Plugin Support
WFAdam
(@wfadam)
Hello @titala and thanks for reaching out to us!
It’s sad that when we stop getting attacked, were almost more suspicious than when we do. I get your point! 🙂
The best thing to test here would be to visit your Wordfence > Tools > Live Traffic page and make sure you’re still seeing hits to your site, possibly test via another browser while you watch it. Try to access pages like wp-admin to see the security hits. Its possibly the Live Traffic portion of the database has crashed.
Let me know what you find!
Thanks again!
Thread Starter
Attila
(@titala)
Hi @wfadam
Some background information: I only use Brute force protection (and login security). WAF and SCAN is switched off because of the incompatibility with the Hosting system (The Hosting partner is providing these services)
I switched Traffic logging to All traffic and quite some suspicious entries have been reported but not blocked while accessing the /wp-login page.
Some examples:
https://www.abuseipdb.com/check/66.55.76.17
https://www.abuseipdb.com/check/118.67.248.50
https://www.abuseipdb.com/check/217.160.130.107
….
So I have the strong feeling something is not OK. How could we further investigate this?
Plugin Support
WFAdam
(@wfadam)
Thanks for providing that information!
These would be blocked by premium protection due to the Real-Time IP Blocklist but might not be blocked in the free version unless they are doing something malicious. For those hits on the wp-login by those IPs, are they attempting any logins of any sort of just probing for the login page?
Just to double-check everything seems to be in order, could you also send in a diagnostic?
Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.
Thanks again!
Thread Starter
Attila
(@titala)
Diagnostics has been sent.
These IPs do not attempt to login.
Thanks for your help!
Plugin Support
WFAdam
(@wfadam)
It looks like you might have some overdue cron jobs that aren’t working. I recommend downloading and installing WP Crontrol(https://wordpress.org/plugins/wp-crontrol/).
You can delete any wordfence related cron jobs that currently aren’t working, then deactivate Wordfence and enable it again to repopulate the cron jobs.
Here is a list of the Wordfence cron jobs you will want to observe:
- wordfence_ls_ntp_cron
- wordfence_hourly_cron
- wordfence_daily_cron
- wordfence_start_scheduled_scan
- wordfence_email_activity_report
Let me know if you have any questions! Resend the diagnostic once you have corrected these!
Thanks again!
Thread Starter
Attila
(@titala)
Actually the only thing I see that wordfence_start_scheduled_scan does not exists
Thread Starter
Attila
(@titala)
Unfortunately the situation is not so nice. After deleting the jobs and restart there are quite some issues.
Diagnostic has been sent.
Plugin Support
WFAdam
(@wfadam)
The crons looks to be resolved, though enough time hasn’t gone by to know that for sure.
It might be best to reinstall Wordfence, just to make sure the database is working properly as well.
You can backup your Wordfence settings via the Export option. Navigate to Wordfence > Tools > Import/Export Options and click Export. You can also take note of the current Whitelisted URLs you have in Wordfence > Firewall > All Firewall Options > Whitelisted URLs as these are NOT included in the Import/Export, and will be lost during the re-install.
Here is what is exported: https://www.wordfence.com/help/tools/import-export/
During the export, you will be given a long string of text. Keep this safe, you’ll need it in a few minutes.
After that, enable the option to Delete Wordfence tables and data on deactivation in All Options > General Wordfence Options. You will want to remember to disable this after you reinstall Wordfence again.
After you enable that option, you can deactivate Wordfence from the Plugins area of your site, then delete it. Next, from the plugins area, search for and re-install Wordfence like normal.
It will be like setting Wordfence up for the first time. You will need to enter an email address, and then go into Tools > Import/Export Options and paste that string of text into the Import Wordfence Options field and click the button there.
The firewall will be in Learning Mode by default for 7 days. I would recommend switching this to Enabled and Protected as soon as possible.
Let’s see what this does!
Thanks again!
Thread Starter
Attila
(@titala)
How about Login Security and the 2FA other users? Will it be also exported and imported back incl. the existing codes?
Plugin Support
WFAdam
(@wfadam)
This will knock out all of the current 2FA codes in the database and they will need to be set back up again.
Do you have a large userbase on your site in which this would affect a lot of people?
Thanks again!
Thread Starter
Attila
(@titala)
Only one, but she is a sensitive one (my daughter :))
Plugin Support
WFAdam
(@wfadam)
Oh! haha! I was worried you had 30+ users with 2FA enabled.
Your issue actually sparked an idea for me to add as a feature request in with our Dev Team. A way to delete the tables but back up all 2FA codes and add them back once the reinstall is over. So I thank you for sparking that idea!
How did the process go? Thanks again!
Thread Starter
Attila
(@titala)
I did not reinstall the plugin yet but normal “attack activity” returned. I’m happy to support you with good ideas 🙂
