Congratulations to the Virtualmin team for releasing WP Workbench

I would like to give my sincere thanks and congratulations to the Virtualmin @staff for the release of “WP Workbench” for Pro users.

In my opinion this is a complete game changer.

We run 15 cPanel servers and 20 Virtualmin servers.

Needless to say, cPanel is SUPER expensive and post-Covid has increased the licensing fees a lot. Virtualmin Pro on the other hand, which we’ve used for more than a decade, is just amazing!

The problem, and why we still have so many clients on cPanel, is that almost 80% of our users use WordPress. When you have WordPress users in bulk, some coming along for more than a decade, you can’t help but need centralised WordPress administration.

Yes, sure, if you have 100s of clients it’s actually “their responsibility” to update their plugins and themes, but let me assure you, at least 50% don’t.

So you can pass the buck, but if their site gets infected the host often gets the first call. Also, PHP is updated every year or three, and if you can’t do stuff centrally you sit with potentially thousands of plugins that need updating.

We’ve been saying that the only reason we’re even still on cPanel is their centralised tool “WP Toolkit”, which they inherited from Plesk.

But now we are saying Virtualmin is the only true competitor that offers a similar service.

Well done team!!

To the next decade!

6 Likes

We really appreciate your kind words and gratitude! :blush: We truly hope you enjoy using WP Workbench and that it meets all your needs.

Since WP Workbench is supported through the Virtualmin CLI, you can easily automate all the tasks you mentioned for your users.

If you have any questions or run into any issues, feel free to open a new ticket anytime.

I don’t know if it’s possible, but I use Infinite WordPress (IWP) to update all my managed WordPress sites with just one click (not just on Virtualmin, btw). Maybe a centralized WP Workbench app that can do the same; just a thought.

Yes, it was discussed in the past, and it’s been on my radar, yet I haven’t done any work towards this.

3 Likes

Seems like a good start, but it would have to have more security features for me before I consider it useful. Things like blacklisting, whitelisting, change of admin page URL, disabling API access to all users, disabling user accounts; just better hardening overall. WP Workbench is neat, but IDK, it just seems like quite an endeavour for stuff that can already be done essentially, albeit with maybe a bit less elegance. The real worthwhile thing is the added security, as long as it doesn’t introduce new security issues.

A centralised command centre for WP could be quite useful. Sometimes you don’t want clients to have access to things but want the automation abilities.

There are 3rd party apps out there to base it on. Definitely stick it on your list :smiley:

Thanks for your suggestions! Though what do you mean by “blacklisting and whitelisting”?

Also, do you think it would be useful to add HTTP auth password protection to wp-admin?

Which third-party apps in particular?

Manually managing block and allow lists is a sucker’s game, a big time sink, and they’ll just move to another IP anyway. You have to automate it. Ilia already implemented fail2ban integration, which is probably sufficient for most folks.

We’re also looking at ModSecurity for Virtualmin in general, and WordPress specifically.

“security” gets used a lot to apply to things that don’t actually improve security and might make it worse. We’re trying to not do security theater. Deploying WordPress in a Virtualmin environment is already likely more secure than most shared hosting deployments (even if those others have a bunch of boondoggles with “security” in their name or description).

And, most WordPress “security” plugins are hogwash.

But, we’re happy to consider any Open Source security tools you’d recommend.

One thing I’d like to see is a git-based tool, like etckeeper (or maybe actually etckeeper with custom configuration) that allows tracking changes over time. Nothing makes it easier to spot an attack than seeing new files pop up with weird names or changes to core code or plugins that don’t coincide with version upgrades. git also provides a backup against “fat finger” breakages.

3 Likes
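A minimal version of the change-tracking idea Joe describes above, as an added example that is not part of this thread, of Virtualmin or of etckeeper: a JSON manifest of SHA-256 hashes stands in for the git history, and the rules for what counts as suspicious (odd file names, PHP under uploads, core edits outside an upgrade) are assumptions.

```python
"""Baseline-and-diff check for a WordPress docroot, in the spirit of the
etckeeper idea above. Added example, not Virtualmin or etckeeper code: a JSON
manifest of SHA-256 hashes stands in for git, and the 'suspicious' rules are assumptions."""
import hashlib, json, os, re, tempfile

# Names that version upgrades never create but dropped web shells often carry.
ODD_NAME = re.compile(r"\.suspected$|\.php\.\w+$|^\..*\.php$")
UPLOADS = "wp-content/uploads/"   # user media: executable PHP here is never legitimate

def snapshot(root):
    """Return {relative path: sha256 hex} for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def save_baseline(root, path):
    with open(path, "w") as fh:
        json.dump(snapshot(root), fh, sort_keys=True)

def report(root, baseline_path, upgrade_in_progress=False):
    """Diff root against the baseline; outside an upgrade every edit to an existing file is suspicious."""
    with open(baseline_path) as fh:
        old = json.load(fh)
    new = snapshot(root)
    added = sorted(set(new) - set(old))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    suspicious = {p for p in added
                  if ODD_NAME.search(os.path.basename(p))
                  or (p.startswith(UPLOADS) and p.endswith(".php"))}
    if not upgrade_in_progress:
        suspicious.update(modified)
    return {"added": added, "modified": modified,
            "removed": sorted(set(old) - set(new)), "suspicious": sorted(suspicious)}

def demo():
    """Constructed sample: tiny docroot, baseline, then one core edit and two dropped files."""
    root, base = tempfile.mkdtemp(), os.path.join(tempfile.mkdtemp(), "baseline.json")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    def write(rel, text):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    write("index.php", "<?php // core\n")
    save_baseline(root, base)                      # the "known good" state
    write("index.php", "<?php // core\n// unexplained edit\n")
    write("wp-content/uploads/cache.php", "<?php\n")
    write("wp-content/apikey.php.suspected", "")
    return report(root, base), report(root, base, upgrade_in_progress=True)
```

Run `save_baseline` right after each version upgrade and `report` from cron; the `upgrade_in_progress` flag is what keeps a legitimate core update from lighting up every file.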

@Ilia oh, the dynamic content engine of WordPress does have soft spots that need hardening, I feel, to protect from recon and attacks: the ones I’ve already mentioned, and server-side request forgery type attacks could be improved by tools to improve referrer hardening. Other things are maybe blocking browser agents such as unknown.
@joe yes, there are no perfect plugins, but there are some plugins that do seek to harden the soft spots; one of what I consider the best attempts at doing so. Yeah, but I’m not here to sell anyone or suggest plugins; they may have their own issues, as you say. I think some are intentionally security-weakening plugins, or some themes are developed with recon and backdoor access in mind. We are seeing this with open source; blobs are a favorite. etckeeper sounds interesting indeed!

here you go:

I would pray for xmlrpc.php mitigation. We run 100s of WordPress sites across many servers and we observe CPU spikes for minutes, sometimes hours, as attackers brute-force this particular WordPress API endpoint. Do yourselves a favour and put SNMP load and CPU monitors on your servers.

Here is a typical graph of CPU usage on a busy server being attacked:

With WP Toolkit, they have this mitigation, but to be frank it’s hard to find and should probably be enabled by default:

The problem is, of course, what does it break when blocked? This question is difficult to answer, but if you’re hosting for many clients protecting the whole is sometimes better than the individual.

I’m quite sure that fail2ban is more than powerful enough to stop this completely.

1 Like

Yes. I guess the point is to use this as beneficial for security as well; it’s only a suggestion.
This way we won’t need plugins, let’s say from possible nefarious actors; we have a trusted source, Virtualmin, to provide these options.
The beauty of “Security Options” is they are OPTIONAL by default.

I mean, when I look at logs sometimes I see cheesy script kiddie requests, other times I see more well thought out requests.
API/SMTP requests
/plugins/content/apismtp/apismtp.php.suspected
/wp-content/plugins/apikey/apikey.php.suspected
/plugins/content/apismtp/apismtp.php

Perl Based Requests?
/alfacgiapi/perl.alfa
/ALFA_DATA/alfacgiapi/perl.alfa

Server Side Request Forgery SSRF
/?redirect=http://169.254.169.254/latest/user-data

API
/index.php?rest_route=/oembed/1.0/embed&format=json&url=https://virtualmin.com

Interesting route attempts to wp-admin log in:
/wp-includes/fonts/wp-login.php
/wp-admin/js/about.php
/wp-admin/network/wp-login.php
/wp-content/plugins/dummyyummy/wp-signup.php
/wp-includes/pomo/wp-login.php
/wp-includes/images/wp-login.php
/wp-includes/IXR/wp-login.php

BASE64 ENCODED INJECTION ATTEMPTS - 
[POST:l = whatever base64 code here...] 

Also there are user enumeration requests via the API, which are used for recon in several fashions. But you get the idea: knowing the username is half the battle. But you get the idea, you can see what is going on with the requests, where the weak spots are: the xmlrpc API and everything I have mentioned prior to this post.

These are pretty common attempts really, some well thought out, some not so much. I had to remove a plugin that allowed a picture slider because it was being attacked; I thought, sheesh, nothing is sacred, that thing worked for years without a single attack on it. So the idea is to limit plugins and add security features; in my way of thinking that would make it very useful!
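The request patterns listed in the post above (the `.php.suspected` probes, the misplaced `wp-login.php` paths, the metadata-address redirect, the xmlrpc.php hammering), turned into a small fail2ban-style detector run over constructed access-log lines. This is an added example, not code from the thread, from Virtualmin or from fail2ban; the regexes, the five-POST xmlrpc threshold and the sample IPs are assumptions.

```python
"""Flag the request patterns listed in the post above in a combined-format
access log. Added example, not Virtualmin or fail2ban code; the log lines are
constructed samples and the xmlrpc threshold is an assumption."""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')

# One regex per concern raised in the thread, matched against path + query string.
RECON = {
    "suspected-shell": re.compile(r"\.php\.suspected$"),                 # dropped/renamed web shells
    "perl-cgi-probe": re.compile(r"/alfacgiapi/", re.I),                 # "Perl based requests"
    "ssrf-metadata": re.compile(r"169\.254\.169\.254"),                  # redirect aimed at cloud metadata
    "relocated-login": re.compile(r"^/.+/(wp-login|wp-signup)\.php$"),   # login page outside the docroot
    "user-enum": re.compile(r"/wp-json/wp/v2/users|[?&]author=\d+"),    # username recon via the API
}

def analyse(lines, xmlrpc_threshold=5):
    """Return {ip: sorted findings}. An IP POSTing to xmlrpc.php at least
    xmlrpc_threshold times in the sample also gets 'xmlrpc-bruteforce'."""
    findings, xmlrpc_posts = defaultdict(set), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not combined format; ignore
        ip, target = m["ip"], m["path"]
        if m["method"] == "POST" and target.split("?", 1)[0].endswith("/xmlrpc.php"):
            xmlrpc_posts[ip] += 1
        for label, pattern in RECON.items():
            if pattern.search(target):
                findings[ip].add(label)
    for ip, n in xmlrpc_posts.items():
        if n >= xmlrpc_threshold:
            findings[ip].add("xmlrpc-bruteforce")
    return {ip: sorted(f) for ip, f in findings.items()}

# Constructed sample: one xmlrpc burst, one recon sequence, one legitimate login.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
] * 5 + [
    '198.51.100.9 - - [10/Jan/2024:10:01:00 +0000] "GET /wp-content/plugins/apikey/apikey.php.suspected HTTP/1.1" 404 196',
    '198.51.100.9 - - [10/Jan/2024:10:01:01 +0000] "GET /wp-includes/fonts/wp-login.php HTTP/1.1" 404 196',
    '198.51.100.9 - - [10/Jan/2024:10:01:02 +0000] "GET /?redirect=http://169.254.169.254/latest/user-data HTTP/1.1" 200 5120',
    '192.0.2.4 - - [10/Jan/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for ip, labels in analyse(SAMPLE_LOG).items():
        print(ip, ", ".join(labels))
```

In production the per-IP count would be taken over a time window (the way fail2ban's findtime works) rather than over the whole file, and the flagged IPs would feed a ban action rather than a printout.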

If you don’t know what it breaks, it doesn’t break anything. That’s an XML-RPC remote API for WordPress. If you were using that remote API, you’d know that’s what it was. :wink:

99% of users can block it forever.

1 Like

I block it using Wordfence, it is in login options

You don’t need plugins to block it. You can block it with a rule in Apache, you could delete it (but you’d need to delete it every time you upgrade WordPress), you could make it not executable and mark it immutable, you could use a redirect to your front page, you could serve an error. And, so on.

Uff, wow! Their product prices alone are already way higher than what we currently offer.

And yes, I’ll start working on a centralized page for master administrators to overview, manage, and update all instances on the system. The services mentioned by @shoulders also support managing remote WordPress instances, and I believe that’s something we could offer in the future as well.

While I rarely use it, my co-workers really like https://infinitewp.com

Disclaimer – we have a paid license so I do not have any experience with the free tier :smile:

These days we are forcing our clients to install both WordFence and Sucuri to avoid those pesky PHP infections. We also turn on automatic updates centrally for all WordPress sites. Finally for users who “refuse” to upgrade from PHP 7.4, we put them all on a “throwaway” server so that they can be part of a special pool.

I’ve been using MainWP (https://mainwp.com) to administer WordPress sites. I got a lifetime license. I would consider using WP Workbench if the functions were equivalent or better.