Support » Plugin: Wordfence Security - Firewall & Malware Scan » BUG: Scanner deletes repaired child theme files

  • Resolved shrewdies

    (@shrewdies)


    I hope this is the right place to report bugs. As I’ve searched here and via Google. But the bug reporting mechanism that was in place in 2013 is marked as closed (https://www.wordfence.com/blog/2013/08/wordfence-bug-bounty-get-a-146-wordfence-premium-5-year-license-per-bug/). Without mentioning a replacement bug reporting method.

    The error occurs as follows:
    Malware is found in a theme file (functions.php) then repaired using the “REPAIR ALL REPAIRABLE FILES” button. When you click “DELETE ALL DELETABLE FILES” the repaired file is ignored. So that works as expected for a regular WordPress Theme.
    But if the site has a child theme with an infected functions.php it is deleted. Even though it was repaired in the “REPAIR ALL REPAIRABLE FILES” routine.

    This is repeatable.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter shrewdies

    (@shrewdies)

    BTW, if anyone else has this problem, the workaround is:
    1. Click the ‘repair all’ button and wait for repair confirmation message.
    2. Ignore the child theme functions.php.
    3. Click the ‘delete all’ button and wait for the delete confirmation message.
    4. Remove the Ignore.
    5. Run Scan again.

    Plugin Support wfphil

    (@wfphil)

    Hi @shrewdies

    This is expected behaviour and how the scan options should work.

    If you are using a theme that is available at the wordpress.org theme repository and a theme file is modified with malicious code added to it then the scanner will detect that the theme file has been modified and you can use the repair options to replace that modified file with an original uninfected copy of that file.

    Child themes have to be created in a custom directory and we have no way of knowing what you are going to name that directory so the scanner is unable to match that custom directory name with the theme that is installed as the parent theme. Therefore any files in the child theme directory cannot be repaired as they will be treated as unknown files.

    Thread Starter shrewdies

    (@shrewdies)

    Oh dear @wfphil

    Therefore any files in the child theme directory cannot be repaired as they will be treated as unknown files.

    That is not how Wordfence works in the scan. It identifies all occurrences of infected files. Then it offers an individual repair option (which is not what I’m writing about). Or “REPAIR ALL REPAIRABLE FILES” which I have explained works absolutely fine and is truly wonderful.

    Now, without examining the code in detail, I assume Wordfence creates an array of deletable files as it scans. Then when it repairs repository files it removes them from the deletable array. But child theme files stay in the array. So they get deleted (unless you follow my workaround).

    Whoever deemed this “expected behaviour” needs to examine the logic. Or at least offer a realistic explanation. Because I cannot see any value in repairing a file only to subsequently delete it. And please don’t repeat that Wordfence cannot repair those files. Because I’ve examined them (before setting the Ignore flag in my workaround) and they are fully repaired – for which I thank you very much.

    Plugin Support wfphil

    (@wfphil)

    Hi @shrewdies

    You must have misunderstood my reply as the scanner cannot detect that your child theme is a child theme as the child theme directory slug will not match a known theme in the WordPress theme repository.

    Therefore child them files will always be treated as unknown files and cannot be repaired, they can only be deleted.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘BUG: Scanner deletes repaired child theme files’ is closed to new replies.