Support » Plugin: Asset CleanUp: Page Speed Booster » Wordfence file changes

  • Resolved Kieran

    (@kierantaylorio)


    Hi Gabe,

    I’ve noticed an issue with WP Asset Cleanup where Wordfence is reporting file changes. The file contents appear to be the same before the report, however, they do differ from the repository – which is what it is checking against.

    Is it possible you’re making changes to the SVN trunk / tags folder without bumping the version number?

    I’m just trying to figure out if this is a genuine security issue or not.

    All the best,

    Kieran

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author Gabe Livan

    (@gabelivan)

    Hi, Kieran!

    Sometimes, files do differ as changes are made to the SVN without changing the version number, especially when no new features are added or some cosmetic changes or code cleanup was performed. There are situations when functionality is updated, but it’s only made official when the tag is updated. The development version (trunk) is usually updated first when people want to test a new feature.

    I used to change the number all the time, but people complained about too many updates (plus, the changelog will be too large and not so easy to go through), sometimes two in a day, thus I’ve decided to change the way the plugin is updated.

    If you have suggestions about this process, let me know!

    Best wishes,
    Gabe

    Thread Starter Kieran

    (@kierantaylorio)

    Hi Gabe,

    No worries, this is what I suspected and just wanted to confirm.

    Thanks,

    Kieran

    Hi Gabe,

    Wordfence has picked up various file changes for me too, and wanted to check that they are all legit. Can you confirm that the following changes have been made by yourself:

    /classes/OptimiseAssets/OptimizeJs.php
    /classes/OwnAssets.php
    /classes/Tools.php
    /classes/Update.php
    /early-triggers.php
    /templates/_admin-page-getting-started-areas/_video-tutorials.php
    /templates/_admin-page-settings-bulk-changes/_bulk-unloaded.php
    /templates/_admin-page-settings-plugin-areas/_combine-loaded-files.php
    /templates/_admin-page-settings-plugin-areas/_common-files-unload.php
    /templates/admin-page-child-pages-info.php
    /templates/admin-page-settings-plugin.php
    /templates/meta-box-loaded-assets/_asset-script-single-row.php
    /templates/meta-box-loaded-assets/_asset-style-single-row.php
    /templates/settings-frontend.php
    /assets/script.min.js
    /assets/style.min.css
    /classes/CleanUp.php
    /classes/ImportExport.php
    /classes/Main.php
    /classes/Menu.php
    /classes/Misc.php
    /classes/OptimiseAssets/MinifyCss.php
    /classes/OptimiseAssets/MinifyJs.php
    /classes/OptimiseAssets/OptimizeCommon.php
    /classes/OptimiseAssets/OptimizeCss.php

    Apologies for posting a big list of files, but I just wanted to make sure that each one is a legitimate change from yourself.

    Many thanks,

    Dannii

    Plugin Author Gabe Livan

    (@gabelivan)

    @danniimartin All these files were changed in the past month. You might see this kind of thing once in a while as sometimes files are updated without releasing a new tag. I suggest you use a malware scanner if you’re worried these files were updated by a 3rd party source (e.g. a hacker) which is less likely (other plugins could have their files updated too). Or, just re-download the plugin (latest tag) and Wordfence shouldn’t pick up on them. Does that help?
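One way to triage such an alert, following the suggestion above to re-download the latest tag: hash the installed plugin directory against a freshly downloaded copy and list what differs. This is an added example, not code from the thread or from the plugin; the directory layout and file contents are constructed sample data, and `manifest`, `compare` and `build_sample` are hypothetical names.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def compare(installed_dir, reference_dir):
    """Classify differences between the installed plugin and a reference copy."""
    installed, reference = manifest(installed_dir), manifest(reference_dir)
    return {
        # Same path, different bytes: a re-tagged release or tampering; diff by hand.
        "modified": sorted(f for f in installed.keys() & reference.keys()
                           if installed[f] != reference[f]),
        # Shipped in the reference copy but absent on the server.
        "missing": sorted(reference.keys() - installed.keys()),
        # On the server but never shipped in the reference copy.
        "extra": sorted(installed.keys() - reference.keys()),
    }

def build_sample(base):
    """Constructed sample trees; file contents are made up for the demo."""
    files = {
        "installed": {"classes/Main.php": "<?php // v1\n",
                      "classes/Tools.php": "<?php // old tools\n",
                      "assets/cache.php": "<?php // not in the release\n"},
        "reference": {"classes/Main.php": "<?php // v1\n",
                      "classes/Tools.php": "<?php // new tools\n",
                      "classes/Update.php": "<?php // update\n"},
    }
    for tree, entries in files.items():
        for rel, body in entries.items():
            path = Path(base) / tree / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    return Path(base) / "installed", Path(base) / "reference"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare(*build_sample(tmp)).items():
            print(f"{kind}: {paths}")
```

On a real site, point `compare` at the live plugin directory and at an unpacked copy of the tag; the "modified" entries are the ones to diff against the public changesets.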

    Hi Gabe,

    I’ve had some hacking issues recently and it’s quite disconcerting and doesn’t help the troubleshooting process when frequently getting false positives like this in Wordfence.

    If I uninstall your plugin and re-install it, will I lose all my configured settings and optimisations?

    Thanks.

    Plugin Author Gabe Livan

    (@gabelivan)

    Hi, Robin!

    Absolutely, if you just uninstall the plugin (without resetting anything of course, from “Tools” – “Reset”) and install it later, all the settings and optimizations will be preserved. Are the Wordfence notices that frustrating that you need to deactivate Asset CleanUp? Is there a way to filter them or make them less obtrusive?

    Regards,
    Gabe

    Hi Gabriel,

    Not OP, but I just uninstalled your plugin because of the Wordfence alerts, even though I didn’t want to believe it, especially not when the plugin author is called Gabriel!

    I would prefer the official updates before functionality is changed so that people know it’s a trustworthy plugin.

    yours sincerely,

    Nick

    Plugin Author Gabe Livan

    (@gabelivan)

    @birdbrainsolutions I understand your concern and as you probably noticed, there was more than one update on the same tag, indeed!

    It rarely happens nowadays; hopefully, this will end very soon so no one will get any “false” Wordfence alerts again. Wordfence doesn’t check the official updates for the same tag and I don’t blame them because it’s not that easy.

    I hope you’ll be using the plugin again someday. If you read the posts from this topic, you’ll probably understand why these updates were made. Thanks for your honest feedback!

    Hi Gabriel,

    It’s mostly for troubleshooting as of now because Wordfence limited access to the site, and on recovering the site, the scan showed issues with only your plugin, which led me to believe that that was the cause.

    If you check your reviews, I recommended your plugin just a little while before that 🙂

    If you can check and confirm that there are no vulnerabilities with your plugin, I would love to test it further (since I am already using it on multiple sites for the past 7-10 days).

    yours sincerely,

    Nick

    Plugin Author Gabe Livan

    (@gabelivan)

    @birdbrainsolutions The reason why Wordfence reported this (which is not a security breach) is that the version of the file OptimizeCommon.php that you have there is not the same as the one for the tag 1.3.4.5. The reason is that two updates were made to this file for the same tag, which is a practice that will end very soon, as I said earlier.

    The same thing was discussed here: https://wordpress.org/support/topic/wordfence-detect-files-changed/

    You can actually check the contents of OptimizeCommon.php (latest change) here: https://plugins.trac.wordpress.org/changeset/2167573/

    All the updates are public and visible in the WordPress repository. Let me know if this is clear or if you have further questions and I would gladly assist you!

    Thanks Gabriel,

    I understood that by reading your earlier messages, I just wanted confirmation that there were no vulnerabilities within your plugin as I want to use it on all the sites 🙂

    And would definitely prefer if all changes were made only after the official update. And thank you once again for creating this plugin!

    Have a great day!

    yours sincerely,

    Nick

  • The topic ‘Wordfence file changes’ is closed to new replies.