Mark Maunder
Forum Replies Created
Hi,
Hashing the last two bytes of an IP address gives you entropy of 2^16. That means it’ll take just 65536 guesses to reverse the hash back to an IP address. That’ll take a few hundredths of a second per IP address.
Even if you hash the entire IP, same issue. It’s 4294967296 guesses per IP and you can exclude a lot of the entire address space. So it won’t take long to reverse any individual IP or the whole lot.
So hashing is just a measure that lets you pretend you aren’t storing the ip when in fact you are. You may as well ZIP compress them and claim you no longer have the IP address, because it’ll take about as long to reverse the IPs from hashes.
Don’t confuse ‘encrypt’ with ‘obfuscate’, which is really what you’re doing here.
One of our senior devs also commented that this will break a lot of things in the plugin because we use that function in a lot of areas for comparisons – so this will lead to false matches.
Mark.
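An added example, not code from the post or from Wordfence, showing why the reply above treats hashing as obfuscation: the scheme that hashes only the last two bytes has 2^16 inputs, so a table of every possible digest is built once and each "hashed" IP is then reversed by a dictionary lookup; a full-IP hash is reversed the same way once the candidate ranges are narrowed (a /24 here). The final function goes beyond the post and is the editor's addition: a keyed hash (HMAC with a secret) defeats the precomputed table, but the key holder can rebuild it, so the IPs are still effectively stored. The address, network and key are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import os


def hash_ip_suffix(ip: str) -> str:
    """Unsalted SHA-256 of only the last two bytes of an IPv4 address (the scheme under discussion)."""
    return hashlib.sha256(ipaddress.IPv4Address(ip).packed[2:]).hexdigest()


def hash_full_ip(ip: str) -> str:
    """Unsalted SHA-256 of the whole 4-byte IPv4 address."""
    return hashlib.sha256(ipaddress.IPv4Address(ip).packed).hexdigest()


def build_suffix_table() -> dict:
    """Precompute all 2^16 = 65536 possible suffix digests once.

    After this, reversing any suffix hash is a single dictionary lookup.
    """
    return {
        hashlib.sha256(bytes((hi, lo))).hexdigest(): (hi, lo)
        for hi in range(256)
        for lo in range(256)
    }


def reverse_suffix(digest: str, table: dict):
    """Return the (third, fourth) octets behind a suffix digest, or None if not found."""
    return table.get(digest)


def reverse_full_ip(digest: str, candidate_network: str):
    """Brute-force a full-IP digest over one candidate network.

    Mirrors the post's point that most of the 2^32 space can be excluded:
    an operator usually knows which ranges matter, and a /24 is 256 hashes.
    """
    for host in ipaddress.IPv4Network(candidate_network):
        if hashlib.sha256(host.packed).hexdigest() == digest:
            return str(host)
    return None


# Editor's addition beyond the post: a keyed hash. The precomputed table no
# longer matches, but anyone holding SECRET_KEY can rebuild the table, so this
# is pseudonymisation under a key, not deletion. Key is generated at runtime
# for the example (assumed, not from the page).
SECRET_KEY = os.urandom(32)


def keyed_hash_ip_suffix(ip: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 over the last two bytes, keyed with a secret."""
    return hmac.new(key, ipaddress.IPv4Address(ip).packed[2:], hashlib.sha256).hexdigest()


if __name__ == "__main__":
    table = build_suffix_table()      # 65536 SHA-256 calls, well under a second
    sample = "203.0.113.77"           # constructed documentation-range address
    print(reverse_suffix(hash_ip_suffix(sample), table))             # (113, 77)
    print(reverse_full_ip(hash_full_ip(sample), "203.0.113.0/24"))   # 203.0.113.77
    print(reverse_suffix(keyed_hash_ip_suffix(sample), table))       # None
```

The table costs one pass over the input space and is reused for every stored digest, which is why the per-IP cost the post cites is hundredths of a second rather than anything that resembles a security margin.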
Hi,
“the customer himself doesn’t need to see all the IPs to provide security for his site with your plugin”
Actually you do. You need to be able to manage IPs you have blocked, be able to manually view attacks in live traffic, and so on. You as a site owner perform security functions using Wordfence and need to be able to see and manage IPs.
“To be compliant with GDPR the customer should get these users’ consent first”
This is incorrect. Providing a security function is a legitimate interest. Please see Recital 49 of the GDPR: https://www.privacy-regulation.eu/en/r49.htm
I would caution against looking at features that a vendor is providing, Google Analytics in this case, and using them to infer how the GDPR works. GA is a marketing tool and so falls into a very different category, compared to Wordfence which provides a security function.
If security companies could no longer store IPs in order to block attackers, they would not be able to protect you. That is why GDPR Recital 49 says that security “constitutes a legitimate interest of the data controller concerned”.
Mark.
It’s all quite boring actually. No conspiracy here I’m afraid.
ByteGrid: We own our own servers and physically locate them in a rack at ByteGrid, which is a data center that provides colocation. They do not have access to the data on those servers. They just provide power, climate, security and bandwidth.
Twilio is who we use to send SMS messages when providing two factor authentication. We share your phone number with them so that they know who to send the SMS to. Again, boring.
Freshworks makes Freshdesk, our ticketing system. Your email and name are stored in that system. It has to be or we wouldn’t know who we’re talking to.
Mode is a tool we use to query our own databases. It’s like a SQL client on steroids with graphing and analyzing capability. Mode Analytics connects to our DB servers and we use it to query things like attack data, user data and so on. Because the data passes from the DB, through their systems and into the user interface, we have to list them as a sub-processor.
I think you’ve misunderstood the ‘sharing’ part of what Mode does. It gives us the ability to share reports internally at Defiant. That data is not shared outside our organization.
Our DPA is clear on who our sub-processors are. If we shared that data with any other company, they would be listed as an additional sub-processor in the DPA.
Mark.
Hi there,
We do not have the ability to delete posts. A moderator did that. That moderator is not a member of our team. They are a volunteer.
We did not change our privacy policy or DPA, as you have suggested.
I think the confusion here is that you are reading our Privacy Policy which applies to the plugin AND our website. Our website does not specifically target European customers and we are not based in the EU, and so our own website is held to different compliance standards.
The Wordfence plugin is what you are concerned about because that is what you are running on your own website. Our plugin is GDPR compliant. As Kerry previously pointed out to you, if you want to understand what data we collect and who we share it with via the Wordfence plugin, all that information is in the DPA (data processing agreement). We are very clear on who we use to store data and what the vendor names are. It’s also important for you to understand that we aren’t “sharing” data with outside marketing companies via the plugin. Instead, we use these services, like AWS, to provide the functionality of the plugin. For example, we have to store some data on disk, and in some cases we use Amazon Web Services for that. They are GDPR compliant, they are a sub-processor of ours, and if you have a user request deletion, we ensure that our sub-processors delete that data.
I also think there is some misunderstanding on your part. You said:
“You have now added a “Defiant Data Processing Agreement” where you are basically asking your clients who receive EU traffic to legally assume all risk. There’s a 20-page agreement that I must contract a lawyer to guide me through?? Seriously?”
This is how the GDPR works. If you are required to be GDPR compliant, are a data controller with a website that users visit and you use services that process user data to provide things like security, email services, blog comments, data analytics etc, you need to have a DPA with those data processors. We are a data processor and you are a data controller. To establish that relationship under GDPR, we have a DPA that we both sign.
I should add that our organization has spent hundreds of hours working with one of the best law firms in the world to become compliant. This included a comprehensive data audit, removing sub-processors who are not GDPR compliant, ensuring that we clearly list our compliant sub-processors, updating our ToS and Privacy Policy, creating the DPA, creating the processes whereby you can download a pre-signed DPA from us and email it to privacy@defiant.com and appointing team members to key security and privacy roles. A lot of work and thought has gone into this. As a website operator, if you are required to be GDPR compliant, you may want to consider seeking legal advice, as we have. The GDPR is complex and unfortunately it creates a significant compliance burden for smaller website owners and service providers.
Mark.
We posted an update today on the blog. You can find the post here:
More to come next week.
Regards,
Mark.
Hi all,
We posted an update on the blog today. More to come next week.
Regards,
Mark.
Hi guys,
We posted an update today. More to come next week.
Regards,
Mark.
Thanks David, really glad you’re happy. I posted this for the team on our internal Slack. Really nice feedback. Thanks again.
Mark Maunder – Wordfence and Defiant Founder & CEO.
Forum: Reviews
In reply to: [Wordfence Security - Firewall, Malware Scan, and Login Security] the best!
Thanks for your kind feedback.
Mark Maunder – Wordfence Founder/CEO.
Forum: Reviews
In reply to: [Wordfence Security - Firewall, Malware Scan, and Login Security] super
Thanks for your kind feedback.
Thanks for your kind feedback.
Mark Maunder – Founder/CEO.
It sounds like you’re looking at a different product. Wordfence 7 is clean, quieter and far more effective and easy to use than previous versions. It is also thoroughly tested and performs flawlessly on a huge range of platforms.
Wordfence 7.0.1 was a major user interface redesign which moved the focus onto security fundamentals. Our emphasis is now on securing your website and doing the things that are most important to prevent a hack. This includes giving you a quick and easy way to see what your security posture is and whether you have the blacklist, firewall and malware scan enabled and if you have any current issues.
Live traffic can be useful for some purposes e.g. seeing in real-time which bots are visiting your site. But it is not fundamental to security and in fact creates unnecessary work if you are trying to watch it and stop attacks manually. Wordfence actually does that work for you automatically now and you can disable live traffic and have a perfectly secure high performance site.
If you would like live traffic back on the menu on the left, we have provided an option to enable that. Just ask in the support forums.
Our team are without question the leaders in the WordPress security space. There is no better way to secure your site than Wordfence. We do realize that creating and releasing great software is an evolutionary and collaborative effort, so if you have any constructive feedback we’d love to hear from you in our forums. Our team is very responsive and that feedback is always brought back to product meetings.
Regards,
Mark Maunder
Wordfence Founder/CEO.
Hi there,
Our metrics show incredible adoption and feedback from customers has been incredibly positive. Wordfence is more popular than ever and our rate of growth has increased.
You should understand that our team is a combination of engineering/QA/UX and security experts who are leaders in their field with an incredible depth of experience. Our focus is on securing your site, preventing a hack and detecting any issues you might have. If we don’t do that, we’re not doing our job.
Much of the feedback you’re seeing, and perhaps what you’ve experienced, is that we changed Live Traffic. With Wordfence 7, we removed the menu option and we also made the default view more compact. Both can be changed back. Post in the forums to find out how.
We removed the emphasis on live traffic because it does not improve security fundamentals. I suspect many users are unhappy because it created a kind of gamification of security: Block the bad guys as they arrive. No enterprise grade security product expects users to behave that way. So we deemphasized it so that that is no longer the default mode of use.
We are aware of the need for a global options page and that was an oversight. Product design is an evolutionary thing. We have received feedback on this and are responding, fast!
Our emphasis is now on securing your website and doing the things that are most important to prevent a hack. This includes giving you a quick and easy way to see what your security posture is and whether you have the blacklist, firewall and malware scan enabled and if you have any current issues.
WordPress security is all we do and we do that extremely well. If you are looking for a way to prevent a hack and detect if you have any security issues, Wordfence is by far the industry leader and with this release, we move the product emphasis firmly into that space.
Regards,
Mark Maunder
Wordfence Founder/CEO.
Wordfence 7.0.1 was a major user interface redesign which moved the focus onto security fundamentals. Our emphasis is now on securing your website and doing the things that are most important to prevent a hack. This includes giving you a quick and easy way to see what your security posture is and whether you have the blacklist, firewall and malware scan enabled and if you have any current issues.
Live traffic can be useful for some purposes e.g. seeing in real-time which bots are visiting your site. But it is not fundamental to security and in fact creates unnecessary work if you are trying to watch it and stop attacks manually. Wordfence actually does that work for you automatically now and you can disable live traffic and have a perfectly secure high performance site.
If you would like live traffic back on the menu on the left, we have provided an option to enable that. Just ask in the support forums.
You can also enable an ‘expanded’ view in live traffic. Check the options at the top of the live traffic page.
Regards,
Mark Maunder
Wordfence Founder/CEO.
Hi there.
Blocking IPs that access specific URLs still works. It’s under Advanced Firewall Options on the Firewall Options page. The option name is still “Immediately block IPs that access these URLs”.
Brute force protection is still extremely effective in Wordfence. Nothing about that has changed.
Rate limiting still functions as it always did.
The firewall still has the best rules in the business to block known and even several zero day exploits.
The newest version is 7.0.1 and I think that’s what you’re referring to.
It sounds like you may be having trouble finding things. If you need help or have any constructive suggestions about how to improve things, we’d love to help you. Please post in the forums.
Regards,
Mark Maunder
Wordfence Founder/CEO