We are happy to announce that we expect to start cPGuard v4 client beta testing by the first week of April 2022. Version 4 of cPGuard is not just a typical update with some UI improvements and new features. It is a complete revamp which introduces a fresh UI with an incredible new workflow. We have built a new framework that opens endless possibilities for integrations onto multiple platforms. We are trying our best to make each component perfect and for a trouble-free upgrade from V3 to V4.  As it is a new software model, there are a few things you need to notice about V4 features and requirements.

What are the new features in V4?

• Centralized server management :- In cPGuard V4, you have an option to view and manage all your servers from our Cloud-based user interface. This will make your life easier especially when you need to check cPGuard on multiple servers.
• User-based access :- You can define an access matrix for your server managers to your servers without giving them root access. You can create multiple users and grant access flexibly on your servers
• Server overview reports :- From the centralized UI, you will get an overview of the attack rate against your servers,  servers with alerts, etc 
• Control Panel independent :- We are crafting cPGuard V4 as control panel independent.  So we can support more control panels soon and can introduce more features into cPGuard. 

Requirements for cPGuard V4

As it is a new software model, the requirements to run cPGuard also change a bit compared to previous versions.

• App Cloud should be able to communicate to the agent installed on the customer’s servers. So the cPGuard Cloud IPs must have whitelisted on client servers or the software will not function well. We will add an automatic whitelist for CSF and in other cases, the user must do manual whitelisting of the IPs that we provide. 
• The supported Operating System list is updated and we support almost all RHEL and Debian derivatives now. But cPGuard version 4 will not support CentOS 6.x and Debian 9.
• The UI will be centralized, so you need to login into the cPGuard dashboard separately using your OPSSHIELD client area login credentials. 
• You may notice some missing data in V4 dashboard initially, which is fine because those are the new metrics for V4. We try to import all V3 data to V4 during the upgrade but new metrics need to populate from the new data collecting system  

Do you need to take any action now?

You do not need to take any action now. We will roll the existing servers into V4 sequentially with multiple updates. During the process, we will alert the customers if any of the requirements cannot meet and you can resolve it manually to prepare your servers for V4 update.  We hope that we can release V4 within a couple of weeks. 

Stay tuned to our Social media accounts to get additional information about cPGuard V4. 

We have released cPGuard version 3.69 on January 26 2022 and the update is available on all servers automatically. We encourage our customers to make sure that they use the latest version always as we follow sequential updates and every update is applicable for the latest versions of the software.

What is up with version 3.69?

We release regular updates to our software, scanner rules, WAF rules, etc to make sure that everything is up to date to detect the latest threats. For a person who follows the release notes of cPGuard, the new version may not feel anything exciting!

But it took up almost 2 months to complete this build as it has a completely revamped scanner engine code. Our developers have re-written the whole code from scratch to make it more efficient and organized. As a project which is running for over 4 years and started as a specific control panel plugin, we believe this is the right time to start working on the project revamp to enter into new areas

The major changes

Our team is working on some cPGuard enhancements and internally calls it cPGuard V4. So version 3.69 is the first step towards V4 release and we will soon release the following updates in the upcoming versions.  In 3.69, the major changes include

• Revamped scanner engine code
• Eliminated the dependency with system ClamAV
• Enhanced file checks and improved scanner speed
• etc

What is next?

As I mentioned above, 3.69 is just the first step towards a milestone. Our team is working hard to increase the cPGuard productivity and reduce the admin overhead. We will have some major updates this year and we believe that it can help our customers to manage cPGuard and the servers easily. 

What is IPDB Firewall?

In cPGuard, we have multiple modules that work at different layers to stop various attacks. The IPDB firewall module is a system-level firewall that can block many of the attacks before it reaches your application servers.

The main components of the IPDB firewall are

1. The Cloud Advisor:– is a server cluster containing multiple servers dedicated to collecting, building and distributing a list of unsafe IPs. We have a huge list of bad IPs built on data collected from attacks we have blocked (WAF, Bruteforce, CSF and access logs), our partners like Malware.Expert and other 3rd party sources. Our algorithms, after whitelisting major providers like Cloudflare, Google etc to avoid false positives, dynamically score IPs based on various parameters to build a refined list containing only the latest and relevant threats

2. The Server Agent: cPGuard server application downloads the list of bad IPs from the cloud advisor and creates a blocklist using IPSET and IPTABLES to effectively block requests from these IPs. The block list is periodically reloaded to fetch the latest IPs and drop old IPs from the list

What are the recent updates in IPDB?

