Plugin Support
wfphil
(@wfphil)
Hello,
Can I ask you to double check please that on the “Options” page you have enabled the scan option “Scan core files against repository versions for changes”?
If it is not enabled then please enable it and run another scan.
If it is already enabled can you do the following please:
- Email me a copy of the index.php file.
- Also forward the email from your hosting provider to me.
Please add your user forum name to the subject field of the email
Send to phil [@] wordfence [dot]com
Thank you.
Thread Starter
p4rker
(@p4rker)
Hi Phil,
after spending quite some time with fatcow’s support staff I figured out that they had disabled ALL the rights on index.php, so it was – probably – invisible / unreadable to wordfence as well. Personally, I could not even see it using cyberduck ftp anymore.
through the fatcow ftp file manager I was able to see it (looked unsuspicious to me, and stated it had not been changed for almost 3 years), change all the permissions and – just to make sure (that there was no twist I have ignored) – replaced the entire content with the code of a new file.
happy to send you my host’s email anyway. thanks!
Thread Starter
p4rker
(@p4rker)
PS: I did enable the scan option “Scan core files against repository versions for changes” after I had a similar issue a couple of weeks ago. At that initial point Wordfence did detect – and fix – a couple of changed files.
Plugin Support
wfphil
(@wfphil)
Hello,
Sorry for the delay in getting back to you. Thank you for sending the communication with your hosting provider.
Did adding a fresh index.php file solve the problem for you?
Did the modified file repair that you did after enabling the extra scan setting solve the problem for you?
If not, can you make sure the following scan options are enabled and run a new scan please:
- Scan public facing site for vulnerabilities
- Scan for publicly accessible configuration, backup, or log files
- Scan for publicly accessible quarantined files
- Scan core files against repository versions for changes
- Scan theme files against repository versions for changes
- Scan plugin files against repository versions for changes
- Scan wp-admin and wp-includes for files not bundled with WordPress
- Scan for signatures of known malicious files
- Scan file contents for backdoors, trojans and suspicious code
- Scan posts for known dangerous URLs and suspicious content
- Scan comments for known dangerous URLs and suspicious content
- Scan for out of date plugins, themes and WordPress versions
- Scan for admin users created outside of WordPress
- Check the strength of passwords
- Scan for unauthorized DNS changes
- Scan files outside your WordPress installation
- Scan images, binary, and other files as if they were executable
- Enable HIGH SENSITIVITY scanning (may give false positives)
- Use low resource scanning (reduces server load by lengthening the scan duration)
Thread Starter
p4rker
(@p4rker)
Hi Phil,
thanks – yes, all options were activated, and in the meantime it got even more weird. While I was hoping / expecting that the fresh index.php would fix it, my host insisted that one particular post would keep on sending bulk email (truthfully I was unable to understand how a post would “send” spam).
After I deleted the post in question and logged out, WordPress kept on sending me to the install.php script (which I did not run, because I did not want to nuke the install). Bizarrely, everything went back to normal after I downloaded all the contents of the site via cyberduck ftp, without having to run install.php or even changing any of the other files.
I think the issue is impossible to reproduce at this point (also the responses fatcow is giving me vary strongly, depending on the support team members), and I will just close the thread as “resolved”… Thanks for your help.
Plugin Support
wfphil
(@wfphil)
Hello,
You’re welcome!
One common cause of the WordPress install page appearing is a corrupt database, so you may be able to do a database integrity check in your hosting control panel.
If you do run into the same issues then please open the topic again and we will be happy to help.