Mark Maunder
Forum Replies Created
@wpwebbouw Sounds like you have a different problem to the original poster who was referring to our own readme.txt being modified. I recommend starting a new thread and posting the specific false positives you’re seeing. We’re not currently aware of any issue like the one you’re describing at this time.
So I will weigh in on this one too. Why was the information about the free wordfence learning center deleted from the readme file that has been modified in my sites? Is WordFence planning on charging for access to the currently free information?
No. Absolutely not. Unlike some other security providers who charge a lot of money for that kind of content, we are providing it completely free for the community to help secure you. You’re welcome.
While readme.txt files may not be important, they are good files to hack and see the response. I suspect most plugin developers leave backdoors to the plugin to fix small things on the fly rather than issue a big update. That does not make the practice a good one for security.
LOL! No we don’t backdoor our own software. That would be both criminal and stupid because it’s open source and you can check the code yourself.
I think that’s all we have to say re this thread guys. If you have a further issue, please start a new thread with your specific problem, include as much supporting data as you can and we will be happy to address it.
Regards,
Mark.
@061375 I think your issue is unrelated to renaming readme.txt.
@rklrkl You’re an anonymous troll who is attacking others on the WP forums, like Otto who is an incredibly nice guy (who I’ve met in person) and has made an enormous contribution to the WP community. We’re always happy to provide support to those who need it, but not at the expense of common decency. You’re an idiot. Buzz off.
For reference: https://wordpress.org/support/topic/please-use-relative-urls-in-the-wordpress-database?replies=6
@scotten Why don’t you drop us an email at genbiz@wordfence.com and one of our guys (Probably Matt R) will give you some personal assistance with whatever you need.
Hopefully we can help secure your site and get you back to focusing on your business.
Regards,
Mark.
Hi All,
To answer your question about whether we are not following our best practices: That is correct. We did not follow our own best practices in this case. We screwed up. We’re sorry. We have had an internal conversation about this and I’m going to share some of our current thinking:
1. We should not have checked in a change to a current version that produced this warning. Sorry about that. Won’t happen again.
2. We’re also questioning how useful it actually is to be alerted about a change in readme.txt vs a change in a .php file for example. We haven’t made any decisions about this yet, but we will be rethinking this as our product design goes forward.
Hope that helps clarify what happened here.
Regards,
Mark.
Hi,
Matt asked me to reply here. The product you’ve mentioned is an affiliate scheme that pays a 50% commission to people who successfully send leads to the maker of the software. That’s probably why you’re hearing a lot about it. Motivated affiliates are spamming to earn a commission.
The “vulnerability” it mentions was discovered by us, was fixed by us and we were polite and honest enough to disclose it to our customers. The fix actually fixes the issue in every version of Wordfence via a server side fix. It was fixed before the vulnerability was disclosed. So the claim the video makes about infected sites is garbage. Our customers were never at risk – clearly the author doesn’t understand how vulnerability disclosure works or that we fixed and then disclosed it ourselves.
Regards,
Mark.
/readme.html is a core WordPress file shipped with every release and Wordfence is tampering with that despite the fact that every third-party WordPress developer is told to never modify/rename/delete core WordPress files!
I think it’s OK to modify readme.html. You’re the first to complain about this. If we get more feedback about this issue from the community that indicates they want a different behavior, we’ll consider changing it.
The default behaviour of the /readme.html renaming has dubiously changed between recent releases – it used to be an option the end-user had to turn on, but it has silently been changed to be enabled by default in the latest release.
We enabled this by default to defeat certain very popular vulnerability scanners. If you don’t like it, just disable the option. It’s as easy as unchecking a box. Nothing dubious about it.
If you are concerned about version leakage (e.g. the latest /readme.html contains the 4.3.1 version string), then ask the WordPress maintainers to remove that version string, which is the correct way to fix this, not to rename a core file randomly!
Why don’t you? The maintainers of WP core value community feedback. You can report your issue here:
https://make.wordpress.org/core/handbook/testing/reporting-bugs/
The WP-CLI tool has the command “wp core verify-checksums” – Wordfence’s renaming of /readme.html now breaks that useful security-checking command because /readme.html is part of WP’s checksumming. Yep, a security plugin breaks a core WP security feature – well done.
WP-CLI is not part of core. Again, if you don’t like the feature in Wordfence, just uncheck the box.
If all of that wasn’t bad enough, Wordfence has a horrendous multi-version leak of its own, far worse than /readme.html. Yep, go here on Wordfence’s own product site:
https://www.wordfence.com/wp-content/plugins/wordfence/readme.txt
Every Wordfence install on the net leaks this readme.txt with far more version-related info than /readme.html !
Yup, we’re aware of that, and the version leak that every other plugin with a readme.txt has.
Can I please request that you remove this ludicrous /readme.html renaming and ask the WP devs to take the version number out of the file upstream instead. This is the only sensible course if you’re concerned about the correct way to secure that file.
As I mentioned above, I’d encourage you to participate in the community effort that goes into WordPress and file the issue yourself. Here’s the URL you want:
https://make.wordpress.org/core/handbook/testing/reporting-bugs/
We’ve noted your comments and will wait for more community feedback before making a call on whether or not to change the default behavior of our version hiding.
Mark
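The exchange above turns on two mechanisms: how a scanner reads a version out of /readme.html and a plugin's readme.txt, and why a checksum verification in the style of `wp core verify-checksums` reports a renamed core file. The following is an added example written for this page; it is not Wordfence's, WordPress's or WP-CLI's own code. The readme contents, the version numbers in them, the stand-in wp-login.php, the checksum dictionary and the renamed file name `readme.html.renamed` are all constructed for illustration (WordPress.org publishes per-release MD5 checksums, which is why MD5 is used here; the page does not say what name Wordfence renames the file to).

```python
"""Version fingerprinting from readme files, and a checksum check that
flags a renamed readme.html. Added example; not code from the thread."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed excerpt of a core readme.html. Releases carry the version on a
# "<br /> Version X.Y.Z" line under the logo, which is what scanners read.
SAMPLE_README_HTML = """<!DOCTYPE html>
<html><head><title>WordPress &rsaquo; ReadMe</title></head>
<body>
<h1 id="logo">
\t<a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
\t<br /> Version 4.3.1
</h1>
</body></html>
"""

# Constructed plugin readme.txt header in the wordpress.org format; the
# plugin name and version numbers are made up for this example.
SAMPLE_PLUGIN_README = """=== Example Plugin ===
Contributors: example
Requires at least: 3.9
Tested up to: 4.3.1
Stable tag: 6.0.20
License: GPLv2 or later

== Description ==
Body text is ignored by the header parser below.
"""

CORE_VERSION_RE = re.compile(r"<br\s*/?>\s*Version\s+(\d+(?:\.\d+)*)")
HEADER_RE = re.compile(r"^([A-Za-z ]+):\s*(.+?)\s*$")


def core_version(readme_html: str):
    """Return the core version string leaked by readme.html, or None."""
    m = CORE_VERSION_RE.search(readme_html)
    return m.group(1) if m else None


def plugin_header(readme_txt: str) -> dict:
    """Parse the 'Key: value' block at the top of a plugin readme.txt.
    'Stable tag' and 'Tested up to' are the fields a scanner cares about."""
    fields = {}
    for line in readme_txt.splitlines():
        if line.startswith("=="):       # '=== Name ===' opens, '== Section ==' closes
            if fields:
                break
            continue
        m = HEADER_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def md5_file(path: Path) -> str:
    # MD5 is used only because that is the digest the release checksum list uses.
    return hashlib.md5(path.read_bytes(), usedforsecurity=False).hexdigest()


def verify_checksums(root: Path, expected: dict) -> dict:
    """Compare files under root against an expected {relative_path: md5} map.
    A renamed file shows up as missing, not as modified."""
    report = {"ok": [], "modified": [], "missing": []}
    for rel, digest in sorted(expected.items()):
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif md5_file(p) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict:
    """Build a toy install, verify it, rename readme.html, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "readme.html").write_text(SAMPLE_README_HTML)
        (root / "wp-login.php").write_text("<?php // constructed stand-in for a core file\n")
        # Stand-in for the per-release checksum list; computed from the clean tree.
        expected = {rel: md5_file(root / rel) for rel in ("readme.html", "wp-login.php")}
        before = verify_checksums(root, expected)
        # Hypothetical target name: the thread does not say what Wordfence renames the file to.
        (root / "readme.html").rename(root / "readme.html.renamed")
        after = verify_checksums(root, expected)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print("core version:", core_version(SAMPLE_README_HTML))
    print("plugin header:", plugin_header(SAMPLE_PLUGIN_README))
    print(demo())
```

Two things to take from running it: the plugin readme.txt exposes both the plugin version and the core version it was tested against, so hiding /readme.html alone does not stop fingerprinting; and a checksum pass lists the renamed readme.html under "missing", which is the breakage rklrkl describes and which an operator has to learn to expect if the renaming option is left on.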
Hacking our own customers. That would be criminal. We obviously don’t do this and are, of course, offended that you would even suggest this.
Wordfence is based in Seattle, Washington and we fall under the jurisdiction of the United States. I’d refer you to the Computer Fraud and Abuse Act in the United States, which includes severe criminal penalties for hacking computer systems.
I’d also refer you to the Wassenaar Arrangement which is the treaty that provides guidance for international criminal matters pertaining to cyber security.
Regards,
Mark Maunder
Founder/CEO.
Incidentally, the issue I updated on our side (internally) is numbered 567 in case you’d like to reference that in further discussions with Tim, Colette or Matt R who all contribute on these forums and are part of our team.
Regards,
Mark.
Thanks for helping design Wordfence guys!
That was a lot. Many good ideas here. I’m going to try and distill them down into the very best of the best:
Goal: We need to not just block the bad guys. We need to reduce their ability to consume future server resources down to something that is completely negligible.
Secondary goal: If providing this kind of load-free blocking impacts admin access to site, ensure that this problem is solved elegantly.
I’m going to leave it there – I know you guys threw out a few other ideas, but let’s go with that for now because that feels like the core of it.
What I’m going to do is enter a bug in our bug/feature tracker and get the product team around this later this coming week (with a link to this chat). We actually already have something in our system which is scheduled for 3 releases from now. But it treats the symptom, not the root issue, and it also might be implemented more elegantly.
Thanks. What a great way to spend a Saturday afternoon – having your customers design your product.
Regards,
Mark.
@themadproducer: Sorry I replied to the other poster first. Should have replied to you since this is your thread.
Thanks for bringing this to our attention. We have a feature in the queue which will be in one of the next three releases that will solve this issue – the problem of high load during intense brute-force attacks.
Having said that I should point out that our current code does a pretty good job of minimizing load when an IP has been blocked. If you can share any data here showing load etc, it would be much appreciated.
Regards,
Mark.
@pingram3541: I was at the Suits & Spooks conference in Washington DC earlier this year and this subject came up. Specifically, the legality of “hacking back”. I know you’re not directly suggesting that, but just wanted to make you aware that it’s discussed in the infosec community, which is indicative of the level of frustration out there.
Your pain is definitely shared.
Can you give us an indication of how much of your resources (bandwidth, anything else you’re billed for) are used by attacks. It might be difficult to differentiate between attacks and real traffic, but if you can, share what you have available.
Regards,
Mark Maunder – Wordfence Founder/CEO.
Hi @iltrev,
Please post the first three digits of the IP address that is trying to sign-in here. It might be an internal IP address and we can tell from the first three digits.
Mark.
Yes this actually came up in our dev meeting today. I think what would have saved us is if we had a save on our servers of every revision of your settings. (Just the stuff that doesn’t affect your privacy) and we could even expose those revisions on the user interface for you to revert to if you wanted to.
Will add a bug for this and we will discuss.
Thanks!
Mark.
Hi @dmori,
Apologies for any inconvenience caused. We’ve explained the issue here and how to fix it:
https://wordpress.org/support/topic/maintenance-release-out-version-6020?replies=10
Hi @earshell,
Posted a full reply here where you cross-posted:
https://wordpress.org/support/topic/completely-unacceptable?replies=10
Regards,
Mark.
Hi @earshell,
I’ve checked and “Block access to the rest of the site (outside the login form):” is actually on by default. So yes in this case it reverted to default setting.
Thanks for your additional feedback. We’ll add it to our internal discussions.
Also just want you to know that we did see your cross-post here:
https://wordpress.org/support/topic/latest-update-turning-on-settings-that-were-uncheked?replies=2
Regards,
Mark.