Support » Plugin: Wordfence Security - Firewall & Malware Scan » Modified plugin files flagged in the most recent version of Jetpack

  • Resolved Jeremy Herve

    (@jeherve)


    Jetpack Mechanic 🚀

    Hi there!

    My name is Jeremy, and I work on the Jetpack plugin.

    Yesterday, we released Jetpack 4.3.2: we checked in all the new code in trunk, then copied all that code into a new tags/4.3.2 folder, and then changed the readme file’s stable version from 4.3.1 to 4.3.2 in both trunk and tags/4.3.2 to complete the release.

    Unfortunately, a few WordFence users started receiving reports from WordFence about “Modified plugin files” in Jetpack. You can find some examples in this thread.

    Is there anything we’ve done that triggered those warnings? Is there anything we can do to fix this, or that you can do on your end?

    Thanks a lot!

Viewing 10 replies - 16 through 25 (of 25 total)
  • Jeremy Herve

    (@jeherve)

    Jetpack Mechanic 🚀

    Oh, that’s interesting. The first set of changes was meant to only be available to Beta testers, but it seems some people got the updated files anyway. I’m not sure how this happened since there was no tagged version in the tags directory until the release 2 days ago.

    @oakhillman Do you happen to use some sort of site / plugin manager on your site, something that would automatically update plugins for you in some way?

    I’ve got exactly the same warnings from Wordfence.

    So I rolled all (18) plugins back 4 days, using UpdraftPlus, ran another scan which came up green. It now said Jetpack and Wordfence needed updates, so I did that, and when I ran another scan, I got the same warnings again. I don’t have auto updates on, and I’m not signed up for beta testing, at least not that I know of…how would I find that out?

    • This reply was modified 2 years, 2 months ago by  Sean.

    Sounds like wfalaa has a bead on the problem. And I do run an update manager.

    https://wordpress.org/plugins/stops-core-theme-and-plugin-updates/

    So it would stand to reason that my installations updated Jetpack early, when “@1611465” revision was in the repository.

    Jeremy Herve

    (@jeherve)

    Jetpack Mechanic 🚀

    I don’t have auto updates on, and I’m not signed up for beta testing, at least not that I know of…how would I find that out?

    You would have to install an additional plugin, Jetpack Beta, to be able to use Beta versions of Jetpack.

    I do run an update manager.

    https://wordpress.org/plugins/stops-core-theme-and-plugin-updates/

    So it would stand to reason that my installations updated Jetpack early, when “@1611465” revision was in the repository.

    Thanks for the extra details.

    I’m not quite sure why your installation was updated early though, before a stable tag was made available.

    @wfalaa When Wordfence scans compare plugin files, do they rely on what’s in trunk, or the files in the tags directory?

    @jeherve, I think you may have to bump the version so that our Jetpack installations are forced to update. I’m not a developer, but I believe what @wfalaa is saying is that early updates got revision “@1611465” as 4.7.1, and then after all of my 60 installations updated, you must have mistakenly released revision “@1614290” with the same 4.7.1.

    I think at this point you’re going to need to bump revision “@1614290” up to 4.7.2 so that our installations will update and then WordFence will see that all is in sync. Yes, I suppose we could manually reinstall Jetpack, but I do have 60 installs and well, that would be painful.

    Jeremy Herve

    (@jeherve)

    Jetpack Mechanic 🚀

    I think at this point you’re going to need to bump revision “@1614290” up to 4.7.2 so that our installations will update and then WordFence will see that all is in sync.

    That could indeed be an option, but I’m not sure it would solve the problem, if the scanner compares files in trunk against the files on your site. It may solve the problem this time around, but since we push Beta releases to trunk for each release the problem would happen again with the next release.

    @wfalaa Since we do not change anything in the tagged stable version after it’s released, and after marking that version number as the new stable version in trunk’s readme.txt file, would it be possible for you to check the modified files against the version in the tags directory?

    Well, here’s something interesting. I deactivated Jetpack and then deleted it off of one of my websites. I confirmed that the Jetpack folder was gone from the plugins folder. I then reinstalled it and ran a WordFence scan. I did this process twice and both times it still shows file discrepancies. I used the “see how the file has changed” link and there are no differences showing now. I clicked “I have fixed this issue” for all the files and ran the scan again, and again they all show up but there are no differences. I’m thoroughly confused.

    @jeherve this is almost what we are doing right now, and I confirm you are doing it correctly too, but there is something that I missed and it should clear up the confusion over here. There has been a migration going on for a couple of days where the server that holds the mirror copy of the plugins repository didn’t pick up the changes in the repo yet, and it seems that this was in that critical time after you created the tag but before the release. Unfortunately we can’t keep -constantly- scanning for updates to existing tags because that would require an excessive load on wordpress.org, so we would normally get the update within a couple of days maximum, but our migration delayed that longer than usual.

    Since the migration is nearly done by now, these files will stop appearing in scans once they have been all re-indexed. @oakhillman that’s why they are showing no difference right now, and they will disappear later on.

    I apologize for the inaccurate information I mentioned in my previous reply; I wasn’t aware of the migration process by then.

    Thanks.

    So it looks like the solution is that we just wait and the problem will clear itself up when the migration is done.

    The problem seems to have gone away.

    [Mar 18 22:12:38]Scan complete. Congratulations, no problems found.

    • This reply was modified 2 years, 2 months ago by  Sean.
  • The topic ‘Modified plugin files flagged in the most recent version of Jetpack’ is closed to new replies.
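
Added example, not part of the thread and not Wordfence's or Jetpack's code: a local check that separates the situation described above (installed files match the tagged release, but the scanner's reference copy lags behind it) from a real modification. The file names, contents and the `classify` helper are constructed for illustration; in practice the manifests would be built from the installed plugin folder, the scanner's reference, and a fresh export of the release tag.

```python
import hashlib

def manifest(files):
    """Map relative path -> SHA-256 hex digest for a {path: bytes} tree."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}

def classify(installed, mirror, upstream_tag):
    """Explain every installed file that does not match the scanner's mirror.

    'stale-reference': file equals the upstream tag, so the mirror is outdated
    'modified'       : file differs from the upstream tag as well
    'unknown-file'   : path exists in neither reference
    'missing'        : upstream tag ships the file, the install lacks it
    """
    verdicts = {}
    for path, digest in installed.items():
        if mirror.get(path) == digest:
            continue  # scanner reference agrees, nothing to report
        if upstream_tag.get(path) == digest:
            verdicts[path] = "stale-reference"
        elif path in mirror or path in upstream_tag:
            verdicts[path] = "modified"
        else:
            verdicts[path] = "unknown-file"
    for path in upstream_tag.keys() - installed.keys():
        verdicts[path] = "missing"
    return verdicts

# Constructed sample trees: the mirror still holds an early revision that
# carried the same version number as the final tagged release.
MIRROR = {"plugin.php": b"<?php // early revision",
          "modules/a.php": b"<?php // a",
          "modules/b.php": b"<?php // b early"}
TAG = {"plugin.php": b"<?php // final revision",
       "modules/a.php": b"<?php // a",
       "modules/b.php": b"<?php // b final",
       "readme.txt": b"Stable tag: x.y.z"}
INSTALLED = {"plugin.php": b"<?php // final revision",
             "modules/a.php": b"<?php // a",
             "modules/b.php": b"<?php // b final + local edit",
             "extra.php": b"<?php // not shipped by the plugin"}

if __name__ == "__main__":
    result = classify(manifest(INSTALLED), manifest(MIRROR), manifest(TAG))
    for path, verdict in sorted(result.items()):
        print(f"{verdict:16} {path}")
```

Only `stale-reference` results can be expected to clear once the scanner's reference catches up; `modified` and `unknown-file` results still need review.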