Help with CSF Firewall — removing LFD process check for WF

October 18, 2016, 9:31 am

≫ Next: Exclude directories from scan

≪ Previous: Wordfence is slowing the loading of my website by more than 30 seconds

$

0

0

Replies: 0

I know it’s not directly a WordFence thing, but is there a way I can stop the server LFD from flagging these valid WordFence-related processes as “suspicious”?

—
Suspicious process running under user XXXX

Executable:
/usr/bin/php

Command Line (often faked in exploits):
/usr/bin/php /home/WEBSITEPATH/public_html/wp-admin/admin-ajax.php

Files open by the process (if any):
/var/cpanel/locale/en.cdb.2666 (deleted)
/dev/urandom
/home/WEBSITEPATH/public_html/wp-content/wflogs/ips.php
/home/WEBSITEPATH/public_html/wp-content/wflogs/config.tmp.Tn7EbT (deleted)
/home/WEBSITEPATH/public_html/wp-content/wflogs/attack-data.php
—

---

Exclude directories from scan

October 18, 2016, 1:21 pm

≫ Next: Contact Form 7 and Wordfence Conflict

≪ Previous: Help with CSF Firewall — removing LFD process check for WF

$

0

0

Replies: 0

Wordfence v6.2.2

I have a site on a cPanel-based hosting provider. My first site lives in /home/username/public_html.. my second and third sites live in /home/username/public_html/second_site and /home/user/public_html/third_site respecitvely. A WordFence scan initiated on my first site ALSO scans second_site and third_site. second_site and third_site are also using WordFence and have their own scans configured.

Is there a way to configure WordFence on first_site to ignore the directories second_site and third_site?

Thanks in advance for your assistance.

Steve

• This topic was modified 5 hours, 10 minutes ago by  .

Contact Form 7 and Wordfence Conflict

October 18, 2016, 1:50 pm

≫ Next: “Live Updates Paused” problem

≪ Previous: Exclude directories from scan

$

0

0

Replies: 0

I use Contact Form 7. I also use the document attachment option, and after narrowing it down, I have found it sources to Wordfence. I was working fine up until recently, so must be with a recent Wordfence update. If I turn on Wordfence, I can add the docs to Contact Form 7 and they send just fine. But If Wordfence is active, when I try to upload a doc to the contact form, it just “spins.” Do I need to whitelist this action?

“Live Updates Paused” problem

October 18, 2016, 1:51 pm

≫ Next: How to submit backdoor scripts to WordFence

≪ Previous: Contact Form 7 and Wordfence Conflict

$

0

0

Replies: 0

Boy, I sure don’t like the new “Live Updates Paused – click inside window to resume” feature. It makes searching in the window impossible. Any way to turn that message off?

How to submit backdoor scripts to WordFence

October 18, 2016, 4:31 pm

≫ Next: Options are not saving (admin-ajax.php)

≪ Previous: “Live Updates Paused” problem

$

0

0

Replies: 0

Hi,

I’ve found a backdoor script that was uploaded to one of my clients’ sites, and wasn’t picked up in a WordFence scan. How can I submit this for fingerprinting to improve WordFence scan?

Options are not saving (admin-ajax.php)

October 18, 2016, 6:23 pm

≫ Next: Social Type Website

≪ Previous: How to submit backdoor scripts to WordFence

$

0

0

Replies: 0

I am trying to save changes in the wordfence options page (ie adding premium key or anything else)

The console returns this:

load-scripts.php?c=0&load[]=jquery-core,jquery-migrate,utils,quicktags&ver=8a8f84f……:
4 POST http://vernpierson.us/blog/wp-admin/admin-ajax.php 403 (Forbidden)send @ load-scripts.php?c=0&load[]=jquery-core,jquery-migrate,utils,quicktags&ver=8a8f84f……:4ajax @ load-scripts.php?c=0&load[]=jquery-core,jquery-migrate,utils,quicktags&ver=8a8f84f……:4ajax @ admin.js?ver=6.2.2:935saveConfig @ admin.js?ver=6.2.2:1912onclick @ admin.php?page=WordfenceSecOpt:516

I have disabled all other plugins, disabled the wordfence firewall, checked the file permissions and the .htaccess file, all with the same result.

I tried to follow this page: HERE

but the “Disable config caching” does not exist.

Does anyone have any ideas?

Thank you! also, I have submitted a premium support ticket as well.

Social Type Website

October 18, 2016, 10:02 pm

≫ Next: Firewall Logs Location

≪ Previous: Options are not saving (admin-ajax.php)

$

0

0

Replies: 0

Hello,

I’m using a social type website. What is the best setup options for my website please?

I’m really confused on setting up my firewall because a while ago, I tried going to my admin login page and it blocked me unexpectedly. Why is that? This is the issue that I don’t want my members to be automatically blocked in the frontend like that.

