any other important info I need to get out there: @GOTMLS


Posted in Updates No Comments »

Spanish translation added in last release

January 11, 2014

Thanks to Andrew Kurtis of webhostinghub.com, my plugin has now been translated into Spanish by Jelena Kovacevic. The new language files were tested and packaged in the last release. Now, if you have WPLANG defined as 'es_ES' in your wp-config.php file, then the Anti-Malware Settings and Scan pages will be output en Español :-)

I'm also thinking of creating a Facebook page for my plugin to get more feedback and collaboration from my users. I have some big ideas I would like to share and get some help with to move this plugin forward. Leave a comment here and let me know what you think. Would you follow me on Facebook? Comment Yes or No.

Posted in Updates 2 Comments »

direct-install-method

August 19, 2013

I have had quite a few WordPress users having trouble with plugin upgrades or re-installing plugins that were not completely removed. The problem is that sometimes WordPress will not remove the main folder for a plugin that is being upgraded or removed, but it will remove all the contents of the folder. So then WordPress does not see that the plugin is installed, but it cannot create the directory structure to reinstall it either.

The only thing you can do then is to log in to your server via FTP (or a file manager in your hosting control panel) and delete the directory so that it can be re-installed. But for some people that just isn't so easy to get to. So I created this little helper plugin to force the deletion of any plugin's main directory and all of its contents before upgrading or installing another version of that plugin. It's still under development and I would not recommend installing all your plugins with this one activated, but if you are having trouble upgrading a plugin because the destination directory already exists, then this will probably help.

You can download the BETA version of this plugin here

Good Luck!

Aloha,
Eli Scheetz

Posted in Updates 2 Comments »

Downgraded the WP-Login threat and changed it to an opt-in fix

June 1, 2013

In my ongoing attempts to improve the security of WordPress and to clarify the brute-force threat, I have isolated the code for my login patch into an include file and added some notes to explain why the wp-login.php file comes up as a vulnerability.

I have also downgraded the severity of this threat and changed it to an "opt-in" fix instead of being marked in red and default checked for automatic repair. This is partly because I have perceived an ebbing of the brute-force attacks on WordPress sites that spiked a couple of months ago, but also because a moderator on wordpress.org suggested that I should not be modifying WordPress core files.

I will also be taking the "Dave" and other references from the movie 2001: A Space Odyssey out of the login patch because some people (not named Dave) didn't see the humor in it and I don't want to upset anyone.

Comments and suggestions are always welcome.


Posted in Updates 14 Comments »

Just what do you think you are doing, Dave?

May 3, 2013

In the last two weeks I have been working on perfecting a patch for the wp-login.php page that will prevent a swarm of brute-force attacks from guessing your password or bringing down your server. When I first released this patch it was a bit overzealous and caused a few people to be temporarily locked out of their own blogs as their login attempts were incorrectly identified as brute-force attacks.

This patch of mine has also caused a small wave of paranoia because it displays the unconventional (and possibly spooky) message "Just what do you think you are doing, Dave?" whenever brute-force or too many failed logins are detected. This message is a quote from the movie 2001: A Space Odyssey. Even though I intended this message to bring out the humor of the situation, I also feel it is very relevant (unless your name is not Dave :-)

The linked response "Open the Pod bay doors, HAL!" is also a quote from the same movie, and it's just there to link you back to the login page should you want to try to log in again.

I have also received many inquiries as to why the wp-login.php file is flagged as a WP Login Exploit on every install of WordPress, even brand new installs of the most current version. This is simply because WordPress has no built-in brute-force protection and its login page is exploitable. It has been clearly demonstrated through the widespread attacks on login pages around the world of late that it is not only vulnerable to password cracking via brute force but has also been shown to overload and bring down a whole server if the attacks are too numerous. That is why my patch also prevents the loading of the WordPress bootstrap if a brute-force attack is detected, so that your server's resources are not tied up just telling hackers whether they guessed the right password or not.
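The two design points above, counting failures per client and answering a locked-out client before the WordPress bootstrap runs, as an added example that is not the plugin's own patch. It is written in Python so the logic can be run and checked on its own; the thresholds (5 failures in 300 s, 900 s lockout), the client addresses and the traffic are all constructed. A real drop-in would sit in PHP at the top of wp-login.php before wp-load.php is required, keyed on the client address, with the counters kept in a store that survives between requests (a file, APCu, or a table), since PHP keeps nothing in memory from one request to the next.

```python
"""Per-IP failed-login throttle of the kind a wp-login.php guard needs."""
import time
from collections import deque


class LoginThrottle:
    """Count failed logins per client in a sliding window; lock out on too many."""

    def __init__(self, max_failures=5, window=300, lockout=900, now=time.time):
        self.max_failures = max_failures
        self.window = window        # seconds over which failures are counted
        self.lockout = lockout      # seconds a locked client stays blocked
        self.now = now              # injectable clock, for tests
        self._failures = {}         # ip -> deque of failure timestamps
        self._locked_until = {}     # ip -> unix time when the lock expires

    def is_blocked(self, ip: str) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.now() >= until:     # lock expired: forget the client entirely
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str) -> bool:
        """Register one failed attempt; return True if this one triggered a lock."""
        t = self.now()
        q = self._failures.setdefault(ip, deque())
        q.append(t)
        while q and q[0] < t - self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[ip] = t + self.lockout
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A real login clears the counter so a typo-prone owner is not locked out later."""
        self._failures.pop(ip, None)


def guard(throttle: LoginThrottle, ip: str):
    """Run before WordPress is loaded. Returns (status, body) to send instead, or None."""
    if throttle.is_blocked(ip):
        return (429, "Too many failed logins. Try again later.")
    return None


def simulate() -> dict:
    """Constructed traffic: one brute-forcer and one owner who mistypes a password."""
    clock = [1_000_000.0]
    throttle = LoginThrottle(max_failures=5, window=300, lockout=900, now=lambda: clock[0])
    attacker, owner = "203.0.113.5", "198.51.100.7"   # RFC 5737 documentation addresses
    out = {}
    for _ in range(4):
        throttle.record_failure(attacker)
        clock[0] += 1
    out["attacker_after_4"] = guard(throttle, attacker) is not None
    throttle.record_failure(attacker)
    out["attacker_after_5"] = guard(throttle, attacker) is not None
    for _ in range(3):                       # three typos, then a correct password
        throttle.record_failure(owner)
        clock[0] += 5
    throttle.record_success(owner)
    throttle.record_failure(owner)           # one more typo; the counter was reset
    out["owner_blocked"] = guard(throttle, owner) is not None
    clock[0] += 900                          # lockout period passes
    out["attacker_after_lockout"] = guard(throttle, attacker) is not None
    return out


if __name__ == "__main__":
    print(simulate())
```

The sliding window plus reset-on-success is what keeps the owner from being caught by their own typos, the lockout problem described in the first paragraph. Two things the simulation glosses over: behind a reverse proxy or CDN the client address is in a forwarded header that must only be trusted from the proxy's own address, and many users behind one NAT share an address, so a single attacker can lock out a whole office unless the lock also keys on the username being tried.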

I hope this helps answer your questions about this new threat and my approach to solving it. Feel free to leave a comment if I could do better explaining anything.

Aloha,
Eli Scheetz

Posted in Updates 4 Comments »

Happy Birthday to GOTMLS Anti-Malware

March 26, 2013

Today is the official one-year anniversary of the first release of this plugin on the WordPress Plugin Repository. I feel really positive about how far this plugin has come in the last year. I am also very proud of how many people that my plugin has helped. I've got a lot of plans for improving this plugin so I want to thank those who have made a donation and ask all those who have not yet donated to contribute now. Donations to this project support me making time to work on it and make it better. So don't just use it, support it!

Aloha,
Eli Scheetz

Posted in Updates No Comments »

How did your site get hacked?

February 28, 2013

Everyone who has had their site hacked wants to know how it happened. Unfortunately there are a lot of ways to get hacked and no single method for stopping it. I created this plugin because of a vulnerability in timthumb.php that got widely exploited about a year ago. This very useful timthumb script had a weakness in the way it was written that allowed hackers to place any script on your site, thereby enabling them to gain access to your files and spread their infection. A newer and stronger timthumb.php was released to stop this abuse, and it is fairly simple to update this file to keep your site from being exploited in this way. One of the things my plugin will do is find old timthumbs and update them.
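Finding the old copies is the part of that job a practitioner can do by hand, so here is an added example (not the plugin's own scanner) that walks a site tree and reports every timthumb copy with the version it declares. It matches on file content rather than name because themes often ship the script renamed (thumb.php, img.php), and it reads the VERSION constant that timthumb.php defines near its top. The version floor of 2.8.14 is an assumption written into the default argument; set it to whatever release you consider current. The sample tree is constructed.

```python
"""Find copies of timthumb.php in a site tree and flag ones below a chosen version."""
import os
import re
import tempfile
from pathlib import Path

# timthumb.php declares its version as a PHP constant near the top of the file.
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"](\d+(?:\.\d+)*)['"]\s*\)""")
# Match by content, not file name: themes ship it renamed (thumb.php, img.php, ...).
MARKER_RE = re.compile(r"timthumb", re.IGNORECASE)
HEAD_BYTES = 4096


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def inspect_php_file(path: Path):
    """Return the declared version if this looks like timthumb, else None."""
    try:
        head = path.read_bytes()[:HEAD_BYTES].decode("utf-8", "replace")
    except OSError:
        return None
    if not MARKER_RE.search(head):
        return None
    m = VERSION_RE.search(head)
    return m.group(1) if m else "unknown"


def find_timthumbs(root: Path, minimum: str = "2.8.14") -> list:
    """List (relative path, version, outdated) for every timthumb copy under root."""
    found = []
    floor = version_tuple(minimum)
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = Path(dirpath) / name
            ver = inspect_php_file(path)
            if ver is None:
                continue
            # A copy with no readable version is treated as outdated: it needs a look.
            outdated = ver == "unknown" or version_tuple(ver) < floor
            found.append((path.relative_to(root).as_posix(), ver, outdated))
    return sorted(found)


# Constructed sample tree: a theme with an ancient copy, a plugin with a current one,
# a renamed copy, and an ordinary PHP file that defines VERSION but is not timthumb.
SAMPLE = {
    "wp-content/themes/foo/timthumb.php":
        b"<?php\n// TimThumb script\ndefine ('VERSION', '1.32');\n",
    "wp-content/plugins/bar/timthumb.php":
        b"<?php\n/* TimThumb image resizer */\ndefine ('VERSION', '2.8.14');\n",
    "wp-content/themes/foo/inc/img.php":
        b"<?php\n// timthumb, renamed by the theme author\ndefine ('VERSION', '2.8.10');\n",
    "wp-content/plugins/bar/bar.php":
        b"<?php\ndefine('VERSION', '9.9');\n// no thumbnails here\n",
}


def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return find_timthumbs(root)


if __name__ == "__main__":
    for rel, ver, outdated in demo():
        print(("OUTDATED " if outdated else "ok       ") + f"{rel} ({ver})")
```

Replacing an outdated copy is a matter of overwriting it with the current file, but keep the original's name and location so the theme's image URLs keep working, and re-run the scan afterwards: a compromised site often has more than one copy.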

But, of course, there are other ways for your server to get infected. Many people don't realise that having their site on a hosting account with other sites means sharing the vulnerabilities of all the other sites. Having your site on an isolated account, all by itself, can be a great improvement to your security. You will also need to make sure that your site is up to date and has no vulnerabilities of its own. Make sure the plugins and themes you have installed are secure and well trusted.

A lot of people think that they need to change their FTP passwords. This is not a bad idea, but it's extremely unlikely that a hacker is using your FTP account. Once a hacker has exploited a security hole in your website, hosting account, or server they will plant a script on your site to gain full access to your files. Then they don't even need your FTP to inject more malicious code and spread their infection further.

Unfortunately it may be very time consuming and costly to figure out exactly how you got hacked, but stay vigilant and take any security measures you can to avoid being an easy target. With every step you take to secure your site you become harder to hack and less of a target.

Aloha,
Eli Scheetz

Posted in How To 3 Comments »