Wordfence flags changed file in plugin, then says plugin doesn’t exist

  • Resolved syzygist

    (@syzygist)


    2 years, 9 months ago

    For years, I have been receiving Wordfence “Modified plugin file” alerts about the JSM’s Force HTTP to HTTPS plugin. Invariably, when I log in to a WordPress installation to view scan results, then click the View Differences button, I get a white screen with the message “WordFence API error: We could not locate that plugin in our repository.” It may not be in the Wordfence repository, but it is, and always has been, in the WordPress.org repository (https://wordpress.org/plugins/jsm-force-ssl/).

    I have used hundreds of plugins, and have never seen the “Wordfence API error: not in our repository” message when viewing differences in changed files for ANY of them except JSM’s Force HTTP to HTTPS, where it ALWAYS occurs. I have attempted to contact Defiant (the Wordfence people) about this directly twice, and didn’t get so much as a courtesy response either time.

    I am aware that modified plugin file alerts are typically caused by plugin authors updating plugin files without going through the full process of creating a new version, but that would not explain why a plugin that has been in the WordPress.org repo for years has also for years apparently NOT ever been in the Wordfence mirrored version of that repository (and yet, Wordfence is able to identify modified files….).

    What is up with that, and is it ever going to be fixed?

    • This topic was modified 2 years, 9 months ago by syzygist.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support WFAdam

    (@wfadam)

    2 years, 9 months ago

    Hello @syzygist and thanks for reaching out to us!

    Can you send me a screenshot of what you’re seeing? It sounds like you are getting the API error in the scan log?

    I installed this plugin on my test site and ran a scan, I didn’t get any results pointing to this. I am thinking it might be something in your database that is causing it. Could be an issue with the slug of the plugin.

    Thanks again!

    Thread Starter syzygist

    (@syzygist)

    2 years, 9 months ago

    I have already described exactly the circumstances under which this issue occurs, and what I am doing that produces the error. I don’t see how you could expect to reproduce it, since it is related to file changes when made in a specific second plugin, which I doubt have occurred since yesterday. As for a screenshot of the error, I have quoted it exactly above, and it appears in an otherwise white screen.

    I manage many sites, running on different hosts, and this plugin is installed on several of them. When this error occurs, it always occurs in all of the sites where this plugin is installed, so it is clearly NOT an issue with a particular installation. As I also previously mentioned, this has been going on for years.

    I have always suspected the issue might be related to the apostrophe in the name of the plugin – i.e., JSM’s (while the slug of course does not contain the apostrophe, nor the pluralizing s). I mentioned this suspicion both times that I previously contacted Wordfence about this problem.

    Plugin Support WFAdam

    (@wfadam)

    2 years, 9 months ago

    I took a deeper look at this issue for you. It is because the apostrophe in the name is escaped too much. We check both the slug and the name to avoid slug conflicts with non-repo or custom plugins.

    We can fix this in an upcoming release as I have reported our findings to our QA team. They have opened a case for it.

    The reason the message comes up all the time is that this developer is putting the Tested up to: header in the main PHP file and updating it to show compatibility with the latest WP version periodically, but it should be only in the readme.txt.

    Thanks for reporting this issue!

    Thread Starter syzygist

    (@syzygist)

    2 years, 9 months ago

    I’m glad you were able to pinpoint the cause. I look forward to the WF update, as assuming file changes are not malicious without being able to easily check them is obviously not a best practice, but reinstalling the plugin on every site I manage every time this comes up just to make sure is not practical either.

    Has the SSL plugin developer been given a headsup about their role in this issue, or shall I do that?

    Thread Starter syzygist

    (@syzygist)

    2 years, 5 months ago

    This issue appeared to be resolved for awhile, but now it is occurring again. Can you please recheck whether the over-escaping of the apostrophe has recurred somehow?

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Wordfence flags changed file in plugin, then says plugin doesn’t exist’ is closed to new replies.