• Resolved GermanKiwi

    (@germankiwi)


    Hi there, I have a feature request for Wordfence.

    Wordfence has a setting called “Scan for out of date, abandoned, and vulnerable plugins, themes, and WordPress versions” which I find very helpful. I get a nice email from Wordfence whenever there is a new version available for one of my plugins.

    The email that Wordfence sends, in this case, contains text like this:

    ———————-
    Warnings:
    * The Plugin “XYZ” needs an upgrade (1.2.3 -> 1.2.4).
    https://wordpress.org/plugins/xyz
    ———————-

    I would find it super useful if the email also contained a link to the Updates page of my website (update-core.php), so that I can go directly to that page by clicking on the link in the email – nice and quick and convenient.

    Any chance you could add that link to the email?

Viewing 12 replies - 1 through 12 (of 12 total)
  • Hi @germankiwi,

    Thank you for your input.

    I passed on your request to our development team so they can look into it.

    Thread Starter GermanKiwi

    (@germankiwi)

    Thanks for doing so!

    Hi @germankiwi,

    We agree that it would be convenient however, there is a concern that adding links to these emails could introduce a risk of phishing (and possibly other types of attacks).

    We’ll keep looking into it in order to find a secure way to provide such feature.

    Thread Starter GermanKiwi

    (@germankiwi)

    Hi @wfyann,

    I don’t see how a simple link to the Update page of my site could introduce a risk of phishing or other attacks – could you please elaborate on that claim so I can understand better?

    The link would be added by your plugin, therefore it couldn’t be tampered with. And I don’t believe there’s anything harmful about a link to http://www.example.com/wp-admin/update-core.php (where example.com is my domain). Even if someone else got hold of the email and clicked on that link, they’d still have to actually log into the site to get to that page. So there’s no risk there.

    For what it’s worth, I’ve been using another plugin for the past several years called WP Updates Notifier (https://wordpress.org/plugins/wp-updates-notifier) which does exactly that. It checks on a regular basis for new plugins/themes/core, and sends me an email when updates are available, and the email does contain a link to my Updates page. It works great, and this plugin is used by 40,000+ people and I don’t believe it has any security risk with how it works.

    My goal, though, is to stop using that plugin because Wordfence now provides the same functionality of checking for plugin/theme/core updates. No point having two plugins doing the same thing. So if Wordfence could add that link to the Updates page, as the other plugin does, then it would be a perfect replacement for this purpose! 🙂

    Currently the only link in the email is to wordpress.org, which of course could be spoofed, but would not give anyone YOUR site’s login/password.

    However, if a link to YOUR site was added to the WordFence emails, knowing just your email address and your site, one could easily create a spoof-site that presents a login that looks exactly like it would coming from your site. Then they simply send you an email that looks exactly like a “Problems found on YOURSITE” WordFence email.

    You click the link, see the WP login (from what looks like your site, except if you studied the domain-name closely), you type in your admin/password on the spoof-site, and they then redirect you back to your REAL site.
    If you get another login-page, which would not likely happen, you think “Shoot, must have mistyped” and do it again.

    Phishing accomplished. They have your admin-login and password. Ready for infection of your site and other abuse.

    I agree with @wfyann & Co. No links to the web-site in the email. It would be seriously ripe for abuse across every site with WordFence installed.

    NEVER click on links in emails unless you love infections and viruses. 🙂

    Thread Starter GermanKiwi

    (@germankiwi)

    @crudhunter as I understand it, you’re saying that a hacker could create a fake site resembling the WordPress login page, configured to capture the credentials entered into that page. The hacker would then need to have access to my email Inbox, and intercept a Wordfence email sent to me which contained the link to my own website (i.e. the link I’m proposing here). The hacker could then send me a fake email that looks like a Wordfence email, and it would contain a fake link that looked like the link to my website but actually was a link to the hacker’s fake website. I’d click the link, go to the fake site, enter my credentials, and voila, the hacker knows my credentials. Is that the gist of what you’re saying?

    I disagree with this premise for a number of reasons:

    1) Your argument primarily rests on the idea that the Wordfence emails don’t and shouldn’t contain any link to my website, so that there’s no chance for the hacker to find out my site’s domain name or URL. You’re saying that the hacker’s success depends on him being able to determine my site’s URL by reading it in an email from Wordfence in my Inbox. However, this argument falls through because my site’s URL is already given in the Wordfence email anyway. It’s right there in the Subject of every Wordfence email. The subject says “Problems found on http://www.example.com”. So the hacker can already very easily work out the URL of my login page by just adding /wp-login.php to the end.

    To this I would also add that it’s essential for my site’s URL to be given in the Wordfence email somewhere – at least in the Subject – so that I can determine which, of my many sites, this particular Wordfence email is referring to. It’s not enough to simply mention the site’s “name” in the email, because I could easily have a separate Production and Staging site, both with the same name but different URLs, and I need to know which of these two sites a particular Wordfence email refers to. Therefore the URL must be mentioned in the Subject.

    Therefore, there’s no harm whatsoever in also providing the URL to my Updates page in the body of the email, when the site URL is already given in the Subject.

    2) The only way a hacker could send me a fake email pretending to be from Wordfence, and with a fake link in the email which looked like my site’s URL but really was a link to a phishing site, would be if the hacker used http://www.example.com as the textual part of the link (where that is my website), but used his fake URL in the anchor tag of that link. The email itself would have to be an HTML email for it to work. However, pretty much every email client and email service today will spam-block an email that contains links like that. In addition, in order to appear legitimate, the fake email would need to use my site’s WordPress email address in the FROM field, and I can easily prevent that by enabling SPF and DKIM on my domain. Mail clients will block such emails. Furthermore, all modern browsers highlight the domain name of the webpage in the Address bar, so that it’s easy to see if it’s the site you intended to use. Any and every WordPress admin should be aware of the importance of checking the URL in the browser.

    3) It’s perfectly normal for a website to send an email which contains a link back to the site. The vast majority of WordPress plugins which send out notification emails to the site admin, will include a link back to the site. For example I just noticed that Backup Buddy, one of the most widely-used backup plugins, includes links back to my site in its emails. That’s just one example.

    But even WordPress’s own emails do this – i.e. the emails generated by WordPress core itself. For example, if you’ve configured automatic core updates on your site, then WordPress itself will send you an email which contains links to your own site in the email text – including a link to the Dashboard – like this:

    Howdy! Your site at http://www.example.com has been updated automatically to WordPress 4.8.1.

    No further action is needed on your part. For more on version 4.8.1, see the About WordPress screen:
    http://www.example.com/wp-admin/about.php

    If the WordPress developers consider this safe to do, and not a risk for phishing, then I see no reason why it’s an issue for Wordfence either. I don’t see any risk of phishing here. Especially because, as I mentioned above, Wordfence already includes a link to my site in the Subject anyway.

    My final commentary on this topic.

    Despite what you are thinking, millions of people have had their Banking and other financial credentials stolen using this exact type of Phishing method. Banking emails are just a little easier to spoof than random web-sites, because you can just blanket the world with Bank of America fakes, assuming that a percentage of them has accounts there. Not quite that statistically easy with WordPress emails.

    That individual, goofy, and quite frankly VERY frequently security-ignorant programmers of such things as a Backup Plugin or a WordPress Update notice don’t always think of these things seems irrelevant to me. Heck, even banks still send out emails with links in them, purely for “customer convenience”, despite also sending out warnings never to go to their sites using such email links, because people are faking their emails. 🙂
    One hand not knowing what the other is doing.

    But.. If a Security Plugin like WordPress became a phishing medium, that would be quite laughable. Since they would definitely be assumed to know better. 🙂

    I used to hunt phishers & such creatures.. You learn to dislike email links, when you are for example tracking seemingly legitimate Wells Fargo banking email-links through typically 3-5 infected web-sites in various countries following encrypted/obscured jump-links. Before finally landing on a phishing- or virus-infected site in e.g. Russia or Moldova..
    I can guarantee, that the normal web-users would not notice that their browser executed a series of Redirects, before settling on a legitimately looking page.

    So, if I had a vote on the subject (which I obviously do not), I would vote not to have a Security plugin do such insecure things as sending out email-links back to the Administration pages of the site they are supposedly protecting. 🙂
    Just my opinion.

    Thread Starter GermanKiwi

    (@germankiwi)

    I certainly agree with you that phishing is a big problem today, and I also know that phishers love to send out fake emails purporting to be from banks and other such websites. There’s no argument there.

    What I disagree with is the notion that having a link in a Wordfence email, that points back to my site, is somehow going to help the hackers with their phishing. It simply won’t. Any hacker worth his salt, who wants to determine the URL of your website, will be able to easily figure out the URL using other means. He doesn’t need to hack into your Inbox and read your Wordfence emails to do so. And in any case, as I already explained, your site’s URL is already provided via other emails in your Inbox – such as the official WordPress emails.

    But it’s *not* correct to say that millions of people have had their banking credential stolen as a result of hackers gaining access to their personal Inboxes, reading their emails, determining the URLs of their banks, then creating a fake banking site and sending a phishing email to the victim. That’s absolutely *not* how phishing works. You’re presenting a bit of a strawman argument with that point.

    Phishing works the other way around. Instead of the hacker starting off with no knowledge of your bank’s (or other site’s) URL, then hacking into your Inbox, finding out your URL, and creating a fake site that looks like your site – which is what you are claiming – in reality the hacker will start out by already knowing your (bank’s) URL first – e.g. he finds your site via Google or whatever. Then he’ll create the fake site, send you a phishing email, and hope you’ll click on the link. That’s how phishing works in reality. The hackers start out already knowing the URL of the site they want to target. They don’t need to access your Inbox – that’s not worth their time and effort. So – again – there’s no risk with including the URL in the email because the hackers really aren’t looking for that. They already know it.

    In any case, my main points still stand: Wordfence already includes the URL in the email, and has done so for years I imagine. And WordPress core does too. That alone is evidence enough that this is a non-issue.

    • This reply was modified 6 years, 7 months ago by GermanKiwi.

    The hackers do not need your WordFence email to find a link to your site. They know it.
    They do not need access to your email account either. Just an address.
    The hackers have no problem knowing your site. Or generally knowing all the millions of domains running WordPress. They already know. Just like comment spammers know. WordPress-run sites are as obvious as the nose on our faces unfortunately.
    But they need you to be used to clicking on or expecting an admin link in an email.

    You are right, however, that some WordFence alert emails seem to contain up to multiple links back to your site’s admin pages already, which means adding just one more such link kinda makes no difference at all.. 🙂 If the door to phishing is 90% open already, then opening it to 99% makes no never mind. 🙂
    The daily “Problem” email from scans with Plugin updates & such, though, has no site links in it. At least mine do not.

    That some obscure, random WordPress programmer added a link to a WordPress email means nothing to me. My experience is that most programmers of such side-order code do not think of security at all. Just watch all the “security patches” we keep receiving for all kinds of products; repeatedly, often, and again. 🙂

    Thread Starter GermanKiwi

    (@germankiwi)

    True. But everyone is already used to clicking on admin links in emails, because this is normal behaviour (also from WP core emails). And your email client, browser, and antivirus software will protect you from fake links in phishing emails anyway.

    It’s not some obscure, random WordPress programmer who creates the emails that are sent out by WP core. The WP developers have a very good understanding of security. It’s one of the reasons WP is such a great platform.

    Are you certain that the Wordfence “Problem” emails you currently receive, don’t contain the URL in the subject? All of the ones I receive do contain it.

    Another email which contains a link back to your site’s Dashboard is the “reset password” email generated by WordPress.

    And if you have enabled the Wordfence alert for “Alert when the lost password form is used”, Wordfence will send you an alert email which also contains a link to http://www.example.com/wp-admin/admin.php?page=Wordfence in the body of the email. I’m sure that many other Wordfence alert emails already do this too.

    Therefore Wordfence clearly already considers this quite safe to do.

    The daily problem email has no link back to the site. It has the domain name in the subject, but that is not the same as a link. Not clickable. Does not contain an http type URL.

    All the WordFence individual alerts, such as Admin login, failed login, … follow a shared template file and they have several links back to the WordFence admin page, as I mentioned. Which of course makes @wfyann’s argument a little moot, since WordFence in fact already does what they “don’t want to do”. 🙂

    Your email-client, browser, and others ONLY warn you against Phishing links if you have the option to pass all clicks back to those companies for checking first.
    Such as Chrome’s 2 options for protecting from KNOWN dangerous sites.

    Many people have all that goob turned off, because that passes every click and page you see back through such as Google or Microsoft before allowing you to proceed. If you have all those options turned on, your click would then first be sent through Google, Microsoft, Symantec, all doing similar checks, before you are finally allowed to see the page-link you clicked on. 🙂 That’s a lot of tracking traffic on the Internet, just to finally see a page. 🙂

    I have both those Google options turned off in Chrome for example. I am experienced enough to never click on bad links, and despite having “lived” on the Internet since before the WWW was invented on top of it, have never had a workstation infected with anything at all. I don’t follow links without being darn sure what they are, that they are unobscured, and where they take me. 🙂 But that’s just me. 🙂

    Thread Starter GermanKiwi

    (@germankiwi)

    Actually the domain name given in the subject of the Wordfence “Problem” emails is, in fact, clickable. Most mail clients, such as Outlook, will render it as a clickable hyperlink even though it doesn’t start with http. 🙂

    Yes, you’re right, the other Wordfence emails do contain such links to the Admin area. Which has been entirely my point all along, of course. 😉

    I would also argue that the fact that the standard “reset password” emails contain Admin links is also proof of my point. It’s not only expected behaviour, but totally necessary, for a reset password email to contain an Admin link to the site. It wouldn’t work otherwise. And everyone knows this and expects this. Maybe, in theory, a hacker could spoof the reset password email as you’ve described. And yet, we continue to use reset password emails. Every major, security-minded, account-based website uses them. It’s not considered a security risk at all.

    Good mail clients will filter against fake hyperlinks (where the anchor tag URL points to a different domain) without needing to pass data on to an external service, and such checks are turned on by default as part of the built-in spam filtering. But this is really not the main point here. The main point is that there’s no harm in including Admin links in the email, because Wordfence already does so anyway, and WordPress core already does so anyway, and every other website on the planet already does so anyway, including the ones that actually do know about security. My point is that such links are a non-issue. 🙂

    • This reply was modified 6 years, 7 months ago by GermanKiwi.
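The "fake hyperlink" check that the last two posts argue about (an anchor whose visible text names one domain while its href points at another, plus a link that leaves the sites the email is expected to point to) can be done entirely locally. The following is an added example written for this page, not code from Wordfence or from any of the posters; the sample email bodies, the allow-list and the lookalike host `example.com.evil-host.test` are all constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# A bare or http(s)-prefixed hostname inside the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable(host: str) -> str:
    """Crude registrable domain (last two labels); enough for this sample."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, allowed: set) -> list:
    """Return (href, text, reason) per link; both checks are purely local."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_dom = registrable(urlsplit(href).hostname or "")
        shown = DOMAIN_RE.search(text)          # domain the reader sees
        if shown and registrable(shown.group(1)) != href_dom:
            findings.append((href, text, "visible domain differs from href"))
        elif href_dom not in allowed:
            findings.append((href, text, "href host not on the allow-list"))
    return findings


# Constructed samples (not real Wordfence mail). The lookalike host
# "example.com.evil-host.test" counts on a reader skimming only its left part.
ALLOWED = {"example.com", "wordpress.org"}
LEGIT_HTML = ('<a href="https://wordpress.org/plugins/xyz">wordpress.org/plugins/xyz</a> '
              '<a href="http://www.example.com/wp-admin/update-core.php">'
              'http://www.example.com/wp-admin/update-core.php</a>')
PHISH_HTML = ('<a href="https://example.com.evil-host.test/wp-login.php">'
              'http://www.example.com/wp-admin/update-core.php</a> '
              '<a href="https://evil-host.test/login">Go to Updates</a>')
```

A link whose visible text carries no domain at all ("Go to Updates") can only be judged against the allow-list, which is why the second check exists.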
  • The topic ‘Link to Update page in Wordfence email’ is closed to new replies.