yorman

Hello @shaunmesh

Thank you for providing some logs.

These are not error logs, but ModSecurity logs, good enough.

The only thing that seems to explain the 500 internal server errors:

• mod_fcgid: read data timeout in 60 seconds
• Connection timed out: mod_fcgid: ap_pass_brigade failed

This information, along with the fact that the Sucuri plugin seems to be the only one causing the problem, leads me to believe that one or more of the actions attached to the “admin_init” WordPress hook is taking too long to finish the process.

src/globals.php [064] SucuriScanInterface::initialize
src/globals.php [068] SucuriScanInterface::handleOldPlugins
src/globals.php [069] SucuriScanInterface::createStorageFolder
src/globals.php [168] SucuriScanHook::hookCoreUpdate
src/globals.php [169] SucuriScanHook::hookOptionsManagement
src/globals.php [170] SucuriScanHook::hookPluginDelete
src/globals.php [171] SucuriScanHook::hookPluginEditor
src/globals.php [172] SucuriScanHook::hookPluginInstall
src/globals.php [173] SucuriScanHook::hookPluginUpdate
src/globals.php [174] SucuriScanHook::hookThemeDelete
src/globals.php [175] SucuriScanHook::hookThemeEditor
src/globals.php [176] SucuriScanHook::hookThemeInstall
src/globals.php [177] SucuriScanHook::hookThemeUpdate
src/globals.php [178] SucuriScanHook::hookWidgetAdd
src/globals.php [179] SucuriScanHook::hookWidgetDelete

These are the only functions that run when you load the WordPress admin page. One thing you can do to continue the investigation is to deactivate these functions by adding the following constant to wp-config.php, then reload the admin page, if the page loads without the “500 Internal Server Error” then congratulations, you have narrowed the error down to this block of code:

define("SUCURISCAN_ADMIN_INIT", false);

Let me know what happens after adding this constant.

Hello @schoaf

Fatal error: Cannot redeclare sucuriscanResetAndDeactivate()

There’s only one single declaration of this function in the plugin [1].

This error can —and will— happen if:

1. You have installed a copy of the plugin with a different name
2. Your APC installation is misconfigured, fix it with this [2]
3. There’s a bug in WordPress forcing multiple plugin loads [3]
4. Someone modified the plugin to duplicate the function

[…] but this server has not changed in all of those years?

I read this sentence as: I haven’t installed security updates, haven’t upgraded to a newer version of PHP, and no one except me have logged into this server in 3+ years. Please confirm if what I am assuming is correct, otherwise, we can conclude that the problem is related with a misconfiguration of the APC module that you or someone else may have installed.

We can continue investigating this issue if you provide more information about your server, otherwise, it will be impossible for me to provide a solution because the code is not broken. Here is a list of things that may help us continue the investigation:

• What type of web server is running?
• What PHP modules are currently installed?
• What PHP modules are currently active?
• What web server modules are currently active?
• How many people have access to your server?
• Is there a caching system in front of your website?
• Do you have any type of PHP Accelerator? [4]
• What WordPress plugins are currently installed?
• What WordPress plugins are currently active?
• Can you execute this command [5] in your server?

I hope you can answer all these questions so we can resolve this problem.

[1] Sucuri/sucuri-wordpress-plugin/sucuri.php#L244-L256
[2] https://stackoverflow.com/a/9245774
[3] https://make.wordpress.org/core/handbook/testing/reporting-bugs/
[4] https://en.wikipedia.org/wiki/List_of_PHP_accelerators
[5] grep -r -n "function.*sucuriscanResetAndDeactivate" /

Hello @amateurhr

@ycampo will be able to answer your question.

I understand the Sucuri Support team uses various email addresses to temporarily verify the ownership of a domain during a malware cleanup, but I am not aware of the current list of addresses they are using.

I hope you can be a better answer soon.

Thank you, I’ve added your fix here [1].

The fix will be released once @ycampo reviews and merges the changes.

[1] https://github.com/Sucuri/sucuri-wordpress-plugin/pull/73

Hello, yes, you can use both of them at the same time, in the same website.

Hello @mike80222

(1) Protecting the MemberPress login page

The plugin detects successful and invalid logins by intercepting a WordPress called “wp_login” [1] and “wp_login_failed” [2] respectively. If MemberPress’ login page triggers this action —(they should, if they are hooking into a WordPress page)— then you don’t have to configure anything.

(2) Clearing the failed login page

1. Visit “Sucuri Security > Settings > General”
2. Scroll down to “Data Storage”
3. Select “sucuri-failedlogins.php”
4. Select “sucuri-oldfailedlogins.php”
5. Click the “Delete” button
6. Done

(3) Timezone issues

1. Visit “Sucuri Security > Settings > General”
2. Scroll down to “Timezone”
3. Select date and time that matches your zone
4. Submit the form
5. Done

(4) What exactly happens after the max unsuccessful logins?

If you choose “60 failed logins per hour”, for example, the plugin will send you and email with a summary of all the failed login attempts that occurred during the last hour, only if there are more than 60 failed attempts. If there are 59 or less attempts, the plugin will ignore them and reset the counter after the hour, then it will start collecting the logs again.

This option goes along with options from the “Security Alerts” panel:

• Receive email alerts for failed login attempts
• Receive email alerts for password guessing attacks

If your website gets 1,000+ failed logins per hour, you will not want to receive 1,000 email alerts. You’ll probably disable the first option, and enable the second option, and then configure the maximum number of attempts to send the summary.

I then test it by typing a bad password 30 times. It *appears* that at that point Sucuri puts up a “captcha” screen.

The plugin doesn’t provides this functionality, the captcha is being added by the Sucuri Firewall [3]. The documentation about this specific feature is available in this page [4] and you can ask for more details via chat (from the Sucuri home page) or via email directing your inquiries to info@sucuri.net

(5) Documentation

You can read about the main features from here [5].

Click on the difference sections listed in the left column.

Marking as resolved, let me know if you need more information.

[1] https://developer.wordpress.org/reference/hooks/wp_login/
[2] https://developer.wordpress.org/reference/hooks/wp_login_failed/
[3] https://sucuri.net/website-firewall/
[4] https://kb.sucuri.net/firewall/Whitelist+and+Blacklist/protected-page
[5] https://kb.sucuri.net/plugins

Hello @shaunmesh

The file wp-logon.php is not part of a normal WordPress installation.

It is common for hackers to create files that look like WordPress files by adding the wp- prefix. I believe you are confusing this file with wp-login.php and it probably contains PHP syntax errors which some times causes the web server to return a 500 Internal Server Error.

My error log doesn’t seen to be much help […]

The log in your comment is not an error log, it’s an access log. You need to search for a file called error_log, that’s where you can find details about the failure that is causing the 500 Internal Server Error.

—

Please keep the Sucuri plugin disabled until you can provide more information about the errors so I can continue the investigation. Otherwise, I may not be able to help you much.

Hello,

I do not know exactly what features the “WP Security” plugin provides, so I cannot say with confidence if having them both installed in the same website will be redundant. I would say “keep them both”, eventually you’ll find yourself using one more than the other, and then you will decide which one to keep. Here is an article [1] that lists the main features of twelve (12) popular security plugins.

Let me know if you need more information.

[1] https://kinsta.com/blog/wordpress-security-plugins/