Brute Force Apache Log 503 Errors w/ Wordfence

June 19, 2018, 6:45 pm

≫ Next: Add to Cart stops working after server change

≪ Previous: False positive for ‘Page contains suspected malware’

Replies: 0

A few of my websites are being brute forced from time to time. Wordfence is doing a good job at blocking the IP, but what I’m seeing is that the IP address continues to hit the wp-login.php page and generates 503 errors in the Apache logs roughly every second. While this is taking place my server’s resource utilization shoots through the roof and it begins to cause OOM errors and dropping of services. When I block the offending IP (the one generating the 503 errors) in the server’s firewall, the server’s load reverts to normal and all is well again.

Question: When Wordfence blocks an IP for brute forcing against the wp-login.php page does it serve up 503 errors to said IP?

I’ve spoken with my server’s support techs on several occasions and they are recommending that I block bots and attempt to hide the wp-login.php file by moving it to a different location.

Any insights would be extremely helpful, thank you.

↧

Add to Cart stops working after server change

June 19, 2018, 8:51 pm

≫ Next: Conflict with HyperDB

≪ Previous: Brute Force Apache Log 503 Errors w/ Wordfence

Replies: 0

I moved from Siteground Shared to Cloud hosting. Now the Add to Cart buttons don’t work (Woocommerce) – this only happens when Wordfence is enabled. Wordfence is currently disabled so the page works.

Any ideas? I tried setting settings to default and also disabled the firewall whilst plugin was enabled but no luck.

Cheers,
Steve

↧

Conflict with HyperDB

June 20, 2018, 4:13 am

≫ Next: How to block malicious traffic from spoofed IP ?

≪ Previous: Add to Cart stops working after server change

Replies: 0

Since activating HyperDB v1.5 there has been a series of errors produced by Wordfence (and only wordfence) where it is attempting to write to the slave read only DB server.

[JUN 20 10:43:44] Error finishing writing value for adminNoticeQueue (MySQLi error: [1290] The MySQL server is running with the –read-only option so it cannot execute this statement)

[Jun 20 02:54:14:1529463254.305846:2:error] Error finishing writing value for wf_summaryItems (MySQLi error: [1290] The MySQL server is running with the –read-only option so it cannot execute this statement)

This topic was modified 28 minutes ago by shanemarsh28.

↧

How to block malicious traffic from spoofed IP ?

June 20, 2018, 4:21 am

≫ Next: Reset email taking too long

≪ Previous: Conflict with HyperDB

Replies: 0

Recently, I see some malicious traffic shown in Wordfence Live Traffic in my website. If I click on details, it shows as coming from my own server IP. Typically, they try to access some .php scripts to find out vulnerabilities. My question is, is there any way I can prevent this type of traffic ? Moreover, if such requests access any banned URL and gets blocked, what impact will it have on my server ?

↧

Reset email taking too long

June 20, 2018, 12:59 pm

≫ Next: wp-login unauthorized iframe recaptcha redirect prevents login

≪ Previous: How to block malicious traffic from spoofed IP ?

Replies: 0

I have installed Wordfence on a client site to which I do not have FTP access, and I was locked out by my own hard rules for using an old password. However, upon attempting to reset, the reset email is taking hours to arrive, and is invalid before I receive it. It’s quite urgent that I log in and take care of some security concerns — any thoughts on how we can fix this issue without being able to rename the plugin folder?

↧

wp-login unauthorized iframe recaptcha redirect prevents login

June 20, 2018, 6:32 pm

≫ Next: Amazon RDS Point-In-Time restore fails – wp_wfBlocks7 issue

≪ Previous: Reset email taking too long

Replies: 0

I have an iframe redirect in my wp-login page that I did not install. I talked with my host. They assured me that they did not install the iframe link on the page either.

When I scan my wp-login page with isithacked I get this:

That code doesn’t appear in the wp-login text file. How do I delete this iframe code?

I can FTP into the site, but even if I disable all of my plugins, the wp-login page iframe page link still redirects.

Wordfence latest version is installed, but I can’t log in to access it. Any suggestions?

