WordPress® Hardening: One-Click Security with cPanel

by cPanel: WordPress is far and away the most widely used content management system on the web, but that popularity comes at a price: it is also the most attacked CMS. Not because it is insecure, but because attackers know that a WordPress vulnerability is a gateway to tens of millions of websites.

As soon as a WordPress website goes online, automated bots begin to probe it for weaknesses. That is why it is critically important to harden WordPress sites so that they present the smallest possible attack surface.

Security hardening was once a long and complicated manual process, but WordPress Toolkit for cPanel makes it a one-click affair. This article will explore some of the ways WordPress vulnerabilities are exploited and how WordPress Toolkit protects sites against many common attacks.

Common WordPress Vulnerabilities

Every vulnerability is unique, but most attacks against WordPress sites fall into one of four categories:

  • Brute force and dictionary attacks: Attackers attempt to guess security credentials such as usernames and passwords. Attacks of this type are carried out by bots that can quickly flood WordPress authentication systems with a deluge of login attempts.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks: Bad actors bombard sites and networks with requests and data, consuming resources, degrading performance, and potentially taking them offline. WordPress includes an XML-RPC interface (xmlrpc.php), which is often abused in denial of service attacks.
  • Core, plugin, and theme vulnerabilities: Bugs in code can be exploited to circumvent authentication systems, upload malicious code, or gain extra privileges. Bad actors often look in a site’s files for clues about the sort of attack it is vulnerable to.
  • Code injection attacks: Running malicious code is a goal of many bad actors. They scour WordPress sites searching for vulnerabilities that will let them inject PHP, JavaScript, or SQL code.

WordPress Toolkit for cPanel implements features and security measures that protect sites against each of these attack types.
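The first two categories above leave a recognisable trail in the web server's access log. As an added example (not cPanel or WordPress Toolkit code), the script below parses Apache-style access log lines, flags any client whose POSTs to wp-login.php reach a threshold inside a sliding time window (the brute-force pattern), and counts hits on xmlrpc.php (the XML-RPC interface mentioned above). The log lines, IP addresses and the threshold of five attempts per minute are all constructed for this example; tune the threshold to your own site's legitimate login rate.

```python
"""Flag login bursts and XML-RPC traffic in WordPress access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache combined log format (not real traffic):
# 203.0.113.5 hammers the login form, 198.51.100.9 hits XML-RPC,
# 192.0.2.44 is an ordinary visitor who logs in once.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2411 "-" "python-requests/2.26"
203.0.113.5 - - [10/Dec/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2411 "-" "python-requests/2.26"
203.0.113.5 - - [10/Dec/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2411 "-" "python-requests/2.26"
203.0.113.5 - - [10/Dec/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2411 "-" "python-requests/2.26"
203.0.113.5 - - [10/Dec/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2411 "-" "python-requests/2.26"
203.0.113.5 - - [10/Dec/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2411 "-" "python-requests/2.26"
198.51.100.9 - - [10/Dec/2021:10:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 671 "-" "-"
198.51.100.9 - - [10/Dec/2021:10:01:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 671 "-" "-"
198.51.100.9 - - [10/Dec/2021:10:01:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 671 "-" "-"
192.0.2.44 - - [10/Dec/2021:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2021:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request method, request path and status code from a
# combined-format line; the user agent and referrer are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, time, method, path and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # compare paths without the query string
        "status": int(m["status"]),
    }


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def login_bursts(entries, threshold=5, window=timedelta(seconds=60)):
    """IPs whose POSTs to wp-login.php reach `threshold` within any `window`.

    A two-pointer sweep over each IP's sorted login timestamps yields the peak
    number of attempts seen in one window; that peak is reported per flagged IP.
    """
    per_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == "/wp-login.php":
            per_ip[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def xmlrpc_clients(entries):
    """Requests to xmlrpc.php per client; any hit deserves review once XML-RPC is disabled."""
    counts = defaultdict(int)
    for e in entries:
        if e["path"] == "/xmlrpc.php":
            counts[e["ip"]] += 1
    return dict(counts)


def analyze(text):
    entries = parse_log(text)
    return {"login_bursts": login_bursts(entries), "xmlrpc": xmlrpc_clients(entries)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for ip, n in hits.items():
            print(f"{kind}: {ip} ({n} requests)")
```

Feed `parse_log` the contents of your web server's access log instead of `SAMPLE_LOG`; the single legitimate login from 192.0.2.44 stays below the threshold, while the six attempts in four seconds from 203.0.113.5 are reported.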

Security Hardening with WordPress Toolkit for cPanel

cPanel’s WordPress Toolkit is a complete WordPress management solution with an intuitive interface. You can think of it as a single dashboard for controlling all of your WordPress sites. It automates WordPress hosting tasks, including installation, updates, and backups. It also surfaces configuration tweaks that you’d otherwise have to dig around in the admin interface or edit configuration files to change.

WordPress security hardening is one of the places where WordPress Toolkit really shines. First, it applies fixes for critical vulnerabilities during installation, so sites are secure before they go online. Second, it scans existing sites for suboptimal security settings and can fix them at the click of a button.

We’ll have a look at some of the security fixes it applies in a moment, but first, we’ll show you just how easy it is to security harden a WordPress site with cPanel.

To use one-click hardening, you will need:

  • A cPanel instance with WordPress Toolkit installed
  • A WordPress Toolkit Deluxe license.

You can find the WordPress Toolkit in Applications on cPanel’s main page. Sites are listed on the overview page with status information and configuration switches.

Second Log4j vulnerability discovered, patch already released

After the disastrous Log4j vulnerability disrupted the online world, another vulnerability surfaced online.

The Log4j vulnerability has become one of the largest security issues we’ve seen in recent times. With the level of attention now being focused on this problem both by attackers and defenders, it’s likely that we’ll see further information and possible vulnerabilities.

A second vulnerability involving Apache Log4j was found on Tuesday after cybersecurity experts spent days attempting to patch or mitigate CVE-2021-44228. The description of the new vulnerability, CVE-2021-45046, says the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was “incomplete in certain non-default configurations.”

“This could allow attackers… to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack,” the CVE description says.

In the aftermath of the immediate response, companies should carefully consider how they can manage this type of risk strategically. Improving detection of software versions and using software supply chain security tools are good examples of defense-in-depth security measures that can provide short-term mitigations. Using these tools gives IT departments the time needed to coordinate comprehensive patching and testing of their software systems in a safe and controlled fashion.

It turns out that the first patch was ‘incomplete’, and therefore another Apache Log4j version has been released.

Second Apache Log4j Bug Found

Reportedly, Apache has released another major update for its Log4j code library addressing a serious bug. Identified as CVE-2021-45046, this vulnerability appeared following an incomplete patch of the (now infamous) Log4Shell flaw (CVE-2021-44228). As stated in the vulnerability description:

“It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.”
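The section above recommends improving detection of software versions as a short-term, defence-in-depth measure while patching is coordinated. As an added example (not cPanel's, Apache's or the hosting provider's code), the script below inventories log4j-core inside JAR, WAR and EAR archives, descending into archives nested inside other archives, reads the version from the Maven pom.properties that the artifact carries (falling back to the file name when the metadata was stripped), and classifies each finding against the two releases this article names: anything below 2.15.0 is exposed to CVE-2021-44228, and 2.15.0 itself carries the incomplete fix described by CVE-2021-45046. The archives in the demo are constructed in memory; backport releases for older Java runtimes are deliberately not modelled.

```python
"""Inventory log4j-core versions in Java archives (added example, not vendor code)."""
import io
import re
import zipfile
from pathlib import Path

# Maven writes this file into every log4j-core artifact; it is the most
# reliable place to read the version from, independent of the file name.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")


def log4j_core_version(blob, name=""):
    """Return the log4j-core version carried by this archive, or None.

    Prefers pom.properties; falls back to a version in the file name for
    archives that were repackaged without their Maven metadata.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            if POM_PROPS in zf.namelist():
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        return None
    m = NAME_RE.search(name)
    return m.group(1) if m else None


def find_log4j_core(blob, name, depth=0, max_depth=3):
    """List (path, version) for every log4j-core in blob, descending into
    nested archives (WAR -> WEB-INF/lib/*.jar, EARs, fat JARs)."""
    found = []
    version = log4j_core_version(blob, name)
    if version:
        found.append((name, version))
    if depth >= max_depth:
        return found
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for entry in zf.namelist():
                if entry.lower().endswith(ARCHIVE_SUFFIXES):
                    nested = f"{name}!{entry}"
                    found.extend(find_log4j_core(zf.read(entry), nested, depth + 1, max_depth))
    except zipfile.BadZipFile:
        pass
    return found


def version_tuple(version):
    """'2.15.0' -> (2, 15, 0); pre-release suffixes contribute their digits."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def classify(version):
    """Map a version onto the two releases the article discusses.
    Simplification: backport lines for older Java runtimes are not modelled."""
    v = version_tuple(version)
    if v < (2, 15, 0):
        return "affected by CVE-2021-44228 (Log4Shell); fix for CVE-2021-45046 also absent"
    if v == (2, 15, 0):
        return "CVE-2021-44228 fixed, but CVE-2021-45046: fix incomplete in non-default configurations"
    return "newer than the releases discussed here; check the current Apache advisory"


def scan_directory(root):
    """Walk a directory tree and report (location, version, verdict) per finding."""
    report = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            for where, version in find_log4j_core(path.read_bytes(), str(path)):
                report.append((where, version, classify(version)))
    return report


def build_archive(entries):
    """Constructed test fixture: an in-memory zip built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Constructed inputs: a WAR bundling log4j-core 2.15.0 with its Maven
    metadata, and a 2.14.1 jar whose metadata was stripped (name fallback)."""
    pom = b"version=2.15.0\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
    inner_jar = build_archive({POM_PROPS: pom, "org/apache/logging/log4j/core/Logger.class": b""})
    war = build_archive({"WEB-INF/lib/log4j-core-2.15.0.jar": inner_jar, "WEB-INF/web.xml": b"<web-app/>"})
    stripped = build_archive({"org/apache/logging/log4j/core/Logger.class": b""})
    findings = find_log4j_core(war, "app.war") + find_log4j_core(stripped, "lib/log4j-core-2.14.1.jar")
    return [(where, version, classify(version)) for where, version in findings]


if __name__ == "__main__":
    for where, version, verdict in demo():
        print(f"{where}: {version} -> {verdict}")
```

Run `scan_directory("/path/to/application")` against a deployment root to produce the same report for real archives; the nested path notation (`app.war!WEB-INF/lib/...`) tells the patching team exactly which bundled copy needs replacing, which matters because a vendor application can ship its own log4j-core independently of the system's Java packages.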

Log4j

Log4j is a Java library that adds drop-in logging functionality to many online software products. It is not something an end user would generally download and use; it is included as part of the software. Because of that, end users are generally unaware whether the software they use contains the vulnerability. The log4j vulnerability is rated at 10 on a scale of 1 to 10, with 10 representing the most dangerous level of vulnerability.

The popular cPanel web hosting server control panel software recently issued a patch to fix a critical flaw in the log4j Java library discovered in part of the software used for email. The vulnerability itself is named Log4Shell.

Internal Update
Our team is currently investigating CVE-2021-44228, a critical vulnerability that’s affecting a Java logging package log4j which is used in a significant amount of software, including Apache, Apple iCloud, Steam, Minecraft and others. Our security team is actively monitoring the effects of this vulnerability.

At this point, we have not identified an impact to the HDWEBPROVIDER Platform, but our teams are monitoring activities to ensure all instances of our back-end are safe and will be taking appropriate action as needed.

The only cPanel service affected by the log4j vulnerability was the Dovecot Solr cPanel plugin, which we are NOT using on our servers. We already did not recommend that plugin because of its higher resource usage for no real benefit to IMAP searches.

Status:
cPanel has already put out a patch for this as of Friday, and our servers and cloud network are fully secured against this vulnerability.