WordPress 6.0.3

WordPress.org has a new security update. This is a very important release because it fixes most of the XSS (Cross Site Scripting) vulnerabilities.

  • Widget block
  • Feature Image block
  • RSS Block
  • Search Block
  • Stored XSS via wp-mail.php
  • customizer

Another is the sanitation of the class WP_Date_Query. Be sure to update to the latest release. Download the latest version or update via WordPress dashboard.

Add a Section on WordPress Settings Page

The primary location to set up settings for various WordPress website parts is the Settings tab in the WordPress Admin sidebar.

Settings Sub-menu

Listed is the sub-menu for Settings Tab, these are:

  • General
  • Writing
  • Reading
  • Discussion
  • Media
  • Permalinks
  • Privacy

Fields can be added to these pages by creating a simple plugin.


The WordPress functions which would be used are:

register_setting() – this would register our additional options.

add_settings_section() – this would be the section belonging to our custom settings field

add_settings_field() – this would be the custom field

First, we need to use a function that would initialize our plugin.

function wpl_settings_init() {
	// register a new setting for "reading" page.
	register_setting(
		'reading',              // $option_group
		'wpl_setting_example',  // $option_name
		array(
			'array',
			/** 'callback',         // $sanitize_callback. */
		),
	);

	// register a new section in the "reading" page.
	add_settings_section(
		'wpl_settings_section',           // $id
		'WPL Settings Section',           // $title
		'wpl_settings_section_callback',  // $callback
		'reading'                         // $page
	);

	// register a new field in the "wpl_settings_section" section, ins.
	add_settings_field(
		'wpl_settings_option1',           // $id
		'Option 1',                      // $title
		'wpl_settings_option1_callback',  // $callback
		'reading',                       // $page
		'wpl_settings_section',          // $section
	);

	// register a new field in the "wpl_settings_section" section, ins.
	add_settings_field(
		'wpl_settings_option2',           // $id
		'Option 2',                     // $title
		'wpl_settings_option2_callback',  // $callback
		'reading',                      // $page
		'wpl_settings_section',         // $section
	);

}
add_action( 'admin_init', 'wpl_settings_init' );

In my example code, I have added two fields, and here are the callbacks.

function wpl_settings_section_callback() {
	echo '<p>WPL Section Introduction</p>';
}

function wpl_settings_option1_callback() {
	$setting = get_option( 'wpl_setting_example' );
	?>
	<input type="text" name="wpl_setting_example[option1]" value="<?php echo isset( $setting['option1'] ) ? esc_attr( $setting['option1'] ) : ''; ?>">	
	<?php
}

function wpl_settings_option2_callback() {
	$setting = get_option( 'wpl_setting_example' );
	?>
	<input type="text" name="wpl_setting_example[option2]" value="<?php echo isset( $setting['option2'] ) ? esc_attr( $setting['option2'] ) : ''; ?>">	
	<?php
}

Here’s the visual output.

That’s all to it. Happy coding.

Block IPs in WordPress on Pantheon

This article is about blocking IPs in Pantheon for sites using the WordPress CMS. Prevent unwanted traffic incidents that might result in site outages and billing overages.

Review the nginx-access.log.

Download the nginx-access.log on the LIVE environment. The logs can be accessed using SFTP or by using the provided script from Pantheon’s documentation. Be sure to combine all the logs for a day if the site plan has multiple application containers. Identify the IP that has the highest number of visits and verify it with https://www.abuseipdb.com/

$ cat ~/site-logs/nginx-access.log | awk -F\" '{print $8}' | awk '{print $1}' | sort -n | uniq -c | sort -nr | head -20

Use a WordPress Plugin to Block IPs

Be sure to install the plugin WP Traffic Jammer that can be downloaded at WordPress.org https://wordpress.org/plugins/traffic-jammer. The plugin has a wp-cli command that can be used on a remote wp-cli call using Terminus. It also has a settings page to add a single IP or an IP range.

Block the IP using Terminus.

Use remote wp-cli via terminus to block the IP.

$ terminus wp <sitename>.<env> -- jam block <ip>

To unblock the IP.

$ terminus wp <sitename>.<env> -- jam unblock <ip>

Block the IP on the WordPress Admin Dashboard.

On the Admin Dashboard, you would see the left side menu, click “Traffic Jammer” and add a single IP or IPs, CIDR format can be also used for IP ranges.

Block the IP using a PHP Snippet

Use a PHP snippet that can be added to wp-config.php file. This offers an advantage since it would be triggered before loading all the plugins and themes.

if ( $_SERVER['REMOTE_ADDR'] == '154.84.133.8' ) {
  header( 'HTTP/1.0 403 Forbidden' );
  exit;
}

Terminus 3

What a great way to start a new year with releases, as this is the same for the company offering the best WebOps SAAS (Software as a Service) Platform which is Pantheon. During the last week of December, a new version tag of Terminus has been released, comes version 3.

