NinjaFirewall (WP Edition) - Advanced Security: False positive admin account change

  • Resolved crunchybar

    (@crunchybar)


    We get an email about all admin accounts having been changed, when in fact only one admin account was updated. The same thing happens on two different WordPress installations. We are using the latest version and everything else is fully updated too.

    This is quite disturbing, since we don’t always know when someone updates their account. And if we were hacked and all accounts were changed, we would ignore it, thinking it was just one of the admins who changed a small detail on their own account.

  • Plugin Author nintechnet

    (@nintechnet)

    This is not a bug, but the way the detection works: it detects any change to admin accounts and will inform you about that. Because it does not know what was changed, it shows you the list of admin users + their account info so that you can double-check it.
    The protection is permanently working in the background; it has to be fast and thus relies on hashes. That way, it can detect any type of hack: for instance, if someone connected directly to your DB and replaced the admin password with theirs, it would be detected.

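An added illustration (not NinjaFirewall's code, and not from this thread) of the hash-based approach described in the reply above, extended to keep one hash per account so that a report can name the account that changed. The `wp_users` column names are WordPress's; the function names and sample rows are constructed, and the rows are assumed to be already filtered to administrators.

```python
import hashlib

# wp_users columns whose change matters for account takeover.
FIELDS = ("user_login", "user_pass", "user_email")

def fingerprint(row):
    """SHA-256 over the security-relevant columns of one admin row."""
    h = hashlib.sha256()
    for name in FIELDS:
        value = row[name].encode("utf-8")
        # Length prefix keeps ("ab", "c") distinct from ("a", "bc").
        h.update(len(value).to_bytes(4, "big") + value)
    return h.hexdigest()

def snapshot(rows):
    """Map user ID -> fingerprint for a list of admin rows."""
    return {row["ID"]: fingerprint(row) for row in rows}

def diff(baseline, current):
    """Return which admin IDs were added, removed or modified."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(i for i in shared if baseline[i] != current[i]),
    }

# Constructed sample rows (not real data): the stored baseline ...
BEFORE = [
    {"ID": 1, "user_login": "alice", "user_pass": "$P$constructed-hash-1",
     "user_email": "alice@example.com"},
    {"ID": 2, "user_login": "bob", "user_pass": "$P$constructed-hash-2",
     "user_email": "bob@example.com"},
]
# ... and a later read: bob's password hash replaced, a new admin inserted.
AFTER = [
    dict(BEFORE[0]),
    dict(BEFORE[1], user_pass="$P$constructed-hash-X"),
    {"ID": 7, "user_login": "support", "user_pass": "$P$constructed-hash-7",
     "user_email": "support@example.com"},
]

if __name__ == "__main__":
    print(diff(snapshot(BEFORE), snapshot(AFTER)))
```

Only fingerprints are stored in the baseline, so the comparison stays a cheap dictionary lookup per account while still distinguishing a single edited account from a change to all of them.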
    n381

    (@n381)

    Hello, I’m also getting the alert “NinjaFirewall has detected that one or more administrator accounts were modified in the database”
    and, after reading the support response here, I would like to add a question: could NinjaFirewall also trigger this alert during the DB server backup? Please confirm.
    Regards

    Plugin Author nintechnet

    (@nintechnet)

    Does your backup process lock the tables? If that was the case, then it could be possible to trigger a false alert.

    n381

    (@n381)

    Hello, thank you for your answer. I agree that the database backup is raising the alert; still, in the NFW log these events are flagged with a 403 Forbidden server response, so it could seem that the event is coming from WP/NFW rather than from a DB server process.
    [1571395474] [0] [www.domain.com] [#4958746] [0] [6] [0.0.0.0] [403] [N/A] [-] [Database changes detected] [hex:61646d696e6973747261746f72206163636f756e74]

    Please respond further if possible

    Plugin Author nintechnet

    (@nintechnet)

    This is a notice to inform you about the modification in the DB.
    It was not blocked, it wasn’t an HTTP request. The 403 is the default value always written to the log, you can ignore it.

    n381

    (@n381)

    Hello once again,

    Thank you for confirming this as a false positive alert. As some other WP users have asked something similar, I suggest marking this ticket as solved, thereby informing the WP community.
    As an aside, I have a proposal for an additional feature. I know that I am supposed to submit it to the official page, yet as this topic evolved, I’m going to post it here: the improvement would be setting/blocking a maximum number of requests per IP during an interval, as a method to prevent flooding by HTTP and non-HTTP traffic (if possible). Since security settings/setups differ widely among server companies, such a per-IP flood control feature could make WP work more reliably on lower-quality shared hosting and DIY server installations (not for profit).
    Once again, thank you and your team for providing this software. Best regards

    crunchybar

    (@crunchybar)

    Completely unrelated, @n381. Please create a separate thread in the future.

    n381

    (@n381)

    Understood, thank you.
    I’ve posted it to NinTechNet, regards