Two of the biggest caching plugins in WordPress have what we would classify as a very serious vulnerability – remote code execution (RCE), a.k.a. arbitrary code execution.
It appears that a user by the name of kisscsaby first disclosed the issue a month ago via the WordPress forums. As of 5 days ago both plugin authors have pushed new versions of their plugins disabling the vulnerable functions by default. The real concern, however, is the seriousness of the vulnerability and the sheer volume of users between both plugins.
There are a few posts, released within the past few hours, that do a great job of explaining what the issue was and what was being exploited. You can find some good after-action thoughts on Frank Goosens’ blog and on Acunetix’s blog as well.
Between the two plugins they’re looking at something close to 6 million downloads. Granted, not all are current installs and some will be updates, but assuming even 25% are unique sites, that’s an impressive number for any plugin. The real issue is that it applies to any WordPress blog that has comments enabled.
If you’re using a third-party comment service, like Disqus, this won’t affect you. A really simple way to test is to leave yourself a comment like this:
<!--mfunc echo PHP_VERSION; --><!--/mfunc-->
If the comment renders your PHP version, it means anyone can pass any commands they want to your server and they’ll execute, hence the term remote command execution (RCE).
Replace my echo with an eval and encode a payload and now it’s a different ball game. Case in point: a backdoor shell, all delivered via your comments and bypassing all other authentication controls.
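As an added, defender-side illustration (this is not code from the post, nor from either plugin), here is a small Python scanner that flags stored comments containing the mfunc tag described above. It also looks for the sibling mclude and dynamic-cached-content tags that WP Super Cache evaluated the same way (that detail comes from the plugin’s own documentation, not from this post), tolerates odd spacing and casing, and accepts the en-dash form of the comment opener that copy/paste through a WordPress page produces. The sample comments are constructed. The neutralise function shows the kind of filter a site could apply to incoming comments until both plugins were updated: it defangs the opener so the cache plugin’s parser no longer recognises the tag.

```python
import re

# Dynamic-content tags that the caching plugins treated as PHP to execute.
# "mfunc" is the tag discussed in the post; "mclude" and "dynamic-cached-content"
# are the sibling tags WP Super Cache also supported (from the plugin's docs,
# not from the post above).
DYNAMIC_TAGS = ("mfunc", "mclude", "dynamic-cached-content")

# Matches an opening or closing tag such as <!--mfunc ... --> or <!--/mfunc-->
# with any spacing or casing. Also accepts "<!–" / "<!—" (en/em dash) openers,
# which is what the tag looks like after a round trip through a rendered page.
TAG_RE = re.compile(
    r"<!(?:--|\u2013|\u2014)\s*(/?)\s*(" + "|".join(DYNAMIC_TAGS) + r")\b",
    re.IGNORECASE,
)

# Constructed sample data: (comment_id, comment_content).
SAMPLE_COMMENTS = [
    (101, "Great article, thanks for sharing!"),
    (102, "<!--mfunc echo PHP_VERSION; --><!--/mfunc-->"),           # the check from the post
    (103, "looks fine <!--  MCLUDE some/file.php --><!--/mclude-->"),  # odd spacing and case
    (104, "<!\u2013mfunc echo 1; \u2013><!\u2013/mfunc\u2013>"),        # en-dash opener
    (105, "I love <!-- a harmless HTML comment --> cats"),              # ordinary HTML comment
]


def find_dynamic_cache_tags(text):
    """Return the distinct dynamic-cache tag names found in text, lower-cased,
    in order of first appearance. An empty list means the text is clean."""
    seen = []
    for match in TAG_RE.finditer(text):
        name = match.group(2).lower()
        if name not in seen:
            seen.append(name)
    return seen


def scan_comments(comments):
    """comments: iterable of (comment_id, content).
    Returns [(comment_id, [tag, ...]), ...] for every comment that contains a tag."""
    hits = []
    for comment_id, content in comments:
        tags = find_dynamic_cache_tags(content)
        if tags:
            hits.append((comment_id, tags))
    return hits


def neutralise_dynamic_cache_tags(text):
    """Defang any dynamic-cache tag by HTML-escaping its '<' so the comment
    opener no longer exists for the cache plugin's parser. The visible text of
    the comment is preserved, only '<!--' in front of a tag becomes '&lt;!--'."""
    return TAG_RE.sub(lambda m: "&lt;!--" + m.group(1) + m.group(2), text)


if __name__ == "__main__":
    for comment_id, tags in scan_comments(SAMPLE_COMMENTS):
        print(f"comment {comment_id}: dynamic cache tag(s) {', '.join(tags)}")
    print(neutralise_dynamic_cache_tags(SAMPLE_COMMENTS[1][1]))
```

Run over a database export of wp_comments (or as a filter on new submissions), any hit is a comment that a vulnerable cache plugin would have executed rather than displayed; upgrading the plugin remains the real fix, and the neutraliser only closes the comment path.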
Again, this is not an issue to be taken lightly: it is a very serious vulnerability, further exacerbated by the fact that any user can exploit it. The easiest way to protect yourself is to upgrade. You can find the latest updates on the WordPress.org repository:
Top marks to the plugin developers for acting quickly on the issue. Now it’s your turn, end users: update!
This is a guest post written and contributed by CloudFlare. CloudFlare makes it easy for any site to be as fast and secure as the Internet giants.
CloudFlare, a web performance and security company, is excited to announce our partnership with Simple Servers! If you haven’t heard about CloudFlare before, our value proposition is simple: we’ll make any website twice as fast and protect it from a broad range of web threats.
Today, hundreds of thousands of websites—ranging from individual blogs to e-commerce sites to the websites of Fortune 500 companies to national governments—use CloudFlare to make their sites faster and more secure. We power more than 65 billion monthly page views—more than Amazon, Wikipedia, Twitter, Zynga, AOL, Apple, Bing, eBay, PayPal and Instagram combined—and over 25% of the Internet’s population regularly passes through our network.
CloudFlare is designed to take a great hosting platform like Simple Servers and make it even better.
We run 23 data centers strategically located around the world. When you sign up for CloudFlare, we begin routing your traffic to the nearest data center.
As your traffic passes through the data centers, we intelligently determine what parts of your website are static versus dynamic. The static portions are cached on our servers for a short period of time, typically less than 2 hours before we check to see if they’ve been updated. By automatically moving the static parts of your site closer to your visitors, the overall performance of your site improves significantly.
CloudFlare’s intelligent caching system also means you save bandwidth, which means saving money, and it decreases the load on your servers, which means your web application will run faster and more efficiently than ever. On average, CloudFlare customers see a 60% decrease in bandwidth usage and a 65% decrease in total requests to their servers. The overall effect is that CloudFlare will typically cut the load time for pages on your site by 50%, which means higher engagement and happier visitors.
Over the course of 2011, CloudFlare identified a 700% increase in the number of distributed denial of service attacks (DDoS) we track on the Internet (see the chart below). As attacks like these increase, CloudFlare is stepping up to protect sites.
CloudFlare’s security protections offer a broad range of protections against attacks such as DDoS, hacking or spam submitted to a blog or comment form. What is powerful about our approach is that the system gets smarter the more sites that are part of the CloudFlare community. We analyse the traffic patterns of hundreds of millions of visitors in real time and adapt the security systems to ensure good traffic gets through and bad traffic is stopped.
In time, our goal is nothing short of making attacks against websites a relic of history. And, given our scale and the billions of different attacks we see and adapt to every year, we’re well on our way to achieving that for sites on the CloudFlare network.
Any website can deploy CloudFlare, regardless of your underlying platform. By integrating closely with Simple Servers, we make the process of setting up CloudFlare “1 click easy” through your existing Simple Servers cPanel dashboard. Just look for the CloudFlare icon, choose the domain you want to enable, and click the orange cloud. That’s it!
We’ve kept the price as low as possible and plans offered through Simple Servers are free. Moreover, we never charge you for bandwidth or storage, therefore saving you tons via reduced bandwidth costs.
For site owners who would like to take advantage of CloudFlare’s advanced offerings, we also offer a ‘Pro’ tier of service for $20/month. The ‘Pro’ tier includes all of the ‘Free’ tier’s offerings, as well as extra features like SSL, full web application firewall and faster analytics.
We’re proud that every day more than a thousand new sites, including some of the largest on the web, join the CloudFlare community. If you’re looking for a faster, safer website, you’ve got a good start with Simple Servers, but the next step is to join the CloudFlare community.
After extensive trials we are now pleased to announce that all SSD Rocket box servers now use the latest Samsung 840 PRO series drives.
This is our latest stage in a market leading solid state drive journey.
After the initially dismal performance of the Crucial and OCZ SSD drives over the last 24 months, we switched to the first-gen Samsung drives, then to the latest Intel 520 series.
We tested with the latest 3.5GHz Dell/Intel Ivy Bridge boxes and Magento flew.
The Samsung 840 PRO is a market-killing drive with massive performance over anything else we have tried.
Just look at the read and write speeds…
Samsung’s SSD 840 PRO Series is a high-performance SSD, capable of delivering up to 100,000 IOPS Random Read Speed and 540MB/s Sequential Read Speed—an SSD of unrivaled high performance. Built with an advanced MDX controller, Samsung’s SSD delivers high speeds regardless of data type, unlike competing controllers that greatly favor compressible data.
As the world’s #1 DRAM, NAND Flash, and SSD supplier; Samsung SSDs are designed and built completely in-house. The Samsung SSD 840 Series is optimized for exceptional, sustained performance and unrivaled reliability through its specially-engineered wear-leveling and garbage collection algorithms backed by a generous 5-year limited warranty.
The Samsung SSD 840 PRO Series provides the same excellent performance throughout its entire lifetime even under extremely heavy workloads. In fact, the sophisticated MDX controller is capable of maintaining peak performances under punishing conditions for more than twice as long the nearest competitor.
Business Friendly Features
The Samsung SSD 840 PRO Series introduces three important hardware features for businesses: World Wide Name (WWN), LED indicator support, and AES 256-bit Full Disk Encryption (FDE). The first two make it easier to integrate the 840 PRO into server and storage systems, while the AES encryption helps safeguard data against attack. Because all information on the disk is encrypted at the hardware level, there is no detrimental effect on performance.
Plus, Samsung’s Magician software has been completely redesigned and includes several business-friendly features including Drive Health Status, Total Bytes Written (TBW), and Disk Scan & Error Reporting functionality. This allows IT managers to monitor drive health and plan hardware replacement cycles.
We are pleased to announce that our latest rack has been commissioned. It has diverse 1000Mb/s network connectivity, is “tier 4 aligned” (the highest recognised datacentre standard in the industry), offers N+N (aka 2N) redundancy, and is used for our dedicated and shared customers.
Needless to say, the new rack benefits from our standard double battery backup, generators and diesel – enough to last for a week – to ride out extended power outages.
Hard at work during the install:
The team worked hard at the weekend adding a new R1soft backup server to further strengthen our backup solution. The new server adds a whopping 16TB of storage that also fails over to a redundant SAN.
All are linked to our dedicated and shared servers via our 1000GBS internal network. The box is an 8-disk dual Xeon CPU server with 32GB of RAM, backed by dual power via diverse A/B supplies.
Simple Servers are ELITE R1Soft Backup Partners.
I spoke with 2 team leads from Cloudflare on the phone today, both really nice and helpful guys. They will be sorting out the issues we had. Top marks, guys!
Cloudflare is an excellent service and we recommend it thoroughly, having had a great experience until this week.
One of our customers was experiencing a heavy load of nearly 2000 concurrent users on their Magento site. Not a problem, as we have built a custom Magento cluster with a huge 32 Xeon cores powered by Intel SSD RAID arrays on Dell 12th gen kit. In short, the best you can buy.
We ran this customer on Cloudflare and it ran well, until we opted for the $200 per month Railgun option. After nearly 48 hours of support tickets we finally got the epic response of:
Engineering hasn’t responded yet, but there should be an updated version of Railgun next week which should improve speed and stability of the railgun listener. Thank you for your patience.
So Railgun doesn’t quite work for busy sites; our customer lost sales for the 48-hour period it took to get the final response, and support could not answer our question fully. I hope Railgun does work in future releases and we will try it again for sure. But for now it will stop your Magento site from selling and cause you and your customers trouble. Shame…
We are pleased to announce that the Simple VIP reseller programme is finally here!
Earn discounts of up to 25% with no buy in and no minimum term!
Join the Simple partner programme, leverage our hosting expertise, and get access to a very competitive referral compensation plan. The programme is designed to make it straightforward to enhance your business with our best-in-class performance hosting solutions.
We have just completed a massive 32-core CPU custom Magento cluster using the latest 12th Gen Dell Enterprise servers with Intel 330 series SSD drives. This was to help an existing customer who started getting 700+ concurrent users to their Magento store; they expect this traffic to double in the next month.
We have load balanced the web front end with an all-SSD web and MySQL cluster.
2 x Dell R720 web server front end
RAID 10 Intel 330 SSD 256 GB drives
24 GB RAM
Dual hex-core Sandy Bridge Intel CPU
710 RAID cards with battery backup
Dual 750W PSU
1 x Dell R320 MySQL server
RAID 10 Intel 330 SSD 256 GB drives
16 GB RAM
Quad-core Sandy Bridge Intel CPU
2 x load balancer servers (HA pair)
We added LiteSpeed Enterprise and Varnish caching to help things along.
After our early adoption of SSD drives for web servers we have learnt a lot, the hard way…
Our current SSD server fleet consists of Crucial, various OCZ flavours, Samsung and now Intel.
We have had excellent performance from Samsung (0 failures) and terrible performance from Crucial (all 20 Crucial drives failed within the first 8 months). We now bolster our SSD arsenal with the latest Intel next-gen drives.
The new drives will be commissioned into our cloud and dedicated server platforms.
Intel 330 series specification table (values not recoverable from the page): Random Read (8GB Span); Random Write (8GB Span); Power – Active; Power – Idle; Weight <= 80 grams.
Payment Card Industry Data Security Standard, or PCI DSS, is a set of security standards for organisations that handle or store credit/debit card information. These standards are defined by The Payment Industry Standards Council to better protect cardholders from fraud.
Currently any web site that allows customers to input their card details needs to be compliant with the PCI DSS standards. If the web site redirects customers to a third-party payment provider like WorldPay, PayPal or SagePay then it does not need to comply, as those companies handle the payment security themselves. If you’re unsure whether you need to comply with PCI DSS, feel free to ask us and we will be happy to advise you.
Once you have confirmed that your company needs to comply with PCI DSS, you can approach organisations like Security Metrics (www.securitymetrics.com) or TrustWave (www.trustwave.com) to test your site’s compliance. These companies will produce a report based on an independent scan of your web site that comprehensively tests for vulnerabilities.
Usually you will need to make some changes to your web site and hosting before you will receive a successful report. These changes may include updating software, tightening up your firewall or possibly making changes to your web site.
Once you have passed your initial scan, the security organisation will run a regular report, usually once a month. The PCI DSS standards change fairly regularly, so be prepared to make changes every few months to remain compliant.
Simple Servers will make sure your server always complies with PCI DSS with any of our managed hosting packages.