↧

Amazon RDS Point-In-Time restore fails – wp_wfBlocks7 issue

June 20, 2018, 6:10 pm

≫ Next: Conflict with Divi

≪ Previous: wp-login unauthorized iframe recaptcha redirect prevents login

Replies: 0

Hi,

I’m hosting about 25 WordPress websites with Amazon RDS (MySQL) as a database provider. Recently I performed a Point-In-Time restore of my database server to get a website back into a certain state (not security related). Amazon RDS has this built in as a service feature.

This point in time restore failed and we were not sure of the cause of it, some ideas were discussed here: https://serverfault.com/q/914332/81774

However, since then I have worked with AWS to identify a reproducible case of this issue and it is this database statement:

create table IF NOT EXISTS wp_wfBlocks7 (
      id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
      type int(10) unsigned NOT NULL DEFAULT '0',
      IP binary(16) NOT NULL DEFAULT '\^@\^@\^@\^@\^@\^@\^@\^@\^@\^@\^@\^@\^@\^@\^@\^@',
      blockedTime</code> bigint(20) NOT NULL,
      reason varchar(255) NOT NULL,
      lastAttempt int(10) unsigned DEFAULT '0',
      blockedHits int(10) unsigned DEFAULT '0',
      expiration bigint(20) unsigned NOT NULL DEFAULT '0',
      parameters text,
      PRIMARY KEY (id),
      KEY type (type),
      KEY IP (IP),
      KEY expiration (expiration)
    ) DEFAULT CHARSET=utf8

I have confirmed this is the schema used in one of the sites hosted, which uses Wordfence 7.1.3

Can you advise if this is a known issue? What is the reason for this specific default value and how can I make sure PIT restore works in the short term?

This topic was modified 1 hour, 51 minutes ago by managedhostingpartners.

↧

Conflict with Divi

June 20, 2018, 11:51 pm

≫ Next: A regex Wordfence received from its servers is invalid.

≪ Previous: Amazon RDS Point-In-Time restore fails – wp_wfBlocks7 issue

Replies: 0

Hi I’m having an issue with Wordfence conflicting with Divi.

Here’s a screenshot, showing Firefox console.

https://www.backtofrontdesign.co/wp-content/uploads/2018/06/Screen-Shot-2018-06-21-at-4.37.14-pm.png

Updated everything.

Disabled all other plugins, deactivated Wordfence removing settings from the database and reactivated.

Reverted to the Divi parent theme, which also causes this error.
Reverted to default twenty something theme, which fixes the issue.
Tested on another site running latest Divi and Wordfence, works fine!

No errors in Network tab either :/

I’ve disabled Wordfence for now so we can edit the site!
But please give me any further tips how I can debug this conflict.

↧

A regex Wordfence received from its servers is invalid.

June 21, 2018, 3:01 am

≫ Next: Block spamvertising attacks

≪ Previous: Conflict with Divi

Replies: 0

Seeing these crop up in the scan log:

[Jun 20 14:23:39] A regex Wordfence received from its servers is invalid. The pattern is: <\s*?rdf:li\s*?xml:lang\s*?=\s*?”\s*?x-default\s*?”\s*?>\s*?Valtrex\s*?Online\s*?Uk\s*?-\s*?Valacyclovir\s*?Buy\s*?Uk\s*?<\s*?\/rdf:li\s*?>
[Jun 20 14:23:39] A regex Wordfence received from its servers is invalid. The pattern is: <\s*?rdf:li\s*?xml:lang\s*?=\s*?”\s*?x-default\s*?”\s*?>\s*?Buy\s*?Doxycycline\s*?Online\s*?Uk\s*?-\s*?Doxycycline\s*?100mg\s*?Cost\s*?Uk\s*?<\s*?\/rdf:li\s*?>
[Jun 20 14:23:39] A regex Wordfence received from its servers is invalid. The pattern is: <\s*?rdf:li\s*?xml:lang\s*?=\s*?”\s*?x-default\s*?”\s*?>\s*?Mirtazapine\s*?Tablets\s*?45mg\s*?-\s*?Mirtazapine\s*?15mg\s*?Tablets\s*?Used\s*?<\s*?\/rdf:li\s*?>
[Jun 20 14:23:39] A regex Wordfence received from its servers is invalid. The pattern is: <\s*?rdf:li\s*?xml:lang\s*?=\s*?”\s*?x-default\s*?”\s*?>\s*?Buy\s*?Pantoprazole\s*?Online\s*?Uk\s*?-\s*?Buy\s*?Pantoprazole\s*?Uk\s*?<\s*?\/rdf:li\s*?>
[Jun 20 14:23:39] A regex Wordfence received from its servers is invalid. The pattern is: <\s*?rdf:li\s*?xml:lang\s*?=\s*?”\s*?x-default\s*?”\s*?>\s*?Clomid\s*?Tablets\s*?For\s*?Sale\s*?Uk\s*?-\s*?Will\s*?My\s*?Doctor\s*?Prescribe\s*?Clomid\s*?Uk\s*?<\s*?\/rdf:li\s*?>
[Jun 20 14:23:39] A regex Wordfence received from its servers is invalid. The pattern is: <\s*?rdf:li\s*?xml:lang\s*?=\s*?”\s*?x-default\s*?”\s*?>\s*?Coupon\s*?For\s*?Nexium\s*?From\s*?Astrazeneca\s*?-\s*?Nexium\s*?Price\s*?Costco\s*?<\s*?\/rdf:li\s*?>
[Jun 20 14:23:39] A regex Wordfence received from its servers is invalid. The pattern is: <\s*?rdf:li\s*?xml:lang\s*?=\s*?”\s*?x-default\s*?”\s*?>\s*?Nexium\s*?Drip\s*?Dose\s*?Gi\s*?Bleed\s*?-\s*?Nexium\s*?40\s*?Mg\s*?Price\s*?In\s*?Egypt\s*?<\s*?\/rdf:li\s*?>
[Jun 20 14:23:39] A regex Wordfence received from its servers is invalid. The pattern is: <\s*?rdf:li\s*?xml:lang\s*?=\s*?”\s*?x-default\s*?”\s*?>\s*?Finasteride\s*?Prescription\s*?Uk\s*?-\s*?Propecia\s*?Prescription\s*?Cost\s*?Uk\s*?<\s*?\/rdf:li\s*?>

Looks like spam?? But is it on my sote or something to do with wordfence servers?

↧

Block spamvertising attacks

June 21, 2018, 7:23 am

≫ Next: Wordfence shows my server ip as blocked

≪ Previous: A regex Wordfence received from its servers is invalid.

Replies: 0

Hi,

We have a site that keeps getting attacked with the same spamvertising code.
We are considering using the paid for version of Wordfence but we cant figure out if Wordfence would block these attacks, or if it would just be able to let us know when it happens. Please could you clarify?

Thanks,
Vauneen

↧

Wordfence shows my server ip as blocked

June 21, 2018, 5:00 pm

≫ Next: File appears to be malicious

≪ Previous: Block spamvertising attacks

Replies: 0

Hi guys
I have a wordpress site built and installed wordfence plugin. I am able to reach my website from any device but on the wordfence dashboard it shows me

IP Block Count
104.236.55.169 84 <<<<< This is my server IP
185.13.112.126 7
95.84.161.27 7

Why my server IP shows up on wordfence dashboard as blocked?

↧

File appears to be malicious

June 23, 2018, 2:13 am

≫ Next: If I choose to receive monthly email reports, what day are they sent?

≪ Previous: Wordfence shows my server ip as blocked

Replies: 0

Hi there

I use latest version of the free Wordfence plugin.

Since a couple of weeks I get this critical message:

File appears to be malicious: wp-content/cache/scripts/be19c6b374ea47b51783e35f2c94e322-deanedwards.js
Type: File

I am wondering if indeed this is malicious code and I should delete it. Or could it be a minified JS a plugin has made.

And is there a place where malicious code is listed which I could check maybe?

Thanks in advance for your help.

↧

If I choose to receive monthly email reports, what day are they sent?

June 23, 2018, 6:35 am

≫ Next: Unable to activate

≪ Previous: File appears to be malicious

Replies: 0

Just curious to know what part of the month the report is emailed if I change it to monthly instead of weekly.

↧

Unable to activate

June 23, 2018, 3:31 pm

≫ Next: Curious – does this protect, or just warn?