Over the past few versions after the initial release of IPDB, we have been continuously working on it to enhance the performance of IPDB module. With that said, we were able to bring in so many updations so block more attacks with fewer false positives. Few of the major changes include

• Refined blacklist Logic:- We now have a better algorithm to mark an IP address as bad and put it into the global blacklist. That helps to eliminate a significant share of false positives from the total blacklist.
• Enhanced whitelist:- Based on the feedback from our clients, we have added many more major players including search engines, CDN providers, monitoring agents, etc into the blacklist which helped to refine the central list.
• Better CLI Tools:- For a Linux geek, it is always handy to work from CLI than doing any tasks from GUI. So we have added more CLI tools to handle IPDB using commands
• Network whitelist:- Now you can whitelist a Network using a defined format. This will help to whitelist a range of your IP address and that makes the tool handier. You can add whitelist from cPGuard settings or via our command line utility

• New IPDB stats UI:- You can now view requests being blocked in realtime from the new IPDB section in cPGuard UI. We will be rolling out more reports and stats on IPDB in coming versions.

Wait…I have some complaints or suggestions

We would love to hear from you and our team can work based on your feedback. Kindly reach our support team with your feedback and we will process it accordingly.

This is one of the first questions that will raise when someone decides to try cPGuard on their servers. The answer is not simple and it needs to be explained from top to bottom as the protection is offered at multiple levels.

So let us check what all protection that cPGuard offers

• Malicious file uploads/updates
• Web attacks/exploits
•  Incoming Spam Emails and IP/Domain  Reputation Checks
• Extensive Reports

1. Malicious File uploads/updates

This is one of the common problems that every website owner is facing and affecting website reliability and integrity. This happens most commonly because of any exploits open in the website, compromised user account, or logins or possibly due to a compromised account hosted in the same shared environment. So to detect the malicious file contents, cPGuard has multiple layers of file scanning options to make sure that every file is passed through our scanner engine.

• Layer 1 HTTP Upload Scanner:- This is the first level of file scanning if the file is uploaded/updated via Web. So whenever a file is uploaded using your website, it will pass through the scanner engine. We carefully manage this step to scan only relevant files and in case we detect any malicious pattern for which we do not have any definition, we will scan ti through our central system and take necessary actions.
• Layer 2 Automatic Scanner:- This is the second level of scanning, which can catch any files updated/uploaded regardless of how it is done. We monitor the operation of the files to fetch the list of files to monitor and pass it through the scan engine. Since we monitor only website files and process them as batches, this consumes a very small amount of server resources and takes very little time to complete the scan compared to the competition.
• Layer 3 Weekly automatic scan:- We run a weekly scanner to scan all files updated/uploaded in the last 7 days and scan them. This helps to ensure that all recent files are analyzed based on our constantly updated virus database and thus fetch new types of attacks even if they can bypass initially.
• Layer 4 manual scan:- This is the last layer of scanner which needs manual intervention to start the scan against a defined target. This can help to find all new/old malicious files under the targeted path and help to create custom reports.

So the multi-layer file scanning that you can flexibly enable on your server ( you can customize each based on your preference from cPGuard Settings ) can scan all types of file changes on your server and take action on them. There is also a file auto-clean option using which you can attempt to clean files automatically and restore them to the original location, and it can prevent website outage due to core files infection.

2. Web attacks/exploits 

This is the WAF layer that actually helps to mitigate most of the attacks before it reaches your Web Applications. Our WAF is powered by Malware.Experts Commercial WAF rules and cPGuard ModSec rules. In this layer, it has multiple components to mitigate varieties of web attacks.

