yorman

How many files are being mentioned in the mail alerts?

Is it the same files mentioned in this other ticket [1]?

[1] https://wordpress.org/support/topic/core-wordpress-files-were-modified-after-deleting-a-default-theme/

@harzens — thank you for the screenshot and the explanation.

I will work on this now and try to get a patch for the end of the day.

Thank you for your patience.

Those are Italian language files, they are not part of the official WordPress package, they were downloaded by the system when you went to the settings page and changed the language of your website, but they are not part of the official installation, that’s why the plugin is flagging them.

Please fix

This is not a bug, it’s a feature request.

You can select these files and choose the option “Mark As Fixed” which will do exactly what you are suggesting, but only in your own website. Other people will prefer to keep receiving these notifications, so implementing your suggestion in the code is a bad idea. The option to mark a file as “fixed” was designed specifically for edge cases like yours, where the website owner believes that the flagged files are harmless, and so they can force the plugin to ignore them in future scans.

Marking as resolved, feel free to re-open if you need more information.

The “in x hours” means that the timestamp that was stored in the logs is in the future compared to the current timestamp reported by the web server. This only happens if the timezone of the server is different than the timezone that was being used when the logs were written into disk.

For example, lets say that yesterday the server had timezone UTC-0000 and the plugin registered six logs at 1, 2, 3, 4, 5, 6:00 pm but today someone changed the timezone of the server to UTC-0700 which makes the values in the log file appear as if they were in the future because UTC-07 is on the left of UTC-00.

Ask your hosting provider to see if they changed something since yesterday.

The Sucuri plugin only opens the main access control file (the one in the document root) for reading, never for writing. The only files that it opens for writing are these [1][2][3] and only when you go to the plugin’ settings page, Hardening section, and click one of the buttons to block the direct access to the PHP files, it doesn’t modifies these files automatically, only per request when you click a button.

You said this is a recurrent problem, if I was you I would disable/delete the Sucuri plugin for 1-2 days and see if the problem keeps happening, if yes then you will be sure that the culprit is one of the other plugins, if the problem stops then I guess you could blame the Sucuri plugin, if this is the case, please contact me again so I can continue the investigation.

Marking as resolved for now, feel free to re-open if you need more information.

[1] /wp-content/.htaccess
[2] /wp-includes/.htaccess
[3] /wp-content/uploads/.htaccess

Some plugins and themes use the posts table to temporarily store data, it is possible that “WPForms Lite” does that too and somehow they were able to trigger that action, for example, submitting information through a form that you created using that plugin. The plugin stored the data that they submitted in the database, and this triggered the creation of a new post, which also triggered the event report from the Sucuri plugin, and so you received a notification about that.

It doesn’t mean that you were hacked, but considering the reputation of that IP address, I would say that they are using a web vulnerability scanner against your website to detect possible security holes that can be used to exploit and get inside the admin area. These vulnerability scanners usually submit random information through every form found in any page, just to see how it behaves; I believe this is what happened in your case.

Marking as resolved, feel free to re-open if you need more information.

Then you cannot whitelist your IP address.

That website that you linked in your original post is being protected by the Sucuri Firewall, one of our customers created an account and added the website there, and one can only do that if the person also has administrative access to the website. If you don’t have access to the Sucuri Firewall then you have to ask the person who has control over the account to whitelist your IP.

EDIT: Taking a quick look at the screenshot [1] that you provided, it seems that you are trying to use a backdoor to delete some content from the website, that’s why the Sucuri Firewall blocked your IP address.

[1] https://image.prntscr.com/image/l1UK22bKSqupz-SzHlLw5g.png

can you tell me its ok disabled wordpress integrity diff utility?

Yes, it is okay to have this option disabled, if you don’t want to use it.

[…] or i must enabled this feature

You can enable this option if you think the tool will help you investigate the corruption of the WordPress core files.

i dont have any idea about it

The diff utility is a tool that allows you to see the differences between the code that you have installed in your website and the code that was originally provided by WordPress, you can see an example here [1]. However, to be able to enable this option your server needs to enable something called “shell function” and apparently your hosting provider blocked that, that’s why you are seeing that error message. So even if you wanted to enable that option, you cannot, because your hosting provider blocked the “shell functions”.

Marking as resolved, feel free to re-open if you need more information.

[1] https://ps.w.org/sucuri-scanner/assets/screenshot-2.png