Channel: WordPress.org Forums » [Wordfence Security - Firewall, Malware Scan, and Login Security] Support

How to search live traffic for browser: undefined


Replies: 1

Hi, we recently had scrapers steal some of our best posts. I found that they appear in the live traffic as

browser:undefined
badwebsite.example.com WordPress …

How do I search for “browser:undefined” in the live traffic? I have blocked all of the network following your instructions, checking whois then blocking the network as several of the sites on that host stole our content. But I think what they’ve currently taken will still be visible on their site.

More importantly, how do we block any traffic that has “browser:undefined”? I added a custom pattern to the block browser agent field, undefined*, but I’m not sure that is the correct method.

Thank you


The last rules update for the Wordfence Web Application Firewall was unsuccessfu


Replies: 0

The last rules update for the Wordfence Web Application Firewall was unsuccessful. The last successful update check was…

I keep seeing that error and dismissing it only works temporarily. What’s the fix?

False Positive or Real?


Replies: 0

This is my first website and I just recently set it up two days ago. I apologize for my lack of knowledge but I would like to know if this is something I need to worry about, and what should I do, or is it a false positive. Thanks.

Filename: default.php
File Type: Not a core, theme, or plugin file from wordpress.org.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: <title>Default page</title>\x0d\x0a <meta charset="utf-8">\x0d\x0a <meta content="IE=edge,chrome=1" http-equiv="X-UA-Compatible">\x0d\x0a <meta content="Default page" name="description">

The issue type is: Suspicious:HTML/spampattern
Description: Suspicious code pattern commonly seen in generated spam pages

Wordfence: File Viewer page
https://pastebin.com/CjaMSm8g

Wordfence Google Captcha


Replies: 0

Dear support,

We do have a couple of questions/issues we need to address.

1. We did install Wordfence on our WordPress websites.
Furthermore, on one of our websites Google Captcha didn’t seem to work and Wordfence was still logging failed login activities.

2. Secondly, a member of the website was blocked out and couldn’t get back in. We did try to unblock him but he was not listed in the blocklist. Is this a bug you need to fix?

Custom block message

LiteSpeed, noabort and security implications


Replies: 0

Hi,
On recently changing my hosting to a new host with a LiteSpeed server (and installing LiteSpeed Cache), I received the standard WordFence alert advising me to edit my .htaccess file with the Litespeed noabort section.

Before making the change I ran it past the host support team who said:

I’ve taken a closer look at WordFence’s advice. It seems a bit extreme, as it would completely disable a feature of LiteSpeed which prevents certain types of DoS attack (and other wasting of system resources).

There is probably a middle-ground that would achieve what they want, without completely disabling the feature, but I am unsure of how Wordfence works, so I can’t be sure what that would be.

[# BEGIN…]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-cron.php$ - [E=noabort:1]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin
RewriteCond %{HTTP_COOKIE} ^.*wordpress_logged_in_.*$
RewriteRule .* - [E=noabort:1]
</IfModule>
[# END…]

You could either add the above to the website’s .htaccess file, and hope that it works,
or you could try contacting Wordfence themselves to see if they think the above would work.

It seems odd to me that nobody here (as far as I can tell) has raised the question of security issues. Any thoughts on the above comment and proposed solution?

  • This topic was modified 13 minutes ago by nicksloan.

Exclude Directories from Wordfence


Replies: 0

Hello –

I am back with a similar yet different issue. I have a self-hosted CRM in a sub-directory off of my root directory where my WP install is that is running WF. Just recently, and coincidentally around the same time frame the last update came out, I began to experience issues with my CRM being able to make IMAP connections on my own server to be able to send mail.

I kept checking server logs, mail logs, my CRM logs, and WF logs and there was no trace that WF was blocking these connections; however, once I deactivated and deleted WF from my WP site in the root directory, my CRM went back to normal and was able to make IMAP connections again. As a test, I re-enabled WF on my site and sure enough within 12-14 hours of doing so, the same errors started showing up again in my logs with failed IMAP connections. Deactivated and deleted the plugin again and once cron cleared, my CRM went back to normal.

That said, I am now without WF on my WP site because I need my CRM to run. These issues are surely being caused by WF somehow but nothing is showing up in logs to determine exactly what the issue is. Is there anywhere to completely disable WF from having ANY control over an app installed in a sub-directory?

Thank you.

