WordPress Security – Secure WordPress sites in cPanel/Plesk/DirectAdmin or any web server using cPGuard

WordPress Security – Secure WordPress sites in cPanel/Plesk/DirectAdmin or any web server using cPGuard

WordPress is a well-known Content Management System ( CMS ) that is powering millions of websites around the world. Along with its popularity to build and manage websites, it is also the hot target of various types of attacks. A WordPress website hosted on a server will face attacks from time to time and it is essential to set up a secure environment for the website to avoid a security compromise.

 What are the major threats to a  WordPress website?

Following are some of the major threats/attacks a WordPress website can face generally. The type of attack is not just limited to these but can be more in number in certain cases.

  1. Brute force attacks
  2. Attacks to scan WordPress core vulnerabilities and attempts to exploit them
  3. SQL Injection Attacks
  4. Attacks to exploit known plugin and theme vulnerabilities
  5. Malware uploads
  6. etc

Again, the attack types are not just limited to the above and you may experience more type of attacks based on scenarios ( other common web attacks like DDoS is excluded in this article ).

How to secure WordPress sites from these types of attacks?

Due to the popularity of WordPress and the increased number of security incidents, there are so many options provided for website owners to secure their websites. These include

  1. Keep the WordPress core, plugins, and themes up to date
  2. Install a security plugin on the website
  3. Take general WordPress site hardening measures
  4. Enable proper website integrity checks and monitoring
  5. etc

Each of the above options is expensive in terms of the paid plugins/themes that you choose and the man-hours to set up the site. Also, this is possible only when you have complete control over the WordPress websites on your server.

What are the challenges a host can face on a shared server with multiple WordPress sites?

On a shared server, there is a high probability to have a good percentage of WordPress websites owned by multiple clients. Since the websites are created and managed by different people, the standards that are taken to ensure website security must be different.  The installed WordPress version may be old, but installed plugins and themes can be different…in many cases, the sites may contain outdated/unused components with vulnerabilities. In some cases, the website may leave without any security settings and such sites can be a big threat for other websites on the server as well if there is no account isolation enabled.

How cPGuard can help to secure WordPress websites?

cPGuard as a web security suite can help the hosting providers to enforce security to all websites on the server with minimal or no manual effort. Once you install and configure cPGuard on your server, it can detect all websites and enable security for them. The beauty of cPGuard is the minimal effort and the expense to secure websites owned by multiple clients and with multiple components with different versions. Give below are some of the major modules that can protect WordPress sites on your web hosting server.

  1. Powerful scanner engine:- The cPGuard scanner engine can do both automated, scheduled ( daily/weekly ), and on-demand scans against the website files. This ensures that your  files are constantly monitored for malware
  2. Infection cleanup:- If the scanner engine detects viruses on your WordPress site, the cPGuard cleanup function can clean them up. We also restore the infected WordPress core files from the original copy and thus ensure the website integrity
  3. WordPress Core Checksum match:- This will check the core checksum of each website and restore the core files from the original source if there is a mismatch. This can remove the hidden malware in core files
  4. Web Application Firewall:- The cPGuard WAF powered by Malware Expert Commercial ModSec rules is very powerful to stop most generic and specific web attacks. The WAF has explicit rules for WordPress security and keeps updated for the latest vulnerabilities reported
  5. Captcha protection:- This is the unique method that we have to stop brute-force attacks against websites on your server. This can largely help to stop bots and thus reduce server load.
  6. Automated notifications to the customers:- cPGuard allows you to send automated email notifications to your customers about the outdated WordPress, plugins, themes, and other potentially vulnerable files they have on their websites. This will make the customer aware of the possible vulnerabilities contained in their websites and can patch them proactively. This will increase total server security as well. You also have the option to customize this email notification content to brand it

The additional protection to your websites is not just limited to the above but the other modules like IPDB distributed firewall, Process monitoring, CMS threats overview, etc can give additional protection to the websites. Also, the feature-rich App Portal UI can give you an overview of the threats that your server is facing…the App Portal enables centralized management for all your servers as well.

How can you try cPGuard?

The installation and configuration are pretty straightforward. You have the option to test cPGuard for 30 days without any cost…you can order the 30 days TRIAL from our cart.  After the trial you can purchase a paid license to continue using cPGuard and cPGuard is the cost-effective solution to protect your websites and it can reduce your license costs by up to 70%.

WordPress core checksum verification and check suspicious cPanel user activity in cPGuard version 4.58

WordPress core checksum verification and check suspicious cPanel user activity in cPGuard version 4.58

We have released cPGuard version 4.58 recently with 2 major features added. We believe the latest features will be helpful for our customers to automatically manage abusive attempts to compromise an account/website and send alerts to the end user and the server administrator. The  2 new features are explained below.

Suspicious User Activity Tracking for cPanel

We have been noticing so many suspicious activities reported, especially on cPanel servers where the hackers could authenticate using valid credentials and do malicious activities on the account. By gaining access to the compromised accounts, the hackers usually upload virus files, backdoors, phishing contents, or completely wipe the website files. The actions are not limited to these but they can do anything they wish to do on the account. This is a widespread compromise and there are thousands of cPanel accounts compromised mostly happened mostly collected through the compromised user’s system and spam campaigns. It is possible that such credentials are being sold on the web for money. In such cases, the only and first fix is to reset the user account password and possibly enable 2FA.

