iThemes Security (formerly Better WP Security)
File change emails won't stop (17 posts)

  1. svetoslavd79
    Member
    Posted 1 year ago #

    This has now happened twice today from 2 different websites. Suddenly the File change notification emails are constantly coming and won't stop.

    What's happening?

    http://wordpress.org/extend/plugins/better-wp-security/

  2. Handoko
    Member
    Posted 1 year ago #

    To use this File Change Notification feature, in many cases we may need to whitelist some files or folders which are supposed to change.

    What's happening?
    No one can tell you, because you don't provide enough information. It might be hackers' activities or no problem at all, but you just need to whitelist some items.

  3. hehafner
    Member
    Posted 1 year ago #

    I've had a similar problem. I get multiple emails telling me that files have changed on my server. These emails are duplicates telling me of the same event. And with those emails, I get general emails (in duplicate) stating that files have been changed, but without a list of which files changed.

    I've whitelisted some of the file names that I know change regularly and cannot be exploited (i.e. error_log files), so that helps, but there are still a lot of emails pouring through.

    I was getting emails for all the 404 lockouts too and finally shut that off because it was overwhelming. I would prefer not to shut off the file change log if at all possible.

    Thanks

  4. Handoko
    Member
    Posted 1 year ago #

    Hello hehafner.

    We would like to help, but actually there is not much we can help with. This plugin is working correctly, telling you there is something wrong in your website. You should find out what really has happened in your website.

    Also you both didn't provide enough information, like:
    - what files were changed
    - do you use any caching plugin
    - what are the IPs in the lockout
    - what URLs in the 404 messages
    - etc

    Whitelisting may seem like a quick fix, but it's not the best thing to do. You should understand why the notifications come out and where the problems that cause them are, and fix them based on the problem.

    404 errors are very common if your website is targeted by hackers. I have managed to make my websites (almost) free from errors, but I still get a few 404 warnings every several days. Reason? Hackers' bots that try to find security weaknesses in my websites. Well, I'm playing cop and bad guys; I analyze all the IPs, banning and releasing some.

    Without having enough info, I can just give you some suggestions:

    - Some caching or image captcha plugins need to frequently change some files; this may trigger File Change Notification. You may need to whitelist the files or directories.

    - File changing might be an indication of infection by malicious code. To know about it, you need to examine the pattern of the notifications. Perhaps you can consider using another plugin to scan your website for malicious code.

    - Many things can cause 404 errors. If you changed a permalink or deleted a page or image, it may cause 404 errors if Google or others come back to get the resource. They will come back for the old link even after some months; you can let them know the 'thing' has moved by using Redirection.

    - Apple device users may cause 404 errors too. To fix it, you need to understand how apple-touch-icon works.

    - Hackers' intrusions may generate 404 errors. You should check the IPs and ban them if they're bad bots. To learn about the IPs you can use:
    http://www.projecthoneypot.org/search_ip.php

    - More info:
    http://wordpress.org/support/topic/files-modified-daily-report
    http://wordpress.org/support/topic/receiving-so-many-site-lockout-notifications
    http://wordpress.org/support/topic/plugin-better-wp-security-better-wp-blocking-googlebot

  5. hehafner
    Member
    Posted 1 year ago #

    Handoko, Thank you for your in depth response.

    My process is to first search through all the IPs that tried to log in as 'admin' or some other derivative of that. I check WHOIS, Spam Blacklist Lookup, ProjectHoneypot, etc. My policy is that if someone tries to log in as admin, they are auto-blocked. However, I do look them up to see whether I should ban more than just the IP... I've had problems with banning IP ranges and UAs... So banning individually is very time consuming.

    I then look over all the 404 errors. If it's a legitimate 404 error I take care of it by redirecting. That has helped a little. Any 404s I get from attempts to reach wp-login.php or long URIs that have a lot of characters in them, or pornstar names, I block the IPs.

    Most of the file changes that I see have to do with plugin or theme updates (i.e. Jetpack updates). I don't mind seeing that they updated, I just don't need duplicates and triplicates of the same emails.

    This morning my log files were so full that my servers went down. I had to go in through phpMyAdmin to empty out some of the tables in order to get back to doing my work. That worked up until all MySQL DBs stopped running completely.

    I do run BWPS with Wordfence. Both plugins send a lot of email. I was about to go shut off one plugin when I lost database contact.

    It was right after trying to block the UA for ezooms on BWPS that everything stopped. I've not heard whether that was the issue for the jam up yet. Still trying to get back online.

    Thanks again.

  6. Handoko
    Member
    Posted 1 year ago #

    I think attempts to login as "admin" are 99% hackers' bots. But we still need to check to make sure before banning them. I have about 20 IPs being banned, some are IP ranges, but I will release the IPs after 3 months. Too many banned IPs in .htaccess might slow down website loading a bit, I thought.

    If you moved a page you should do redirecting. But the best practice is to avoid any moving/renaming/deleting of any resource. Some plugins/themes might generate 404 errors if you enable the change "wp-content" feature in this plugin. You need to check if this is the cause.

    I suggest you use the Adminer plugin. It's a good tool to access/edit the database without having to go through cPanel.

    I once had ezooms in my log. Now they're gone, perhaps I have blocked it too.

    You might consider tightening your rules. My settings:
    - 404 Detection > Check Period: 2 minutes
    - 404 Detection > Error Threshold: 3 times

    Normally, a human won't repeat 3x trying to access a non-existent page. That's why I put 3. Some bad crawlers do such stupid things; I don't mind blocking them because they're bad crawlers.

  7. hehafner
    Member
    Posted 1 year ago #

    I've finally got my website up... Although it is very slow and still times out. Tech support is still working on it. But BWPS says:

    Your database contains 21505 bad login entries.
    Your database contains 18 404 errors.
    This will clear the 404 log below.
    Your database contains 0 old lockouts.
    Your database contains 42 changed file records.

    Though it says there are 21,505 bad login entries, there is only 1 IP address listed twice in the All Lockouts. It's odd to me that there is only one IP. I have it set that you're allowed to try 5x, then you are locked out. So, this surprises me.

  8. hehafner
    Member
    Posted 1 year ago #

    FYI -- This is not my host, but my hosts confirmed... I thought it might help to understand what's going on with all the traffic too.

    http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/

  9. hehafner
    Member
    Posted 1 year ago #

    BTW: How can I tell what UA is on these bad logins? I would like to block it.

  10. Handoko
    Member
    Posted 1 year ago #

    So, you mean you're under attack. The strange thing is why this plugin fails to block them.

    I suggest you tighten your rules further. I did experience login attempts that come from a wide range of IPs. So I changed my settings to:
    - Max Login Attempts Per Host: 3 times
    - Max Login Attempts Per User: 10 times
    - Login Time Period: 10 minutes
    - Lockout Time Period: 30 minutes
    - Blacklist Repeat Offender: No

    You can see, I set the max login attempts to 3x. I do it because some loginbots are smart, they try only 2 or 3 times, and then will come back some days later. But because it's too tight it could block myself if I mistype my login; that's why I disable Blacklist Repeat Offender and prefer to perform the banning manually.

    My settings are not proven to be the best, but they do greatly reduce their attempts. I get only a few every several days.

    And sometimes, I analyze the login IPs further by logging in to cPanel > Latest Visitors and then putting "wp-login" in the search query. This is a good way to learn their IPs.

  11. hehafner
    Member
    Posted 1 year ago #

    Handoko -- Yes, I have been under attack. Friday my databases all went offline from the log file notifications. I finally have them back up and running.

    My settings are tighter than yours :)
    - Max Login Attempts Per Host: 5 times
    - Max Login Attempts Per User: 5 times
    - Login Time Period: 5 minutes
    - Lockout Time Period: 720 minutes
    - Blacklist Repeat Offender: yes
    - Blacklist Threshold: 3

    I think my 404 errors settings need a new look though.

    - Check Period: 5
    - Error Threshold: 20
    - Lockout Period: 15 minutes
    - Blacklist Repeat Offender: No

    Now, as for 404 Errors, the URIs being hit on my specific site, http://hafnerdesigns.com, are
    - /2013/register.php
    - /2013/signup.php
    - /2013/reg.asp
    - /2013/login.php
    - /2013/01/hide-your-facebook-friend-list/fb-security-tips/function.preg-match
    - /2009/07/to-write-or-not-to-write/feed/function.preg-match
    - /logout/function.preg-match

    I'm getting a lot of requests for some posts I have with /function.preg-match appended... Not sure why... I did do a reinstall of WP today, so I hope that clears up.

    On another website, http://kidchefeliana.com, I currently have 17469 hits for

    - /wp-content/uploads/2009/08/8-1-09-Sucres-marvelous-macaroon-cake.jpg

    I've redirected this original post, I've checked and confirmed that the image is there. I can't tell why this gets such a high volume of 404 error hits.

    The files that I find changing are error_log files, sitemap.xml, and any updated plugins. I now whitelist the error_log files and the sitemap.

    My .htaccess files are making things run really slow because there are so many IP blocks. I wonder if blocking user-agent would be better?

    These are some of the IPs I've blocked:


    Thank you for your help!
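The lockout rules discussed in this thread (posts 6, 10 and 11) all work the same way: N failed logins or 404 hits from one host inside a check period trigger a lockout, and with Blacklist Repeat Offender on, repeated lockouts ban the host for good. The model below is an added example written for this thread, not iThemes Security's own code; the sample events and the IPs in them are constructed (RFC 5737 documentation space), and it shows why a bot that tries only twice per visit slips under a 3-attempt threshold while a burst does not.

```python
# Sliding-window lockout logic as the thread describes it: N failed attempts (or 404s)
# from one host inside a check period trigger a lockout, and repeated lockouts can put
# the host on the blacklist. Constructed model, not iThemes Security's own code.
from collections import defaultdict, deque

# Settings quoted in the thread (posts 6, 10 and 11); times are in minutes.
HANDOKO_LOGIN = dict(max_attempts=3, period_min=10, lockout_min=30, blacklist_threshold=None)
HEHAFNER_LOGIN = dict(max_attempts=5, period_min=5, lockout_min=720, blacklist_threshold=3)
HANDOKO_404 = dict(max_attempts=3, period_min=2, lockout_min=30, blacklist_threshold=None)


def simulate(events, max_attempts, period_min, lockout_min, blacklist_threshold=None):
    """events: iterable of (unix_seconds, host) for failed logins or 404 hits.

    Returns (lockouts, blacklisted): lockouts lists (time, host) for each lockout
    that fired; blacklisted is the sorted list of hosts that hit the repeat-offender
    threshold (Blacklist Repeat Offender: yes)."""
    recent = defaultdict(deque)      # host -> attempt times inside the check period
    locked_until = {}                # host -> time the current lockout expires
    lockout_count = defaultdict(int)
    lockouts, blacklisted = [], set()
    for t, host in sorted(events):
        if host in blacklisted or locked_until.get(host, -1) > t:
            continue                 # refused outright; never reaches the counter
        q = recent[host]
        q.append(t)
        while q[0] <= t - period_min * 60:   # forget attempts older than the period
            q.popleft()
        if len(q) >= max_attempts:
            lockouts.append((t, host))
            locked_until[host] = t + lockout_min * 60
            lockout_count[host] += 1
            q.clear()
            if blacklist_threshold and lockout_count[host] >= blacklist_threshold:
                blacklisted.add(host)
    return lockouts, sorted(blacklisted)


# Constructed samples in documentation IP space (RFC 5737), not IPs from the thread.
BOT, CRAWLER, HUMAN = "198.51.100.7", "198.51.100.8", "203.0.113.5"
# The "smart" loginbot Handoko describes: 2 tries per visit, back three days later.
SMART_BOT = [(0, BOT), (30, BOT), (3 * 86400, BOT), (3 * 86400 + 40, BOT)]
# A flood: 5 tries ten seconds apart, repeated 13 hours later, after the 720-minute lockout expires.
FLOOD = [(base + 10 * i, BOT) for base in (0, 13 * 3600, 26 * 3600) for i in range(5)]
# 404s: a crawler probing three missing paths within a minute vs a human retrying once.
NOT_FOUND = [(0, CRAWLER), (20, CRAWLER), (50, CRAWLER), (0, HUMAN), (15, HUMAN)]


def compare():
    """Run the thread's settings against the samples; keys name sample/settings."""
    return {
        "smart_bot/handoko": simulate(SMART_BOT, **HANDOKO_LOGIN),
        "flood/handoko": simulate(FLOOD, **HANDOKO_LOGIN),
        "flood/hehafner": simulate(FLOOD, **HEHAFNER_LOGIN),
        "404/handoko": simulate(NOT_FOUND, **HANDOKO_404),
    }


if __name__ == "__main__":
    for name, (locks, banned) in compare().items():
        print(f"{name:18s} lockouts={len(locks):d} blacklisted={banned}")
```

With the 3-attempt setting the flood is cut off at its third try each visit, while the two-tries-and-leave bot is never locked out under either poster's settings; only hehafner's repeat-offender threshold of 3 ends up blacklisting the flooding host.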

  12. another-webmaster
    Member
    Posted 1 year ago #

    @hehafner

    My .htaccess files are making things run really slow because there are so many IP

    Just some hints (don't take it personally, I just hope this helps you some more and gives you info you maybe were not aware of?!) to "speed up" some browsing for your sites.

    I took both links you mentioned and did a fast check. It is not (only) the .htaccess which (could be) slowing down your sites; it is the combination with some important code that is missing (a lot of easy code) which could help.

    Your site(s) are not using gzip for example; checking with this link shows it within 5 seconds: Gzip test

    Make sure you have made backups before adding your files.

    You could try to compress by adding the following code at the top (must be the first line!!) of your header.php:

    <?php if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) && substr_count($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip')) ob_start("ob_gzhandler"); else ob_start(); ?>

    Note: If it causes problems on your server you should remove it (it is just a quick "dirty" help which already could solve some)
    Or drop the following in your .htaccess (don't add it in header.php and .htaccess at the same moment; try one at a time!!!):

    ########## Begin - Automatic compression of resources
    # Compress text, html, javascript, css, xml, kudos to Komra.de
    # May kill access to your site for old versions of Internet Explorer
    # The server needs to be compiled with mod_deflate otherwise it will send HTTP 500 Error.
    # mod_deflate is not available on Apache 1.x series. Can only be used with Apache 2.x server.
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
    ########## End - Automatic compression of resources

    Note: If it causes problems on your server you should remove it

    Using ETags is also a little help; sample code you could use/add into your main .htaccess:

    FileETag MTime Size

    Note: If it causes problems on your server you should remove it

    There are many ways to speed up sites (even without using plugins); slow loading sites could also have other reasons (think about your web hoster). A few blocked IPs aren't slowing things down that much.

    Another help could be GTmetrix to analyze performance! (Used this one to check your links and it explained already some, as mentioned above)

    You showed some blocked IPs; to prevent massive block IP lists inside your .htaccess, there is no need to enter IPs more than once!
    The list shows for example:

    204.93.60.*
    204.93.60.128
    204.93.60.182
    204.93.60.185
    204.93.60.207
    204.93.60.57

    Using 204.93.60.* is already enough to block those other 5, so there is no need to have them over there. (The asterisk is already telling the server that every number at the place of your asterisk should be blocked)

    To block some hacking tools they use, the following in your .htaccess could not harm:

    # Block most common hacking tools
    SetEnvIf user-agent "Indy Library" stayout=1
    SetEnvIf user-agent "libwww-perl" stayout=1
    deny from env=stayout
    ##########

    Another cause of slowing down a site is "misusing" social share buttons. (I don't want to be nasty, but on http://kidchefeliana.com there is a reason to look it over again imho)

    There is nothing worse than being under attack, but some code could indeed help to prevent them from keeping going on.
    The above mentioned code is just an example to do some quick tricks and may or may not help you solve some issues.

    Cheers.
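The point above about 204.93.60.* already covering the five single addresses can be checked mechanically. This is an added helper written for this thread, not code from the post or the plugin: it reads Apache-style deny entries (dotted quads, trailing-asterisk wildcards, CIDR), drops duplicates and anything already inside a wider entry, and emits one "Deny from" line per surviving network. The sample list mixes the 204.93.60 entries quoted above with constructed RFC 5737 ranges; it assumes your Apache accepts CIDR in "Deny from", which 2.x does.

```python
# Collapsing an .htaccess deny list so entries already covered by a wildcard (or CIDR)
# are dropped, as the post explains for 204.93.60.*. Constructed helper, not from the
# thread or the plugin; it assumes Apache's "Deny from" accepts dotted-quad and CIDR.
import ipaddress


def parse_entry(entry):
    """Map one Apache-style host entry to an IPv4 network.

    '204.93.60.*' and the partial form '204.93.60' become 204.93.60.0/24,
    a plain address becomes a /32 and 'a.b.c.d/n' is taken as CIDR."""
    entry = entry.strip()
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    octets = entry.split(".")
    fixed = []
    for octet in octets:
        if octet == "*":
            break                       # wildcard: everything after it must be '*' too
        fixed.append(octet)
    n = len(fixed)
    if n == 0 or n > 4 or any(o != "*" for o in octets[n:]):
        raise ValueError(f"unsupported deny entry: {entry!r}")
    address = ".".join(fixed + ["0"] * (4 - n))
    return ipaddress.ip_network(f"{address}/{8 * n}", strict=False)


def consolidate(entries):
    """Return the minimal list of networks: duplicates removed and any network that
    lies inside a wider one in the list dropped. Wider prefixes are considered first."""
    nets = sorted({parse_entry(e) for e in entries},
                  key=lambda n: (n.prefixlen, int(n.network_address)))
    kept = []
    for net in nets:
        if not any(net.subnet_of(k) for k in kept):
            kept.append(net)
    return sorted(kept, key=lambda n: (int(n.network_address), n.prefixlen))


def render(entries):
    """Emit one 'Deny from' line per surviving network, a /32 written as a bare address.
    These lines belong inside the existing Order/Allow block of the .htaccess."""
    lines = []
    for net in consolidate(entries):
        target = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append(f"Deny from {target}")
    return lines


# Constructed sample: the 204.93.60.* block quoted in the post plus two documentation
# ranges (RFC 5737) with a duplicate and a host already inside its /24.
SAMPLE = ["204.93.60.*", "204.93.60.128", "204.93.60.182", "204.93.60.185",
          "204.93.60.207", "204.93.60.57", "198.51.100.44", "198.51.100.0/24",
          "198.51.100.44", "203.0.113.9"]

if __name__ == "__main__":
    print("\n".join(render(SAMPLE)))   # 10 entries collapse to 3 Deny lines
```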

  13. Handoko
    Member
    Posted 1 year ago #

    @hehafner

    My internet connection is not slow, but it did take me minutes to completely load your website. Sorry to say, but it's true: your website is slow. Ghostwriter already shared many useful tips that you should consider.

    @Ghostwriter

    Thanks for sharing the Gzip test tool and GTmetrix. I use GTmetrix, but I would recommend WebPageTest, which requires no registration and will give you very detailed information: http://www.webpagetest.org.

  14. hehafner
    Member
    Posted 1 year ago #

    I will be completely honest. Some of what is suggested here is foreign to me. I have asked my host about the gzip suggestion. However, I am at a loss on what you mean about "misusing" social share buttons. Could you clarify? All my client is using is a plugin for the social share buttons. There was one point where there were multiple social share plugins. Until we decided which social plugin to use, it was a mess. However, now there is only one plugin for that--- actually 2, but we do not use the social plugin from Jetpack.

    I appreciate your insight. I don't claim to have all the answers & try to accept advice humbly. I must also take into account that although this is my client's website, my client has put in a lot of plugins herself. I've gone through and deactivated plugins periodically that I feel are either not useful to her site or duplicating something else in place.

    When I ran both tests, GTmetrix and WebPageTest, I do see a lot of failed tests. However, I'm not understanding what I'm looking at. How would I begin tackling these problems?

    I appreciate your feedback and your patience as I try to wrap my head around what this all means.

    Thank you both @Ghostwriter & @Handoko

  15. another-webmaster
    Member
    Posted 1 year ago #

    @hehafner

    Assuming http://hafnerdesigns.com/ is your website?! If so, only reply with "yes it is", or another link where I can contact you (of course only if you want!).
    Clarifying why: I will respond there by e-mail so it is not off-topic here. (Mods don't like that, and it does not confuse others).

  16. Handoko
    Member
    Posted 1 year ago #

    @hehafner

    I tried many webhost companies. Previously, my websites weren't compressed. But now, they are automatically gzip enabled by default. You should ask if they have a gzip enabled feature when looking for a good webhost. Manually enabling it is not easy; don't do it yourself if you don't understand the technical things.

    Using 2 social share plugins isn't a good thing. Visitors rarely click/share a page unless the page has really informative info, surprising facts or very funny jokes.

    Social share buttons may increase loading time, especially if they include counters. I'm using a theme that has a simple sharing button feature. It is good to avoid using too many plugins because it can decrease memory usage, increase loading speed, and is good for SEO. You should tell your clients about it.

    I see one of the videos (kidchefeliana) is autoplaying; you may consider disabling it. Autoplaying a video for users on slow internet connections is a pain.

    Full loading time (tested using WebPageTest) of your website kidchefeliana is 21.008s/11.943s, while my website is only 2.963s/1.046s. What a big difference.

    Another test:
    Your hafnerdesigns.com - full load 5.756s, size 1,269 KB
    My GraphicsLearning.com - full load 2.890s, size 292 KB

    On the home page, your website loads in twice the time of mine and it seems it's loading many things (1,269 KB). But if you visit and compare both sites, my site has a bit more content (text and images). You should check where the extra (1,269-292 = 977 KB) data goes.

  17. hehafner
    Member
    Posted 1 year ago #

    @Ghostwriter: Yes, that is my website.

    @Handoko: My web host company is very flexible with me and works with me through just about everything. I've been told that they do not have anything automatic set up on the servers, but the servers do understand gzip. So, they will work with me on it too.

    Here is what my host's tech support had me try first:

    I created two files, gzip_start.php & gzip_stop.php.

    gzip_start.php:

    <?php
    ob_start("ob_gzhandler");
    ?>

    gzip_stop.php:

    <?php
    ob_flush();
    ?>

    Then I added two lines to my .htaccess

    # dual file includes for PHP compression
    php_value auto_prepend_file /home/user/public_html/gzip_start.php
    php_value auto_append_file /home/user/public_html/gzip_stop.php

    He said, "These two lines ensure proper inclusion of both files to every PHP document subject to their influence (i.e., the containing directory and all subdirectories). The auto_prepend_file function literally prepends data, while the auto_append_file function appends."

    So, I put it all over to my server and then reloaded my site. The site crashed with a 500 Internal error. I had to remove the lines from .htaccess for now.

    The next step suggested by my tech guys and @Ghostwriter is adding this code before the (X)HTML content in any PHP script (@Ghostwriter suggested the header.php):

    <?php if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) && substr_count($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip')) ob_start("ob_gzhandler"); else ob_start(); ?>

    However, I cannot find a "header.php" in any of my folders. I am familiar with it... I've used it before... Is it possible that it is renamed now to "wp-blog-header.php"?

    The theme I am using has a custom_function.php file for all custom php code. However, when I tried this, the gzip did not work. This php file is more like the functions.php file for wp.

    Thanks for working with me on this. If you want to take this convo off the thread, you can email me at hehafner at hafnerdesigns dot com.

    Thank you!

Topic Closed

This topic has been closed to new replies.