≪ Previous: If I choose to receive monthly email reports, what day are they sent?

Replies: 0

I have tried several times to activate the plugin but all I get is:
Plugin could not be activated because it triggered a fatal error.
Fatal error: Maximum execution time of 30 seconds exceeded in /var/www/html/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/parser/lexer.php on line 503

↧

Curious – does this protect, or just warn?

June 23, 2018, 5:50 pm

≫ Next: Installation after hacked

≪ Previous: Unable to activate

Replies: 0

The domain above is the main domain on my account. On June 17th, I got emails telling me that I’d had many attacks on my site. In reviewing the event, I saw over 450 attacks on my site within minutes. Your email said it had protected me from those attacks (and I subsequently blocked that IP from my server’s cpanel). However, yesterday, on logging into a wordpress site of mine, I saw a Wordfence warning that there was one issue on my wp-config file for one of my sites.

What it didn’t tell me, and I’ve subsequently found out from my hosting company – an attack on June 20th got through and my entire site and subsites are now showing a great many hacks. In fact, even images were hacked. This was neither reported NOR blocked by Wordfence. I didn’t get a single email about this – only visibility when I happened to log into one of my sites.

Clearly, this wasn’t blocked, and I understood that was a function of the free version. I’ve considered the paid version, but if this can happen where it shouldn’t, how am I to know my paid version would protect me any better?

↧

Installation after hacked

June 24, 2018, 9:00 pm

≫ Next: What’s The Worst That Could Happen If I Tried To Block Everything From AWS?

≪ Previous: Curious – does this protect, or just warn?

Replies: 0

Hello everyone!
My wordpress site has been attacked by hackers and get blank URL direction. After fixing this issue I installed and activate Wordfence but it notify me that I have to upgrade to premium account for scanning

↧

What’s The Worst That Could Happen If I Tried To Block Everything From AWS?

June 25, 2018, 2:03 pm

≫ Next: error message on install

≪ Previous: Installation after hacked

Replies: 0

A huge amount of blocked traffic is coming from Amazon AWS servers. Are there legitimate humans who would be visiting my site from an AWS IP address? What would happen if I blocked them all?

↧

error message on install

June 26, 2018, 6:01 am

≫ Next: Wordfence 7.1.8

≪ Previous: What’s The Worst That Could Happen If I Tried To Block Everything From AWS?

Replies: 0

Hi,
I installed the free version of WordFence, and I get this error message: “Wordfence could not register with the Wordfence scanning servers when it activated”

But, in the Wordfence dashboard, I do get information from Wordfence. So I suppose the connexion with database could be made after all ?
Should I ignore this message ? Or what should I do ?
Thanks

↧

Wordfence 7.1.8

June 26, 2018, 10:58 am

≫ Next: Whitelisted IP still being blocked from logging in

≪ Previous: error message on install

Replies: 0

Greetings all. We have a point release for Wordfence today, version 7.1.8. Please update as soon as you are able.

Improvement: Better detection of removal status when uninstalling the WAF’s auto-prepend file.
Improvement: Switched optional mailing list signup to go directly through our servers rather than a third party.
Fix: Fixed the dashboard erroneously showing the payment method as missing for some payment methods.
Fix: If a premium license is deleted from wordfence.com, the plugin will now automatically downgrade rather than get stuck in an intermediate state.
Fix: Changed some wording to consistently use “License” or “License Key”.

Thanks everyone for great comments and suggestions. Send any of those you might have to feedback@wordfence.com and someone will get back to you.
Keep in mind, the feedback address is not a place to request support.
Also, no support questions will be answered in this thread.
Free support requests can be posted at https://wordpress.org/support/plugin/wordfence
Our premium customers can open a ticket at http://support.wordfence.com

↧

Whitelisted IP still being blocked from logging in

June 26, 2018, 1:02 pm

≫ Next: How to whitelist AWS?

≪ Previous: Wordfence 7.1.8

Replies: 0

I have a client who’s IP is being blocked and she currently cannot login. So I went to the WF settings and placed her IP in the ‘Whitelisted IP addresses that bypass all rules’ area and she still can’t login even after that took hold. Was that the right place to do it?

↧