Company IPs Blocked by Wordfence Security Network


Replies: 0

One of our organization’s IPs is blocked by the Wordfence Security Network. How do we unblock it?


WordFence blocks restore


Replies: 0

Hi, I am trying to restore from the Duplicator backup, but I get blocked by the WordFence plugin. I deleted it from FTP, as I am unable to access it from WordPress – I get a maintenance error message – but it still blocks me!

Can you please advise how to override it?
Thanks

Is jQuery 1.12.4 safe?


Replies: 0

Hi,

Penetration testing on our servers has revealed that our site(s) are using jQuery 1.12.4, which is used by Wordfence. The Pen-testers have said that there are XSS vulnerabilities with this version of jQuery. (which is also reported here:
https://snyk.io/test/npm/jquery/1.12.4)

My question is:
1) Are the vulnerabilities reported in jQuery 1.12.4 *really* an issue, considering Wordfence is sitting in the way?

If so, do I have to update the version of jQuery currently in use by Wordfence? (Or will there be an upcoming patch soon?)

Many thanks in advance,

Anthony

Free plugin found to be malicious in scan by host


Replies: 0

My host Afrihost has found your plugin to be malicious in a scan. Please let me know if you are aware of this and what I can do about it. This was also found by Sucuri.

See below from my host’s scan.

The files listed as malicious in the scan are mentioned below:

===
/home/tinacaam/public_html/beaware/wp-content/plugins/wordfence/lib/wfScanEngine.php
/home/tinacaam/public_html/beaware/wp-content/plugins/wordfence/waf/bootstrap.php
/home/tinacaam/public_html/soultour/wp-content/plugins/wordfence/lib/wfScanEngine.php
/home/tinacaam/public_html/soultour/wp-content/plugins/wordfence/waf/bootstrap.php
/home/tinacaam/public_html/transformtoday/wp-content/plugins/wordfence/lib/wfScanEngine.php
/home/tinacaam/public_html/transformtoday/wp-content/plugins/wordfence/waf/bootstrap.php
/home/tinacaam/public_html/wp/wp-content/plugins/inclu/l
/home/tinacaam/public_html/wp/wp-content/plugins/inclu/ol.php
/home/tinacaam/public_html/wp/wp-content/plugins/inclu/wp-includes.php
/home/tinacaam/public_html/wp-content/plugins/wordfence/lib/wfScanEngine.php
/home/tinacaam/public_html/wp-content/plugins/wordfence/waf/bootstrap.php
/home/tinacaam/public_html/wp-content/uploads/mc4wp-debug-log.php
===

You can cross-check these files. As updated, the scan has tagged some files related to the plugins wordfence, inclu.

Thanks
Tina Cornish

No rules were updated.


Replies: 0

Hi!

When I click Manually refresh rules, there is “No rules were updated. Please verify you have permissions to write to the /wp-content/wflogs directory.”

This is a site I duplicated to a new server. It was on an old WordPress and Wordfence. I updated all the plugins, themes, WordPress and I also switched to PHP 7.2.

After the error, I correctly deleted Wordfence “FTP + BBD” but the error is still there.
Now I’m using Wordfence 7.2.3 (1551370846) on my WordPress 5.1.1.

Diagnostics :

Filesystem: OK.
MySQL: OK.
PHP : ok
Connectivity: everything is OK.
/wp-content/wflogs : 775 permissions.
Files attack-data.php, config.php and ips.php have 660 permissions; rules.php has 664.

I tried to remove the folder /wp-content/wflogs, it is recreated with the same result.

I did not understand the verification to be done on the user or owner, can you explain to me?

Thanks so much.

Blocking issues


Replies: 0

Dear support,

We do have an issue. The plugin locked out a user from signing in (check email below).
Furthermore, when we tried to log in to unlock the user, we saw a page saying that we were temporarily locked out as well. We found a workaround but this is not how it should work. Why did we get locked out (we do have a different IP address)?

Can you please advise? Any help would be much appreciated.

We received an email saying that:
User IP: xxx.xx.x83.67
User hostname: ec2-xxx-xx-x83-67.eu-west-1.compute.amazonaws.com
User location: Dublin, Ireland

The image below shows all users to have the same IP address, which is not true.

https://imgur.com/a/nAYsE65

Blocking usernames: CAPS important or not?


Replies: 1

Immediately block the IP of users who try to sign in as these usernames:

Do I also need to specify words in CAPS or not?

