The 2017 WordPress Security Half-Time Report
2017 has been a remarkable year so far for Wordfence and our customers. We are about halfway through the year at this point, so I’d like to give you an update on some of the incredible innovation and progress at Wordfence in 2017.
Our company’s top priority is to secure our customers’ websites from attackers. Our goals are to prevent an attack before it can occur, and to provide the best detection capability available to help you find and fix security problems and malware on your website. To fulfill this objective, we need to innovate constantly on several fronts. This year, we have improved the performance of our security products, improved detection capability, introduced a completely new service that expands beyond the WordPress universe, and published continual cutting-edge research to help you better understand the threats you are facing.
As a result, the team at Wordfence has been terrifically busy this year, and the items I mention below only include the highlights of their many impressive achievements so far. The Wordfence security plugin for WordPress has received 13 updates this year as of this writing, or an average of an update every two weeks. To get an idea of the rapid pace of innovation at Wordfence, look at the most recent 13 releases in our change log and how much has gone into each one.
Plugin Release Highlights in the First Half of 2017
First, a Strong Focus on Security Innovation
January 12: We released an improvement to brute force login reporting, tracking brute-force attempts to wp-login.php and XMLRPC separately so that we could better identify attackers and attack types. We also improved the performance of brute force attack reporting.
January 26: We launched a robust Dashboard for Wordfence to give you a clear overview of your security posture. This release also included a menu redesign to help you navigate the Wordfence user interface more easily.
February 7: This release changed the way we block IPs: we switched to blocking them at the Wordfence WAF (Firewall) level to virtually eliminate the performance impact that blocked IPs have when accessing your site.
February 23: We improved the Wordfence firewall’s ability to inspect incoming form submission requests for malicious content.
March 9: This was a big milestone. We launched the Wordfence IP Blacklist for our Premium customers. The blacklist is a real-time list of IPs that are attacking WordPress sites right now. It is continually updated and continually pushed out to our customers. This release dramatically improved the protection that our Premium customers receive.
Next, We Focused on Performance
March 23: We improved the performance of the Wordfence malware scanner when handling very large files. We also improved Wordfence compatibility with various caching systems.
April 5: We reduced the memory usage of the overall scan and reduced its network bandwidth usage.
April 25: We further improved the performance of Wordfence on large multisite installations.
May 17: We optimized the malware signature scan to improve speed when scanning your site for malicious files.
June 1: We further reduced the overall memory usage and peak memory usage of the malware scanner.
Now, A Shift Back to Security Improvement and Innovation
June 15: We added a brand new capability to the Wordfence scan, letting you know if you are using any plugins that have not been updated in two or more years. It also alerts you if a plugin you are using has been removed from the WordPress.org plugin repository. The scan also includes any vulnerability info related to an outdated plugin or one that has been removed from the official WordPress repository. This helps you ensure that the plugins you are using are well-maintained and vulnerability-free.
Major Customer Service Improvements
January 9: Wordfence added Paypal support to our checkout. This was by popular request, and intended to better support our international customers.
January 26: Our site cleaning team lowered the price for site cleanings from $179 per site to $149 per site. When the site cleaning team told me they wanted to do this in early January, I was very surprised and, of course, overjoyed. They explained that their operations had become so efficient that they could lower the price to the $149 level. When you consider that a site cleaning includes a Wordfence Premium license worth $99, that is a huge value.
May 4: The site cleaning team then went even further and launched our Site Security Audit service. Our customers have been asking for this service for a long time, and the package the team put together is exceptional. Along with the comprehensive security auditing service, it includes a 90-day guarantee and a free Wordfence Premium license for just $149 per site.
May 16 was a big day for us. We launched Gravityscan.com, which scans any website for malware and vulnerabilities. Gravityscan is a completely new kind of scanner that performs a deep scan of any website to discover security problems that may make your site vulnerable to being hacked, and also checks if you have already been hacked. The team had worked on Gravityscan for about a year prior to launch. It is phenomenally high-performing, very easy to use and free. Gravityscan continues to grow at a terrific pace and already has thousands of daily users performing security scans on their websites.
Highlights From the Blog in the First Half of 2017
January 12: We blogged about a highly effective Gmail phishing campaign that was affecting even experienced online users. The campaign used a data URI to throw up a fake login screen and steal Google credentials. On January 18, Google reached out to us and provided information on what actions they had taken to fix the issue, and we posted a follow-up.
Early February was a dark time for many WordPress site owners. A major vulnerability was found in the WordPress core which allowed attackers to exploit the WordPress JSON API to easily deface WordPress sites. A security company disseminated details about the vulnerability, and the exploits began almost immediately.
February 9: We covered the story in a blog post titled “A Feeding Frenzy to Deface WordPress Sites.” We hadn’t seen an attack this bad before or since.
February 10: We posted a follow-up showing a 26% growth in defacements within 24 hours. This was an early indication of how widespread and severe the impact of this attack would be. Wordfence added protection for our Premium customers in real time as this attack emerged.
February 13: We published research showing how WordPress was used as a command and control server for some of the malware used in the 2016 election hacks.
February 23: We wrote about a catastrophic data leak that Cloudflare experienced. The Cloudflare system had inadvertently mixed sensitive data across sites and visitors. A visitor to one site would accidentally receive data destined for a visitor viewing a completely different site.
March 1: We published a report on a criminal organization we code-named Jersey Shore. This organization was attacking and infecting WordPress sites and using them to market counterfeit sports apparel.
March 17: We came out in support of end-to-end encryption on the Web. We recommended that website owners move away from cloud-based WAFs that intercept traffic and decrypt it. Instead, we suggested that site owners allow users to have a completely secured connection from their browser to the destination web server without intercepting traffic.
April 10: We published a report identifying thousands of vulnerable and infected home routers at ISPs around the world that were attacking WordPress websites. We identified over 10,000 IP addresses in Algeria alone that were attacking WordPress. We posted a follow-up the next day providing a tool that users could use to check if their router is vulnerable.
April 14: We published a report showing how attackers were able to register a domain that looked identical to a legitimate domain and use it for phishing. The technique exploited the way web browsers render Unicode domains. We included an example where we registered our own demo version of a domain called ‘epic.com’ that looked identical to the real epic.com and could be used for phishing.
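As an added illustration (not code from the original post), the check below shows how a lookalike of the kind described above differs from the real domain once it is converted to the Punycode form that resolvers and security tooling actually see. The Cyrillic sample hostname and the function names are constructed for this example.

```python
import unicodedata

# Constructed sample hostnames (not from the original post): the real ASCII
# domain beside a lookalike built from Cyrillic letters that many fonts
# render like Latin e, p, i and c.
REAL_DOMAIN = "epic.com"
LOOKALIKE_DOMAIN = "\u0435\u0440\u0456\u0441.com"  # Cyrillic е, р, і, с + ".com"


def to_punycode(hostname: str) -> str:
    """Return the ASCII (IDNA/Punycode) form of a hostname.

    Browsers may show the pretty Unicode form, but DNS, TLS certificates and
    logs carry this xn-- form, which is where a lookalike becomes visible.
    """
    return hostname.encode("idna").decode("ascii")


def scripts_in_label(label: str) -> set:
    """Collect the Unicode script names (LATIN, CYRILLIC, ...) of a label's letters."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # unicodedata.name gives e.g. 'CYRILLIC SMALL LETTER IE'; the first
            # word is the script.
            scripts.add(unicodedata.name(ch).split()[0])
    return scripts


def homograph_risk(hostname: str) -> dict:
    """Flag labels that are non-Latin or mix scripts, the classic homograph pattern."""
    ascii_form = to_punycode(hostname)
    suspicious = []
    for label in hostname.split("."):
        scripts = scripts_in_label(label)
        if scripts and scripts != {"LATIN"}:
            suspicious.append({"label": label, "scripts": sorted(scripts)})
    return {
        "hostname": hostname,
        "ascii_form": ascii_form,
        "is_idn": "xn--" in ascii_form,
        "suspicious_labels": suspicious,
    }


if __name__ == "__main__":
    for host in (REAL_DOMAIN, LOOKALIKE_DOMAIN):
        print(homograph_risk(host))
```

Running it prints the real domain unchanged with no suspicious labels, while the lookalike resolves to an `xn--` label flagged as CYRILLIC, which is the signal a mail gateway or proxy log review can key on.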
April 20: We published a fun post that included over 50 tools for security analysts. These tools were curated by our team during a technology-sharing call, and they use many of those same tools in their day-to-day work.
May 10: We published research that included 22 abandoned WordPress plugins still listed on the WordPress repository, each of which had significant security vulnerabilities.
May 12: We wrote about WannaCry, also called WannaCrypt, as the story was unfolding in real time. We published the story within hours of the attack first emerging to give our users early warning. By the following Monday, it had become a major story in the media.
The Next Half of 2017 Will Be Extraordinary
Writing this blog post has been a helpful exercise for me personally. We are so busy at Wordfence that we don’t often take a step back and look at how far we have come, or how quickly we are moving. Writing this post has given me a tangible sense of how quickly the team is moving.
I am continuously looking for ways to improve our organization, our practices and our business processes. Looking at what we have achieved in the first 6 months of this year, I am left with a sense that we have a small (38+ people) but nimble, adaptive and fast-moving team that is doing a fine job of serving our customers.
As always, we will continue to improve and innovate. I expect the second half of 2017 will have challenges in store for our customers and the security community, but the Wordfence team is well-equipped to respond rapidly and ensure that our customers receive the best available protection for their websites.
Mark Maunder – Wordfence Founder & CEO