• Resolved notawizard

    (@notawizard)


    Hi there – first I must congratulate you on an amazing plugin which really does much more than it says on the tin. The scans found most of the issues which needed to be fixed.

    Like one or two others I am getting a “504 Gateway Time-out The server didn’t respond in time.” This is followed on refreshing by “502 Bad Gateway nginx/1.9.12”.

    I renamed the wordfence folder to “xwordfence” and could regain access to WordPress and had to rename the wflogs folder in FTP as I could not delete it.

    I could then rename the wordfence folder to its correct name and activate it. The program replaced the wflogs folder, as it should, but I now have many renamed wflogs folders which I cannot delete. They have CHMOD 700 and I cannot modify them in FTP.

    After a couple of hours I got the 504 errors again both on the site and in WordPress and the same process restored it repeatably.

    It is in a Linux server with Cloud NX and Intelligent Load Balancing by Fasthosts. PHP 5.6 WP 4.8 WF 6.3.12. Happens in all browsers on Windows 10 (IE11, Edge, Chrome)

    This time I will try without activating the firewall. No wflogs folder has been produced, which I assume is also correct. I have set the refresh rate to 1 in 60 seconds in case that helps. I look forward to any thoughts anyone may have on this one.

    Many thanks

Viewing 10 replies - 1 through 10 (of 10 total)
  • Thread Starter notawizard

    (@notawizard)

    Correction wflogs has now been created though I have not actually activated the firewall – it may have kept the earlier settings though. So far it is still running.

    Thread Starter notawizard

    (@notawizard)

    Oops – I spoke too soon – stopped again and same process got it back.

    Thread Starter notawizard

    (@notawizard)

    Further update

    Increasing the number of hits allowed by any user to 480 (worked upwards in stages) and human hits to 60 per minute, and reducing the display rate to once every 180 seconds, seems so far to have stopped the 504 errors. Site activity in real-time is currently “on” and it seems OK. Each of the little flags seems to make a hit of its own so perhaps that put up the overall “hit” rate when scrolling through the logs.

    Thread Starter notawizard

    (@notawizard)

    Update from Service Provider from their error logs if that helps

    [Mon Jul 17 00:04:17.309838 2017] [fcgid:warn] [pid 56008] [client xxx.8.132.41:52932] mod_fcgid: stderr: Unable to open /home/xxxxx/xxx/xxxxx/user/htdocs/wp-content/wflogs/ips.php for reading and writing.

    Hi notawizard,
    With load balancing, the wflogs folder would best be placed in shared storage that the load balancers all have access to. It sounds like the process owner that creates the wflogs folder has different permissions than other processes on the server, including your own via FTP. If you make sure all the web server users involved are in the same group and set group read and write to be allowed on wflogs, you might get it to work.

    If you bounce that back to your host, they may be able to help you sort it.
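An added example, not part of the thread and not Wordfence's own code: a shell audit of the group read/write access suggested in the reply above, plus the matching fix. The wflogs path and the group you pass in are assumptions about your own hosting setup.

```shell
#!/bin/sh
# Added example (not Wordfence code). DIR and GROUP are whatever your host uses.

# audit_wflogs DIR [GROUP]
#   Lists entries that lack group read+write (directories also need the
#   execute bit to be traversed) and, when GROUP is given, entries owned by
#   a different group. Returns 0 if clean, 1 if anything is wrong,
#   2 if DIR does not exist.
audit_wflogs() {
    dir=$1; grp=${2:-}; partial=0
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    # Directories need rwx for the group, regular files need rw.
    bad=$(find "$dir" \( -type d ! -perm -070 -o -type f ! -perm -060 \) \
        -print 2>/dev/null) || partial=1
    wrong=
    if [ -n "$grp" ]; then
        wrong=$(find "$dir" ! -group "$grp" -print 2>/dev/null) || partial=1
    fi
    # A find error usually means this user cannot descend into the tree.
    [ "$partial" -eq 0 ] || echo "could not read all of $dir as uid $(id -u)" >&2
    [ -z "$bad$wrong" ] && [ "$partial" -eq 0 ] && return 0
    printf '%s\n' "$bad" "$wrong" | sed '/^$/d' | sort -u |
        while IFS= read -r p; do ls -ld "$p"; done
    return 1
}

# share_wflogs DIR GROUP
#   Hands the tree to GROUP and grants group read/write; the capital X adds
#   the execute bit to directories only.
share_wflogs() {
    chgrp -R "$2" "$1" && chmod -R g+rwX "$1"
}

# Usage: sh audit_wflogs.sh /path/to/wp-content/wflogs [group]
if [ $# -gt 0 ]; then
    audit_wflogs "$@"
fi
```

Run the audit as each account that serves PHP behind the load balancer; a node that reports unreadable entries is one that would log the "Unable to open ... ips.php" error.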

    Thread Starter notawizard

    (@notawizard)

    Hi @wfasa

    Many thanks for your kind help. I have passed it to Fasthosts – hopefully it may go some way to providing a common solution to the problem.

    It really is a remarkable tool and I am very keen to keep it working (sadly the site got stuck again this evening).

    Its scan appeared to have missed an inserted file on the root called wp-images.php which had a nasty script inside, as well as many nasty script jpegs in the uploads folder which it controlled. It has, however, now caught two users trying to access it and will, I hope be blocking them. I only wish there were a way to track them down!

    Thread Starter notawizard

    (@notawizard)

    I realise I might have been able to block the scripts in the upload folder using “Disable Code Execution for Uploads directory” but unfortunately that also blocks the images from appearing in my page head “Featured content slider”.

    I had also blocked a persistent visitor by url before realising it was a valid bot. I could only remove the block by editing the database – removing it from the list did not remove it from operation.

    I have asked the Service provider to make the changes you recommend and hope to see it carry on without problems.

    Many thanks once again for your help

    Thread Starter notawizard

    (@notawizard)

    In case this might be of value in explaining for others what is happening, this is from my host. I had seen another similar post about permissions changing, which was attributed to a possible cron job but it may be due to this:

    All our cluster hosting packages, i.e. Momentum, have default 700 chmod permissions.

    You can change the settings via SSH as long as you have an “x” – execute portion on your chmod command. If you do not have an x execute bit, then permissions will revert to default in around a few seconds. The way the system works is that it will not allow you to change the mode on the files via FTP. It will revert your change to 700 (Linux wise) anyway as the permissions are secured on the backend storage. It’s quite a complex storage model and the permissions you see in FTP or under Linux may not be relevant. It would be best if you could try to change and check the permission via SSH also.

    Hi notawizard!
    Thanks for getting back to us and explaining your problem and possible solution. That’s very helpful to others who might stumble on this thread in the future.

    For the wp-images.php we definitely should have caught that. If you still have the file, you can send it to samples@wordfence.com. Our analysts go through all samples that are sent there and check if we are detecting the particular malware. If we don’t detect it, they create a new rule for it which is then sent out to our customers in real time (free users get the new rules after 30 days).

    If you haven’t already, try scanning with the option “Scan images, binary, and other files as if they were executable” enabled. It’s quite a resource hungry scan option but it will help you detect malware that is hiding in images and other non-php files.

    Best of luck with your sites for now and thanks again for reporting back!

    Thread Starter notawizard

    (@notawizard)

    Thanks wfasa – I had that enabled and have now enabled the “Enable HIGH SENSITIVITY scanning” option. The only “Fail” now is that it cannot enumerate the drive and return disk size – possibly due to the load balancing: [Jul 20 11:20:20] Scanning to check available disk space – Failed.

    I have sent your sample folk an email with access to a lot of nasties they can play with.

    Still running today so perhaps I was looking at the logs a bit too often!
