Support » Plugin: Wordfence Security - Firewall & Malware Scan » Scan fails on WordPress multisite

  • Hi,

    The scan fails on :

    Fetching core, theme and plugin file signatures from Wordfence

    This part of scan never ends !

    Regards

    mgregoire83

Viewing 12 replies - 1 through 12 (of 12 total)
  • Hi,
    Please go to (Wordfence > Tools => Diagnostics) and scroll down the page then choose “Enable debugging mode“, after that go to (Wordfence > Scan) and click on “Start a Wordfence Scan”, paste any errors you may get here to check and don’t forget to turn off the “debugging mode” after you finish this process.

    Also, can you confirm that Wordfence was installed and activated only on the main Network not on every single site?

    Thanks.

    Hi !

    Here are the Wordfence actuivity log :

    [Apr 27 10:48:44:1493290124.815510:4:info] Calling Wordfence API v2.23:https://noc1.wordfence.com/v2.23/?v=4.7.4&s=http%3A%2F%2Fleslegislatives.fr&k=7dddcf5a48c8f21855878acd7b5e31fa6fc0cc9baba83137406dcd92d3e575c07db505bee3e46dd312a1e0330c535b69f872770486df47c86389441460defd453900e64ac3fcfa1b1c800f826d730ed6&openssl=268439647&phpv=5.6.30&betaFeed=0&cacheType=disabled&action=get_known_files
    [Apr 27 10:48:44:1493290124.812587:10:info] SUM_START:Fetching core, theme and plugin file signatures from Wordfence
    [Apr 27 10:48:44:1493290124.800843:2:info] Found 2 themes
    [Apr 27 10:48:44:1493290124.799341:2:info] Getting theme list from WordPress
    [Apr 27 10:48:44:1493290124.796945:2:info] Found 49 plugins
    [Apr 27 10:48:44:1493290124.796122:2:info] Getting plugin list from WordPress
    [Apr 27 10:48:43:1493290123.560494:4:info] Scan process ended after forking.
    [Apr 27 10:48:43:1493290123.341103:4:info] Calling Wordfence API v2.23:https://noc1.wordfence.com/v2.23/?v=4.7.4&s=http%3A%2F%2Fleslegislatives.fr&k=7dddcf5a48c8f21855878acd7b5e31fa6fc0cc9baba83137406dcd92d3e575c07db505bee3e46dd312a1e0330c535b69f872770486df47c86389441460defd453900e64ac3fcfa1b1c800f826d730ed6&openssl=268439647&phpv=5.6.30&betaFeed=0&cacheType=disabled&action=log_scan
    [Apr 27 10:48:43:1493290123.339279:1:info] Contacting Wordfence to initiate scan
    [Apr 27 10:48:43:1493290123.329252:10:info] SUM_ENDOK:Checking for the most secure way to get IPs
    [Apr 27 10:48:43:1493290123.321738:10:info] SUM_START:Checking for the most secure way to get IPs
    [Apr 27 10:48:41:1493290121.302361:10:info] SUM_PAIDONLY:Checking if your site is on the Google Safe Browsing list is for paid members only
    [Apr 27 10:48:39:1493290119.300355:10:info] SUM_PAIDONLY:Checking if your IP is generating spam is for paid members only
    [Apr 27 10:48:37:1493290117.298283:10:info] SUM_PAIDONLY:Check if your site is being Spamvertized is for paid members only
    [Apr 27 10:48:35:1493290115.296437:10:info] SUM_PAIDONLY:Remote scan of public facing site only available to paid members
    [Apr 27 10:48:35:1493290115.284861:4:info] getMaxExecutionTime() returning default of: 15
    [Apr 27 10:48:35:1493290115.284626:4:info] Got max_execution_time value from ini: 0
    [Apr 27 10:48:35:1493290115.284381:4:info] Got value from wf config maxExecutionTime:
    [Apr 27 10:48:35:1493290115.284046:10:info] SUM_PREP:Preparing a new scan.
    [Apr 27 10:48:35:1493290115.281684:4:info] Setting up scanRunning and starting scan
    [Apr 27 10:48:35:1493290115.281420:4:info] Setting up error handling environment
    [Apr 27 10:48:35:1493290115.281147:4:info] Requesting max memory
    [Apr 27 10:48:35:1493290115.280108:4:info] Checking if scan is already running
    [Apr 27 10:48:35:1493290115.279876:4:info] Done become admin
    [Apr 27 10:48:35:1493290115.279588:4:info] Scan authentication complete.
