An Introduction to Patchman

Patchman is a scanning service that checks some of the most popular web applications for outdated versions, known vulnerabilities, and malware scripts. Its purpose is to scan your site and fix any known vulnerabilities it finds without damaging your site.

Patchman currently supports the following applications with more applications and features to come:

  • WordPress (3.x and later)
  • Joomla (1.5.x and later)
  • Drupal (5.x and later)
  • osCommerce (2.2) 
  • Magento (outdated version check only)
  • PrestaShop (outdated version check only)
  • Gallery (outdated version check only)
  • MediaWiki (outdated version check only)
  • MODx (outdated version check only)
  • ownCloud (outdated version check only)
  • phpBB (outdated version check only)
  • LimeSurvey (outdated version check only)

Please note that for certain applications, Patchman only notifies about outdated versions. These applications will not be automatically patched, and as such it is critical that you manually update the application whenever a new version is available.

What can Patchman do for me?

  • Outdated Application Checks

Keeping your applications up to date is essential to keeping your site secure. New application updates not only provide you with the latest features, they also provide patches for known vulnerabilities. If you have multiple applications installed on your account, it can be easy to lose track of what has been updated and what has not. Patchman shows you, at a glance, any outdated versions of its supported applications installed within your account.
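The check described above, as an added example (not Patchman's own code): a small scanner that walks a document root, finds every WordPress install by its wp-includes/version.php file, reads the installed version and compares it numerically against a known-current release. The latest-release table, the sample installs it creates and the directory layout are assumptions constructed for the demo.

```python
"""Added example (not Patchman's code): find WordPress installs under a
document root, read the installed version, and flag installs that are older
than a known-current release. LATEST is an assumed value for the demo."""
import os
import re
import tempfile
from pathlib import Path

# Assumed latest-release table; a real scanner would refresh this from the
# vendor's release feed instead of hard-coding it.
LATEST = {"wordpress": "6.5.2"}

# WordPress records its version in wp-includes/version.php as $wp_version = '...';
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;")

def parse_version(text):
    """Turn '6.5.2' into (6, 5, 2) so comparisons are numeric, not lexical
    ('10.0' must sort after '9.9')."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_outdated(installed, latest):
    return parse_version(installed) < parse_version(latest)

def wordpress_version(install_dir):
    """Return the version string of an install, or None if the file is
    missing or does not declare $wp_version."""
    version_file = Path(install_dir) / "wp-includes" / "version.php"
    if not version_file.is_file():
        return None
    m = WP_VERSION_RE.search(version_file.read_text(errors="replace"))
    return m.group(1) if m else None

def find_wordpress_installs(docroot):
    """Walk docroot and yield every directory that holds wp-includes/version.php."""
    for dirpath, _, filenames in os.walk(docroot):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            yield os.path.dirname(dirpath)

def scan(docroot):
    """Return a sorted list of (install_dir, installed_version, outdated) tuples."""
    results = []
    for install in find_wordpress_installs(docroot):
        installed = wordpress_version(install)
        if installed is None:
            continue
        results.append((install, installed, is_outdated(installed, LATEST["wordpress"])))
    return sorted(results)

def make_fake_install(root, name, version):
    """Constructed sample data: a minimal fake WordPress tree for offline testing."""
    inc = Path(root) / name / "wp-includes"
    inc.mkdir(parents=True)
    (inc / "version.php").write_text(f"<?php\n$wp_version = '{version}';\n")
    return str(Path(root) / name)

def demo():
    """Build two constructed installs, one stale and one current, and scan them."""
    with tempfile.TemporaryDirectory() as root:
        make_fake_install(root, "blog", "4.9.8")
        make_fake_install(root, "shop", LATEST["wordpress"])
        return [(Path(p).name, v, o) for p, v, o in scan(root)]

if __name__ == "__main__":
    for name, version, outdated in demo():
        print(f"{name}: {version} {'OUTDATED' if outdated else 'up to date'}")
```

The numeric comparison is the part worth copying: a plain string comparison would report 10.0 as older than 9.9, which is exactly the kind of false "up to date" result that leaves an install unpatched.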

  • Vulnerabilities

New vulnerabilities are found regularly in applications like WordPress, Joomla, and Drupal. When this happens, the application developer works as quickly as they can to release an update that closes these vulnerabilities. Once it is released, the best course of action is to update your application. If you are unable to update your application right away, Patchman will automatically patch the vulnerabilities for you after a period of time. This allows us to maintain a secure service environment.

  • Malware Scanning and Removal

Malware files are often injected into your web space through vulnerable PHP applications. They can remain in place even after your application has been brought up to date, and can cause plenty of headaches, from unwanted search keywords to spam messages coming from your domain and DDoS attacks against other domains/servers. Patchman will scan your account for these malicious scripts and automatically quarantine them. This lets you focus on growing your business instead of cleaning up the mess.
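As an added example (not Patchman's own code) of the scan-and-quarantine flow described above, and of the "Undo Quarantine" action described later on this page: a hash-signature scanner over a web root, plus a quarantine store that moves each detection out of the served tree and records where it came from so it can be put back. The signature, the sample file contents and the quarantine layout are all constructed for the demo; no real malware hashes are involved.

```python
"""Added example (not Patchman's code): a minimal hash-signature scanner with
a quarantine that can be undone. SIGNATURES holds a constructed sample hash,
not a real malware signature."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Constructed "known-bad" content for the demo. A real scanner consumes a
# vendor-maintained signature feed rather than a single hard-coded hash.
SAMPLE_BAD_CONTENT = b"<?php /* constructed sample standing in for a known malicious script */ ?>\n"
SIGNATURES = {hashlib.sha256(SAMPLE_BAD_CONTENT).hexdigest(): "constructed.sample.script"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_tree(root, signatures=SIGNATURES):
    """Return sorted [(path, signature_name)] for every .php file whose hash is known-bad."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            if digest in signatures:
                hits.append((path, signatures[digest]))
    return sorted(hits)

class Quarantine:
    """Moves detections out of the web root and records where each came from,
    so 'Undo Quarantine' can restore the file to its original path."""
    def __init__(self, store):
        self.store = Path(store)
        self.store.mkdir(parents=True, exist_ok=True)
        self.manifest = self.store / "manifest.json"
        self.entries = json.loads(self.manifest.read_text()) if self.manifest.exists() else {}

    def _save(self):
        self.manifest.write_text(json.dumps(self.entries, indent=2))

    def quarantine(self, path, reason):
        path = os.path.abspath(path)
        digest = sha256_of(path)
        qid = f"{len(self.entries):04d}-{digest[:16]}"  # unique even if two files share content
        shutil.move(path, self.store / qid)             # no longer under the served tree
        self.entries[qid] = {"original": path, "sha256": digest, "reason": reason, "state": "quarantined"}
        self._save()
        return qid

    def restore(self, qid):
        """Undo Quarantine: put the file back exactly where it was."""
        entry = self.entries[qid]
        shutil.move(self.store / qid, entry["original"])
        entry["state"] = "reverted"
        self._save()
        return entry["original"]

def demo():
    """Constructed web root with one clean file and one known-bad file."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "public_html"
        (webroot / "wp-content" / "uploads").mkdir(parents=True)
        bad = webroot / "wp-content" / "uploads" / "cache.php"
        bad.write_bytes(SAMPLE_BAD_CONTENT)
        (webroot / "index.php").write_text("<?php echo 'hello'; ?>\n")

        q = Quarantine(Path(tmp) / "quarantine")
        hits = scan_tree(webroot)
        ids = [q.quarantine(p, reason) for p, reason in hits]
        gone = not bad.exists()                       # detection is no longer served
        q.restore(ids[0])                             # "Undo Quarantine"
        back = bad.exists() and scan_tree(webroot) == hits
        return len(hits), gone, back
```

Keeping the manifest beside the quarantined files is what makes the undo safe: the original path and hash are recorded at quarantine time, so a restore puts back exactly the file that was removed and nothing else.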

  • Customer Notification

Education is an important aspect of security. With Patchman, you will receive notifications for security incidents and outdated applications, with detailed background information on the vulnerabilities that are affecting your site.

  • Roll Back Changes

Patchman has been designed to fix issues without breaking your site. However, should one of the patches cause any undesired effects, you can quickly roll back any patch to bring your site back online.

Accessing Patchman via cPanel

The Patchman dashboard is available to access via cPanel.

To access Patchman, log into cPanel and scroll to the "Advanced" section. You will see a Patchman icon. Click this icon to access the Patchman user-level interface.


Once you have clicked the Patchman icon, you will be presented with your Patchman dashboard and a list of the current vulnerabilities in your account.

At the top, you will see two graphs. The bar/line chart will show you the new detections by date, and the number of unresolved issues on the account. The pie chart on the right will show you the number of outdated/up-to-date applications installed on your account. 

The aim should be to reduce the number of unresolved issues to 0, and increase the number of up-to-date applications so that 100% of your applications are up-to-date.

In the Patchman Portal, every detection has its own state. The following states are defined:

  • Unresolved: The detection is new, or no action has been taken yet.
  • Resolved: The detection has been resolved, either because the script has been updated and the vulnerability fixed, or because Patchman has applied a patch to the file.
  • Blocked: No actions will be executed automatically for this detection.
  • Reverted: The detection was resolved, but the fix has been reverted to the original state.

The following actions are available for detections, accessible from the 'Actions' dropdown.

  • Patch: Resolve the vulnerability by patching the file immediately.
  • Block: Block all automated tasks for this detection. This will prevent the file from being patched if patching is scheduled, and is not recommended.
  • Undo Quarantine: Restore the quarantined file. This is not recommended, as the file has been confirmed to contain malware and restoring it will leave your account vulnerable.
  • Undo Patch: Revert the patched file to its original state. We don't recommend this action unless absolutely necessary, as it will leave your account vulnerable.


You can review a list of up-to-date and outdated applications installed in your account by clicking the "Applications" link at the top of the screen, disable notifications for the account by clicking the "Notifications" link, or perform a manual scan of the account by clicking "Perform scan".

Will Patchman break my web site?

No - This is the unique part about Patchman. Patchman only patches the specific security vulnerabilities and won't touch anything else. In comparison, updating the application as a whole can often result in a broken website due to plugins and themes depending on a specific version of the application.

Understanding Account Vulnerabilities

Ensuring the security of our customers’ web sites is a top priority for us. In recent years we have seen a dramatic increase in malicious attempts to compromise an innocent web site. Generally these “attacks” are by hackers or spammers, who aim to control a web site in order to send out spam, distribute malware, host phishing content, or use the compromised site to launch attacks on other web sites or servers.

Whilst we maintain excellent server-side security, these attacks often still succeed because of insecurities in customer code, which can leave a web site vulnerable to attack.

This article aims to outline:

  • Why the vulnerabilities exist
  • What you should be doing regularly to ensure your sites are secure
  • What we are doing to ensure your sites (and our servers) are secure


Why are web sites vulnerable to attack?

A large proportion of our customers use CMS applications such as WordPress or Joomla, or shopping cart systems such as Magento or PrestaShop (amongst others). Whilst it may not be apparent to end users, there is a constant arms race under way. Hackers and spammers are continually looking for new ways to exploit these applications in order to gain access to the underlying hosting service. The developers of this software are, in turn, constantly implementing new security fixes to counter these attacks and close any security holes that are found.

You may be wondering: “How can I protect my web site from such attacks?”

The answer is actually very simple: “Update, update, update!”

The moment you let the software that powers your web site fall behind the latest version, you deny yourself the security patches and enhancements that the developer is implementing, and leave your web site vulnerable to attacks. Your number one priority therefore is to always use the latest version of the software that powers your web site.

This applies equally to any plugins, themes, extensions or add-on software that you may also have installed in your web site. Even a fully updated WordPress installation can be vulnerable to attack if it is using an outdated theme or plugin.

Why should this matter to me?

The security of your site should be a high priority for you, because sites that are compromised can put you and your clients at risk, as well as cause general issues for the hosting infrastructure. If a vulnerability in your code results in your site being compromised, hackers will generally be looking to:

  • Insert malware or a virus on your web site which could be passed onto your visitors.
  • Install covert pages on your site to create 'phishing' pages - i.e. pages like fake online banking logins where they will then collect people's credentials.
  • Gain access to the server to send spam messages. If spam messages are sent from the server, this can have the knock-on effect of causing your domain or the server itself to be blacklisted, resulting in email deliverability issues for your genuine emails.
  • Add links on your site to theirs - insecure sites often end up with links to pornography - definitely something your visitors won't want to see!
  • Use our server as the basis to attack other networks, web sites or servers.

... and these are just a few examples - there are many other malicious purposes hackers want to exploit your site for. 

If a site is compromised, the cleanup can be extremely arduous, especially if it goes unnoticed for a long time and there are now no recent 'clean' backups to restore from. Often the only way to fully recover is to re-upload your entire site from scratch. All of this will take a lot of time and effort - and if you're not doing it yourself, it might cost you a lot to have your developer set things straight again. 

Is there anything I can do to automate my script updates?

Absolutely. You have the option to do things automatically if you'd prefer not to go through the hassle of updating things manually. To do this, your application will need to have been installed using Softaculous, our application installer. When installing it, in the 'Advanced' options you can normally specify that Softaculous automatically updates your app when a new version is released. For some apps, such as WordPress, you can have Softaculous also update plugins and themes automatically.

What are we doing to help with all of this?

We appreciate that not everyone gets around to updating their site, or setting up automatic updates and backups. Most people simply aren't aware that their site is vulnerable if they don't keep things updated. In a recent audit of our servers, over 65% of accounts contained outdated applications - meaning that there were thousands of web sites that were open to attack. 

This is something that we had to put right. Not only do vulnerable sites pose a risk to the web sites themselves, they also pose a risk to the stability of our hosting service. We decided it was important to take a very proactive approach to ensure that people's web sites (and our servers) are safe.

What's more, with certain applications, we'll even patch the vulnerability to ensure that no harm can be caused by it.

Eek. Won't patching my site cause it to break?

This is where the real magic happens. Rather than automatically updating web sites, our patching system only patches the specific files that are vulnerable. We take the security patches from the latest version of the application or plugin and back-port them so that they work with the version of the application you currently have installed. This means that the patch is applied safely, without affecting your web site.

This patching system will help ensure that sites hosted with us are safe from a huge number of vulnerabilities.
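As an added example (not Patchman's own code) of the two safety properties the sections above rely on, patching only the specific file and being able to roll the patch back: a patcher that applies a back-ported fix only when the target file's hash matches the exact vulnerable version the fix was written for, saves the original so the patch can be undone, and tracks the detection state. The vulnerable and fixed snippets are a constructed output-escaping example, not a real vulnerability in any application named on this page.

```python
"""Added example (not Patchman's code): fingerprint-bound file patching with
rollback. VULNERABLE/FIXED are constructed sample contents for the demo."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed sample: the 'before' echoes a request parameter unescaped,
# the 'after' is the one-line fix a back-ported patch would carry.
VULNERABLE = "<?php\necho $_GET['name'];\n"
FIXED = "<?php\necho htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');\n"

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

class Patch:
    """A patch is bound to the exact file contents it was tested against."""
    def __init__(self, name, expected_sha256, new_content):
        self.name = name
        self.expected = expected_sha256
        self.new_content = new_content

class Detection:
    """One vulnerable file plus the patch that resolves it."""
    def __init__(self, path, patch, backup_dir):
        self.path = Path(path)
        self.patch = patch
        self.backup = Path(backup_dir) / f"{self.path.name}.{patch.name}.orig"
        self.state = "unresolved"

    def apply(self):
        """Patch only if the file is byte-for-byte the version the patch was
        back-ported for; a locally modified file is left alone and reported."""
        if sha256(self.path.read_text()) != self.patch.expected:
            self.state = "unresolved"
            return False
        self.backup.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(self.path, self.backup)       # keep the original for Undo Patch
        self.path.write_text(self.patch.new_content)
        self.state = "resolved"
        return True

    def undo(self):
        """Undo Patch: restore the saved original."""
        if self.state != "resolved":
            return False
        shutil.copy2(self.backup, self.path)
        self.state = "reverted"
        return True

def demo():
    """Apply, undo, then show that a locally edited copy is skipped."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "plugin" / "show.php"
        target.parent.mkdir()
        target.write_text(VULNERABLE)
        patch = Patch("escape-name", sha256(VULNERABLE), FIXED)

        d = Detection(target, patch, Path(tmp) / "backups")
        applied = d.apply()
        after_apply = (d.state, target.read_text() == FIXED)
        undone = d.undo()
        after_undo = (d.state, target.read_text() == VULNERABLE)

        # A site-specific edit changes the fingerprint, so the patch is not applied.
        target.write_text(VULNERABLE + "// site-specific edit\n")
        d2 = Detection(target, patch, Path(tmp) / "backups")
        skipped = not d2.apply()
        return applied, after_apply, undone, after_undo, skipped

if __name__ == "__main__":
    print(demo())
```

The hash check is what keeps a back-ported patch from touching anything else: if the file is not the exact version the fix was built for, the patcher reports it instead of guessing, which is the case where the site owner has to update the application to a secure release themselves.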

If you're patching my site, do I still need to update?

We still recommend that you do update your software, as there may be some vulnerabilities we cannot detect or patch. Think of the patch as a plaster (or band-aid). It fixes most of the immediate problems, but in the long term, you'll want to ensure that your site is operating natively on the latest version of its software. Not only will this help ensure your site is secure, it will also allow you access to all the new features that the developer will be implementing aside from just security patches.

What if you find malware on my site?

Again, if your site is up to date and patched, the chance of malware is almost zero. However, bear in mind that hackers and spammers are always looking for new ways to get access to your site, so sometimes, even if you've been super vigilant, malware can still creep in. This is where we have your back again. In addition to scanning sites for out-of-date software and known vulnerabilities, we also scan for known malware. If we find malware, we will quarantine it so that it can do no (further) damage. You'll receive an email from us whenever this happens, and at that time we'd normally suggest that you examine the site for any evidence of other issues and double check that everything that needs updating has been updated.

The fight against hackers and spammers is a long one, and is constantly evolving, however with our automated notifications, security patching and malware removal, your hosting account is about as secure as things get. 

Reverting Patchman Patches

In the unlikely event that Patchman's patches cause any adverse effect to your site, you can easily revert any of the patches it has made.

To do so, you first need to log into the Patchman dashboard by clicking on the Patchman icon in cPanel.

By default, the page lists a maximum of 10 patches per page. If more than 10 patches need reversing, use the drop-down at the bottom right of the screen to display all the relevant patches on one page.

Place a tick in the box at the top left to select all the patches, and then with the Bulk Actions dropdown menu next to it, select 'Reverse'.

Patchman will then revert all of the patches applied.

What we'd recommend that you do then is to apply patches one by one, and re-load the site after applying each one. This will help identify the particular patch that may have caused an issue so that this can be reported to Patchman.

We recommend applying all the patches that you are able to, to ensure that your site is as secure as can be.

Please note that your site will still be vulnerable wherever a patch could not be applied, so it will be important to address these vulnerabilities by updating your application to a secure release.

Help! My WordPress site has been compromised, what should I do?

Remember - it's not personal. If your site has been compromised, 99% of the time it is not your specific site or business that is being targeted. Spammers and hackers run highly automated systems to probe sites on the Internet for vulnerabilities, compromise them in equally automated ways, and then use them for a malicious purpose.

However, if your site has been compromised, in almost every circumstance it means that there was software installed in your account that was insecure. If your site has been found to be compromised, either by sending spam messages or hosting phishing content for instance, there is a simple solution and a hard solution. 

The simple option.

If you have a backup of your site that pre-dates the compromise, restore from this backup point. One of the issues here is that malware is often injected into a site well in advance of it actually being triggered for a malicious purpose. If you do restore from your own backup, we recommend that you carefully inspect that backup to ensure that any files we may have identified as malware in our report to you do not exist in it.

The complex option. 

1. Immediately change your WordPress admin password

If you have more than one admin user, i.e. a user with full admin privileges, and they cannot also change their password immediately, set them to a user level without administrator access until they can log in and change their own password. You can then set them back to administrator level after their password has been changed.

2. Install the WordFence security plugin

Install the WordFence plugin - this is a firewall plugin for WordPress that will greatly enhance the security of your WordPress install. Once it is installed, one important final step is to go to the WordFence options in the side menu and configure it according to the configuration article below (How to Configure the WordFence Plugin). This is very important to ensure that WordFence is configured to properly protect your site and also run optimally (so your site isn't slow).

3. Enable CloudFlare in cPanel

CloudFlare is a company we have partnered with to add additional security benefits to your site. It will help keep malicious users at bay, as well as add speed enhancements to your web site. CloudFlare can be enabled in cPanel in a single click and is highly recommended.

Once these steps are all done, your site should be clean and better protected for the future... but now you need to keep it secure!

Your site is only as secure as you keep it going forward. We do everything possible to try and ensure that you are protected. But we can only do so much - the ultimate responsibility for keeping WordPress and any other software installed in your account secure lies with you, OR with your web design agency if you are paying them to keep your site maintained. The important thing going forward is to keep it from being hacked again. For WordPress, this comes down to actively ensuring that you keep plugins, themes and WordPress itself running on the latest secure releases. Generally this process takes a matter of minutes every now and again, and is much, much less time consuming than the process you have just followed to clean it.

How to Configure the WordFence Plugin

WordFence is a fantastic plugin for WordPress that will dramatically increase the security of your WordPress blog. It is our recommended plugin for any WordPress site - with WordFence properly installed and configured, the likelihood of your blog being hacked is dramatically reduced.

However, WordFence has a lot of configuration options. The following article outlines how we would recommend that you configure WordFence.

Once you have installed WordFence as a plugin in WordPress, click on WordFence > Options in the side menu. On this page, configure the settings as follows:

Basic Options 

  • Uncheck "Live Traffic View". Live traffic view is a nice feature that lets you see real-time activity on your site, but it slows your site down, particularly on high-traffic sites. It is not essential and we strongly recommend that you turn this feature off.

  • How does WordFence Get IPs: From the drop-down menu, select "Use PHP's Built In REMOTE_ADDR". 


Advanced Options: Alerts

  • Under Alerts, select all options except "Alert me when someone with administrator access logs in". This is probably over the top for most web sites, and will result in unnecessary email flow if you are regularly logging in anyway.


Advanced Options: Live Traffic View

  • No changes


Advanced Options: Scans to Include

  • Select All Options


Advanced Options: Firewall Rules

The Firewall Rules are an important part of protecting your site. They control how quickly various activity can take place on your blog, and ensure that your site is protected from malicious traffic that might be trying to 'brute force' your site. They also control how quickly bots and other traffic can access your site; this traffic is generally best throttled if it is too aggressive, to ensure that your site operates without interruption.

The following screenshot shows how we would recommend that you set this up. These are guidelines only: if your site is being adversely affected by bot traffic (i.e. we have notified you of such traffic, or your site has been 'temporarily limited' by our resource management systems), you may wish to lower these limits.

Advanced Options: Login Security Options

These settings will ensure that any brute force login attempts on your WordPress installation are restricted. When setting these options, it's important that you ensure that you use the correct admin username, and that you remember your password so you don't lock yourself out. We'd therefore also recommend that you follow the next step to whitelist your own IP address as well, to help ensure you don't get locked out yourself.

Advanced Options: Other Options

  • Enter your IP address in the first box. If you have multiple admins, enter each of their IP addresses in this box. This will ensure that your own connection is excluded from any firewall processes. 
  • Ensure all the other boxes outlined in red below are checked.
  • In "Maximum execution time for each scan stage" - enter 30
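As an added example (not WordFence's code) of what the Login Security and IP settings above configure: a login throttle that keys failed attempts on the socket address (REMOTE_ADDR) rather than on a header the client can set, locks an address out after too many failures within a window, and never locks out the allowlisted admin addresses. It goes one step beyond the page in showing when a forwarded header may be trusted at all (only when REMOTE_ADDR is a proxy you operate); the thresholds, the trusted-proxy list and the sample addresses are assumptions constructed for the demo.

```python
"""Added example (not WordFence's code): REMOTE_ADDR-keyed login throttling
with an admin allowlist. Thresholds and addresses are constructed."""
import ipaddress
import time

def client_ip(environ, trusted_proxies=()):
    """Use the socket peer (REMOTE_ADDR). X-Forwarded-For is consulted only when
    that peer is a proxy we trust, because any client can set the header."""
    peer = environ["REMOTE_ADDR"]
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    if forwarded and any(ipaddress.ip_address(peer) in ipaddress.ip_network(p)
                         for p in trusted_proxies):
        return forwarded.split(",")[-1].strip()   # address appended by the trusted proxy
    return peer

class LoginThrottle:
    """Lock an address out after max_failures failed logins inside `window`
    seconds; allowlisted addresses (your own admin IPs) are never locked out."""
    def __init__(self, max_failures=5, window=300, lockout=1200, allowlist=(), clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.allowlist = {ipaddress.ip_network(a) for a in allowlist}
        self.clock = clock
        self.failures = {}      # ip -> timestamps of recent failures
        self.locked_until = {}  # ip -> time the lockout expires

    def _allowlisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def is_locked(self, ip):
        if self._allowlisted(ip):
            return False
        return self.locked_until.get(ip, 0) > self.clock()

    def record_failure(self, ip):
        """Return True if this failure triggered a lockout."""
        if self._allowlisted(ip):
            return False
        now = self.clock()
        recent = [t for t in self.failures.get(ip, []) if now - t <= self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            self.failures[ip] = []
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)

def demo():
    """Constructed scenario: a spoofed forwarded header is ignored, the real peer
    is locked out after three failures, the allowlisted admin never is, and the
    lockout expires after the configured period."""
    t = [1000.0]                               # fake clock keeps the demo deterministic
    throttle = LoginThrottle(max_failures=3, window=60, lockout=600,
                             allowlist=["203.0.113.10"], clock=lambda: t[0])
    peer = client_ip({"REMOTE_ADDR": "198.51.100.7",
                      "HTTP_X_FORWARDED_FOR": "203.0.113.10"})   # header claims the admin IP
    admin = "203.0.113.10"
    for _ in range(3):
        throttle.record_failure(peer)
    for _ in range(10):
        throttle.record_failure(admin)
    locked_now = (throttle.is_locked(peer), throttle.is_locked(admin))
    t[0] += 601                                # lockout period has passed
    return peer, locked_now, throttle.is_locked(peer)

if __name__ == "__main__":
    print(demo())
```

The point of the REMOTE_ADDR choice is visible in the first assertion of the demo: a request that claims the admin's address in a header is still counted against the address it actually came from, so neither the lockout nor the allowlist can be bypassed by editing a header.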


Click on Save Changes

Once saved, it's usually a good idea to run a WordFence scan on your site now. To do this, under the WordFence menu on the left, click 'Scan' and then on the page that loads, click 'Start a WordFence Scan'.


If problems are found, you will be alerted at the bottom of the page. For instance, the scan may show that a plugin needs updating, as shown in the example below. You should follow the advice of the scan report.