Do we really need resource consumption settings for cPGuard?


What do you mean by resource consumption?

All software needs some resources to run on a system and perform its operations. The amount of resources each program needs is different and depends on the task it performs. Software that runs multiple algorithms, does complex computations and performs a lot of file and network operations is usually highly resource-intensive (specifically CPU, RAM and disk I/O). An antivirus scanner comes under this category, as there are a large number of file reads and writes, content analysis, pattern recognition and comparisons to be performed.

In a server environment, resources are limited and must be available on demand for the server's primary task. Therefore antivirus scanners have settings to adjust the resources they can consume or to schedule the scanner to run in off-peak hours.

So why does cPGuard not allow users to limit it?

We have strictly maintained a “performance-oriented” approach while building cPGuard and wanted it to run smoothly on the smallest of servers. The cPGuard scanner engine core is built to work fast and consume minimal resources. Some of the major points that help us achieve better performance with lower resources are:

  • We scan only relevant files/locations, unlike competitors, which scan a lot of unnecessary locations and waste server resources.
  • Our core scanner is single-threaded and will not cause a total server spike, so CPU limiting is not required for our scanner daemon.
  • Our highly efficient and optimised algorithms leave only a very small memory footprint.
  • Our IPDB rules contain only active attack sources, so only minimal rules are loaded and network overhead is reduced.
  • The WAF contains only minimal but generic rules, which effectively block most web attacks, including the major ones.

Do you have any proof?

Yes, we do, and we can confidently stand by our statement. The biggest proof is that in the last 4 years the complaints due to resource usage are close to ZERO. In most systems, the component most likely to cause a load spike on the server is the scanner module. Our scanner is fine-tuned to avoid such a scenario and it is one of the fastest scanners available in the market. It is tested and confirmed that the cPGuard scanner engine is more than 7x faster than that of our competitors. The screenshot below shows the manual scan option in cPGuard, where it completed scanning 41K+ files in just 7 mins.

So is there any advantage with Resource Consumption settings?

Yes, there is, if the scanner module is resource-hungry. Such settings help to reduce server load, but they drastically slow down the scanning process and tie up resources for a longer time. As I stated earlier, that is not a problem with cPGuard and you do not need to worry about setting up such values and monitoring our services.

OK, I have a few more questions…

We are happy to address them. Feel free to reach out to our support team and we will be more than happy to answer your questions!

What are the advantages of cPGuard WAF compared to competing solutions?


What is cPGuard WAF?

The cPGuard WAF module is an important part of the cPGuard security suite that protects your websites from malicious traffic and attacks. It is powered by Malware.Expert commercial ModSec rules, which come with a wide variety of protection levels. With cPGuard, you can implement the WAF rules easily and flexibly and enforce maximum website protection based on your preference. We have rules to protect against major attacks like the following, which are explained in the sections below:

  1. WordPress/Joomla and other CMS brute-force attacks
  2. Crawler bots and exploit/vulnerability scanner prevention
  3. Generic attacks like XSS, SQL injection, WP abuses, etc.
  4. Blocking malicious file uploads via the web
  5. Zero-day exploit blocking
    etc.

What are the important modules of cPGuard WAF?

The cPGuard WAF consists of various types of rules, and each can stop different types of attacks. The major advantage of enabling the WAF with cPGuard is that you can select the set of rules you wish to enable for your websites. So, unlike competing WAF solutions, our rules are sensibly separated and let customers choose the protection level.

  • RBL Protection:- This provides advanced DDoS protection for POST attacks [brute-force, script exploits] and blocks common abusive IP addresses collected through our network of servers with cPGuard installed. We recommend turning this ON if you are getting too many POST attacks, as it can block many attacks before they reach your application and helps to reduce server load.
  • Captcha Protection:- (Recommended) This ruleset requires all users to verify that they are not bots before accessing the CMS [like WordPress, Joomla, etc.] login pages or submitting login credentials. Once they are identified as real users, they will be able to log in to their website. This can greatly reduce the load due to brute-force attacks. You can also define the set of URIs that you wish to protect using the captcha system, which makes the protection more powerful and flexible.
  • WEBSHELL protection:- If you enable this ruleset, your server will be protected from the execution of PHP shells like the following:
    • Phoenix WebShell
    • FilesMan
    • c99shell
    • b374k
    • WSO
    • Ani-Shell

    The front page of a web shell may still open, but command execution [like copy, delete, move, etc.] is blocked. You can enable this ruleset if you control all the web apps on your server.

  • SCANNER protection:- (Recommended) This helps to keep bad crawlers away from your system. They are a major headache for web hosts and cause unnecessary use of system resources. It can block:
    • Bad User-Agents
    • Bad search engine crawlers (which cause high load)

In addition to the above rulesets, the WAF contains rules to stop brute-force attacks and to enable web-based file scanning.

Why is cPGuard WAF better than competing WAF solutions?

Our WAF is top-notch at blocking major automated attacks with less server load compared to competing WAF solutions. In addition, we cause very minimal or zero false positives in most cases, with an option for users to whitelist rules if they find isolated issues with any rule.

In general, cPGuard WAF outperforms all other competing WAF solutions on the following points:

  • We have very minimal but generic WAF rules. That helps to offer a wide range of protection with very little server load.
  • Rules are generic and thus can block the same types of attacks with different vectors.
  • We carefully watch the latest exploits and release rules to protect against them.
  • We have explicit generic rules to protect common CMS systems.
  • Our Captcha protection system is one of the best, and can stop all brute-force and bot attacks towards your CMSes.
  • A cloud-based central system analyzes the latest web threats and blocks them.
  • The WAF module is combined with the IPDB Firewall in the core, which helps to stop attacks in the system firewall even before they reach the application server.

Have more questions?

In case you have been misled by some marketing emails about our software and WAF module and would like to know more, please feel free to reach us. Our team is always happy to answer your questions and explain the cPGuard software.

Contact Form 7 Unrestricted File Upload Vulnerability – How does cPGuard protect your websites?


About the vulnerability

Contact Form 7 is a popular WordPress plugin that helps users to create different contact forms on a website. The plugin has a very big user base, with over 5 million active installations. So any vulnerability in such a popular plugin will cause serious security issues for a large number of websites.

Recently there was a report related to this plugin in which security researchers were able to exploit a vulnerability that allowed them to upload files of any type, bypassing all restrictions on the file types that may be uploaded to a website. It also allows web shell injection, which makes it more dangerous and threatening to website security.

How does cPGuard handle the problem?

Immediately after the vulnerability was announced, our WAF team started investigating it and released a WAF update to protect our users' websites from the vulnerability. So far, cPGuard WAF has the following set of protections against this particular vulnerability:

  • We have an explicit WAF rule which prevents exploitation of this particular vulnerability.
  • Our existing WAF rules will prevent uploading PHP files.
  • Our existing WAF rules will prevent accessing PHP files from the target location.
  • Our scanner engine can report the file uploads/injections.

Do I still need to worry?

Our WAF and scanner engine are powerful enough to block such targeted and generic types of web exploits. Even though cPGuard provides security measures for this problem, we still encourage you to advise your users to upgrade the Contact Form 7 plugin to the latest version, 5.3.2.

If you need any additional details, please contact our support team.

cPanel Scanner Layers – Incremental File Scanning


One of the questions we have been receiving frequently of late is how efficient the scanner is, and whether there is an option to do something similar to the Rapid scan offered by another solution. To answer this question, we have to explain how the whole scanning system works, automatically or manually, and how the total workflow is much faster and more efficient compared to any other competing solution.

The scanner levels

In cPGuard, we scan each new/updated file at multiple levels, which lets us process files in various ways, multiple times, with the most recent virus signatures, and do so efficiently with very little load. Each of the layers is explained below.

1. HTTP Upload Scanner:- If you have WAF integration enabled, this is the first level of scanning when a file is uploaded/updated via the web. This scanner will immediately deny the file upload if it contains malicious code and notify the customer. You can find the related log in the web server ModSec log or under WAF logs in cPGuard WAF.

2. Automatic Scanner:- If you have Virus Scanner enabled under Settings >> Scanner, this scanner will be triggered. It is the background scanner, which keeps track of all uploaded/modified files and scans them.

3. Daily Scanner:- If you have Daily Scanning enabled from Settings >> Additional Settings, daily file scanning will trigger every day. This option will scan all files uploaded/updated in the last 24 hours.

4. Weekly Scanner:- If you have Weekly Scanning enabled from Settings >> Additional Settings, weekly file scanning will trigger every Sunday. This option will scan all files uploaded/updated in the last 7 days.
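
As an added illustration (not cPGuard's code and not part of the original article), the sketch below shows how a daily or weekly incremental pass can pick its candidate files by change time. The function names and the sample tree are assumptions; it compares mtime-only selection with selection on the later of mtime and ctime, since on Linux a file's owner can set mtime but not ctime.

```python
import os
import stat
import tempfile
import time

DAILY = 24 * 3600   # "last 24 hours" layer
WEEKLY = 7 * DAILY  # "last 7 days" layer


def changed_since(root, window, now=None, mtime_only=False):
    """Return sorted regular files under root changed within `window` seconds."""
    now = time.time() if now is None else now
    cutoff = now - window
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of root
            except OSError:
                continue  # file vanished between listing and stat
            if not stat.S_ISREG(st.st_mode):
                continue
            # mtime can be set by the file's owner (os.utime, touch -d); on
            # Linux ctime is kernel-maintained and moves on every write,
            # chmod or utime call, so take the later of the two.
            changed = st.st_mtime if mtime_only else max(st.st_mtime, st.st_ctime)
            if changed >= cutoff:
                hits.append(path)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: one fresh file, one with mtime backdated 30 days."""
    root = tempfile.mkdtemp(prefix="webroot-")
    fresh = os.path.join(root, "index.php")
    backdated = os.path.join(root, "uploads", "img.php")
    os.makedirs(os.path.dirname(backdated))
    for path in (fresh, backdated):
        with open(path, "w") as fh:
            fh.write("<?php /* constructed sample */ ?>\n")
    old = time.time() - 30 * DAILY
    os.utime(backdated, (old, old))
    return root, fresh, backdated


if __name__ == "__main__":
    root, fresh, backdated = build_sample_tree()
    print("mtime only :", changed_since(root, DAILY, mtime_only=True))
    print("mtime+ctime:", changed_since(root, DAILY))
```

With mtime alone, the backdated file drops out of the 24-hour window; including ctime keeps it in the candidate list for the daily pass.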

So how does the incremental scanning work?

As with the different scanner levels explained above, each layer works differently. So once you have cPGuard installed and configured on your server:

  • Run the ALL manual scan, which will scan all web files on your server and take action on them
  • Enable Daily Scan
  • Enable Weekly Scan
  • Make sure that WAF integration is enabled and works fine

The above steps make sure that your server will be free from all known virus files. In addition to the scanner layers, our WAF rules are powerful enough to stop the upload or exploitation of vulnerable files and add an extra layer of security.

Is the incremental scan really fast?

Yes, it works faster and more efficiently than any other competing solution. Based on analysis from multiple servers, it took less than a few minutes to complete daily scanning for 200GB of web data, and without any high load on the server. You can see how many files it scanned and how much time it took for each scan.

Is it possible to schedule Daily and Weekly Scans?

Yes, if you prefer to run the scheduled scans at a particular time, you can do so easily:

  • Disable Daily and Weekly scanners from Additional Settings
  • Use the cpgcli CLI utility to schedule Daily and Weekly scans at your preferred time.

More questions?

We are always happy to hear from you. If you need any more clarification, please reach out to our Support desk.

Recent changes and features in cPGuard


What are the new features in recent cPGuard versions?

At OpsShield, our engineers are always keen to hear feedback from our customers, read each item carefully and make amendments to the software to make it useful and user-friendly. So in each version, we try to add at least one of the requested features along with the other updates and bug fixes. In recent cPGuard versions, we have added a few such options which you might not have noticed yet.

1. User-defined Captcha protected URLs

We introduced our recent Captcha protection technique a couple of months back, which handles the Captcha requests in our cloud. This is one of the best and most effective mechanisms out there, and it takes the load of handling attackers off your server. This method can stop the majority of the attacks against your server and reduce server load on a large scale. We used to protect a set of pre-defined URLs, like the WordPress login page, Joomla login page, etc., which get most of the attacks. But to make it flexible and to protect other web apps and URLs, we have now made this list user-defined. So the user can now decide which URLs should be protected using Captcha, and it is a unique feature that is available to protect your web apps. You can simply add the new URL from Settings >> WAF in the cPGuard UI.

2. Weekly Scanner

We have added a weekly scanner recently, which will scan all files that were updated in the past 7 days. This ensures that all such files are scanned again using the updated ruleset and can thus eliminate many bad files from the server. The scanner is designed to consume very few resources and finish in a short time span. This is also an optional feature, which users can disable from the Additional Settings page, though we recommend keeping it enabled.

3. Revamped License Checking

One of the frequent complaints that we received from our clients was about the license status. It sometimes failed to detect the license status because the license system was located in central Europe and some clients had connection issues to the resource. To fix it, we have migrated our licensing system to AWS and distributed the checks through their worldwide network. So now the license check can be done from any location without any failure.

4. Command Line Utility

This is another of the feature requests that we received in the past: a clean and simple tool to manage settings from the command line. It is available now, and you can refer to our KB to learn more about this tool and the various command-line options it has. This is a very useful tool for people who wish to change settings quickly and on multiple servers using some automation.

5. Enhanced daily reports

We have changed the daily report formatting and style to a modern one, in which a user will get all activities with a graphical representation. It is good enough to understand the overall statistics of the attacks that happened on the server.

The features are not limited to the above; you can find all the details about each version update in our changelog. Also, if you wish to see any specific features added to cPGuard, please feel free to contact us and we will see what we can do.