Title: webdeepak's Replies | WordPress.org

---

# webdeepak

## Forum Replies Created

Viewing 10 replies - 1 through 10 (of 10 total)

 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Pods - Custom Content Types and Fields] Create 800 customer post type pages](https://wordpress.org/support/topic/create-800-customer-post-type-pages/)
 *  Thread Starter [webdeepak](https://wordpress.org/support/users/webdeepak/)
 * (@webdeepak)
 * [5 years ago](https://wordpress.org/support/topic/create-800-customer-post-type-pages/#post-14485199)
 * I went on the Slack support channel yesterday and asked the question.
    Did get
   told that the WordPress internal import can handle this. I’m not sure how but
   will investigate and update here.
 * Also got told that the free version of these plugins can carry out the import,
   I’ve looked at the descriptions to “Import Custom Post Type” you would need a
   license. Will check and report back.
 * Also fell into a rabbit hole with the data structure of WordPress and Pods for
   the first time. post and podsrel seem to be the tables of interest. Not sure I
   have the time to do the detailed investigation here.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Pods - Custom Content Types and Fields] Create 800 customer post type pages](https://wordpress.org/support/topic/create-800-customer-post-type-pages/)
 *  Thread Starter [webdeepak](https://wordpress.org/support/users/webdeepak/)
 * (@webdeepak)
 * [5 years ago](https://wordpress.org/support/topic/create-800-customer-post-type-pages/#post-14481827)
 * Thanks [@bkantique](https://wordpress.org/support/users/bkantique/),
    Would you
   be able to share the mappings and the link to the plugin?
 * Regards
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] WAF rules not followed consistently](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/)
 *  Thread Starter [webdeepak](https://wordpress.org/support/users/webdeepak/)
 * (@webdeepak)
 * [5 years, 8 months ago](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/#post-13533317)
 * As per my understanding WordFence might not be getting the request with the Malware
   at all. It is not picking up the request ahead of the PHP/WordPress.
    The AV 
   is picking up the Malware and killing it, and it breaks the request hence a 403.
 * One final thing, I’m trying here for IIS users using Request Filtering.
    I do
   not want the requests to even get processed and the malware dropped. So testing
   with the following now.

   ```xml
   <denyUrlSequences>
     <add sequence=".." />
     <add sequence=":" />
     <add sequence="\" />
     <add sequence="/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php" />
   </denyUrlSequences>
   ```
 * Please close the ticket if not already done so
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] WAF rules not followed consistently](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/)
 *  Thread Starter [webdeepak](https://wordpress.org/support/users/webdeepak/)
 * (@webdeepak)
 * [5 years, 8 months ago](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/#post-13529881)
 * [@wfadam](https://wordpress.org/support/users/wfadam/)
    Thanks for the update.
   This is exactly what is happening.
 * In my understanding a WAF (Web Application Firewall) picks up the request before
   the application and forwards or stops it based on the rules. Also when I read
   the documentation when it said that let WordFence load before WordPress I thought
   that is what it meant.
 * WAF -> Application (PHP)
 * But in this case all the items are a bit mixed. WordFence is picking up the request
   too late in the process to stop the malware through. In this case the AV software
   stopped the malware but there is no guarantee that WordFence can do that and
   consistently and I would not expect it to as it’s not an AV product.
 * But it’s not also a true WAF either and that’s fine with me. Also I can also see
   that it does not learn from the type of calls being made. If I have to jump in
   each time then I can add the same items to RequestFilter attribute in web.config
   which is what I’ve resorted to do.
 * For anyone else having these issues, you can try the following:
    1) Install Microsoft Security Essentials
    2) Install a Malware protector and bad IP protector.
    3) Use WordFence and use it as a WAF and it will Log to IIS Logs as 503
    4) Use LogReader (15-year-old software). Still good to use to scan the logs and
       a simple PowerShell script to block the IPs from the server.
 * Job Done.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] WAF rules not followed consistently](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/)
 *  Thread Starter [webdeepak](https://wordpress.org/support/users/webdeepak/)
 * (@webdeepak)
 * [5 years, 8 months ago](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/#post-13525219)
 * Also when WordFence stops the request I get a 503 in the logs.
    So when the request
   was moved from IIS to WordPress/WordFence the request was carried out/executed.
   The Payload / Malware was dropped but the AntiVirus was able to pick and clean
   this up.
 * It seems WordFence was not able to stop the request even though the rules do
   say to reject the request to this end point.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] WAF rules not followed consistently](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/)
 *  Thread Starter [webdeepak](https://wordpress.org/support/users/webdeepak/)
 * (@webdeepak)
 * [5 years, 8 months ago](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/#post-13523117)
 * 404 are stops by IIS
    403 calls were the calls that went through and dropped
   the Malware.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] WAF rules not followed consistently](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/)
 *  Thread Starter [webdeepak](https://wordpress.org/support/users/webdeepak/)
 * (@webdeepak)
 * [5 years, 8 months ago](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/#post-13523073)
 * To confirm, the following rules were in place in WordFence under
   “Immediately block IPs that access these URLs”:

   ```
   /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
   /.env
   /wp-content/plugins/wp-file-manager*
   ```
 * As of the above attack I’m using WordFence Version 7.4.11 and WordPress 5.5.1
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] WAF rules not followed consistently](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/)
 *  Thread Starter [webdeepak](https://wordpress.org/support/users/webdeepak/)
 * (@webdeepak)
 * [5 years, 8 months ago](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/#post-13523051)
 * [@wfadam](https://wordpress.org/support/users/wfadam/)
    Your explanation is correct
   to the far the 404 19 are IIS request filtering which can stop the requests when
   there is no post data. When there is payload the request goes through to WordPress/
   WordFence and here it is not stopping it
 * ```
   2020-10-12 13:04:31 IPaddress POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 27.75.24.8 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 404 19 0 250
   2020-10-12 13:04:33 IPaddress POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 118.173.220.248 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 404 19 0 187
   2020-10-12 13:04:37 IPaddress POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 103.70.130.238 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 403 0 0 2250
   2020-10-12 13:04:56 IPaddress POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 123.25.218.6 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 403 0 0 843
   2020-10-12 13:05:01 IPaddress POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 113.181.100.89 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 403 0 0 625
   2020-10-12 13:05:03 IPaddress POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 223.229.253.0 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 403 0 0 453
   2020-10-12 13:05:04 IPaddress POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 188.163.22.193 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 403 0 0 265
   ```
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] WAF rules not followed consistently](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/)
 *  Thread Starter [webdeepak](https://wordpress.org/support/users/webdeepak/)
 * (@webdeepak)
 * [5 years, 8 months ago](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/#post-13510396)
 * [@wfadam](https://wordpress.org/support/users/wfadam/)
    To also confirm, I do
   not use wf-file-manager. This folder does not exist under plugins. And I have
   seen the link you have provided, the IP addresses are not the ones in the above
   log and also I have set up the rules that would block the requests.
 * Thanks
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] WAF rules not followed consistently](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/)
 *  Thread Starter [webdeepak](https://wordpress.org/support/users/webdeepak/)
 * (@webdeepak)
 * [5 years, 8 months ago](https://wordpress.org/support/topic/waf-rules-not-followed-consistently/#post-13510344)
 * Hi WFAdam,
    Sorry for the late response I only got a notification today when 
   responded to [@mongobongo](https://wordpress.org/support/users/mongobongo/).
 * The 3 logs are as follows
 * ```
   2020-09-29 10:34:29 POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 192.82.65.72 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 404 19 0 125
   2020-09-29 10:34:30 POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 188.234.192.55 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 404 19 0 93
   2020-09-29 10:34:35 POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 112.207.96.23 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 403 0 0 656
   ```
 * The return code for the first two was 404 the third one was 403 and this is what
   deployed the malware which did get picked up by the AntiVirus and killed it. 
   It was deployed in /tmp folder as suggested.
 * I do have a couple of rules for this as they started calling in readme etc files
   as well.

   ```
   /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
   /wp-content/plugins/wp-file-manager*
   ```
 * Similar to as stated before I do not have wp-file-manager plugin.
    Windows 2012
   with IIS 8.0 Wordpress 5.5.1
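
The log excerpts in the replies above separate requests answered with `404 19` from those logged as `403 0` or `503`. The following Python is an added example, not code from the thread or from Wordfence: it groups the client IPs that probed a watched path by the layer that answered them. The function names, the `#Fields` layout and the sample log (documentation-range IPs) are constructed for illustration, and the `503` = Wordfence mapping is taken from the thread.

```python
from collections import defaultdict

# Constructed sample in IIS W3C format (not the thread's log); client IPs are
# documentation-range placeholders.
PATH = "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
SAMPLE_LOG = "\n".join([
    "#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    f"2020-09-29 10:34:29 POST {PATH} - 443 - 192.0.2.10 Mozilla/5.0 - 404 19 0 125",
    f"2020-09-29 10:34:35 POST {PATH} - 443 - 198.51.100.7 Mozilla/5.0 - 403 0 0 656",
    f"2020-09-29 10:35:02 POST {PATH} - 443 - 203.0.113.5 Mozilla/5.0 - 503 0 0 31",
    "2020-09-29 10:35:10 GET /index.php - 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 88",
])

# 404 sub-status codes that IIS Request Filtering emits (5 = denied URL sequence,
# 19 = denied by filtering rule, ...); a plain 404 0 is an ordinary "not found".
FILTERING_SUBSTATUS = {"5", "6", "7", "8", "10", "11", "12", "13", "14", "15", "18", "19"}

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def layer(status, substatus):
    """Name the layer that answered, following the thread's reading of the codes."""
    if status == "404" and substatus in FILTERING_SUBSTATUS:
        return "iis-request-filtering"
    if status == "503":
        return "wordfence"  # assumption taken from the thread: Wordfence blocks log as 503
    return "reached-application"  # e.g. the 403 0 rows

def triage(text, watched_prefix):
    """Group client IPs that requested watched_prefix by the layer that answered."""
    groups = defaultdict(set)
    for row in parse_w3c(text):
        if row["cs-uri-stem"].lower().startswith(watched_prefix.lower()):
            groups[layer(row["sc-status"], row["sc-substatus"])].add(row["c-ip"])
    return {name: sorted(ips) for name, ips in groups.items()}

if __name__ == "__main__":
    for name, ips in triage(SAMPLE_LOG, "/wp-content/plugins/wp-file-manager").items():
        print(name, ips)
```

Addresses listed under `reached-application` are the ones whose requests got past request filtering, which is the case the thread is about.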
