wfmark
Forum Replies Created
-
You’re welcome @alamana.
I recommend reviewing the scan results daily or whenever you run a scan to review any modified file results.
Thanks,
Mark
Hi @helenvrees, thanks for getting back to us.
Can you please navigate to Wordfence> Tools> Live Traffic and confirm whether you see any Traffic entries on this page?
You may also want to confirm that the Firewall status is set to Enabled and Protecting under Wordfence>Firewall>Manage WAF.
Thanks,
Mark.
Hi @stefanp44, thanks for reaching out and bringing this to our attention.
I checked with our Threat Intelligence Team and confirmed that the vulnerability has been patched from version 2.5.10. The Vulnerability Database will be updated.
This should be safe to ignore.
Thanks,
Mark.
Hi @supervinnie41,
I can’t find your diagnostic in our inbox. Please follow the instructions in my previous post if you’ve not sent it yet, or try downloading it and sending it as an attachment if you already tried directly from your site.
Thanks again,
Mark.- This reply was modified 2 years, 6 months ago by wfmark.
Hi @tigrokon, thanks for getting back to us.
Wordfence is a localized firewall that stays on your web server to perform server-side scans at a deeper level.
Wordfence scans the files that are uploaded on your web server. Your files will not be shared with any third parties.
Thanks,
Mark
Hi @anafasia , thanks for getting back to us.
Glad to hear that the scans are working now.
On the ADs issue, I suspect this may be due to the malware issue you had on the site. Try running a High Sensitivity Scan on the site to see whether Wordfence detects any malicious files. You can do this by logging into your site and navigating to Wordfence > Scan > Manage Scan > High Sensitivity > Save – then run the scan from Wordfence > Scan > Start New Scan.
You can clean the site by using the following guide: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
Make sure and get all your plugins and themes updated and update WordPress core, too. As a rule, any time I think someone’s site has been compromised, I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this because attack vectors around your hosting or database environments are outside of Wordfence’s influence as an endpoint firewall.
Additionally, you might find the WordPress Malware Removal section in our Learning Center helpful: https://wordfence.com/learn/
If you’re unable to clean this on your own, there are paid services that will do it for you. Wordfence offers one, and there are others. Per the forum rules, we’re not allowed to discuss Premium here, but please reach out to us at presales @ wordfence.com if you have any questions about it.
Regardless, if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.
Thanks,
Mark
Hi @pldoolittle,
As per the forum guidelines below, please open your own topic, and we would be glad to assist you:
“Unless users have the exact same version of WordPress on the same physical server hosted by the same hosts with the same plugins, theme, and configurations, then the odds are the solution for one user will not be the same for another. For this reason, we recommend people start their own topics.”
Thanks,
Mark.
Hi @wrathyimp, thanks for getting in touch!
Unfortunately, we can not recommend a specific plugin. The choice of a form plugin with file upload capabilities depends on various factors, including the specific requirements of your project, your familiarity with different tools,
You can check out this page:
https://wordpress.org/plugins/search/form/
I hope that helps you out!
Thanks,
Mark.
Hi @dreame, Thank you for reaching out to us.
Please confirm whether you are using the latest version of WordPress, as we have had cases where updating WordPress fixes the issue.
Issues like this can be caused by plugin or theme conflicts stopping our Javascript from loading correctly or causing errors that mean our code doesn’t get run. Generally, reverting to a default theme and disabling all plugins except Wordfence should hopefully regain your button functions. If it does, re-enable everything else one by one until the issue returns to find the source of the issue.
It’s possible for a repair to be working in the background after the click, then time out. Running the scan again might reveal there are less files to repair than the previous scan if that’s the case. Please inspect the network tab of the console to see if anything was triggered when the button was clicked if the page doesn’t change and share a screenshot with us.
Let me know how it goes.
Thanks,
Mark.
Hi @munzee, thanks for getting in touch!
I’d check that the process owner on your folders that have 755/644 permissions is www-data.
If all that seems good, navigate to your wp-content/wflogs folder and delete the contents entirely. Wordfence should try repopulating it within 30 minutes to solve any issues if the files are corrupted or unusually large.
If you continue to have persistent problems with this file/folder but don’t see connectivity or permissions failures/error messages in your Wordfence > Tools > Diagnostics page, you can bypass this entirely by setting Wordfence to write to the MySQLi storage engine instead of a file: https://www.wordfence.com/help/firewall/mysqli-storage-engine/
I hope that helps you out!
Thanks,
Mark.
Hello @npanic , and thanks for reaching out to us!
If the firewall is optimized, you can add the line define(‘WFWAF_STORAGE_ENGINE’, ‘mysqli’); after <?php on a new line within /wordfence-waf.php. Wordfence will then save all its firewall data within the database instead of attempting to use the file system. If the firewall is not optimized, you’ll do that via the wp-config.php file. You can check to see if the firewall is optimized via Wordfence > Firewall > All Firewall Options > Protection Level, which will have a button saying “Remove Extended Protection” if it is optimized. Kindly check the link below for more information.
https://www.wordfence.com/help/firewall/mysqli-storage-engine/
Make sure the define(‘WFWAF_STORAGE_ENGINE’, ‘mysqli’); is in the correct bracket in the PHP file.