    [Apr 27 10:48:35:1493290115.278822:4:info] Scan will run as admin user ‘legis-admin’ with ID ‘1’ sourced from: multisite get_super_admins() function
    [Apr 27 10:48:35:1493290115.275881:4:info] Becoming admin for scan
    [Apr 27 10:48:35:1493290115.275302:4:info] Checking saved cronkey against cronkey param
    [Apr 27 10:48:35:1493290115.275072:4:info] Exploding stored cronkey
    [Apr 27 10:48:35:1493290115.274799:4:info] Fetching stored cronkey for comparison.
    [Apr 27 10:48:35:1493290115.274570:4:info] Checking cronkey
    [Apr 27 10:48:35:1493290115.274205:4:info] Scan engine received request.
    [Apr 27 10:48:30:1493290110.544210:4:info] Starting cron with normal ajax at URL http://leslegislatives.fr/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=1148422249973e4976e6b46a
    [Apr 27 10:48:30:1493290110.542568:4:info] Test result of scan start URL fetch: array ( ‘headers’ => Requests_Utility_CaseInsensitiveDictionary::__set_state(array( ‘data’ => array ( ‘x-powered-by’ => ‘PHP/5.6.30’, ‘set-cookie’ => ‘wfvt_731343965=5901cc7e45dea; expires=Thu, 27-Apr-2017 11:18:30 GMT; Max-Age=1800; path=/; httponly’, ‘content-type’ => ‘text/html; charset=UTF-8’, ‘x-robots-tag’ => ‘noindex’, ‘x-content-type-options’ => ‘nosniff’, ‘expires’ => ‘Wed, 11 Jan 1984 05:00:00 GMT’, ‘cache-control’ => ‘no-cache, must-revalidate, max-age=0’, ‘x-frame-options’ => ‘SAMEORIGIN’, ‘content-length’ => ’32’, ‘content-encoding’ => ‘gzip’, ‘vary’ => ‘Accept-Encoding’, ‘date’ => ‘Thu, 27 Apr 2017 10:48:30 GMT’, ‘accept-ranges’ => ‘bytes’, ‘server’ => ‘LiteSpeed’, ), )), ‘body’ => ‘WFSCANTESTOK’, ‘response’ => array ( ‘code’ => 200, ‘message’ => ‘OK’, ), ‘cookies’ => array ( 0 => WP_Http_Cookie::__set
    [Apr 27 10:48:27:1493290107.135757:4:info] getMaxExecutionTime() returning default of: 15
    [Apr 27 10:48:27:1493290107.135560:4:info] Got max_execution_time value from ini: 0
    [Apr 27 10:48:27:1493290107.135335:4:info] Got value from wf config maxExecutionTime:
    [Apr 27 10:48:27:1493290107.134872:4:info] Entering start scan routine
    [Apr 27 10:48:27:1493290107.133840:4:info] Ajax request received to start scan.
    [Apr 27 10:48:09:1493290089.674712:10:info] SUM_KILLED:A request was received to kill the previous scan.
    [Apr 27 10:48:09:1493290089.674224:1:info] Scan kill request received.
    [Apr 27 02:02:48:1493258568.346980:1:info] Scheduled Wordfence scan starting at Thursday 27th of April 2017 02:02:48 AM
    [Apr 26 07:29:32:1493191772.712243:10:info] SUM_START:Fetching core, theme and plugin file signatures from Wordfence
    [Apr 26 07:29:32:1493191772.693897:2:info] Found 4 themes
    [Apr 26 07:29:32:1493191772.684863:2:info] Getting theme list from WordPress
    [Apr 26 07:29:32:1493191772.672048:2:info] Found 49 plugins
    [Apr 26 07:29:32:1493191772.671357:2:info] Getting plugin list from WordPress
    [Apr 26 07:29:31:1493191771.580683:1:info] Contacting Wordfence to initiate scan
    [Apr 26 07:29:31:1493191771.577706:10:info] SUM_ENDOK:Checking for the most secure way to get IPs
    [Apr 26 07:29:31:1493191771.575937:10:info] SUM_START:Checking for the most secure way to get IPs
    [Apr 26 07:29:29:1493191769.572214:10:info] SUM_PAIDONLY:Checking if your site is on the Google Safe Browsing list is for paid members only
    [Apr 26 07:29:27:1493191767.569817:10:info] SUM_PAIDONLY:Checking if your IP is generating spam is for paid members only
    [Apr 26 07:29:25:1493191765.559942:10:info] SUM_PAIDONLY:Check if your site is being Spamvertized is for paid members only
    [Apr 26 07:29:23:1493191763.532571:10:info] SUM_PAIDONLY:Remote scan of public facing site only available to paid members
    [Apr 26 07:29:23:1493191763.527634:10:info] SUM_PREP:Preparing a new scan.

