WP AutoShield®: One-Click WordPress Security from cPFence: Page 10 - Enhance Control Panel

WP AutoShield®: One-Click WordPress Security from cPFence

ivansalloum

cPFence Oh, I missed those! I didn’t see them, sorry about that. Thanks for the updates!

MediaServe

cPFence Thanks! Would you be willing list the plugins you like to blacklist?

cPFence

MediaServe Thanks! Would you be willing list the plugins you like to blacklist?

You're welcome! Here’s an example blacklist:

wp-file-manager
file-manager-advanced
filester
filebird
file-manager
real-media-library-lite
wpide
folders
fileorganizer
media-library-organizer
nmedia-user-file-uploader
shared-files
softdiscover-db-file-manager
cm-download-manager
wp-file-manager-pro
wp-file-download
wpide-pro
hide-my-site
disable-admin-notices
call-now-icon-animate
wp-copyprotect
wordpress-social-login
simple-csv-xls-exporter

To blacklist them, just add them to the file:
/var/log/cpfenceav/blacklisted-wp-plugins.txt

As a rule of thumb, any vulnerable plugin that has no patches available should not be allowed on your server. WP-AutoShield sends weekly vulnerability reports every Monday morning for each server. Just check these reports regularly, look at the "Remediation" row, and grab all the plugins that say "No known patch available" , then manually review and add them to the blacklist.

If you are like us and prefer not to manually review them, and instead want to automatically blacklist all vulnerable plugins with no patch available on all your servers in one go, you can do the following:

1- Run cPFence Multirun Tool

cpfence --multirun

2- List vulnerable plugins with no patch available:

grep "No known patch available" /var/log/cpfenceav/vulnerabilities_*.csv | awk -F',' '$1 == "plugin" {print $2}' | sort -u

3- If the output looks good, append them to the blacklist automatically for all your servers in one go :

grep "No known patch available" /var/log/cpfenceav/vulnerabilities_*.csv | awk -F',' '$1 == "plugin" {print $2}' | sort -u >> /var/log/cpfenceav/blacklisted-wp-plugins.txt

MediaServe

cPFence Thanks again! You guys have built a comprehensive but also complex system! Hard to keep track of so many option lol. But I love what you've done for Enhance and considering requests and making them happen so quickly is perfectamundo!

cPFence

MediaServe

I understand that rolling out so many features so quickly can be overwhelming and hard to keep up with. For the average user, we always recommend sticking to the default settings and simply activating these three modules:

cpfence --wp-autoshield-on  
cpfence --owl-automysql-on  
cpfence --monitorpro-on

This setup provides solid security on autopilot without any extra effort.

For advanced users with many servers who want to take full advantage of the bulk and advanced tools, diving into our knowledge base and using the cheat sheet will be the best way to explore all the possibilities.

MediaServe

cPFence After cPanel migrations of full servers, we see lots of errors cleaning up WP sites with your bulk tools. Most of them are database connections that seem to be WP files left behind while the DB has been deleted. It would be nice to simply have a command to provide a list of WP sites producing obvious errors like this so we can more easily resolve these problems.

cPFence

MediaServe

Many clients copy full WordPress installation files for quick backups or testing purposes, so you need to be careful when dealing with WP files without databases to avoid removing private files.

MediaServe

cPFence Yeah I have to review each one, but these are long term cPanel users with old files missing the database completely as far as I've seen so far.

rdbf

cPFence

I tried to whitelist an ipv6 range, or address, but this wasn't possible. Does that mean the blacklisting also doesn't support ipv6? Could ipv6 support for DDoS and Brute Force Protection be implemented?

My current country is a world leader on ipv6, and sucks majorly on ipv4 (especially with CGNAT and extra especially with ipv4 routing - shoutout to Telekom Malaysia.....), so I always love to see proper ipv6 implementations in everything I use. Fail2ban does do ipv6 properly btw.

cPFence

rdbf

IPv6 support is already in the works and will be implemented once Enhance releases its new Firewall management interface to ensure full compatibility.

MediaServe

cPFence With cPanel we use cPGuard and CSF and block IPs for email authentication failures, eventually permablocking those IPs after 4 blocks in a small time frame. Many of our members get a bit frustrated with this because they have a difficult time, especially when the failure happens from a <> (user missing entirely.)

I've started encouraging our members to migrate to Enhance, but https://my.cpfence.app/knowledgebase/21/Does-cPFence-Provide-Protection-for-Mail-Servers.html provides means for excluding email, but I'd really like to know what actually happens with email authentication failures like these. I'd prefer not to exclude email protection.

pratik_asabe

we're using cpfence on our production server, cPFence i'd like to see a seperate thread confirming full compatibility with v12 after its release, because we're going to migrate to v12 only after confirmation from you!

wrapper

I would love a way to hook notifications into something like Gotify - I use Matrix / Synapse to get notifications from Uptime Kuma at the moment and find it pretty handy

8Dweb

wrapper I agree. Add Telegram.

cPFence

wrapper

8Dweb

Thank you for your suggestion. We will try to consider this in the future.

pratik_asabe we're using cpfence on our production server, cPFence i'd like to see a seperate thread confirming full compatibility with v12 after its release, because we're going to migrate to v12 only after confirmation from you!

