Suspicious Process Alerts on VPS

  • I realise this is technically a server issue however it is being triggered by Wordfence –

    I host over 30 WP sites on a Centos/WHM VPS and get constant Suspicious Process email alerts always username/wp-admin/admin-ajax.php

    I know I can whitelist the file in LFD but this has to be done for every user – is there a way to disable this alert for all users.

Viewing 3 replies - 1 through 3 (of 3 total)

  • I believe admin-ajax is called when someone is looking at the Wordfence admin pages. By default, it refreshes every 2 seconds. This is what i saw in my Apache log, too. If you change the refresh too something less frequent, the messages might stop.

    https://docs.wordfence.com/en/Wordfence_options#Update_interval_in_seconds

    (I was looking for a simliar topic because sometimes the scan is flagged as suscpicous)

    Thread Starter keychange

    (@keychange)

    admin-ajax is called when someone is looking at the Wordfence admin pages

    Well I have tested on several sites and that has not triggered the alert. I also tried Wordfence Scan , Live Traffic and WordPress updates but no alerts generated.

    The files opened by the process are always so appears to be WF Firewall related
    Files open by the process (if any):
    ?
    /var/cpanel/locale/en.cdb
    /dev/urandom
    /home/username/public_html/wp-content/wflogs/ips.php
    /home/username/public_html/wp-content/wflogs/config.php
    /home/username/public_html/wp-content/wflogs/attack-data.php
    ?

    Thread Starter keychange

    (@keychange)

    I can finally confirm that the alert coincided with a scan – but it doesn’t do it every time.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Suspicious Process Alerts on VPS’ is closed to new replies.