• The WAF Integration:- It is the core WAF rules enabling that you can do from settings and it will load the core rules into your web server. This ruleset contains the mitigation rules for generic attacks, some latest CVEs reported, targeted CMS attacks ( WordPress, Joomla, etc ). We always recommend you to enable this and it can protect your websites from many web attacks.
• Brute-force protection:- This module protects your websites from brute-force attacks against the defined URLs. This can effectively monitor the real IPs and block them if they cross the access threshold.
• Scanner Rules under WAF :- When you enable this rules set, it will protect your websites from common abusive botnets. It can save server resources and unnecessary processing of the requests.
• Webshell Rules under WAF :- These rules can stop processing any web shells if they are already uploaded ot your websites. This is a highly sensitive rules set and we do not recommend it unless you have complete control across all the websites on the server
• Captcha Protection under WAF :- This module protects your websites from brute-force attacks against the defined URLs. This can greatly reduce your server load and protect your websites from abusive accesses.

The multiple protection layers in HTTP can protect your websites from most generic and common attacks and sources. We constantly monitor the Web abuses reported by WAF from our centralized system and making adjustments accordingly to increase the protection level.

3. Incoming Spam Emails and IP/Domain  Reputation Checks

cPGuard helps to reduce Incoming Spam Emails using the SRBL system which uses an intelligent algorithm to check all incoming email sources and find whether they are abusive or not and take actions accordingly. This can stop emails from now abusive IPs and thus reduce the incoming spam email count.

Additionally the systems helps to keep rack of the IPs/Domains on the server and check whether they are listed in major blacklists. It will alert you promptly when there is a blacklist detected and helps to take note of the total server reputation. You can even choose to suspend an account when a domain is blacklisted and it can save your IPs from being blocked in SEO and search engines.

4. Extensive Reports and Notifications

cPGuard produces a lot of reports and notifications which can give an overview of the total attacks against your server and security issues for particular accounts. There is more graphical representation of the web/virus attacks per day or certain period and the notifications are instant to alert you about recent attacks. You can flexibly turn on/off certain notifications and define the email addresses to which that you want to receive alerts.

The protection is not limited to above points….

Yes, the software offers more protection like automated Rootkit scanning, CSF integration, wp-cron.php job mangement, etc to ensure smooth managemrn tand security on your server. We constantly add more features, enhance the exisiting features and do everything that we can to deliver the best services to our customers.

If you really think that cPGuard can improve in any certain point by adding or enhancing any feature, please feel free to reach us and we will do every possible things to meet the requirements.

It is a well-known fact that WordPress is one of the web applications that get the majority of web attacks when installed on a domain. In addition to the conventional attack vectors, there are plenty of other attack methods that are being used to attack WordPress website and applications. So all WordPress website owners should protect their websites using an additional security layer to protect their website from common attacks like brute-force, SQL injection, Cross-site attacks, etc and other unconventional types of attacks.

Nulled Plugins and Themes

When we talk about other types of attacks, one of the most tricky types is the installation of “Nulled Plugins and Themes”. We recently had a customer, who came to us regarding clean up of his websites which had nulled plugins installed. The funny fact is that the client knew that they were nulled but decided to install them as they are free but never knew they will open up a backdoor to his websites.

So how it can damage your websites?

The severity of the damage that can be done is based on the source of these nulled plugin/theme. In the specific case that we are taking as an example here, the plugins where downloaded from thewordpressclub [.] org and the websites faced the following issues.

1. Repeated JS injections into the database which resulted in redirects to malicious websites upon website visit.
2. Added junk records to the wp_options table for the backdoor
3. The admin user password kept resetting without the knowledge of website owner
4. Unwanted posts created under the websites

and many more…..

 Interestingly, the terms and conditions at thewordpressclub [.] org has a section Remote Access stating that by downloading and installing installing these plugins/themes you are allowing TheWordpressClub to remotely control your website 

What kind of injection were added to the nulled plugins?

We have noted the following files added to the plugin packages, which contained the core code.

For example, following are some sample paths in actual plugin installations

In addition to that, they have added the following lines to other files to use  the malicious function and active the remote handler.

How to get rid of such issues?

The answer is pretty straightforward; do not install plugins/themes from non-trusted sources. If you want to install a plugin/theme, you should use WordPress official repository to search and install or use the official website of the provider to download the package. If you try to enjoy the premium features of any paid solution for free using such shortcuts, you will end up with serious trouble including your data loss.

Though cPGuard can detect and clean the majority of these malicious injections, we strongly recommended to stay away from such plugin providers and use only the genuine software