Thank you! We already have a thread dedicated to v12 and cPFence compatibility, and we’ll update it once full compatibility is confirmed. This is our top priority, and we’ve been planning for it for months. As soon as v12 is out, our team will be working on it nonstop until everything is fully ready.

mbe81

Welcome to cPFence! Glad to hear you’re finding it useful. Lots of exciting features and tools are coming, especially now that we’re moving beyond Docker. This will open up possibilities for many innovative features on our roadmap. Stay tuned!

For auto-updates, it really depends on your setup. If you’re managing personal sites or directly handling client sites where you only use high-quality, up-to-date themes and plugins, enabling auto-updates is usually safe, especially if you are using cPFence MonitorPro to keep an eye on your sites and be the first to know when issues arise. But for shared hosting, it’s not recommended. Instead, the best approach is to use the amazing cPFence bulk WordPress update tool:

cpfence --bulk-update-wordpress

You can choose between Fully Automatic or Semi-Automatic modes, allowing you to update hundreds or even thousands of sites in minutes!. It also performs automatic site health checks post update, ensuring pages load properly and content remains intact. It will even attempt to fix issues for you! Definitely worth giving it a try!

Regarding the Auto Quarantine, I recommend disabling Auto Quarantine and running a full scan. After that, whitelist any false positives. Here are some examples:

Whitelist a file name server-wide on all sites in one shot:

cpfence --exclude-path ./whitelisted_file_name.php

Whitelist a path, plugin, or theme server-wide on all sites in one shot:

cpfence --exclude-path /wp-content/plugins/my_whitelisted_plugin/

Whitelist a client site completely:

cpfence --exclude-path /var/www/site_id/

Once done, you can enable the auto quarantine features as you will receive only very few false positives following these steps.

mbe81

Since a few weeks I also use cPFence and I am impressed with the possibilities!

In the mean time I enabled almost everything except the Auto Quarantine functions for files: I got an alert twice on some PHP files which was a false positive (Message: Pattern commonly seen in malicious mailers). Today I also disabled the disablement of theme and plugin files in WP AutoShield as often customers want to add something to their functions.php of which I think they should be able to do so.

I am still in doubt of enabling the WordPress Auto update feature. Installing updates is, of course, important but can also break the site. And if that is to solve a high or medium vulnerability I think that's an acceptable risk but I think this risk is not acceptable for plugins which are not vulnerable. There I would like the customer to decide if and when he wants to update those plugins.

How do other people think of this? If more people think the same, it could be a nice feature to add this option to cPFence as well. The list of plugins which are vulnerable and require an update are known. They are already listed in the Weekly Vulnerability Report I receive.

cPFence

Version 3.3.32 (15th February 2025)

Give your databases some love with cPFence! – WP-Autoshield now shields and optimizes your databases on autopilot!

Added
1- Wordpress Database Malware Scan (auto-enabled):
WP-Autoshield now scans all your wordpress databases daily for malware and injection attacks. If anything suspicious is found, you’ll receive an instant email alert.
Want to see it in action? set up a test wordpress site and intentionally inject this malware test code: https://gist.github.com/cPFence/a2dea38f60a5ccc051f5b386c848fb59
Scan your databases manually anytime:

Admin UI: threat and malware detection → scan all wordpress databases
CLI command: cpfence --bulk-scan-wp-databases

2- Wordpress Database Bulk Optimization Tool:
Boost your site’s performance with automatic daily database optimization. off by default, but you can enable it from the ui or run it manually:

Admin UI: system settings → WP-AutoShield → Daily Optimize All WP databases
CLI command: cpfence --bulk-optimize-wp-databases

Fixed

Several minor bug fixes and performance improvements.

rdbf

cPFence If anything suspicious is found, you’ll receive an instant email alert.

The email alert contained a 60MB logfile attachment, which looked like a database dump to be honest. All marked SEO Spam. Which makes sense, considering one of the services offered is SEO optimisation. But maybe a bit too aggressive on the malware detection? And the logging?

pratik_asabe

cPFence Wordpress Database Bulk Optimization Tool:

What kind of optimization is done by this exactly?

mbe81

cPFence
This morning I got the first automatic mail from the database malware scan. For just 10 WordPress sites it reports about 6000 lines as suspicious.

A lot of lines marked as SEO Spam, while it is no SEO Spam (and even if it is, SEO Spam is content which should be managed by the webmaster, not the system administrator). Only a few real SEO Spam lines were reported, but again, this is not something I care about as system administrator
A lot of lines that Javascript is detected on a page, which in this case, is all valid javascript from a newsletter provider added by the site owner.

So thanks for your effort here, but I disabled the database scan due to the number of false positives/ irrelevant checks.

cPFence

rdbf

Thank you for the feedback. The next version will improve this, it will include a 5MB limit for log file attachments, along with an option to exclude database from scans.

cPFence

mbe81 rdbf

Can you please try a manual DB scan with the latest 3.3.33 version? You can use cpfence --bulk-scan-wp-databases or run it from the UI. Let us know how it goes. If you still notice any false alarms, please attach the log file to a support ticket.

We’ve tested this version on busy shared hosting servers, and it successfully detected all our known malware DB injection patterns while keeping false positives to a minimum.

cPFence

pratik_asabe

It simply runs the native wp cli db optimize command, which safely optimizes your WordPress database tables to improve performance and reduce overhead.

pratik_asabe

cPFence is it safe to run on heavy woocommerce sites? and is this like cleaning drafts and transients etc.?

pratik_asabe

xyzulu agreed.. like litespeed plugin has this already..

as per my knowledge innodb doesn't require optimization as such, correct me if I'm wrong.. cPFence

« Previous Page Next Page »