    At this time, the scan still runnig and seem to be blocked !

    The wordfence plugin is Network activated, no sub-sites !

    For your information !

    Regards !

    Note : As we are a NGO non-profit organization we have a real low budget, ans go to a Premium version is very hard for us ! For your information !

    MG

    Some more logs have appeared :

    [Apr 27 11:00:06:1493290806.296110:4:error] Wordfence could not find a saved cron key to start the scan so assuming it started and exiting.
    [Apr 27 11:00:06:1493290806.295681:4:info] Fetching stored cronkey for comparison.
    [Apr 27 11:00:06:1493290806.293335:4:info] Checking cronkey
    [Apr 27 11:00:06:1493290806.288467:4:info] Scan engine received request.
    [Apr 27 11:00:06:1493290806.231380:4:error] Wordfence could not find a saved cron key to start the scan so assuming it started and exiting.
    [Apr 27 11:00:06:1493290806.231104:4:info] Fetching stored cronkey for comparison.
    [Apr 27 11:00:06:1493290806.230875:4:info] Checking cronkey
    [Apr 27 11:00:06:1493290806.230408:4:info] Scan engine received request.
    [Apr 27 11:00:06:1493290806.156881:4:error] Wordfence could not find a saved cron key to start the scan so assuming it started and exiting.
    [Apr 27 11:00:06:1493290806.156639:4:info] Fetching stored cronkey for comparison.
    [Apr 27 11:00:06:1493290806.156403:4:info] Checking cronkey
    [Apr 27 11:00:06:1493290806.155855:4:info] Scan engine received request.
    [Apr 27 11:00:01:1493290801.275103:4:error] Wordfence could not find a saved cron key to start the scan so assuming it started and exiting.
    [Apr 27 11:00:01:1493290801.274787:4:info] Fetching stored cronkey for comparison.
    [Apr 27 11:00:01:1493290801.274507:4:info] Checking cronkey
    [Apr 27 11:00:01:1493290801.274031:4:info] Scan engine received request.
    [Apr 27 11:00:01:1493290801.067912:4:error] Wordfence could not find a saved cron key to start the scan so assuming it started and exiting.
    [Apr 27 11:00:01:1493290801.067318:4:info] Fetching stored cronkey for comparison.
    [Apr 27 11:00:01:1493290801.066700:4:info] Checking cronkey
    [Apr 27 11:00:01:1493290801.065485:4:info] Scan engine received request.
    [Apr 27 11:00:01:1493290801.064966:4:error] Wordfence could not find a saved cron key to start the scan so assuming it started and exiting.
    [Apr 27 11:00:01:1493290801.064769:4:info] Fetching stored cronkey for comparison.
    [Apr 27 11:00:01:1493290801.064558:4:info] Checking cronkey
    [Apr 27 11:00:01:1493290801.063638:4:info] Scan engine received request.
    [Apr 27 10:48:44:1493290124.815510:4:info] Calling Wordfence API v2.23:https://noc1.wordfence.com/v2.23/?v=4.7.4&s=http%3A%2F%2Fleslegislatives.fr&k=7dddcf5a48c8f21855878acd7b5e31fa6fc0cc9baba83137406dcd92d3e575c07db505bee3e46dd312a1e0330c535b69f872770486df47c86389441460defd453900e64ac3fcfa1b1c800f826d730ed6&openssl=268439647&phpv=5.6.30&betaFeed=0&cacheType=disabled&action=get_known_files
    [Apr 27 10:48:44:1493290124.812587:10:info] SUM_START:Fetching core, theme and plugin file signatures from Wordfence
