• Resolved ellmann creative

    (@ellmanncreative)


    Hey.

    I’m seeing scan results that I don’t understand.

    WordFence says it scanned 40017 files at 5.06 GB. The site in question has 1.7 GiB of content:

    public$ du -h -d 1
    5,3M  ./wp-admin
    80K   ./favicon
    17K   ./.well-known
    1,6G  ./wp-content
    22M   ./wp-includes
    1,7G  .
    public$ find . -type f | wc -l
    40026
    public$

    Where does it find the additional 3.01 (or 3.36? is it GB or GiB?) GB of data? It can’t be in the database, that’s limited to 2 GiB of space.

    It would make SOME sense if it counted ../.backups/ (which is a subdirectory of the WP installation’s parent directory – hence my question) as well, but then it should come out to about 6.3 GiB.

    I assume I don’t understand something. Can you help me out?

    I should note that the scan takes some 27 minutes, 10 of which it spends on file analysis. It also scans “additional files”, a count of 25497 – that alone takes 15 minutes, and I assume it’s the binary files scan (which the help page says could take overly long…).

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter ellmann creative

    (@ellmanncreative)

    Hmm… I clearly don’t understand how the scanner works.

    When I disabled the binary scan option, it scanned 21448 files (194.1 MB), and an additional 6928 files afterwards. So the “additional” files clearly aren’t the additional scan. It also took significantly less time (2.5 minutes).

    Can you please clarify how this works?

    Bonus question: does it make sense to have it generally enabled on live sites? Or is it too much load vs too little gain, based on your observations of threats?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @ellmanncreative,

    Disabling the scan for image/binary/other is usually fine; it’s off by default when Wordfence is installed.

    Sometimes symlinks can cause files to be read more than once, although not immediately easy to confirm. Often, a caching plugin or database problem could cause files to be scanned more than once, because Wordfence is not getting consistent responses.

    If you have a database caching plugin installed, I’d recommend disabling that first to see if it makes a difference.

    You could also take the following steps for me:

    • Go to the Wordfence > Tools > Diagnostics page
    • In the “Debugging Options” section check the circle “Enable debugging mode”
    • Click to “Save Changes”.
    • CANCEL any current scan and start a NEW scan
    • Copy the log after 5 minutes (click the “Show Log” link), then copy again after a further 5 minutes and paste them in this post.

    Thanks,

    Peter.
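
Added example, not part of the replies in this thread and not Wordfence code: a shell diagnostic for the symlink explanation in the reply above. It compares a webroot's file count and byte total with and without following symlinks, lists links that resolve to directories, and prints totals in both GB and GiB; the function names and the script name are made up for illustration.

```shell
#!/bin/sh
# Added diagnostic (illustrative, not Wordfence code). A walker that follows
# symlinks reads every linked tree again; `du` and plain `find` do not show that.

# file_count ROOT [follow] -> number of regular files reachable from ROOT
file_count() {
  if [ "${2:-}" = follow ]; then
    find -L "$1" -type f 2>/dev/null | wc -l | tr -d ' '
  else
    find "$1" -type f | wc -l | tr -d ' '
  fi
}

# byte_total ROOT [follow] -> sum of apparent file sizes in bytes
byte_total() {
  bt_opt=
  if [ "${2:-}" = follow ]; then bt_opt=-L; fi
  find $bt_opt "$1" -type f \
    -exec sh -c 'for f; do wc -c < "$f"; done' sh {} + 2>/dev/null |
    awk '{ s += $1 } END { print s + 0 }'
}

# dir_symlinks ROOT -> symlinks under ROOT that resolve to a directory
dir_symlinks() {
  find "$1" -type l -exec test -d {} \; -print
}

# units BYTES -> the same total in decimal GB and binary GiB (du -h uses 1024)
units() {
  LC_ALL=C awk -v b="$1" \
    'BEGIN { printf "%.2f GB / %.2f GiB\n", b / 1e9, b / 1073741824 }'
}

report() {
  plain=$(byte_total "$1")
  deref=$(byte_total "$1" follow)
  echo "links not followed: $(file_count "$1") files, $(units "$plain")"
  echo "links followed:     $(file_count "$1" follow) files, $(units "$deref")"
  echo "symlinks that resolve to directories:"
  dir_symlinks "$1"
}

# Usage: sh scan-size.sh /path/to/public
if [ -n "${1:-}" ]; then report "$1"; fi
```

If the two totals differ, the listed symlinks show which trees are reachable by more than one path.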

    Thread Starter ellmann creative

    (@ellmanncreative)

    I would like to provide these as two .txt files (one for a short scan w/ the binary option disabled, one for a longer one with it enabled).

    As I would not like to have this info public, where/how can I pass this info on?

    (also, one of the files will be in my local language, because WordFence at some point decided it’ll partially use the site’s language, not the /wp-admin language).

    Thread Starter ellmann creative

    (@ellmanncreative)

    From what I can see, it is indeed getting bogged down in Hummingbird assets.

    Is there some way I could tell it to skip scanning /wp-content/uploads/hummingbird-assets/*?

    ————–
    I have the log files ready for you. How do I pass them to you securely?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @ellmanncreative,

    Feel free to send the txt files to wftest @ wordfence . com. Please add your forum username to the subject line and respond here after you have sent it.

    You can skip scanning locations by visiting the Wordfence > Scan page. Scroll down to Advanced Scan Options > Exclude files from scan that match these wildcard patterns (one per line). If you enter wp-content/uploads/hummingbird-assets/* all files in the folder will be excluded from a scan.

    Thanks,

    Peter.

    Thread Starter ellmann creative

    (@ellmanncreative)

    Okay.

    The text files are a tad big, so I sent you two links hidden behind HTTP basic auth instead. Hope that isn’t an issue.

    I’ll check out scanning exclusions. I hope it works recursively (you did say “all files”, not “all files and directories”), so that I don’t have to specify subdirectories manually (since they’re auto-generated and all).

    Plugin Support wfpeter

    (@wfpeter)

    Hi @ellmanncreative,

    Thanks for sending those links over. I was able to access them and see that there could potentially be an issue with your execution times causing the scan to slow down or stall due to server timeouts. Go to your Wordfence > Scan > Manage Scan and locate the “Performance Options” section. Set “Maximum execution time for each scan stage” to 20.

    You could also set max_execution_time = 60 in php.ini; Wordfence’s scan only attempts to use half of this value by default.

    Your WP_MEMORY_LIMIT should be set to 128M or 256M in wp-config.php. WooCommerce (as a common example) recommends 64M minimum, so if you have many hits on the site at once, especially during a scan, a lower limit here could be reached fairly easily. Your PHP memory_limit value should also be set to 128M or 256M to accommodate this change, otherwise there won’t be enough room for WordPress to use the higher value it is requesting.

    You were correct with your assumption that the wp-content/uploads/hummingbird-assets/* line will exclude files AND folders in that location; that was an accidental exclusion on my part. This should certainly help things, judging by the number of lines related to this in your logs.

    Thanks again,

    Peter.

The topic ‘Does the ‘files outside WP installation’ option include parent dir?’ is closed to new replies.