Please advice!

Regards,
Jed

Firewall Logs Location

October 18, 2016, 11:56 pm

≫ Next: Keeping Falcon Engine For Caching

≪ Previous: Social Type Website

$

0

0

Replies: 0

Where are the firewall logs stored? Some users on my site are having issues with uploading some files. I want to check if the Wordfence firewall is blocking some connection for their IP. Where can I find the firewall and/or Wordfence logs?

---

Keeping Falcon Engine For Caching

October 19, 2016, 12:57 am

≫ Next: WordFence 6.2.1 stops BP Gallery 1.4.0 from uploading images

≪ Previous: Firewall Logs Location

$

0

0

Replies: 4

Hi there,

After hearing that you guys are removing the falcon engine completely from Wordfence, I tried to replace it with other caching plugins. Unfortunately I have not manage to get the same results (after almost a year of trying hundreds of settings and following so many tips and tricks, with almost any caching plugin) as Falcon Caching.

So I’m thinking of keeping an outdated Wordfence purely for Falcon Engine so I can keep my network running fast and I’ll replace the security with another plugin.

Just wondering if it was possible to detach Falcon Engine into a separate plugin or use a code snippet to remove all the other options from Wordfence, so I’m only having Falcon caching options?

Cheers.

WordFence 6.2.1 stops BP Gallery 1.4.0 from uploading images

October 19, 2016, 8:05 am

≫ Next: [Resolved] wpForo User File Upload error 403

≪ Previous: Keeping Falcon Engine For Caching

$

0

0

Replies: 2

Hi there,

The latest version of wordfence has stopped my BP Gallery from working, could you fix it please?

I can get you the plugin file if needed.

[Resolved] wpForo User File Upload error 403

October 19, 2016, 10:16 am

≫ Next: DB Import Error for WF-Config

≪ Previous: WordFence 6.2.1 stops BP Gallery 1.4.0 from uploading images

$

0

0

Replies: 0

Hello
My members could not upload images to forum they were getting error 403 Forbidden,i had to disable in Firewall settings.
Malicious File Upload (PHP)
And it worked after.

DB Import Error for WF-Config

October 19, 2016, 10:30 am

≫ Next: [Resolved] Unable to open /wp-content/wflogs/ips.php

≪ Previous: [Resolved] wpForo User File Upload error 403

$

0

0

Replies: 0

I’m getting the following error when trying to import the DB to work on my local server:

Error
SQL query:

INSERT INTO wp_wfConfig (name, val, autoload) VALUES
(‘wfsd_engine’, 0x4f3a31323a2277665363616e456e67696e65223a31383a7b733a32303a220077665363616e456e67696e6500686173686572223b4f3a31333a22776f726466656e636548617368223a31393a7b733a383a2273747269706c656e223b693a32373b733a31303a22746f74616c46696c6573223b693a323531313b733a393a22746f74616c44697273223b693a3338313b733a393a22746f74616c44617461223b693a3235333634303835333b733a31303a226c696e65734f66504850223b693a3135373038323b733a31303a226c696e65734f664a4348223b693a3234313535353b733a31333a2273746f707065644f6e46696c65223b733a36363a2277702d636f6e74656e742f706c7567696e732f6a735f636f6d706f7365725f73616c69656e742f6173736574732f76632f76632d77656c636f6d652f30322e706e67223b733a32363a2200776f726466656e63654861736800636f7265456e61626c6564223b623a313b733a32393a2200776f726466656e63654861736800706c7567696e73456e61626c6564223b623a313b733a32383a2200776f726466656e636548617368007468656d6573456e61626c6564223b623a313b733a32393a2200776f726466656e636548[…]
MySQL said: Documentation

#2006 – MySQL server has gone away

I tried following these instructions on both the web server and the development server but didn’t work:

http://piwik.org/faq/troubleshooting/faq_183/

I also try splitting the DB import, so the file size is small, but it didn’t work either

• This topic was modified 8 hours, 35 minutes ago by  Halex Productions.

[Resolved] Unable to open /wp-content/wflogs/ips.php

October 19, 2016, 10:50 am

≫ Next: Firewall – Malicious File Upload (PHP) blocking users from uploading images

≪ Previous: DB Import Error for WF-Config

$

0

0

Replies: 1

One of my sites is getting this error:

“Unable to open/wp-content/wflogs/ips.php for reading and writing.”

Thousands of times an hour – it seems to be lagging the site and even once caused the server to overload and crash.

/wp-content/wflogs/ looks like this:

-rwxr-wr-x 1 ec2-user www attack-data.php
-rwxr-wr-x 1 ec2-user www config.php
-rwxr-xr-x 1 ec2-user www .htaccess
-rwxrwxr-x 1 ec2-user www ips.php
-rwxr-xr-x 1 ec2-user www rules.php
-rwxr-xr-x 1 ec2-user www wafRules.rules

As you can see, ips.php is set to 775 – any less restrictive and it would be freely editable by the public… what more does Wordfence want?

