Title: wordfence misses php attacks?
Last modified: September 6, 2018

---

# wordfence misses php attacks?

 *  Resolved [sguk](https://wordpress.org/support/users/sguk/)
 * (@sguk)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/wordfence-misses-php-attacks/)
 * Hi, we are testing mod security OWASP v3 due to certain websites not having wordfence
   installed.
    On those we develop noticed that on comparison with one site tonight:
 * Modsecurity – picked up on injection attack / script file upload etc and blocked
   with a 403
 * Wordfence – only picked up on an “autolog” attempt 30 seconds later.
 * I was just surprised that Wordfence did not detect the php injection? Or am I
   reading something wrong?

Viewing 5 replies - 1 through 5 (of 5 total)

 *  [wfalaa](https://wordpress.org/support/users/wfalaa/)
 * (@wfalaa)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/wordfence-misses-php-attacks/#post-10691938)
 * Hi [@sguk](https://wordpress.org/support/users/sguk/)
 * Please send this file to “samples [at] wordfence [dot] com”, our team would like
   to take a look at this file, mention all the details you can in this email.
 * Thanks.
 *  Thread Starter [sguk](https://wordpress.org/support/users/sguk/)
 * (@sguk)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wordfence-misses-php-attacks/#post-10711947)
 * Emailed.
 * Note
    I used incorrect wording in the post above, I am new to OWASP so I did 
   not realise when posting that when rule 949 is turned off, it does not block,
   I found out later from the creator of OWASP.
 * I should have said
    Modsecurity – picked up on injection attack / script file
   upload etc and showed a warning.
 *  [wfasa](https://wordpress.org/support/users/wfasa/)
 * (@wfasa)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wordfence-misses-php-attacks/#post-10759417)
 * Hi [@sguk](https://wordpress.org/support/users/sguk/),
    Just catching up on unresolved
   threads here. Reading your initial post it looks like Modsec may have blocked
   something that Wordfence subsequently did not block? If something is blocked 
   by Modsec it will never reach Wordfence, because it would already have been blocked.
   Do you think that is what happened?
 *  Thread Starter [sguk](https://wordpress.org/support/users/sguk/)
 * (@sguk)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wordfence-misses-php-attacks/#post-10760331)
 * Mod Security is not blocking the attacks, it’s a warning. The block rule is turned
   off as it causes too many issues with WordPress editor.
 * If 949 is off, it’s just a warning, so on this basis, Wordfence would see it.
 * From cpanel knowledgebase
    REQUEST-949-BLOCKING-EVALUATION The configuration 
   file path: modsec_vendor_configs/OWASP/rules/REQUEST-949-BLOCKING-EVALUATION.
   conf The rules in this configuration file blocks traffic that various other configuration
   files request. Warning: Other rules in the rule set depend on this configuration
   file to block incoming attacks. If you disable this configuration file, other
   rules will detect, but not block, incoming attacks.
 * I haven’t looked any further into this myself as we re too busy on other work,
   it may not be as we thought, just something we thought we noticed.
 *  [wfasa](https://wordpress.org/support/users/wfasa/)
 * (@wfasa)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wordfence-misses-php-attacks/#post-10773309)
 * Hi [@sguk](https://wordpress.org/support/users/sguk/)!
    Okay thanks for elaborating.
   I’ll forward this information to the team in case it’s something we need to have
   a closer look at!

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘wordfence misses php attacks?’ is closed to new replies.

 * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865)
 * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wordfence/)
 * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/)

 * 5 replies
 * 3 participants
 * Last reply from: [wfasa](https://wordpress.org/support/users/wfasa/)
 * Last activity: [7 years, 9 months ago](https://wordpress.org/support/topic/wordfence-misses-php-attacks/#post-10773309)
 * Status: resolved