wfmark
Forum Replies Created
-
Hello @kunjal123, and thanks for reaching out to us!
I would suggest changing the Wordfence Web Application Firewall into Learning Mode. From the Wordfence Dashboard, click on Manage WAF. Then, you will see Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode. Try uploading media files using a subscriber role and also make changes using your editor role and check whether it reflects on the frontend side. Once done, switch the WAF from Learning Mode back to Enabled and Protecting and test to see that you can still view the Login Security page.
https://www.wordfence.com/help/firewall/learning-mode/ is an amazing resource for learning more about the WAF and learning mode.
Let me know how in case this doesn’t solve your issue.
Thanks,
Mark.
Hi @udarakalana, Thanks for reaching out.
The wp_wfls_role_counts temporary table was added to Wordfence to improve the performance of the user count calculation that drives the table at the top of the Wordfence>Login Security > Settings page.
Temporary tables should be dropped automatically when all connections disconnect from the database, so there should be cause for concern.
You can also safely change the storage engine on this table manually if needed — it may make performance slower only on the Login Security menu pages for admins where users are counted, but assuming you don’t have tens of thousands of users, the speed is usually tolerable. Wordfence only recreates this table if it is missing, but it does not change the storage engine if you manually change it.
Thanks,
Mark
Hello @alanrogers, and thanks for reaching out to us!
When the scan is catching files like that, its always best to ask the theme developer about the contents. Some themes will rewrite files to orig but it’s always safe to double-check with them first.
If you have no way of contacting them, I would recommend backing up these files, then removing them to see if it has a negative effect.
Let me know what you do find!
Thanks!
Mark
Hello @techsoldd, Thanks for reaching out and sharing the troubleshooting steps you have taken so far.
By default, Cloudflare should not be caching wp-login.php, unless you have changed that setting.
I suspect this may have been caused by the reCAPTCHA human/bot threshold score set on your site being too high. Any “Verification Required” messages and emails are related to the message Google will send back when the user fails to be confirmed as human by reCAPTCHA checks.
We don’t receive inside information from Google about why a human may sometimes receive a low enough score to always require verification. The “reCAPTCHA human/bot threshold score” setting in Wordfence > Login Security > Settings is set to 0.5 by default. A higher threshold setting like 1.0 will cause the verification process to be more frequent as it would need to definitely be seen as a human to log in without verification. I recommend setting that to 0.5 and then using the “Run reCAPTCHA in test mode” option below that for a short time to see what sort of scores you see during your logins. After looking at the test mode score, you may need to slightly reduce or increase the threshold score.
If the issues persists, it might also be a good idea to disable auto-updates for Wordfence, if needed and check the Browser Console to see if you can detect any JavaScript errors or files that fail to load and share a screenshot with me.
Let me know how it goes.
Thanks,
Mark.Hi @m1guelrod,
Thank you for reaching out to us.You can clean the site by using the following guide: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
Make sure to get all your plugins and themes updated and update the WordPress core, too. As a rule, any time I think someone’s site has been compromised, I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this because attack vectors around your hosting or database environments are outside of Wordfence’s influence as an endpoint firewall.
We always recommend using long unique passwords along with 2FA for your administrative accounts. This might assist if they’re using an existing compromised admin account to create this user and elevate the privileges.
Additionally, you might find the WordPress Malware Removal section in our Learning Center helpful: https://wordfence.com/learn/
If you’re unable to clean this up on your own, there are paid services that will do it for you. Wordfence offers one, and there are others. Per the forum rules, we’re not allowed to discuss Premium here, but please reach out to us at presales@wordfence.com if you have any questions about it.
Regardless, if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.
Thanks,
Mark
Hi @vidishp, Thank you for reaching out to us.
Since the issue started after the most recent update, I suggest changing the Wordfence Web Application Firewall into Learning Mode. From the Wordfence Dashboard, click on Manage WAF. Then you will see Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode. Now confirm whether you still see the JavaScript errors.
Once done, switch the WAF from Learning Mode back to Enabled and Protecting.
https://www.wordfence.com/help/firewall/learning-mode/ is an amazing resource for learning more about the WAF and learning mode.
Let me know in case the above doesn’t solve your issue.
Thanks,
Mark.
Translation:
Hello everyone, I installed the free version of Wordfence to test, I really liked it, but any change I make, whether on a page or on the blog itself, anywhere on the page I click opens Wordfence, and I can’t change it. I looked in the confg, but I couldn’t find it. Can someone help me?
Hi @elizianesousaipgo, Thank you for reaching out to us.
This sounds pretty uncommon, so I’d suggest clearing cache (site plugins and local browser) and disabling all other plugins except for Wordfence, then trying again to see if there’s a plugin or theme conflict causing the issue. You could also revert to a default theme, such as Twenty Twenty-Three.
If it works as expected, reenable your plugins and theme one by one until the issue recurs to help find the cause.
If there’s a plugin or theme conflict, I would suggest changing the Wordfence Web Application Firewall into Learning Mode. From the Wordfence Dashboard, click on Manage WAF. Then you will see Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode. Now confirm that you can view the Login Security Page. Once done, switch the WAF from Learning Mode back to Enabled and Protecting and test to see that you can still view the Login Security page.
https://www.wordfence.com/help/firewall/learning-mode/ is an amazing resource for learning more about the WAF and learning mode.
