Starting with Auto PHP Licenser 2.3, all phpmillion scripts will receive new security features and performance enhancements this month.
Today, just two months after the last big update, we introduce a new major release of our PHP license manager software. Auto PHP Licenser 2.3 is the first script to get the important security updates, along with other privacy-focused enhancements and performance improvements. Next week, we plan to deliver the same update to all PHP Auto Update Script users. Finally, at the end of the current month, you will get the same security and performance improvements in your Dead Man Switch installation. Now that we have your attention, let us tell you a bit more about the new releases.
First of all, these updates are not security fixes. In other words, there are no known security flaws in your installations, so there is nothing to patch in a hurry. At the same time, we understand that you use phpmillion scripts to store extremely sensitive data. Hence, these updates give that data an additional layer of protection: defence in depth rather than a fix for a specific bug. With this in mind, let’s see what new features you get…
Additional security headers.
Added: additional HTTP security headers;
These security headers are now sent with every response in every installation: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options.
The Strict-Transport-Security header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP. Due to obvious compatibility reasons, your website will run on HTTP if there is no SSL certificate installed,
The X-Frame-Options header indicates whether a browser should be allowed to render the page in a frame, iframe or object. Sites use it to avoid clickjacking attacks by ensuring their content is not embedded into other sites. We implemented the SAMEORIGIN option, so a page can only be displayed in a frame on the same origin as the page itself.
The X-XSS-Protection header stops a page from loading when the browser’s built-in filter detects a reflected cross-site scripting (XSS) attack. We implemented the 1; mode=block option, so rather than sanitizing the page, the browser prevents rendering of the page altogether if an attack is detected. Note that this header only does something in browsers that still ship such a filter: Chrome and Edge have since removed theirs and Firefox never had one, so treat it as a legacy extra and rely on a Content-Security-Policy for real protection against injected script.
The X-Content-Type-Options header is a marker used by the server to indicate that the MIME type advertised in the Content-Type header must be followed and not changed. Its only defined value is nosniff, and sending it opts the site out of MIME type sniffing; in other words, it is a way of saying that the webmaster knew what they were doing. As a side effect, a browser receiving nosniff also refuses to run a response as a script or stylesheet unless it is served with a matching MIME type, which is what stops a file served as text/plain from being executed when something references it as a script.
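To make the list concrete, here is an added PHP example of sending these four headers; it is not phpmillion’s code and does not show how Auto PHP Licenser does it internally. The function names (request_is_https, send_security_headers) are made up for this example. It assumes the file is included before any output, and it adds one Content-Security-Policy line that the list above does not mention, as the modern counterpart of X-XSS-Protection and X-Frame-Options.

```php
<?php
// Added example, not phpmillion's code: the four headers listed above, sent
// from PHP. Must run before any output, because headers cannot follow the body.

function request_is_https(): bool
{
    // TLS terminated by this web server ...
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        return true;
    }
    // ... or by a reverse proxy in front of it. Trust this header only if the
    // proxy overwrites it on every request; otherwise a client can forge it.
    return isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
        && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
}

function send_security_headers(): void
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line; cannot set headers");
    }

    // Browsers only honour HSTS on an HTTPS response, so sending it over plain
    // HTTP is pointless. One year is the usual max-age; append
    // "; includeSubDomains" only if every subdomain really serves HTTPS.
    if (request_is_https()) {
        header('Strict-Transport-Security: max-age=31536000');
    }

    // Allow framing only by pages from this same origin (clickjacking defence).
    header('X-Frame-Options: SAMEORIGIN');

    // Legacy reflected-XSS filter switch; current browsers ignore it, but it is
    // harmless and matches what the post describes.
    header('X-XSS-Protection: 1; mode=block');

    // nosniff is the only defined value: follow the declared Content-Type and
    // refuse to execute a response as script unless it has a JavaScript type.
    header('X-Content-Type-Options: nosniff');

    // Not in the post: the policy that actually constrains injected script in
    // today's browsers. frame-ancestors is the CSP equivalent of X-Frame-Options.
    // Tune the sources to the scripts and styles your pages really load.
    header("Content-Security-Policy: default-src 'self'; frame-ancestors 'self'");
}

send_security_headers();
```

A default-src 'self' policy blocks inline scripts and styles, so roll it out as Content-Security-Policy-Report-Only first and watch the browser console before switching to the enforcing header. To confirm what an installation actually sends, run curl -sI against the dashboard URL over HTTPS and look for the four header names in the output.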
Session monitoring and auto-banning.
Added: admin session monitoring system;
Added: option to allow administrator logins from specified IPs only;
Added: option to auto-ban hosts after a specified number of failed login attempts;
The new session monitoring system improves the authentication system by ensuring login cookies don’t reveal any sensitive information. In other words, the software generates a random token for every login and stores the sensitive data (such as the user’s e-mail address) on the server instead of in the cookie itself. When the user visits the administration dashboard again, the system looks up the previously generated random token from the cookie on the server, validates the additional data bound to it, and only returns success if every single field matches.
While we always recommend protecting the administration dashboard with .htaccess protection, we found that 9 out of 10 users ignore this security measure, leaving their installations open to brute-force attacks. With this in mind, the new version adds and automatically enables auto-banning to stop such attacks. After three invalid login attempts from the same IP address, the system automatically bans that address. To increase overall security, the software doesn’t allow banned hosts to access any section of the software, be it the installer, the password recovery page, the API or anything else. Administrators can of course change the failed-login limit and/or disable auto-banning in the Advanced Settings section; there they can also enter a custom message to be displayed to banned hosts. One practical caveat: the ban is keyed on the client IP address the PHP process sees. If your installation sits behind a reverse proxy, load balancer or CDN, check that the software sees the real client address rather than the proxy’s own, otherwise three bad logins would ban the proxy’s address and with it every legitimate visitor.
Additionally, an administrator can define one or more IP addresses from which logins are accepted. Once enabled, the system applies this restriction to all existing sessions as well. In other words, if a third party somehow intercepted the administrator’s old login cookie and uses it for unauthorized access from an address outside the list, the login system destroys that cookie immediately, resulting in a forced logout for the third party. Before enabling the option, double-check that your own current address is in the list (and that it is static), since the same rule will lock you out otherwise.
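The three mechanisms above (opaque server-backed login cookies, auto-banning after a number of failed attempts, and an IP allowlist that also kills existing sessions) fit in one small guard. What follows is an added PHP example, not phpmillion’s code, and it says nothing about how Auto PHP Licenser stores its own sessions; the class name AdminAuthGuard, the in-memory arrays standing in for database tables, and the addresses and credentials in the walk-through are all constructed for this illustration. It needs PHP 8.

```php
<?php
// Added example, not phpmillion's code (needs PHP 8): opaque login cookies
// backed by server-side session records, auto-banning after N failed logins,
// and an admin IP allowlist applied to existing sessions as well. Storage is
// an in-memory array; a real deployment would keep it in the database.
final class AdminAuthGuard
{
    private array $failedLogins = [];   // ip => consecutive failures
    private array $banned = [];         // ip => true
    private array $sessions = [];       // sha256(token) => ['email' => ..., 'ip' => ...]
    private array $allowedIps = [];     // empty list means no restriction

    public function __construct(private int $maxFailedLogins = 3) {}

    // Check this first on every entry point (installer, recovery page, API, ...)
    // so a banned host gets nothing at all, not merely a login refusal.
    public function isBanned(string $ip): bool
    {
        return isset($this->banned[$ip]);
    }

    public function setAllowedIps(array $ips): void
    {
        $this->allowedIps = $ips;
        // Destroy sessions from addresses outside the list right away, so a
        // previously stolen cookie stops working the moment the list is set.
        foreach ($this->sessions as $id => $s) {
            if (!$this->ipAllowed($s['ip'])) {
                unset($this->sessions[$id]);
            }
        }
    }

    private function ipAllowed(string $ip): bool
    {
        return $this->allowedIps === [] || in_array($ip, $this->allowedIps, true);
    }

    // $verify checks the credentials (password_verify() against a stored hash in
    // practice). Returns the cookie value on success, null otherwise.
    public function login(string $email, string $password, string $ip, callable $verify): ?string
    {
        if ($this->isBanned($ip) || !$this->ipAllowed($ip)) {
            return null;
        }
        if (!$verify($email, $password)) {
            $this->failedLogins[$ip] = ($this->failedLogins[$ip] ?? 0) + 1;
            if ($this->failedLogins[$ip] >= $this->maxFailedLogins) {
                $this->banned[$ip] = true;
            }
            return null;
        }
        unset($this->failedLogins[$ip]);
        $token = bin2hex(random_bytes(32));   // 256 CSPRNG bits; the cookie holds only this
        // Store a hash, so a leaked session table yields no usable cookies.
        $this->sessions[hash('sha256', $token)] = ['email' => $email, 'ip' => $ip];
        return $token;
    }

    // Returns the admin e-mail for a valid cookie, or null. A session whose bound
    // data no longer matches the request is dropped, not just rejected.
    public function validate(?string $token, string $ip): ?string
    {
        if ($token === null || $this->isBanned($ip) || !preg_match('/^[0-9a-f]{64}$/', $token)) {
            return null;
        }
        $id = hash('sha256', $token);
        if (!isset($this->sessions[$id])) {
            return null;
        }
        if ($this->sessions[$id]['ip'] !== $ip || !$this->ipAllowed($ip)) {
            unset($this->sessions[$id]);
            return null;
        }
        return $this->sessions[$id]['email'];
    }
}

// Walk-through with constructed addresses and credentials.
$guard  = new AdminAuthGuard(3);
$verify = fn(string $e, string $p): bool => $e === 'admin@example.com' && $p === 'correct horse';

foreach (['guess1', 'guess2', 'guess3'] as $bad) {          // brute force from one host
    $guard->login('admin@example.com', $bad, '203.0.113.9', $verify);
}
if (!$guard->isBanned('203.0.113.9')) {
    throw new LogicException('host should be banned after three failures');
}
$cookie = $guard->login('admin@example.com', 'correct horse', '198.51.100.7', $verify);
if ($guard->validate($cookie, '198.51.100.7') !== 'admin@example.com') {
    throw new LogicException('fresh session should validate from its own address');
}
$guard->setAllowedIps(['192.0.2.1']);                        // admin restricts logins
if ($guard->validate($cookie, '198.51.100.7') !== null) {
    throw new LogicException('old session must be destroyed once the allowlist excludes it');
}
echo "Guard behaves as described.\n";
```

Two design points worth noting. Binding a session to the client IP is what makes the allowlist retroactive, but it also logs out an administrator whose address changes mid-session (mobile networks, VPN reconnects), so it is a reasonable trade-off for an admin dashboard and a poor one for ordinary users. And the ban counter lives in the same store as the sessions: if that store is per-process memory rather than the database, each PHP worker keeps its own count and the limit is effectively multiplied by the number of workers.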
And even more new features.
For the full list of new features, see the version changelog. Looks good? Click Maintenance >> Software Updates in your administration dashboard and apply this update in seconds!
P.S. If you use Envato Purchase Verification Plugin, download and update this plugin too; it adds compatibility with Auto PHP Licenser 2.3.
2018-11-20 Update – PHP Auto Update Script 1.5 Released!
A major update to the PHP updates manager is now available for download! See all the new features and improvements on the changelog page.
2018-11-30 Update – Dead Man Switch 1.3 Released!
As promised, we are releasing the biggest update to Dead Man Switch ever. In addition to all the new features and improvements described above, Dead Man Switch 1.3 introduces new options that are not yet available in Auto PHP Licenser and PHP Auto Update Script. Discover them on the changelog page and get ready for some serious updates next month!