Firewall – Malicious File Upload (PHP) blocking users from uploading images

October 19, 2016, 12:17 pm

≫ Next: slew of worrisome logins as “”

≪ Previous: [Resolved] Unable to open /wp-content/wflogs/ips.php

$

0

0

Replies: 0

Hi,

I’m in the middle of trying to make my WordPress/BuddyPress site more secure. I have run WordFence for a while with no problems but today I notice that non-admin users cannot upload images to the site anymore. An HTTP error occurs when a non-admin uploads a photo.

I narrowed it down to the last entry in the firewall settings – the Malicious File Upload (PHP) entry. When I deselect this setting the problem is fixed, though this is making the site much more vulnerable to malicious files.

Is there a way to fix this issue so that I can keep the last firewall entry selected?

Thanks!

slew of worrisome logins as “”

October 19, 2016, 1:10 pm

≫ Next: Unable to Access Wordfence in Dashboard

≪ Previous: Firewall – Malicious File Upload (PHP) blocking users from uploading images

$

0

0

Replies: 0

I can’t tell if its something wrong with wordfence, wordpress or a hacker. I’ve seen it start to come up on other sites and then vanish but this one it just keeps going. I’ve turned off caching in every plugin and its a monster now, every few seconds.

unknown location at IP arrived from and left and tried to access non-existent page visited was at logged in successfully as “”. logged out successfully. requested a password reset. attempted a failed login as “”. attempted a failed login using an invalid username “”. changed their password.
Invalid Date Invalid Date (NaN seconds ago) IP: [unblock] [unblock this range] [block]
Browser:

How do I make it STOP?

• This topic was modified 5 hours, 56 minutes ago by  Starhorsepax2.

---

Unable to Access Wordfence in Dashboard

October 19, 2016, 2:54 pm

≫ Next: Firewall stopping form submissions with upload

≪ Previous: slew of worrisome logins as “”

$

0

0

Replies: 0

Hello All,

I have been using the free version of Wordfence since January with no issues, however, since yesterday, I have not been able to access it through my admin dashboard. I am using WordPress 4.6.1 and the Wordfence version 6.2.2. I have disabled all my plugins but the issue persists. The Wordfence pages are unresponsive and will not open for me. I had been using the Basic Caching and had not disabled it yet as requested. Not sure if that might be the problem. Has support stopped for the caching?

Other than this, all else is working on my site with no issues with the other plugins. I am still receiving Wordfence alerts about admin logins and WF Blog postings so I hope that my site is still being protected. I do have access to Cpanel through my hosting provider (InMotion Hosting) but don’t have alot of experience! Any advice? Thanks!

Firewall stopping form submissions with upload

October 19, 2016, 10:14 pm

≫ Next: The plugin crashed my site

≪ Previous: Unable to Access Wordfence in Dashboard

$

0

0

Replies: 2

Hi,

Getting several 403 errors triggered by WF Firewall since Oct 19 for a page with an entry form that includes an image upload field, example below

xx.xx.xx.xx - - [19/Oct/2016:00:19:59 +1100] "POST /enter/ HTTP/1.1" 403 226 "http://www.zzz.com/enter/" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A456 Safari/602.1"
yy.yy.yy.yy - - [19/Oct/2016:00:20:13 +1100] "POST /?wordfence_syncAttackData=1476796813.81 HTTP/1.1" 200 - "http://www.yourhealthlinkphotocomp.com.au/?wordfence_syncAttackData=1476796813.81" "WordPress/4.6.1; http://www.zzz.com"

I’m seeing several other posts here over the last few days with similar issues around file upload so suspecting your firewall is being overzealous around anything involving uploads from non-admins? Please can you confirm this is likely cause?

Thanks.

The plugin crashed my site

October 20, 2016, 1:16 am

≫ Next: Scan stops scanning files and keeps checking host keys and comments

≪ Previous: Firewall stopping form submissions with upload

$

0

0

Replies: 5

Hi, I installed this plugin and now any time I try to do anything in the admin side I just get this error message:
Fatal error: Call to a member function get() on null in /home/timberw1/public_html/timberwoodoffroad.com/wp-content/object-cache.php on line 52
I can’t even get in to uninstall the plugin now, any ideas about what I can do about it?
Thanks

Scan stops scanning files and keeps checking host keys and comments

October 20, 2016, 2:40 am

≫ Next: [Resolved] Preview for custom post type no longer working

≪ Previous: The plugin crashed my site

$

0

0

Replies: 0

Hello,

I suspect there is an infection running amok on a website of a customer: the site is sending a crazy amount of e-mails from the wp-admin folder, over 500/h, and was thus shutdown by the hosting company.