    [Apr 27 10:48:44:1493290124.800843:2:info] Found 2 themes
    [Apr 27 10:48:44:1493290124.799341:2:info] Getting theme list from WordPress
    [Apr 27 10:48:44:1493290124.796945:2:info] Found 49 plugins
    [Apr 27 10:48:44:1493290124.796122:2:info] Getting plugin list from WordPress
    [Apr 27 10:48:43:1493290123.560494:4:info] Scan process ended after forking.
    [Apr 27 10:48:43:1493290123.341103:4:info] Calling Wordfence API v2.23:https://noc1.wordfence.com/v2.23/?v=4.7.4&s=http%3A%2F%2Fleslegislatives.fr&k=7dddcf5a48c8f21855878acd7b5e31fa6fc0cc9baba83137406dcd92d3e575c07db505bee3e46dd312a1e0330c535b69f872770486df47c86389441460defd453900e64ac3fcfa1b1c800f826d730ed6&openssl=268439647&phpv=5.6.30&betaFeed=0&cacheType=disabled&action=log_scan
    [Apr 27 10:48:43:1493290123.339279:1:info] Contacting Wordfence to initiate scan
    [Apr 27 10:48:43:1493290123.329252:10:info] SUM_ENDOK:Checking for the most secure way to get IPs
    [Apr 27 10:48:43:1493290123.321738:10:info] SUM_START:Checking for the most secure way to get IPs
    [Apr 27 10:48:41:1493290121.302361:10:info] SUM_PAIDONLY:Checking if your site is on the Google Safe Browsing list is for paid members only
    [Apr 27 10:48:39:1493290119.300355:10:info] SUM_PAIDONLY:Checking if your IP is generating spam is for paid members only
    [Apr 27 10:48:37:1493290117.298283:10:info] SUM_PAIDONLY:Check if your site is being Spamvertized is for paid members only
    [Apr 27 10:48:35:1493290115.296437:10:info] SUM_PAIDONLY:Remote scan of public facing site only available to paid members
    [Apr 27 10:48:35:1493290115.284861:4:info] getMaxExecutionTime() returning default of: 15
    [Apr 27 10:48:35:1493290115.284626:4:info] Got max_execution_time value from ini: 0
    [Apr 27 10:48:35:1493290115.284381:4:info] Got value from wf config maxExecutionTime:
    [Apr 27 10:48:35:1493290115.284046:10:info] SUM_PREP:Preparing a new scan.
    [Apr 27 10:48:35:1493290115.281684:4:info] Setting up scanRunning and starting scan
    [Apr 27 10:48:35:1493290115.281420:4:info] Setting up error handling environment
    [Apr 27 10:48:35:1493290115.281147:4:info] Requesting max memory
    [Apr 27 10:48:35:1493290115.280108:4:info] Checking if scan is already running
    [Apr 27 10:48:35:1493290115.279876:4:info] Done become admin
    [Apr 27 10:48:35:1493290115.279588:4:info] Scan authentication complete.
    [Apr 27 10:48:35:1493290115.278822:4:info] Scan will run as admin user ‘legis-admin’ with ID ‘1’ sourced from: multisite get_super_admins() function
    [Apr 27 10:48:35:1493290115.275881:4:info] Becoming admin for scan
    [Apr 27 10:48:35:1493290115.275302:4:info] Checking saved cronkey against cronkey param
    [Apr 27 10:48:35:1493290115.275072:4:info] Exploding stored cronkey
    [Apr 27 10:48:35:1493290115.274799:4:info] Fetching stored cronkey for comparison.
    [Apr 27 10:48:35:1493290115.274570:4:info] Checking cronkey
    [Apr 27 10:48:35:1493290115.274205:4:info] Scan engine received request.
