• I’m hosting several sites on Pantheon with Wordfence. They restrict write access to code directories and only allow write access to the uploads directory on both the TEST and LIVE servers. On the DEV server you have write access in SFTP mode.

    With all that said, I’m getting errors in my PHP Log every few seconds:
    [29-Dec-2016 19:41:12 UTC] Unable to open /srv/bindings/322373741aac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.
    [29-Dec-2016 19:41:12 UTC] Unable to open /srv/bindings/322373741aac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.
    [29-Dec-2016 19:41:15 UTC] Unable to open /srv/bindings/322373741aac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.
    [29-Dec-2016 19:41:15 UTC] Unable to open /srv/bindings/322373741aac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.
    [29-Dec-2016 19:41:17 UTC] Unable to open /srv/bindings/322373741aac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.
    [29-Dec-2016 19:41:17 UTC] Unable to open /srv/bindings/322373741aac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.
    [29-Dec-2016 19:41:23 UTC] Unable to open /srv/bindings/322373741aac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.
    [29-Dec-2016 19:41:23 UTC] Unable to open /srv/bindings/322373741aac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.
    [29-Dec-2016 19:41:24 UTC] Unable to open /srv/bindings/322373741aac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.
    [29-Dec-2016 19:41:24 UTC] Unable to open /srv/bindings/322373741aac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.
    [29-Dec-2016 19:41:26 UTC] Unable to open /srv/bindings/322373741aeb4b26ac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.
    [29-Dec-2016 19:41:38 UTC] Unable to open /srv/bindings/322373741aac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.
    [29-Dec-2016 19:41:38 UTC] Unable to open /srv/bindings/322373741aac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.
    [29-Dec-2016 19:41:38 UTC] Unable to open /srv/bindings/322373741aac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.
    [29-Dec-2016 19:41:38 UTC] Unable to open /srv/bindings/322373741aac809f1bfc8a0c43/code/wp-content/wflogs/ips.php for reading and writing.

    I’ve created a symlink for the wfcache directory to the uploads folder, but problems come up when using a symlink for the wflogs folder. I’ve disabled the WordFence Firewall but it’s still trying to write to the wflogs directory. It’s not causing any problems, just an annoyance.

    Any suggestions to prevent the continual checking of writing to the wflogs folder?

    Thanks
    Dana

    • This topic was modified 7 years, 3 months ago by rdanamcd.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi Dana,
    Disabling the firewall should be enough to stop these warnings. Are you sure you’ve set the “Firewall Status” to “Disabled” in (Wordfence > Firewall) and are still getting these warnings in the log files?

    Note that if the “wflogs” path is changed to the (/uploads) directory, this may open a risk as well by allowing an attacker to write to this folder if he managed to exploit any vulnerability in your installed plugins that allows him to write to a sub-directory in the “/uploads” directory.

    Thanks.

    Thread Starter rdanamcd

    (@rdanamcd)

    Hi Wfalaa,

    Thanks for replying. When I go to Wordfence:firewall I get an error saying wflogs is not writable. On my DEV server I can switch to SFTP mode ( wflogs is now writable ). I now have access to Wordfence:firewall and I verified Firewall is DISABLED.

    Rechecked my PHP error log and an error was logged about every 5 seconds saying unable to open wflogs for read or write access.

    Pantheon recommends for WordFence: Disabling Firewall and Disabling Cookies: https://pantheon.io/docs/unsupported-modules-plugins/#wordfence Unfortunately an error is still logged even though Firewall is disabled.

    Thanks
    Dana

    I have re-checked this one with our team and unfortunately, there is currently no option that you can activate to hide these warnings from the error log, unless you change the “wflogs” directory path in “wordfence-waf.php” file in your website root directory to a writable directory, but this isn’t recommended due to the security risk I mentioned in my previous reply here.

    Thanks.

    Thread Starter rdanamcd

    (@rdanamcd)

    Hi Wfalaa,

    Are there any plans for WordFence to work with Pantheon.io hosting structure? I’ve got a lot of sites on Pantheon with Wordfence and wflogs is trying to write to a read-only code directory in all of them… causing the PHP errors. Not just for me but I guess for all Pantheon hosted sites with WordPress. As you see in the previous post, the PHP Errors are around the clock only seconds apart.

    Feature Request
    Pantheon suggests: https://pantheon.io/docs/unsupported-modules-plugins/#wordfence to turn OFF the Firewall because it is not supported. That’s fine, I turned it OFF, BUT Wordfence is not honoring that the Firewall is DISABLED and is still trying to write to WFLOGS. Feature Request: No Errors or checking of Read-Only WFLOGS if Firewall is Disabled.

    Thanks
    Dana

    I’d love for wordfence firewall to work on pantheon as well.

    @wfalaa, your point about exploiting some plugin to write to uploads subdirectories has some merit, but consider: if the wordfence plugin can write to the wflogs directory, then any other plugin can as well. So you are not eliminating the potential for other plugins to be exploited in that manner; you are merely limiting it to plugins which could be exploited to write under uploads/ but not be exploited to write one level higher up.

    How about this for an easy-to-implement middle ground: use a php constant (maybe WORDFENCE_WFLOGS_PATH?) to specify the wflogs location. Then site owners who wish to run wordfence’s firewall on a platform like pantheon can choose to define that in wp-config.php, while everyone else gets the default/current behavior.

    Hi @jnorell,
    Well, I mean that there are many plugins/themes creating sub-directories in the “/wp-content/uploads/” path, and imagine if any of them had a vulnerability allowing the attacker to upload/modify files in other sub-directories as well? The possibility would increase since the uploads directory is very commonly used by plugins/themes.

    There is already “WFWAF_LOG_PATH” defined in “wordfence-waf.php” file as I mentioned in my previous reply and I think I elaborated the security concern regarding changing this path at the beginning of my reply.

    Thanks.
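
An audit check for the concern discussed in this thread, added here as an example and not taken from any post or from Wordfence: it resolves symlinks and reports whether `wflogs` or `wfcache` actually ends up inside `wp-content/uploads`. The function names and the sample site layout are constructed for illustration.

```shell
#!/bin/sh
# Classify where a Wordfence data directory really lives once symlinks are
# resolved. Prints one of: missing | in-uploads | outside-uploads
# (wf_dir_location is a hypothetical helper name, not a Wordfence tool.)
wf_dir_location() {
    wp_root=$1; name=$2
    target="$wp_root/wp-content/$name"
    [ -d "$target" ] || { echo missing; return 0; }
    # pwd -P resolves every symlink on the path (POSIX, no realpath needed)
    real=$(cd "$target" 2>/dev/null && pwd -P) || { echo missing; return 0; }
    uploads=$(cd "$wp_root/wp-content/uploads" 2>/dev/null && pwd -P) || uploads=
    if [ -n "$uploads" ]; then
        # Trailing slash so a sibling such as "uploads-old" does not match
        case "$real/" in
            "$uploads"/*) echo in-uploads; return 0 ;;
        esac
    fi
    echo outside-uploads
}

# Constructed sample layout: wfcache symlinked into uploads (as the thread
# starter did), wflogs left as a real directory under wp-content.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/wfcache" "$root/wp-content/wflogs"
    ln -s uploads/wfcache "$root/wp-content/wfcache"
    echo "$root"
}

site=$(make_sample_site)
for d in wflogs wfcache; do
    printf '%s -> %s\n' "$d" "$(wf_dir_location "$site" "$d")"
done
rm -rf "$site"
```

Against a real install, pass the WordPress root as the first argument; an `in-uploads` result for `wflogs` means the firewall's data sits in the same tree other plugins and themes write to.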

  • The topic ‘Hosting on Pantheon.io wflogs no write access’ is closed to new replies.