cPGuard + Enhance

DracoBlue

Recently, I encountered an unfortunate situation on my server with WordPress sites that were infected with malware. Thanks to Adam's suggestion and help, I decided to implement cPGuard. I am very satisfied with how this tool works, and the price is also reasonable. Now, I can sleep peacefully. I didn't have any WAF protection before because it's a small VPS server where I host my own sites and a few client sites, but now I know that WAF is essential these days. It's great that cPGuard already integrates with the Enhance panel. Hopefully, we'll see more features in the Enhance panel in the future to manage such issues. What are your thoughts on this matter?

adil

DracoBlue the price is also reasonable

Can you please share the pricing?

pud

DracoBlue

Hi out of interest do you know how you got infected in the first place?

8Dweb

I started with cpGuard last Fall (2023) and have been very happy. There are some complaints about uploads being squashed by modsec rules, and it annoys those users, but overall, the experience with the product has been good. We run it on all production servers handling customer sites.

DracoBlue

8Dweb I also noticed that some files uploaded through the file manager in the Enhance panel are being blocked. I've already reported this, so hopefully, it can be resolved somehow.

opsshield

DracoBlue

Thank you for reporting the false positives. I was informed by the WAF team that they have added an exception for the reported cases. The updated WAF rules should load on your servers during the next web service restart. If you are facing any further issues, please feel free to each our support at any time.

Just to add, we already offer multiple options to secure your WordPress including the core files restore from a clean copy. The current version of cPGuard comes with CVE alerts included in the WordPress installations. The next version ( which will come out in the next 24 - 48 hrs ) will have the option to manually update the CVE affected or outdated components. Later we will add an option to automatically patch all WordPress components with a critical CVE status...it will trigger if the end-user does not patch them after X days of the first alert....server admin can optionally turn it ON/OFF. So we also prioritize WordPress security and add more things to it in new updates.

josedieguez

We use cpguard on 6 servers (not with Enhance at the moment), and can't complaint. false positives or issues have happened, but support has been fast enough.

ivansalloum

Their legal pages made me not use their service in production. I decided to use Monarx.

DracoBlue

ivansalloum In my case, Monarx is too expensive; I only have a VPS server.

slimx

ivansalloum Ivan how are you liking it, im considering Monarx too as 90% of my clients are wordpress.

DracoBlue

adil $5.5 billed yearly, $6 biled monthly.

ordinary

I've been using CPGuard with OLS since I began using Enhance in production last year.

It seems to be rock solid. I've not had any infections (yet) so hopefully it's doing it's job well!

I definitely recommend.

ivansalloum

slimx Their agent is smart and directly integrated into PHP, providing a complete and real-time view of web application activity. It knows exactly what is being executed, where, and by whom, with minimal resource usage.

I like that they offer two modes: inspect mode and active protection mode. In inspect mode, they identify malware and you take action manually. In active protection mode, they automatically clean compromised files and quarantine malicious ones. You can enable active protection on a per-user basis.

They also offer a malware cleaning service for infected WordPress websites. If a site is fully infected, they manually clean the files for a fee, which can be charged as an add-on.

Their dashboard is well-organized, and you can ask questions via live chat. A Web Application Firewall (WAF) is coming soon. Their support is helpful, and I’ve even discussed my thoughts and requirements with the CEO. It’s been great so far.

DracoBlue

pud https://bitninja.com/blog/monarx-malware/

Wwarrior

opsshield This comment looks like ads/spam

deydod

I am experiencing some problems with cPguard and VPS hosted on Vultr HF. From time to time (completely random) it seems it cannot reload apache for some reason. There are no logs in 'docker apache logs' that leads to any clue:

[Thu Jun 20 12:53:19.925764 2024] [mpm_event:notice] [pid 8:tid 140233241827200] AH00493: SIGUSR1 received. Doing graceful restart AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 199.99.88.3. Set the 'ServerName' directive globally to suppress this message [Thu Jun 20 12:53:22.504702 2024] [ssl:warn] [pid 8:tid 140233241827200] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache] [Thu Jun 20 12:53:22.577646 2024] [ssl:warn] [pid 8:tid 140233241827200] AH01906: default:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Thu Jun 20 12:53:22.578154 2024] [security2:notice] [pid 8:tid 140233241827200] ModSecurity: Loaded 1471 rules from: 'https://rules.malware.expert/download.php?rules=generic&extra=cpgrecaptcha,webshell,scanner'. [Thu Jun 20 12:53:22.578541 2024] [mpm_event:notice] [pid 8:tid 140233241827200] AH00489: Apache/2.4.59 (Unix) OpenSSL/3.0.11 configured -- resuming normal operations [Thu Jun 20 12:53:22.578553 2024] [core:notice] [pid 8:tid 140233241827200] AH00094: Command line: 'httpd -D FOREGROUND' [Thu Jun 20 12:57:11.488103 2024] [security2:error] [pid 824526:tid 140233148868288] [remote 54.36.149.37:45527] [client 54.36.149.37] ModSecurity: Access denied with connection close (phase 1). Pattern match "ahrefsbot" at REQUEST_HEADERS:User-Agent. [file "remote server"] [line "-1"] [id "913125"] [msg "Malware.Expert - Found User-Agent associated with Ahrefs Bot"] [hostname "www.w********.com"] [uri "/robots.txt"] [unique_id "ZnQnJzT9QfysaXANs3SabQAAWAE"] [Thu Jun 20 12:57:12.765000 2024] [security2:error] [pid 824526:tid 140233140475584] [remote 51.222.253.16:58414] [client 51.222.253.16] ModSecurity: Access denied with connection close (phase 1). Pattern match "ahrefsbot" at REQUEST_HEADERS:User-Agent. [file "remote server"] [line "-1"] [id "913125"] [msg "Malware.Expert - Found User-Agent associated with Ahrefs Bot"] [hostname "www.w********.com"] [uri "/projects/up****/"] [unique_id "ZnQnKDT9QfysaXANs3SabwAAQQI"] [Thu Jun 20 13:03:20.485646 2024] [mpm_event:notice] [pid 8:tid 140233241827200] AH00493: SIGUSR1 received. Doing graceful restart AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 199.99.88.3. Set the 'ServerName' directive globally to suppress this message [Thu Jun 20 13:22:51.518776 2024] [ssl:warn] [pid 7:tid 139735328696192] AH01906: default:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Thu Jun 20 13:22:51.519278 2024] [security2:notice] [pid 7:tid 139735328696192] ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/) configured. [Thu Jun 20 13:22:51.519290 2024] [security2:notice] [pid 7:tid 139735328696192] ModSecurity: APR compiled version="1.7.2"; loaded version="1.7.2" [Thu Jun 20 13:22:51.519295 2024] [security2:notice] [pid 7:tid 139735328696192] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14" [Thu Jun 20 13:22:51.519298 2024] [security2:notice] [pid 7:tid 139735328696192] ModSecurity: LUA compiled version="Lua 5.3" [Thu Jun 20 13:22:51.519300 2024] [security2:notice] [pid 7:tid 139735328696192] ModSecurity: YAJL compiled version="2.1.0" [Thu Jun 20 13:22:51.519302 2024] [security2:notice] [pid 7:tid 139735328696192] ModSecurity: LIBXML compiled version="2.9.14" [Thu Jun 20 13:22:51.519304 2024] [security2:notice] [pid 7:tid 139735328696192] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On. AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 199.99.88.3. Set the 'ServerName' directive globally to suppress this message [Thu Jun 20 13:22:53.145876 2024] [ssl:warn] [pid 7:tid 139735328696192] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache] [Thu Jun 20 13:22:53.214543 2024] [ssl:warn] [pid 7:tid 139735328696192] AH01906: default:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Thu Jun 20 13:22:53.215040 2024] [security2:notice] [pid 7:tid 139735328696192] ModSecurity: Loaded 1471 rules from: 'https://rules.malware.expert/download.php?rules=generic&extra=cpgrecaptcha,webshell,scanner'. [Thu Jun 20 13:22:53.229271 2024] [mpm_event:notice] [pid 7:tid 139735328696192] AH00489: Apache/2.4.59 (Unix) OpenSSL/3.0.11 configured -- resuming normal operations [Thu Jun 20 13:22:53.229364 2024] [core:notice] [pid 7:tid 139735328696192] AH00094: Command line: 'httpd -D FOREGROUND'

My sites were offline for 10 min (from 13:10 to 13:22) and I had to restart the Apache container in order to get it back. We had a discussion about this a few months back and they said its an Apache issue. Everything is updated since then and still getting those issues. Strangely my other estate (EU based) does not have such issues.