    [Apr 27 10:48:30:1493290110.544210:4:info] Starting cron with normal ajax at URL http://leslegislatives.fr/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=1148422249973e4976e6b46a
    [Apr 27 10:48:30:1493290110.542568:4:info] Test result of scan start URL fetch: array ( ‘headers’ => Requests_Utility_CaseInsensitiveDictionary::__set_state(array( ‘data’ => array ( ‘x-powered-by’ => ‘PHP/5.6.30’, ‘set-cookie’ => ‘wfvt_731343965=5901cc7e45dea; expires=Thu, 27-Apr-2017 11:18:30 GMT; Max-Age=1800; path=/; httponly’, ‘content-type’ => ‘text/html; charset=UTF-8’, ‘x-robots-tag’ => ‘noindex’, ‘x-content-type-options’ => ‘nosniff’, ‘expires’ => ‘Wed, 11 Jan 1984 05:00:00 GMT’, ‘cache-control’ => ‘no-cache, must-revalidate, max-age=0’, ‘x-frame-options’ => ‘SAMEORIGIN’, ‘content-length’ => ’32’, ‘content-encoding’ => ‘gzip’, ‘vary’ => ‘Accept-Encoding’, ‘date’ => ‘Thu, 27 Apr 2017 10:48:30 GMT’, ‘accept-ranges’ => ‘bytes’, ‘server’ => ‘LiteSpeed’, ), )), ‘body’ => ‘WFSCANTESTOK’, ‘response’ => array ( ‘code’ => 200, ‘message’ => ‘OK’, ), ‘cookies’ => array ( 0 => WP_Http_Cookie::__set
    [Apr 27 10:48:27:1493290107.135757:4:info] getMaxExecutionTime() returning default of: 15
    [Apr 27 10:48:27:1493290107.135560:4:info] Got max_execution_time value from ini: 0
    [Apr 27 10:48:27:1493290107.135335:4:info] Got value from wf config maxExecutionTime:
    [Apr 27 10:48:27:1493290107.134872:4:info] Entering start scan routine
    [Apr 27 10:48:27:1493290107.133840:4:info] Ajax request received to start scan.
    [Apr 27 10:48:09:1493290089.674712:10:info] SUM_KILLED:A request was received to kill the previous scan.
    [Apr 27 10:48:09:1493290089.674224:1:info] Scan kill request received.
    [Apr 27 02:02:48:1493258568.346980:1:info] Scheduled Wordfence scan starting at Thursday 27th of April 2017 02:02:48 AM
    [Apr 26 07:29:32:1493191772.712243:10:info] SUM_START:Fetching core, theme and plugin file signatures from Wordfence
    [Apr 26 07:29:32:1493191772.693897:2:info] Found 4 themes
    [Apr 26 07:29:32:1493191772.684863:2:info] Getting theme list from WordPress
    [Apr 26 07:29:32:1493191772.672048:2:info] Found 49 plugins
    [Apr 26 07:29:32:1493191772.671357:2:info] Getting plugin list from WordPress
    [Apr 26 07:29:31:1493191771.580683:1:info] Contacting Wordfence to initiate scan
    [Apr 26 07:29:31:1493191771.577706:10:info] SUM_ENDOK:Checking for the most secure way to get IPs
    [Apr 26 07:29:31:1493191771.575937:10:info] SUM_START:Checking for the most secure way to get IPs
    [Apr 26 07:29:29:1493191769.572214:10:info] SUM_PAIDONLY:Checking if your site is on the Google Safe Browsing list is for paid members only
    [Apr 26 07:29:27:1493191767.569817:10:info] SUM_PAIDONLY:Checking if your IP is generating spam is for paid members only
    [Apr 26 07:29:25:1493191765.559942:10:info] SUM_PAIDONLY:Check if your site is being Spamvertized is for paid members only
    [Apr 26 07:29:23:1493191763.532571:10:info] SUM_PAIDONLY:Remote scan of public facing site only available to paid members
    [Apr 26 07:29:23:1493191763.527634:10:info] SUM_PREP:Preparing a new scan.