Please note that we only recommend using this option if your site is unable to read and write to the firewall files consistently or if your host uses multiple web servers that do not share the same filesystem since better performance and efficient resource usage are likely when using the default file-based storage on most hosts.
Thanks,
Mark.
Hello @adamwpmp, and thanks for reaching out to us!
If you navigate to Wordfence > All Options > Email Alert Preferences, you will see a series of checkboxes titled “Email me when…”. and “Alert me when…“.”If you do not wish to continue receiving these admin login alerts as frequently, you can tick both the “Alert me when someone with administrator access signs in” and “Only alert me when that administrator signs in from a new device”, which should reduce the number of these alerts you receive. Alternatively, you can disable those here as well. Don’t forget to press the SAVE button when done.
From this section, you can choose what settings fit best for you. Keep in mind that deactivating most of these notifications may lower your ability to quickly react to an attack or vulnerability.
Thanks,
Mark
- This reply was modified 2 years, 6 months ago by wfmark.
Translation:
Good morning,
Here is the message obtained after a Wordfence scan:
Unknown file in WordPress core: wp-admin/css/colors/blue/php.ini (+ 238 more)Type: File
Issue Found October 12, 2023 8:03 a.m.
Obviously 238 files are problematic and I don’t really know what to do to fix it. First of all, is it possible that this is a reading error? Or is it serious?
Here is the message obtained at the end of the box:
Details: This file is in a WordPress core location but is not distributed with this version of WordPress. This scan often includes files left over from a previous WordPress version, but it may also find files added by another plugin, files added by your host, or malicious files added by an attacker. 238 more similar files were found
Thanks for your help,
Hello @gaelleclairfonce, and thanks for reaching out to us!
If you already know about the listed file, you can click the link to ignore the file until it changes. If you don’t know what the file is, it may require some investigation to find out if your host has placed it there, if your FTP application or OS may have created it, or if it is malicious.
Some “Managed WordPress” hosting plans do not allow you to change core files, and on some hosts, if a new version of WordPress no longer includes a particular file, it may be left in your site’s files after they update WordPress. In this case, it is generally safe to ignore the file, or you can contact the host if you believe it should be removed.
In a few cases, we have seen that a host’s support staff or a host’s control panel may place “php.ini” files in every subdirectory of WordPress’s core files. Typically, this is to change PHP settings throughout the site. Since this can generate a lot of scan results, we combine results for php.ini files into a single result with a note like “(238 more similar files were found.)”
If that occurs, we recommend checking the contents of some of these files to make sure they are safe. Assuming that they are safe, your host may have a better way to set the same PHP settings without adding additional files; depending on the server configuration, it is usually done through the PHPRC environment variable or by using.user.ini.
Alternatively, if you are sure they are safe, you can use the “ignore” option to hide the result unless there are future changes.
Let me know if this helps!
Thanks,
Mark
Hi @rgi001, Thank you for reaching out to us.
This sounds pretty uncommon, so I’d suggest clearing cache (site plugins and local browser) and disabling all other plugins except for Wordfence, then trying again to see if there’s a plugin or theme conflict causing the issue. You could also revert to a default theme, such as Twenty Twenty-Three.
If it works as expected, then reenable your plugins and theme one by one until the issue recurs to help find the cause.
If there’s a plugin or theme conflict, I would suggest changing the Wordfence Web Application Firewall into Learning Mode. From the Wordfence Dashboard, click on Manage WAF. Then you will see Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode. Now confirm that you can view the Login Security Page. Once done, switch the WAF from Learning Mode back to Enabled and Protecting and test to see that you can still view the Login Security page.
https://www.wordfence.com/help/firewall/learning-mode/ is an amazing resource for learning more about the WAF and learning mode.
Let me know how it goes.
Thanks,
Mark.
Hi @davidovic123, Thanks for reaching out.
To resolve the IP detection issue, find your public-facing IP address here – https://whatismyipaddress.com/. Then look at Wordfence > All Options > General Wordfence Options > How does Wordfence gets IPs and cycle through the options until it displays the IP address above. That will be the setting you need to use going forward, so click the Save button once you’re done.
Normally, the Server State and Vulnerability Scan warnings can be thrown by a number of factors, as each stage involves a few different checks. I can highlight those without trying to generalize too much: https://www.wordfence.com/help/scan/#scan-stages
As the page above explains, if there is an issue with any of those steps, then there’s a likelihood of the yellow warnings being shown. I might be able to help more specifically by seeing scan result messages and your server configuration if you send me a diagnostic report.
Can you send one to wftest@wordfence.com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated.
For the scan log, please navigate to Wordfence> Scan > Email Activity Log and send it to wftest@wordfence.com as well.
Let me know when you’ve sent both so I can have a look.
Thanks,
Mark.