Web Application Firewall was unsuccessful.


How to Override wfLockedOut.php to remove admin link


Replies: 0

Is it possible to override within my Child’s theme wfLockedOut.php?
Possibly create wordfence folder and place the modified copy in there?

The Lockout page includes the link to my admin login in which I have changed to a custom one; however, wordfence negates this security measure by displaying a link when a user gets locked out.

For over a year now, other topics that are similar where they have to re-apply their changes after every update.

This is the line I want removed from the lockout screen. If I can override, then I can do it myself.

<li><a href="<?php echo esc_url(admin_url()); ?>"><?php _e('Attempt to return to the admin login page (you may still be locked out)', 'wordfence'); ?></a></li>

other closed tickets from a year ago need something similar:
https://wordpress.org/support/topic/customizing-block-locked-messages-from-wordfence/

New user alert


Replies: 0

Hi

The above site was recently hacked. I restored it from backup and all is fine. I also have a backup of the hacked site.

The hacker had changed the home URL for starters to a hack site. When I restored it the site was still forwarding the visitor to spam sites. That is why I opted for a full restore.

At the time of the hack I received the standard new user created email; however, there seems to be no such option on WordFence and hence I have not received any alert.

The WordPress email does not say if the new user was an admin or not and WordFence does not show any admin logins at the time.

In what scenario can a hacker bypass WordFence like in this case?

My SQL server can only be accessed locally. Remote hacking is out of the question. That is why the hacker had to create an account to get access.

Any help is appreciated.

Error reading Wordfence Firewall config data


Replies: 0

Hi there,
I’m seeing the following error in my debug log:

[19-Mar-2019 08:03:32 UTC] Error reading Wordfence Firewall config data, configuration file could be corrupted or inaccessible. Path: /wp-content/wflogs/config-transient.php

I’m also seeing a huge amount of the following errors:

[19-Mar-2019 08:43:30 UTC] PHP Warning: mysqli_real_connect(): (42000/1203): User xxxxxxxx already has more than ‘max_user_connections’ active connections in /wp-includes/wp-db.php on line 1612

Not sure if they’re connected, but if you have any suggestions on how I can fix the ‘Wordfence Firewall config data’ error please, that would be very much appreciated.

Kind regards,
JP

  • This topic was modified 12 minutes ago by JapeNZ.

404 error added at the website when adding to Wordfence Central


Replies: 1

We’ve added our websites to Wordfence Central but after confirming Wordfence is installed at the websites, the site URL that has been added at Wordfence Central has a 404 error. Any ideas why? We can see the Wordfence details per site but we can’t figure out why it has a 404 error on the site URL.

https://drive.google.com/open?id=1ZYNTFZj_aPoQLrBTaGf7EFMA1zji81wv

Site compromised


Replies: 0

Hi,

I want to talk about my website, which is an e-commerce website.

Yesterday night I got the email from the website that

1.
9:56 pm, March 19 – New user registration on your site Pizza Home:

Username: devidpentesting99

Email: devidpentesting@yandex.ru

2
Then I got the email
Password changed for user: devidpentesting99 at 4:05 am

3
at 5:30 AM, March 20
This email was sent from your website “Pizza Home” by the Wordfence plugin at Wednesday 20th of March 2019 at 01:00:36 PM
The Wordfence administrative URL for this site is: https://www.pizzahome.co.nz/wp-admin/admin.php?page=Wordfence
A user with username “devidpentesting99” who has administrator access signed in to your WordPress site.
User IP: 185.212.131.46
User hostname: jacksonblue1.ptr1.ru
User location: Netherlands

4
at 6:58 AM, March 20
This email was sent from your website “Pizza Home” by the Wordfence plugin at Wednesday 20th of March 2019 at 02:28:26 PM
The Wordfence administrative URL for this site is: https://getmyfreetraffic.com/n90sab35473/wp-admin/admin.php?page=Wordfence
A user with username “devidpentesting99” who has administrator access signed in to your WordPress site.
User IP: 185.212.131.45
User hostname: jacksonblue.ptr1.ru
User location: Netherlands

And then my site was hacked; it is redirecting to some blog. Please tell me how someone created himself as an administrator. Yes, it is a shopping cart; the user can create an account and the user can change the password.
But how did someone do this, and what type of hacking is this? My hosting company is also investigating this. I have been using Wordfence for two years and this kind of hack never happened. Please advise me so that I will be careful next time.
