If you are one of the many users of the WordPress Security Plugin, WordFence, we highly encourage you to update. They recently pushed out a security update that could be affecting your install. It is important to note however that what is interesting about this release is that it was actually a Low Severity issue. What’s remarkable however is both their immediate response to the issue, and the detail they provide in their change log.
This is a very good way for a development firm to respond in the event of incidents. Snippet from their change log:
Via their Changlog:
Security release. Upgrade immediately.
This release fixes an XSS vunlerability on Wordfence “view all traffic from IP” page.
Also fixes a hard to exploit XSS which exists if you have your site as the default site on your web server, falcon enabled and debugging comments enabled.
Improves Revolution Slider proteciton.
Fixed bypass for fake googlebot blocking.
This is was in response to a Full Disclosure by the folks at Vexatious Tendencies. In which they outline each of the critical issues patched in the last release.
Wordfence v5.2.3 suffers from multiple vulnerabilities including 2 stored XSS, insufficient logging of requests, being able to bypass the throttling feature (designed to limit scraping) and being able to bypass the exploit detection feature. All of these appear to be the result of a lack of understanding of PHP superglobals.
While their approach to the disclosure is frowned upon, it did bring about a speedy response by the WordFence Team.
If you’re wondering, we wanted to wait on this disclosure to give them time to patch and release before publicizing the full-disclosure.
Sucuri and WordFence Scanning Conflict
*** Update: 20140918 *****
We have been in touch with the WordFence development team and they will be working to apply a global push of our network IP’s to their network. This should alleviate issues on your end, both clients and non-clients that might use our scanner.
If you experience an issue let us know and we’ll engage them to update.
Thanks WordFence team.
It’s also become apparent that the WordFence plugin is blocking our scanners from hitting your site. The folks at Code Fetti put together a nice write up on the issue. What this means to you, whether a user or someone that enjoys our Free SiteCheck scanner is that you own’t be able to scan your environment. This will also affect the Free scanner in the Free WordPress Security – Sucuri Plugin.
It will generate a warning that looks something like this:
If you’re wondering, yes this is a bad thing for you. This means we can’t see how your website is behaving on a browser. An important scanning function that complements the way WordFence scanning works.
Not to worry though, as the good folks at CodeFetti have recommended, an easy fix exists where you can simply whitelist the IP you want to use.
Go to your Dashboard>WordFence>Options and scroll down to Other Options:
Whitelist the Sucuri Security Monitor ID by listing it as shown below. Save your changes.
Here is what the option looks like:
If you use the Free SiteCheck scanner you can whitelist this IP: 220.127.116.11
We’re engaging with the WordFence team to see if we can’t implement a more permanent solution, but for now, if you experience this issue please follow the instructions above.