Let me know how it goes.
Thanks,
Mark.
Hi @brobro, Thank you for reaching out to us.
The free version is still available. However, we made a few changes to the free license sign-up process. Existing free site keys created before the change will continue working, but all new installations require you to register for a new key.
You can see the reasoning behind why we changed the free signup process in the following blog post: https://www.wordfence.com/blog/2022/11/wordfence-7-8-0-announcement/
Please click on the Resume installation button on the sites with issues and follow the instructions in the video on the page below to obtain a free license key.
https://www.wordfence.com/help/api-key/#installing-your-free-license-key
Please note that you can use the same email address to obtain license keys for all your sites. There’s no limit to the number of free sites a single email address can configure.
Let me know in case you have any issues.
Thanks,
Mark.
Hi @xxxhoop, Thank you for reaching out to us.
I suspect this could be a false positive from your issue description. Sometimes, WordPress plugins or themes may exhibit behavior resembling known attack patterns, resulting in the Wordfence firewall blocking something that is not malicious. This can be resolved by switching the firewall to learning mode to eliminate the false positives.
From the Wordfence Dashboard, click on Manage WAF. Then you will see Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode. Now proceed to confirm that pop-ups are no longer being blocked on the posts and pages. This will help Wordfence learn that these actions are normal, and it will allow them in the future. Once done, switch the WAF from Learning Mode back to Enabled and Protecting, then test to see that the pop-ups are not being blocked.
https://www.wordfence.com/help/firewall/learning-mode/ is an amazing resource for learning more about the WAF and learning mode.
Please get back to us if the above doesn’t solve your issue.
Thanks,
Mark
Hi @rgi001, Thank you for getting back to us.
To rule out any caching issues, could you please try an incognito/private browsing window or a different browser than your default one?
If the above doesn’t make a difference, please send us a diagnostic to wftest@wordfence . com. You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.
Thanks,
Mark.
- This reply was modified 2 years, 6 months ago by wfmark.
Hi @aga2442, Thanks for reaching out.
I couldn’t find your diagnostic report. To send it, please try the below instead:
Navigate to the Wordfence > Tools > Diagnostic page and then click the “Export” button. Send the txt file to wftest@wordfence.com. Add your forum username to the subject and respond here once done.
Thanks,
Mark.
- This reply was modified 2 years, 6 months ago by wfmark.
Hi @graichura, Thanks for reaching out.
Do you have any other Wordfence connection issues on the site?
wordfence_ls_ntp_cronis meant to sync up with an NTP server to determine if the plugin needs to use an offset for the server time. This is for 2FA to work since it depends on the synchronized time between the plugin and the used device. There is a chance this communication could be blocked by a server-side firewall or CDN such as Cloudflare, but I might expect to see other issues with communication to/from your site.While
cURL Error 7usually means that the website can’t make the connection to our servers at all, Cloudflare assigns an IPv6 address to your site even if your host doesn’t give you an IPv6 address. If you’re on Cloudflare, this could be a likely cause for a connection failure to be reported here and nothing to worry about.If the scan and plugin updates work under these conditions, the error in the diagnostics page can be disregarded. Let me know how that goes for you.
Thanks,
Mark
Hi @soozie10 , Sorry for the delayed response, and thank you for sending the diagnostic report.
Did you start using a proxy on the sites recently? This may explain the issue.
I’d recommend using X-Real-IP as X-Forwarded-For can be spoofed whereas X-Real-IP will always contain the actual remote peer address.
Thanks,
Mark.
Hi @ds1000, Thanks for reaching out.
Did you make any changes to your Brute Force Protection settings recently?
Can you please confirm the number you have set for “Lock out after how many login failures” under Wordfence> Firewall> Manage Brute Force Protection?
The login attempts may have failed, but if the users don’t hit or exceed the number set under “Lock out after how many login failures,” they will not be locked out, and you will not receive an alert for the same.
Let me know what you find.
Thanks,
Mark.
Hi @awpny, thanks for reaching out.
The unlock emails come from your website and not our servers. If they aren’t getting emails, you might want to check:
- The emails (from wordpress@yoursitename.com) are getting sent to your junk mail folder by your email client or provider. Make sure to whitelist or add your website to the list of safe domains so you get emails consistently.
- Their web server is having a problem with the email software on it. This isn’t like regular emails you send and receive but server alert messages. Usually, a restart of Postfix or Sendmail (whichever is installed) can fix it. Your clients’ hosting provider may need to help with this.
- Their hosting provider has disabled SMTP from the server for some reason, like preventing the server from being used to spam people.
- They have a third-party plugin for sending emails with another service, like Gmail, which isn’t working. Reaching out to the plugin author for support can help.
If they need to urgently regain access in the meantime, temporarily renaming their /wp-content/plugins/wordfence plugin folder to “wordfence_bak” and logging into their site using their username/password combination could be successful. Just make sure they rename it back to Wordfence once they log in.
Let me know how it goes.
Thanks,
Mark.