What is Terminus?

The Terminus command-line interface provides advanced interaction with Pantheon. Terminus enables you to do almost everything in a terminal that you can do in the Pantheon Dashboard, and much more. In practice, some of the features missing on the Dashboard are included in Terminus. Developers can also include in development workflow or as part of a script for deployment using continuous integration.

Operating System Compatibility

As of this writing tested to work on the following platforms

  • MacOS
  • Windows 10 – WSL 2 Ubuntu 20.0
  • Ubuntu 20.0 – this would include Ubuntu under Docker or VirtualBox

Before getting frustrated, included also are the list of platforms that Terminus would not work:

  • Windows 10 – Command Line
  • Windows 10 – Git Bash (MingW)
  • Ubuntu 18.0 and later versions
  • Linux system with coreutils equal to or less than 8.28

Prerequisites Library

  • PHP 7.4 or above
  • PHP Extensions (mbstring, xml, curl, cli)
  • curl
  • git (if you need to include plugins)

Installation

As for the prior version of Terminus, it can be installed in many ways, the new version is limited to work only on the standalone PHAR package. Assuming all the requirements are met. Start the installation on the home folder

cd ~
mkdir ~/terminus && cd ~/terminus 
curl -L https://github.com/pantheon-systems/terminus/releases/download/`curl --silent "https://api.github.com/repos/pantheon-systems/terminus/releases/latest" | perl -nle'print $& while m#"tag_name": "\K[^"]*#g'`/terminus.phar --output terminus
chmod +x terminus
sudo ln -s ~/terminus/terminus /usr/local/bin/terminus

Plugins

The new version of Terminus comes with a plugin manager, installation now can be done using the terminus command

terminus self:plugin:install pantheon-systems/terminus-build-tools-plugin

That would work if the plugin is added to packagist, don’t worry you can add an old plugin by means of adding the path.

terminus self:plugin:install <plugin_name> <path>

To update the latest version of the plugin from packagist:

terminus self:plugin:update <plugin_name>

To remove the plugin:

terminus self:plugin:uninstall <plugin_name>

Log4j vulnerability new variants

The security team from Cloudflare did continue to investigate and found additional flaws in the 2.15.0 version of Apache Log4j, which allows adversaries to initiate denial-of-service (DoS) attacks (CVE-2021-45046). The issue has been addressed on the newly available version which is 2.16.0. All companies which include Log4j on their infrastructure stack are suggested to patch to the updated version.

Cloudflare is known for its DDOS protection and is used by more than seven million websites, they have advised their customers to modify the WAF configuration to mitigate the exploit.

Rule IDDescriptionDefault Action
100514 (legacy WAF)
6b1cc72dff9746469d4695a474430f12 (new WAF)
Log4J HeadersBLOCK
100515 (legacy WAF)
0c054d4e4dd5455c9ff8f01efe5abb10 (new WAF)
Log4J BodyBLOCK
100516 (legacy WAF)
5f6744fa026a4638bda5b3d7d5e015dd (new WAF)
Log4J URLBLOCK
Source: https://blog.cloudflare.com/protection-against-cve-2021-45046-the-additional-log4j-rce-vulnerability/

The mitigation is divided into three rules that look at HTTP headers, body, and URL, in that order.

They have also introduced a fourth rule that will guard against a far broader variety of assaults at the cost of a greater false-positive rate. As a result, they have made it available, but it’s not set to BLOCK by default:

Rule IDDescriptionDefault Action
100517 (legacy WAF)
2c5413e155db4365befe0df160ba67d7 (new WAF)
Log4J Advanced URI, HeadersDISABLED
Source: https://blog.cloudflare.com/protection-against-cve-2021-45046-the-additional-log4j-rce-vulnerability/

Cloudflare was the preferred choice of Kinsta, to make client websites faster and more secure. The reason they are not affected by log4j vulnerability. Kinsta is a managed WordPress hosting company that offers feature-rich, cost-effective services. They received the highest rating this year from the G2 review.

Source: https://kinsta.com

The Microsoft Threat Intelligence Center (MSTIC) which is behind the famous Windows Defender, is also acting proactively on new threats in relation to the Apache log4j vulnerability. They posted new updates regularly in regards to log4j, here in this URL https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

The cyber security experts from Praetorian posted on their youtube channel showing the 2.15.0 version of log4j still allows fetching of sensitive data.

Website owners are also worried that the vulnerability might be affecting their business. As the holidays are coming near, hopefully, vacation plans for this year’s end would not be canceled.