    Thanks @mgregoire83 for providing the scan activity log, however, in future please use “Pastebin” for sharing these logs.

    After checking these logs, I found an interesting information regarding “max_execution_time”, it seems to be set to “0” in php.ini file, check this entry:
    [Apr 27 10:48:35:1493290115.284626:4:info] Got max_execution_time value from ini: 0

    Please check (Wordfence > Tools => Diagnostics) and scroll down the page then open this link “Click to view your system’s configuration in a new window”, after that search for “max_execution_time” value there, if it was reported as “0” also, then you should get in contact with your hosting provider regarding this issue.

    Let me know how it goes,
    Thanks.

    Hi !

    Thanks for your answer and the info for Pastebin !

    Bad new: since the last update (6.3.7), Wordfence have disapeared f rom the Admin back-office menu ! Impossible to check if “max_execution_time” change have a good influence on Wordfence behaviour !

    Regards

    MG

    Since you are running WordPress Network, please make sure you are looking at the main network dashboard menu? also, do you still have “wordfence” directory in (wp-content/plugins/)?

    Thanks.

    Hi !

    I’ve had to reinstall last Plugin version to recover it in back-office !

    I’ve increased the “max_execution_time” to 600, but no change. The scan don’t ends and execute untill I kill the process !

    Another idea ?

    Regards

    MG

    Please kill the current scan if there is one running, then start a new scan with “debug mode” turned on, and click on “Email activity log”, make sure to send the email to “alaa [at] wordfence [dot] com”.

    Also, go to (Wordfence > Tools > Diagnostics) and scroll down the page till “Send Report by Email” and send the report to “alaa [at] wordfence [dot] com” as well, make sure to include your forum username, I will take a look at those reports and let you know my findings.

    Thanks.

    Done !

    Expecting for your answer !

    Regards.

    MG

    • This reply was modified 2 years, 7 months ago by mgregoire83.
    • This reply was modified 2 years, 7 months ago by mgregoire83.

    I’m afraid I didn’t receive any emails from your website yet, could you please resend them again?

    Thanks.

    Hi !

    Email resent ! Have you receved them ?

    Regrds

    MG

    Hi,
    Yes, I got both emails, thanks!

    After checking these reports, I still can see “max_execution_time” is set to “0” there, you can check that in (Wordfence > Tools => Diagnostics => Click to view your system’s configuration in a new window) and search for “max_execution_time”.

    I suggest reporting this issue to your hosting provider, and let them change this value for you, also, I recommend increasing the memory allocated to PHP in WordPress to something like 256MB.

    Let me know how it goes,
    Thanks.

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘Scan fails on WordPress multisite’ is closed to new replies.