By watching the activities and repeated incidents across some of our customer’s servers, we have added a new option to monitor the user activities after a virus incident is reported under a user. Please note that this new option will not help if the hacker wipes all files, but if they upload bad files and cPGuard can find them, the new logic will trigger. You can enable the new option from cPGuard >> Settings >> Additional Settings. Please note that, this will option will disable all new logins and you need to force reset the user password to restore the login access. Everything else like the websites, emails, etc will work fine.

WordPress file checksum verification and restoration 

It is another major issue we have been noticing where some random WordPress core files get bad code injection and thus cause a website malfunction. Many times such injections install malware, a backdoor, or a malicious redirect. Many times the injected code can repeatedly replace the index.php or the .htaccess file with malicious content and that actually disables the actual use of the reported file cleanup. We have been noticing that the injected code patterns are different in many cases and it is very difficult to identify such malware initially.

So we have started developing this feature using which you can ensure that the core WordPress files are clean always. We use the wp-cli tool to check the file hash and replace the files which do not match the original source. It is an automated process and we will send an email alert if any such incidents happen. You can control this option from Settings >> Additional Settings.

cPGuard now supports Ubuntu 22.04 LTS

cPGuard now supports Ubuntu 22.04 LTS

You can install cPGuard on various operating systems with or without control panels. We are happy to announce that we have added Ubuntu 22.04LTS to the supported Operating Systems list. So now you can install cPGuard on Ubuntu 22.04 with or without control panels. We are one of the first companies that offer the web hosting security suite for your websites offering support for Ubunutu 22.04.

Now you can install cPGuard on the following Operating Systems.

  • CentOS 7/Stream 8
  • RHEL 7/8
  • CloudLinux version 7/8
  • AlmaLinux 8
  • RockyLinux 8
  • Debian 10/11
  • Ubuntu 18.04/20.04/22.04 LTS
WordPress Core Files Cleanup with cPGuard

WordPress Core Files Cleanup with cPGuard

The file cleanup engine is an important part of the scanner module and that helps to automate removing file injections/infections without any manual effort. The importance of such cleanup is when any core file required for the website is infected and quarantined, and that can lead to website downtime.  This is one of the major problems that we were facing especially with WordPress websites.

So we have been checking for additional options to handle such cases and how to fix such issues using our cleanup engine. Conventionally we clean files based on the patterns and virus type, which seems to be not very effective because the hackers keep changing the pattern of the infection

Up on receiving multiple website down complaints after a virus scan and identifying most are WordPress websites, we have started looking for an option to handle such issues. We have finally come up with the file replace option from the original core file which is very effective based on our testing. So it works as the following

  • cPGuard Scanner engine detects an infected file
  • The file will then pass to the cleanup engine and it will identify the framework
  • If it detects WordPress, it will check whether the affected file is a WordPress core file
  • When it verifies a WordPress core is infected, it will detect the WordPress version
  • Then it will replace the affected file from the copy of the original file in the specific version
  • Finally, it verifies the restore after checking the file checksum

 It will also keep a copy of the infected file in the quarantine folder if you wish to check the injection later.

We have been testing this workflow and released it with version 4.37 today as it was found to be very effective to recover WordPress websites from the core file injections.

We hope this will give additional benefit to our customers to run their WordPress websites safely and with less downtime. If yuo need any additional information regarding this feature, please feel free to contact our support team.


Malware in nulled WordPress themes…The story continues…

Malware in nulled WordPress themes…The story continues…

The subject is pretty familiar for most of the WordPress developers and people who maintain the websites. Everyone who takes their website security seriously will honor the advice but there are still some people who wish to take short-cuts and install nulled themes and plugins. Such people are not saving money to add more modules to their website, rather opening a remote website management option to the hacker.

We have added some articles before about such websites which you should not relay to download the plugins or themes. Today I am going to talk about another such website, which is “freewordpresthemes [dot] com”. They are offering a few WordPress themes which you can download free from their website and they are packed with Malware inside. We found them during our regular inspection through the reported malware by our scanner engine. So the cPGuard scanner engine already protects you from the particular malware injected into their package.

So now let us take a look into the actual injection in their package. We found the below injected code in their “functions.php” file which is actually referring to a TXT file in their website.

The injected code actually pulls some code from their website, creates a new file under the public space of the website, adds some code to it which is the remote hand for the hackers.

So what does that mean? Yes, installing and enabling this theme means you have opened up your website to an anonymous person who can make changes to your website without permission.

So how can you escape from such threats? There is only one answer to that…download the themes and plugins from reliable sources. You should be ready to pay for the software that is going to serve your requirements or you should find some alternate options instead of opting for such short-cuts. Even though there are numerous incidents and reports around there regarding such issues, people who do not act wisely will end up in such troubles. 

You can also deploy security solutions like cPGuard on your server to protect you from such threats. But ultimately it is not recommended to use any nulled software if security matters!