Forum Replies Created

Viewing 15 replies - 481 through 495 (of 1,714 total)
  • It means that someone is using a “Password Guessing Brute-Force Attack” [1] to get into your administration panel using the username adm from different IP addresses, probably using a proxy as they are all different while the time is consistent.

    [1] https://kb.sucuri.net/definitions/attacks/brute-force/password-guessing
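
The pattern described in the reply above (one username, a different source IP on almost every attempt, evenly spaced attempts) can be looked for in failed-login records. The Python code below is an added example, not part of the original reply or of the Sucuri plugin; the record format, the sample events and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed failed-login records: "date time username source-ip" (hypothetical format).
SAMPLE_EVENTS = """\
2017-08-20 09:00:00 editor 198.51.100.7
2017-08-20 09:00:05 editor 198.51.100.7
2017-08-20 09:03:00 editor 198.51.100.7
2017-08-20 09:10:00 editor 198.51.100.7
2017-08-20 09:10:02 editor 198.51.100.7
2017-08-20 10:00:00 adm 203.0.113.10
2017-08-20 10:00:30 adm 192.0.2.44
2017-08-20 10:01:01 adm 203.0.113.87
2017-08-20 10:01:30 adm 198.51.100.23
2017-08-20 10:02:00 adm 192.0.2.150
2017-08-20 10:02:31 adm 203.0.113.201
"""

def parse_events(text):
    """Return (timestamp, username, ip) tuples; lines without four fields are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, parts[2], parts[3]))
    return events

def distributed_guessing(events, min_attempts=5, min_ip_ratio=0.8, max_jitter=0.25):
    """Flag usernames that fail from mostly distinct IPs at a steady rate."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    findings = {}
    for user, rows in by_user.items():
        if len(rows) < min_attempts:
            continue
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0  # spread of the gaps relative to their mean
        distinct = len({ip for _, ip in rows})
        if distinct / len(rows) >= min_ip_ratio and jitter <= max_jitter:
            findings[user] = {"attempts": len(rows), "distinct_ips": distinct,
                              "mean_gap_s": round(avg, 1)}
    return findings
```

On the sample, only `adm` is flagged; the five failures for `editor` come from a single address at irregular intervals, which looks like a user mistyping a password rather than a distributed guessing run.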

    Download this file [1] into your server as readme.html.

    If you are using a version of WordPress different than 4.8.1 then change the number in the URL accordingly. Notice that we do not provide an option to revert this hardening because deleting this file has absolutely no effect on the functionality of your website; the “500 Internal Server Error” that you are experiencing has nothing to do with this file.

    [1] https://core.svn.wordpress.org/tags/4.8.1/readme.html

    This is the code that handles the form submission of that hardening option [1]; when it runs it executes this piece of code [2] which only fails if the directory does not exist or is not writable by the PHP interpreter.

    Permissions are server-dependent, meaning that only the configuration of your server applied by your hosting provider determines what the solution to this problem is. I cannot say more than — “check if the directory exists and that the write permissions are granted to the same user that is running the web server” — if you are able to communicate with your hosting provider about this, they can give you more details about their configuration.

    Additionally, if you are still having problems with this option, just go ahead and put the string from line 50 to line 58 highlighted here [3] inside this file [4]. This is basically what the plugin does in the background when you enable that option.

    [1] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/13de2f4/src/settings-hardening.php#L233-L242
    [2] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/13de2f4/src/hardening.lib.php#L62-L93
    [3] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/13de2f4/src/hardening.lib.php#L39-L60
    [4] /wp-content/uploads/.htaccess

    The problem with the language file can be fixed by deleting these two files [1][2] created by WordPress during its automatic updates. Or you can install the development version of the code from here [3] which already includes a fix.

    As for the greyed out options in the hardening page, this only happens if your website contains a valid Sucuri Firewall API key. The plugin assumes that your website is already protected by us and disables all the options in the hardening page as these rules are already applied by our Firewall; applying them using the plugin would be redundant.

    [1] /wp-content/languages/plugins/sucuri-scanner-en_US.po
    [2] /wp-content/languages/plugins/sucuri-scanner-en_US.mo
    [3] https://github.com/cixtor/sucuri-wordpress-plugin/archive/master.zip

    @gamingage — can you provide more details about this issue?

    The code that was causing the slow responses a year ago doesn’t exist in the current version 1.8.8; so I doubt the problem that you are experiencing is related to the same bug. If you can provide more details about the experience that you are having I could investigate the issue and fix the problem immediately.

    Here is a list of things that you could tell me:

    • Does your hosting provider use a custom DNS server? There is a piece of code in the plugin that is executing a DNS lookup on startup; if the DNS server that your hosting provider is using is too slow, it may affect the performance of this code and consequently the performance of your website.
    • How often do you notice the slow load times? Is it at a specific hour of the day or all the time for every page load? I ask this because there is a scheduled task that runs every 24 hours, and it does something that in rare cases could be resource intensive. Noticing a slow load time at a specific time of the day would point us to this piece of code, otherwise we could look into something else.
    • Although this shouldn’t be the problem, how much time does it take to receive a response from this website https://wordpress.sucuri.net/ from your server? Can you use CURL to execute a GET/POST request against that domain? If yes, what is the execution time?
    • Can you check if this file exists? /wp-content/uploads/sucuri/sucuri-auditqueue.php and if it does, can you check how many lines it contains? This is basically the new storage system for the events that replaced the real-time reporting using the API a year ago. Instead of sending this data to our server immediately we send it to this file, this way the latency of the API service will never affect the responsiveness of your website.

    I have more questions, but these could do for now. Please answer them all.

    @supaiku @hzagar — I will mark this as resolved as we have applied many significant changes to the code since version 1.8.3 and so far I have not been able to reproduce the issue either with a regular WordPress installation or with a Multisite.

    Feel free to re-open this ticket if you are still experiencing this issue and include additional information about your environment so I can reproduce it and investigate it. Otherwise, we can leave this as resolved.

    @chrislyles — I will mark this as resolved as we have applied many significant changes to the code since version 1.8.3; feel free to re-open this ticket if you are still experiencing this issue and include additional information about your environment so I can reproduce it and investigate it. Otherwise, we can leave this as resolved.

    I am curious about what “[…] it requires loading of some php files” exactly means. Loading a PHP file, technically speaking, refers to the use of the “include” or “require” statements, these are not affected by any of the hardening options in any security plugin that I know.

    What the Sucuri plugin and others do is to block HTTP requests going directly to a PHP file, which in most cases (at least in the WordPress plugin ecosystem) doesn’t happen, with just a few exceptions. I am not sure why “wlm-social” requires you to whitelist the entire directory.

    Unfortunately, I cannot investigate this further as this is a premium plugin. It is very difficult if not impossible to give support and prevent incompatibilities with premium plugins because their development is made in private; we cannot track which changes are applied until it’s too late.

    Since you are paying for that plugin, I assume that they provide premium support. You can ask them to investigate the issue and they will take a decision on their own. I will leave this marked as resolved.

    Also, whilst Wordfence is a competitor, do you not think it’s a bit bad on Sucuri’s side showing “Website Firewall Protection” as red/no firewall when someone is using Wordfence for their firewall?

    It is not bad per se, as it is just a red text, but I understand your concerns as the message can be misleading. I will try to find ways to detect if a website is using one of the popular firewalls in the market besides the Sucuri Firewall. Hopefully, the code will be available in the next version of the plugin. Thank you for the suggestion.

    […] my plugin that requires the running of php files has LOTS of php files

    We do not have an option to allow you to whitelist an entire directory because it contradicts the point of the hardening in the content directory. I implemented the individual PHP file whitelisting because some popular plugins have 1-2 PHP files that need to be accessed directly to generate images or to track data, but I have not found a case where an entire directory should be whitelisted.

    Please share the plugin that you are having problems with so I can investigate.

    Alternatively, you can whitelist the entire directory by creating a “.htaccess” file inside that folder and adding the following access control rules which will have more priority than the ones created by the Sucuri plugin:

    <FilesMatch "\.(?i:php)$">
      <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
      </IfModule>
      <IfModule mod_authz_core.c>
        Require all granted 
      </IfModule>
    </FilesMatch>

    Marking as resolved, feel free to re-open if you need more information.
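
Because a “.htaccess” file like the one in the reply above re-enables direct PHP requests for a whole folder, it is useful to know where such overrides exist under the content directory. The Python code below is an added example, not part of the original reply or of the Sucuri plugin; the function names and the contrasting deny rule are constructed for illustration.

```python
import os
import re

# <Files>/<FilesMatch> sections whose pattern mentions "php", and allow-all directives.
SECTION_OPEN = re.compile(r"<\s*(FilesMatch|Files)\s+[^>]*php[^>]*>", re.I)
SECTION_CLOSE = re.compile(r"<\s*/\s*(FilesMatch|Files)\s*>", re.I)
GRANT = re.compile(r"^\s*(Require\s+all\s+granted|Allow\s+from\s+all)\s*$", re.I)

# The override rule quoted in the reply above.
PAGE_RULE = r"""<FilesMatch "\.(?i:php)$">
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
</FilesMatch>"""

# Constructed deny rule for contrast (not copied from the plugin).
DENY_RULE = r"""<FilesMatch "\.(?i:php)$">
  Require all denied
</FilesMatch>"""

def grants_php_access(htaccess_text):
    """True if a PHP-matching section contains an uncommented allow-all directive."""
    inside = False
    for line in htaccess_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if SECTION_OPEN.search(line):
            inside = True
        elif SECTION_CLOSE.search(line):
            inside = False
        elif inside and GRANT.match(line):
            return True
    return False

def find_php_overrides(root):
    """Return folders under root (relative paths) whose .htaccess re-allows PHP requests."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if grants_php_access(fh.read()):
                    hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)
```

Calling `find_php_overrides` on the `wp-content` directory lists every folder where the hardening has been relaxed, so each one can be reviewed and the override removed when it is no longer needed.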

    […] what SMTP plugin should I use to avoid conflicts with Sucuri?

    I don’t know what features Postman SMTP offers that the other SMTP plugins cannot do. So far, people have only reported problems with Postman SMTP so I guess you could use any of the other plugins available here [1] but I haven’t tested any of them yet.

    The incompatibility between the Sucuri plugin and Postman SMTP only affects the notifications for the successful and failed logins. It was originally affecting the notifications for changes in the posts/pages but I applied this patch [2] to fix that problem. If you want you can keep using that plugin, I will try to fix the incompatibility in a future version of the Sucuri plugin.

    Marking as resolved, feel free to re-open if you need more information.

    [1] https://wordpress.org/plugins/search/smtp/
    [2] https://github.com/Sucuri/sucuri-wordpress-plugin/commit/350c074

    You cannot revert them.

    The plugin disables all the buttons in the hardening page when it detects that the website is using the Sucuri Firewall. However, this doesn’t mean that the hardening options have been applied; the Firewall protects your website against all known threats that the hardening options are trying to protect, so having both options is redundant.

    You can, however, delete these files [1][2][3] to revert the hardening applied by the plugin, but the buttons will still be disabled as long as your website is behind the Sucuri Firewall. If you are unsure about this, execute this command [4] in your terminal emulator and if you find the word “cloudproxy” in the name of the host that is serving your website, then it means that it is behind the Firewall, otherwise just let me know and I will investigate.

    Marking as resolved, feel free to re-open if you need more information.

    [1] /wp-content/.htaccess
    [2] /wp-includes/.htaccess
    [3] /wp-content/uploads/.htaccess
    [4] host -t A example.com

    Please send a screenshot of the whole “Security Alerts” panel to [removed] (email removed to avoid spam) and upload a copy of this file [1] into this website [2] so I can verify if the version of the code that you have is corrupt or not. You will probably need to reinstall the plugin in that case because the option really exists as you can see here [3].

    [1] /wp-content/plugins/sucuri-scanner/src/settings-alerts.php
    [2] https://pastebin.com/
    [3] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/13de2f4/src/settings-alerts.php#L387-L388

    The message should only be visible if the Postman SMTP plugin is active. You can see the code that is making the message visible here [1]; notice how the built-in WordPress function “is_plugin_active” is used to determine if the plugin is still running or not.

    Regarding the alerts that you are still receiving, notice that there are two options to control the notifications for the failed logins, you can see them below. The first option is the one that controls the alerts, if you disable that one it will automatically assume that you have disabled the second one, however, if you only disable the second one the plugin will only stop appending the password used in the login attempt into the message, but will continue sending you the failed login alerts. Please uncheck both options.

    • Receive email alerts for failed login attempts (you may receive tons of emails)
    • Receive email alerts for failed login attempts including the submitted password

    Marking as resolved, feel free to re-open if you need more information.

    [1] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/13de2f4/src/settings-alerts.php#L407-L424

    Once the plugin is active you should see a new icon on the WordPress sidebar like this one [1] which includes the links to the dashboard, firewall, last-login and setting pages.

    Can this plugin resolve my problem?

    No, the plugin in itself will not remove the malware from your website, but it can give you enough information to find it so you can delete it yourself. There is a tool called “WordPress Integrity” that you can use to restore the original content of the WordPress core files, but if the malware was embedded into other parts of your website (database, web server modules, cronjobs, themes, background processes, etc) it will not do anything because the nature of the WordPress plugin ecosystem prevents them from having high privileges to do these things in your server.

    You can, however, hire a professional, malware researcher, or web developer with security skills to clean up your website. Sucuri offers this service as a paid subscription that is not included with the plugin, you can read more about the service here [2] and the pricing here [3].

    Marking as resolved, feel free to re-open if you need more information.

    [1] http://i.imgur.com/WjkfWrK.png
    [2] https://sucuri.net/website-security-platform/
    [3] https://sucuri.net/website-security-platform/signup

    @adaptablewebsites — there is no solution, just disable the plugin for now.

    I will release version 1.8.9 in a couple of weeks with a fix. Clearly adding internationalization support was a bad idea; people are not even interested in helping with the translations so I don’t see the point of this. I will just revert the changes that I applied to support language files and go back to the basic English interface. It will take me several days to do this as I have to rewrite many files, but once this is finished you will stop seeing the “visual garbage”.

    Thank you for your patience.