On looking at files I was not able to see anything suspicious myself, so I tried to scan.

Since Monday I have been scanning & scanning, but the scanner keeps stopping at a randomly set limit of 6000-7000 files, on the:

[Oct 20 11:29:13]Scanning for known malware files
[Oct 20 11:29:13]Scanning for unknown files in wp-admin and wp-includes

stages.

I have turned off plugin and theme scanning, hoping to scan them separately, but to no avail.

Scans end up just going on and on, kind of like this:

[Oct 20 11:29:07] Contacting Wordfence to initiate scan
[Oct 20 11:29:08] Including files that are outside the WordPress installation in the scan.
[Oct 20 11:29:08] Getting plugin list from WordPress
[Oct 20 11:29:08] Found 20 plugins
[Oct 20 11:29:08] Getting theme list from WordPress
[Oct 20 11:29:08] Found 4 themes
[Oct 20 11:29:13] Scanning comment with Author: dina postolachi Email: dinapostolachi@yahoo.com Source IP: 109.166.133.175
[Oct 20 11:29:13] Checking 1 host keys against Wordfence scanning servers.
[Oct 20 11:29:14] Analyzed 100 files containing 1.67 MB of data so far
[Oct 20 11:29:14] Analyzed 200 files containing 2.93 MB of data so far
[Oct 20 11:29:14] Done host key check.
[Oct 20 11:29:14] Scanned comment with Author: dina postolachi Email: dinapostolachi@yahoo.com Source IP: 109.166.133.175
[Oct 20 11:29:15] Analyzed 300 files containing 3.92 MB of data so far
[Oct 20 11:29:15] Analyzed 400 files containing 5.86 MB of data so far
[Oct 20 11:29:16] Analyzed 500 files containing 6.61 MB of data so far
...
[Oct 20 11:29:23] Analyzed 1900 files containing 40.52 MB of data so far
[Oct 20 11:29:24] Analyzed 2000 files containing 41.95 MB of data so far
...
[Oct 20 11:32:19] Scanning comment with Author Printesa Urbana Email: [edited] Source IP: [edited]
[Oct 20 11:32:19] Checking 1 host keys against Wordfence scanning servers.
[Oct 20 11:32:20] Done host key check.
[Oct 20 11:32:20] Scanning comment with Author Printesa Urbana Email: [edited] Source IP: [edited]
[Oct 20 11:23:24] Scanned comment with Author: iheqibaa Email: [edited] Source IP: [edited]
[Oct 20 12:28:21] Scanning comment with Author: xyz [edited] Source IP: [edited]
[Oct 20 12:28:21] Checking 1 host keys against Wordfence scanning servers.
[Oct 20 12:28:22] Done host key check.
[Oct 20 12:28:22] Scanned comment with Author: xyz [edited] Source IP: [edited]
[Oct 20 12:38:34] Scanning comment with Author: pvhjunqabk [edited] Source IP: [edited]
[Oct 20 12:38:34] Checking 6 host keys against Wordfence scanning servers.
[Oct 20 12:38:35] Done host key check.
[Oct 20 12:38:35] Scanned comment with Author: pvhjunqabk [edited] Source IP: [edited]
[Oct 20 12:42:13] Scanning comment with Author: aseyelela [edited] Source IP: [edited]
[Oct 20 12:42:13] Checking 4 host keys against Wordfence scanning servers.
[Oct 20 12:42:14] Done host key check.
[Oct 20 12:42:14] Scanned comment with Author: aseyelela [edited] Source IP: [edited]
[Oct 20 12:44:04] Scanning comment with Author: boqvasebic [edited] Source IP: [edited]
[Oct 20 12:44:04] Checking 4 host keys against Wordfence scanning servers.
[Oct 20 12:44:05] Done host key check.

And so on.
Since Monday I have not had one completed scan.

What can I do?

Thank you,
Alexandra

[Resolved] Preview for custom post type no longer working

October 20, 2016, 4:16 am

≫ Next: do I need shield as well?

≪ Previous: Scan stops scanning files and keeps checking host keys and comments

$

0

0

Replies: 1

Hi,

I am new to Wordfence and am currently evaluating the plugin with the free version, before I commit to purchasing the premium keys.

I installed Wordfence and enabled the WAF as instructed (I am on NGINX + PHP-FPM) — and haven’t really changed any options beyond that. the WAF says it’s in “learning mode” too. Diagnostics page shows no errors.

Things seem to be working fine, except for one thing: post preview for a custom post type has stopped working and returns a 404 error.

The preview link WordPress puts is http://www.atimes.com/?post_type=brief&p=86021&preview=true — but when clicking on it, it redirects to http://www.atimes.com/?post_type=brief&p=86021 (removing preview=true) — and returns a 404 page. So the only way to see the post is AFTER it’s been published.

Any suggestions?

Many thanks,

Bira