SecuPress

SecuPress v2.0 aka Python


SecuPress 2.0 is here! As always after a long stretch without updates, this 2.0 is finally out. The goal of this version is to open the door to future 2.x versions: the change of major version number means that every feature will be reviewed one by one and improved in every sense of the word.

Python is the code name of Tony Stark’s Mark XX armor. You can spot it in Iron Man 3 when he deploys all his armors during the House Party Protocol.

What’s New?

This version took a full 2 months of development. I didn’t want to make a 1.5 or a mini 2.0, let alone a “simple” update.

SecuPress had to move to v2 because its features, as good as they were, could be improved. And then, as always, new features, fixes and improvements.

The changelog is the longest I have ever written: 200 tickets have been processed (WHAT??). In fact, 100 of them were deleted as obsolete: a bug we saw once in 2017 with no news since, a ticket that no longer means anything, and so on. Then 105 others were really processed in this version, whether simple tasks that took me 30 seconds or sometimes 2 weeks for a single ticket. Half of these tickets are improvements, a third are bug fixes, a dozen are new features and the rest are translation changes (see below).

Before getting into the “visible” details, let’s quickly talk about what is less visible but matters a lot:

  • The required PHP version is now 5.6 instead of 5.4, and the required WordPress version goes from 4.0 to 4.9. WordPress is currently at 5.7, so we still allow 8 major versions behind, which is already quite a lot.
  • The translations have been revised, both the English (grammar and mistakes) and the French. Better turns of phrase, clearer and less vague at the same time. The translations now come only from our .po / .mo files, even for the free version, because keeping control over what is written in our plugin is important: it avoids many surprises!
  • In the same vein, sites in Canadian French (fr_CA) and Belgian French (fr_BE) now get the French translation (fr_FR) by default instead of English.
  • Deactivating SecuPress now removes the content it added to wp-config.php and .htaccess and, if possible, puts your own code back (without making backups: we comment your code out upstream and uncomment it downstream). And when uninstalling the plugin, everything finally disappears.
  • SecuPress blocks fewer request methods, because more and more plugins (Matomo, Elementor…) use less conventional methods, but still in a clean way.
  • Emails sent by SecuPress no longer come from noreply@example.com (where example.com is your domain name) but from the admin email in the WordPress settings. This prevents the mails from landing in the spam box because noreply@ does not exist.
  • PS: Site Health was removed in 2.0 but reintroduced in 2.0.1, bad idea 😉

And surprising as it may seem (I already mentioned it in a previous article), there is a security patch in this v2.0. It was discovered very recently by a customer: the flaw allowed a simple visitor to ban any IP on a site with SecuPress (free and pro) activated, making it impossible to visit the site. It came from a misreading of the IP address in the honeypot module for robots.txt. The danger level for your site is 0; it’s just annoying that a visitor can push IP addresses to be banned. All good now!

Detail, or not: the free version will receive this 2.0 update in a week.

Come on, let’s go through the new features the way the SecuPress menu is split: module by module, page by page.

Main Scanner

The grade system appeals to a lot of people BUT it can also be a nuisance, especially for professionals such as agencies whose clients find it anxiety-inducing not to get grade A. This grail is not necessary to have a secure site, grade B is already very, very good, yet it generates unnecessary support for these professionals. It’s up to us to relieve them by offering to hide it.

Grade A is now a little more accessible and the other grades more rewarding, let me explain. Two-factor authentication cannot always be activated, for various reasons, but without it you could not get grade A. Sure, 2FA has been important for several years, but a site can be quite secure without it under the security policy of the agency or of the client. Access to grade A without 2FA should be possible, and it’s done: the scanner no longer takes this test into account when calculating the grade.

Let’s continue in the same direction with the PHP version. We are currently at 8.0.1, but not having this version does not make your site less secure: if you are on 7.3 it still works, since 7.3 is still supported for security. Moreover, minor versions no longer count for the scanner test, which will also reduce the support load on web hosts whose customers ask for PHP upgrades too quickly when SecuPress scares them about it. The PHP version is therefore no longer taken into account in this calculation.

In return, if you have 2FA and/or a recent PHP version, your grade receives a “+”, a kind of bonus grade!


My local website with grade C+

Ha, that’s not enough, you don’t want the grade system at all anymore? OK, you can remove it in 2.0: a simple checkbox to uncheck and you will have this:

Grade is gone.

New Scanner

None for this v2.0, in fact, except that you will need to rescan the wp-config.php one, because new constants can be set to improve security.

Which brings me to a UX improvement: it is now possible to scan a single scanner item without rescanning everything, just hover your cursor over a scan:

Relaunch a scan by clicking its button!

Modules

Overall, only the dashboard has kept its settings reset button. I might put it back on the others, but as those are not “just” checkboxes but the activation of modules, deactivating everything in 1 click on each module page is not necessarily a good idea.

Come on, let’s take them in order:

Dashboard

3 new advanced settings have been added, including the one that lets you deactivate the grade system. The second is the possibility of not having a menu in the admin bar. I admit that if every plugin duplicates its menu up there, there is no room left! The advantage of ours is that it gives faster access to a specific option of a module while the basic menu does not; it’s up to you!

Uncheck to hide the adminbar menu

The third is just a setting that already existed as a PHP constant. A big word to say that you can hide the contextual help in SecuPress to lighten the interface, so you have to know which setting does what. Are you an expert or what?

The expert mode

Users & Login

Move Login Page

Nothing really new here, or almost: we added a way to use the WordPress parameter ?wp_lang=. So it’s now possible to get the moved login page in the chosen language (if that language is installed on your site; we use the native way, not our own).

Login Errors

SecuPress relied on WordPress translations to replace the error text, but if WordPress changes even a single character the module no longer works, and if another plugin adds more errors I can’t tell, so this required too much maintenance. The errors are now all simply removed, or rather replaced by a default message. If you need them to stay displayed, as with WooCommerce I was told, do not activate the module.

Password change

This option has disappeared because since WordPress 5.7 (update!) an administrator can change a user’s password without knowing the current one, AND the user may not accept this reset. With the old option, the admin had to know the user’s password; in short, not great, I prefer to remove it.

Locking of the default role, registrations and admin email


The 3 new settings

3 new options arrived in this 2.0. SecuPress will ensure that these 3 WordPress settings cannot be changed. The interface will no longer allow it, and even if you manage it via code or modify the database directly, SecuPress keeps control and prevents the new value from being taken into account.

What is it for? Let me explain: many flaws, strangely especially in premium themes, allow WordPress options to be modified. All it takes is a for loop over the elements of $_POST that runs update_option($name, $value), and presto: the registration setting can be injected (shall we open registrations?) and the default role changed (shall we set it to admin?). I let you imagine the rest: yes, the attacker can then legally create an admin account, and no script or security plugin can prevent it EXCEPT, now, by locking the settings upstream.
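Here is one way to pin those three settings upstream, as an added illustration (this is not SecuPress’s own code): a mu-plugin that short-circuits both reads and writes of the options, so neither a theme calling update_option() on $_POST data nor a direct edit of the database changes the effective value. The pinned values, in particular the admin email, are placeholders to adapt.

```php
<?php
/**
 * Plugin Name: Lock critical WordPress settings (illustrative mu-plugin)
 * Place in wp-content/mu-plugins/ so it loads before any theme or plugin.
 */
defined( 'ABSPATH' ) || exit;

// The values we want to pin. Placeholders: set your own admin email here.
function lock_settings_pinned_values() {
    return array(
        'users_can_register' => '0',                 // registrations closed
        'default_role'       => 'subscriber',        // never an elevated role
        'admin_email'        => 'admin@example.com', // placeholder value
    );
}

foreach ( array_keys( lock_settings_pinned_values() ) as $option ) {
    // Reads: get_option() returns the first non-false value given by the
    // pre_option_{$option} filter, so a value edited directly in the
    // database is never used by WordPress.
    add_filter( "pre_option_{$option}", function ( $pre, $name ) {
        $pinned = lock_settings_pinned_values();
        return $pinned[ $name ];
    }, PHP_INT_MAX, 2 );

    // Writes: pre_update_option_{$option} lets us replace the incoming value.
    // Returning the pinned value makes update_option() see "no change" and
    // skip the database write, whatever the caller tried to store.
    add_filter( "pre_update_option_{$option}", function ( $value, $old_value, $name ) {
        $pinned = lock_settings_pinned_values();
        if ( $value !== $pinned[ $name ] ) {
            // Worth alerting on: something tried to change a locked setting.
            error_log( sprintf( 'Blocked attempt to change option "%s"', $name ) );
        }
        return $pinned[ $name ];
    }, PHP_INT_MAX, 3 );
}
```

The error_log() call is where you would plug in your own alerting; a blocked write to default_role or users_can_register is exactly the kind of event worth a notification.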

I hope you have configured the alerts to receive notifications of an admin’s connection to your site!

Captcha

The captcha can now be activated only if the JS returns no error when loading the options page. This prevents activating the module while it is broken on the login page because of a bad .htaccess / .htpasswd setting or a JS error.

Themes and Extensions

Nothing for the moment, but a quick overhaul (2.1?) of the module that detects themes and plugins that are vulnerable or deleted from the repository is planned, to make it more relevant. To be continued.

WordPress core

Database

Previously, if your database prefix was wp_ or wordpress_, SecuPress could fix it for you through its scanner, using a random string. But you had no way to change it manually. This matters if you have mistakenly disclosed your prefix: until now it was impossible to request a change again via SecuPress. It is now possible.

Now you can!

Configuration file

Big chunk here. Before, SecuPress could only secure ALLOW_UNFILTERED_UPLOADS and DISALLOW_FILE_EDIT. However, via the configuration file scanner, SecuPress could adjust other constants for you, constants you could then no longer deactivate and which remained in place if SecuPress was deactivated. As I said at the beginning, SecuPress now cleans up on deactivation and completely on uninstall. It seems easy to do, but it is a point that took me 2 weeks (I thought 2 days…).

Now each constant that SecuPress can touch is an option, checked either via the scanner’s fix or by yourself. Then, when you deactivate SecuPress (for testing only, stay with us eh!), the constant disappears and your old value is restored. So you have better control over what is written in the configuration file.

As a bonus in this 2.0 we therefore have: debug management, site URLs, the file editor, unfiltered uploads, database repair, the cookie prefix value, and finally modification and refresh of the security keys.

On this last point, I’m talking about the module that removes the security keys from wp-config.php and the database and creates a mu-plugin file which then generates random ones. In addition, you can regenerate them in 1 click if needed.


1 click: new keys!

Besides, this file has changed and will be replaced when switching to v2.0, so you will be logged out, sorry about that!

Sensitive data

Forbid redirection on undisclosed public pages

Did you know? WordPress can redirect a visitor when the page they land on is a 404 and they have put a certain parameter in the address bar. This lets that visitor find pages (public, certainly) that have no clickable link on the front-office and are not present in a sitemap.

For example, I have a page on secupress.me like that, which lets whoever has the link get a free license (don’t bother searching, even with the link the content is password protected). Well, with this native feature, a visitor could type /?name=%free% in the address bar and land on my page, because the page slug is /secupress-free-license.

SecuPress now prevents that; I mean, I didn’t find a use for it in core…
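For those who want the same protection without the module, here is an added mu-plugin illustration (not SecuPress’s code) that turns off the 404 slug guessing. It uses the do_redirect_guess_404_permalink filter that WordPress 5.5 introduced, and for older cores cancels canonical redirects on 404 responses, which is where the guessing happens.

```php
<?php
/**
 * Plugin Name: Disable 404 permalink guessing (illustrative mu-plugin)
 */
defined( 'ABSPATH' ) || exit;

// WordPress 5.5+ exposes a dedicated switch for redirect_guess_404_permalink():
// returning false means a 404 stays a 404 instead of being "guessed" from
// ?name=, ?p= and friends.
add_filter( 'do_redirect_guess_404_permalink', '__return_false' );

// Fallback for cores before 5.5 (this post supports WordPress 4.9+): the guess
// is computed inside redirect_canonical(), and the redirect_canonical filter
// runs afterwards with is_404() still true, so returning false there cancels
// the redirect. Regular canonical redirects for existing pages are untouched.
add_filter( 'redirect_canonical', function ( $redirect_url, $requested_url ) {
    if ( is_404() ) {
        return false;
    }
    return $redirect_url;
}, 10, 2 );
```

Check the result with a request such as /?name=%free% against a slug that exists: it should now return a plain 404 rather than a 301 to the matching page.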

Firewall

Block bad referrers

When you navigate from one site to another, you usually carry to the target site the information of where you came from. You may not want your site to be in the path of certain other sites, which is why you can use a new feature simply by listing the URLs of the sites you no longer want as referrers of yours.
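As an added illustration of how such a referrer block works (not SecuPress’s implementation, and the blocklist hosts are constructed examples), this mu-plugin rejects requests whose Referer host is, or is a subdomain of, a listed host:

```php
<?php
/**
 * Plugin Name: Block bad referrers (illustrative mu-plugin)
 */
defined( 'ABSPATH' ) || exit;

// Constructed blocklist of referrer hosts; subdomains of each are matched too.
function bad_ref_blocklist() {
    return array( 'spam-example.test', 'malware-example.test' );
}

// Returns true when the Referer URL's host is (or is under) a listed host.
// A missing or unparsable Referer is not judged: many browsers strip it.
function bad_ref_is_blocked( $referer, array $blocklist ) {
    $host = parse_url( (string) $referer, PHP_URL_HOST );
    if ( ! is_string( $host ) || '' === $host ) {
        return false;
    }
    $host = strtolower( rtrim( $host, '.' ) );
    foreach ( $blocklist as $bad ) {
        $bad = strtolower( $bad );
        // Exact match, or a suffix match on ".bad" so "evil.bad" is caught
        // but "notbad" is not.
        if ( $host === $bad || substr( $host, -strlen( '.' . $bad ) ) === '.' . $bad ) {
            return true;
        }
    }
    return false;
}

// Run early, before the theme renders anything.
add_action( 'init', function () {
    $referer = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';
    if ( bad_ref_is_blocked( $referer, bad_ref_blocklist() ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}, 0 );
```

The Referer header is supplied by the client and often omitted by referrer policies, so this is hygiene against unwanted traffic rather than a security boundary.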

bad-ref

Malware sites (oops they are mine!)

Bad URLs

The “Block SQL injection attempts” module has been removed: it is obsolete, these attacks are no longer done this way, and even if someone tried, it would only work on very old sites with old hacker tools. In short, it became useless, and a module must disappear; that’s also an update, not just additions (but I repeat myself, I say it at each update!)

Anti Spam

Nothing in v2.0; this module will also be revised to be even more efficient (v2.2?).

Malware Scanner

OK, here is a big piece that also took me many weeks (dev I had already done in 2020). This module currently works, but over time it is less and less precise: the way it was built in 2016 remains good, but its detections are no longer precise or exhaustive enough, which results in a huge bunch of false positives. I think 90% of the reports from this scanner were false positives in 2020, and the detection base could be much better filled.

I then went one by one through the malware files that I have always kept and that I find on hacked WordPress customer sites. The old detection base was 6.5kb of data; the v2.0 one is 31.4kb, 4.8 times larger and also more precise, which brings the false positive rate down to 5% instead of 90%.

On the interface side, we can no longer delete the detected files. It was a mistake on my part to offer that, because being in the business, I check files and delete them, but the verification has to be done over FTP and you have to know whether it is really a threat or not. I myself have NEVER used these checkboxes to delete files. This deletion not only created support, but above all, I let you imagine what happens when you delete files from your site: Fatal error… Oops. So now we don’t have that worry anymore.

Instead, the detail of why the scanner flagged the file was added. This still does not mean the scanner is right, BUT if you are in doubt about the file’s name or location, open it over FTP, look in the file for the words returned by our scanner and see (if you can) whether that looks like a real hit to you or not. If in doubt, open a support ticket with these files as attachments and we will tell you.

Also, we can now watch the scanner at work. Don’t forget that it runs in the background: you can launch it and change page, close the tab, turn off the computer, go out! It keeps working.

The new Malware Scanner at work!

And here is the new results page with details.

Logs & IP + Backups

Nothing new, and I doubt there will be. Why? Because logs are not security per se, nor are backups. Also, these are basic modules that do the job, but if you want more detail in the logs, better sorting etc., or if you want to save to a cloud etc., then you have to turn to solutions made for that; it is a profession in its own right. As much as I think it’s important to have logs and backups, I can’t do everything (and make the coffee). So either you keep these modules as they are, or we will see the…

Addons

(What a magnificent transition) Addons is a new entry in SecuPress’s main menu:

2 addons to replace logs and backups

Addons are nothing more than recommendations of other plugins that we know do a good job.

Alerts

Another good point here: currently alerts are sent by email, which is the minimum; I just added Slack notifications! This lets agencies, for example, receive alerts from their clients’ sites, or a webmaster receive alerts from the sites they maintain, instead of having emails in a single mailbox that is much less convenient for a group to consult.

In Slack, we need to check to validate the webhook

Webhook is now accepted

Now I get the Slack notifications!

Schedules

Nothing in v2.0 and nothing planned, it works fine, right?

What’s next?!

  • Addition of a new 2FA mode, the famous “Google Auth”-like, compatible with any mobile OTP (One Time Password) authentication app; on Android I recommend “FreeOTP”, which is ad-free, open source and free.
  • Redesign of the module that detects plugins and themes that are vulnerable or deleted from the repo.
  • Redesign of the antispam API.
  • Addition of basic CSPs.
  • Better white label (support for logos everywhere).
  • Fix of the .htaccess bug mentioned in the changelog.

Etc. Any ideas? I have plenty of them ;)

If you want to compare Pro vs Free features again, our features page is available and up to date.

(Slightly) detailed changelog

Bug fixes

  • Some .htaccess rules could not be written because the file was not found. This is fixed, but I will redo the system for 2.1 because there is still a known bug in this 2.0: if you have more than one .htaccess, the deeper ones in the tree override our rules and remove protections. The goal will be to target the most appropriate .htaccess.
  • The emoji ⚠️ has been removed from the error message of the move login page module. Why? Because when importing settings, there was sometimes an encoding problem that left the settings blank…
  • Since WordPress 5.3, you are asked from time to time whether the administration email address is correct. If you had activated the move login page module, you could get it at every login.
  • With white label enabled, the settings link on the plugins page was not valid.
  • The links to the docs are now in https.
  • Added support for the “Unikname Connect” plugin as 2FA. I don’t recommend this plugin; the code doesn’t feel clean or secure to me… I’ll take a closer look.
  • Google was sometimes blocked depending on the request method it used, but with no SEO impact; it had more to do with APIs or third-party services on its side.
  • If you had PasswordLess and your role was not affected, the login field remained visible in step 2 instead of disappearing.
  • License fields could no longer be hidden via the expected constant: SECUPRESS_HIDE_API_KEY.
  • Updating the GeoIP database could cause a fatal error during a CRON run; not harmful for the front-end site.

Improvements

  • Scan report emails include the grade in the subject and are only sent if the grade went down. Less spam, more precision, saves time!
  • Possibility to change the security keys in 1 click without touching the file on the server. Also, they no longer change on their own every month: some developers had the bad idea of deriving their remote API key from the WordPress keys instead of creating their own…
  • In the logs, the standard links were added to other plugins’ items like “Purge cache”; since it’s not a public CPT, we took that out.
  • The main scanner refreshes itself after 3 minutes to prevent people from thinking they are stuck on the page without refreshing, for fear of breaking something.
  • The malware scan works even if Ajax is broken: a meta refresh tag takes over. PS: fix your JS anyway!
  • The hotlink module serves the replacement image in a better way to avoid 404 URLs.
  • The secupress_die() function now honours the requested HTTP return code, as wp_die() does.
  • Overall improvement of the account enumeration blocking module.
  • PHP 8 compatibility.
  • SecuPress no longer says that the wp-config.php and .htaccess files are not writable etc., no big deal.
  • SCRIPT_DEBUG is no longer taken into account in the wp-config scanner.