Failed scan = thousands of changed file alert

You may find my last post in this topic interesting.

The iTSec plugin handles scheduled tasks using WP Cron (default and preferred) or on any page request to the site (frontend or backend).

Since the plugin by default runs tasks (like file change detection) using WP Cron, the url => https://www.sitename_here.com/ part may be an indication of “inconsistant cron scheduling”. It indicates the failed task was actually run on a page request…(and not WP Cron).

Once a scan fails the result of the next scan is incorrect.

I suspect the bug causing the issue is fixed in the Pro plugin. Unfortunately that fix has not yet been incorporated into the Free 7.2.0 release.

So it looks like we will have to wait for the next free plugin update.

Yes thankfully I do not rely solely on only on iThemes for security reporting since I saw this exact behavior months ago. The first time I wasted time thinking it was a valid alert.

Just like the last time this happened with this extension today I got an email indicating several thousand files were added to the site. Sigh,

3 weeks later another 1468 files deleted. My god how long does it take them to roll out this fix to the free version of the plugin. Thank goodness I have more than this security plugin installed. It seems that someone “abc” in that other thread is also seeing this occurring at about the same time on their site as well

• This reply was modified 5 years, 9 months ago by frustrated999.

The fix I mentioned in an earlier post is included in the 7.3.0 release which was made available 4 days ago.

If you have already updated to the 7.3.0 release and the issue persists you might try and add the entry below to the wp-config.php file:

define('ITSEC_USE_CRON', true);

This will force the iTSec plugin to only use WP Cron for processing scheduled tasks.
No guarantees, there may still very well be bugs in the File Change scanning code.
(I know for sure a Windows platform specific bug still exists …)

Yes it was already using 7.3.0 so I added that line into wp-config file.

Well that implementation caused both sites to load at all. I had to comment it out of the wp-config.php file. Both sites are also using Cloudflare by the way

Hmm, weird. No errors ?
Difficult to say what’s bugging these envs.

The iTSec plugin includes a debug page, but it must also be enabled in the wp-config.php file, very similar to how forcing the plugin to use only WP Cron for scheduled tasks is configured:

define('ITSEC_DEBUG', true );

Once ITSEC_DEBUG is (properly) set to true you’ll notice a new Debug entry under the Security menu. Once in the debug page, the Scheduler section gives you an overview of scheduled iTSec plugin tasks. Interesting to see what’s listed there.

Notice there is also the possibility to Reset the ITSEC_Scheduler_Cron underneath the section. But let’s first have a look at the Scheduler list.

// BEGIN iThemes Security - Do not modify or remove this line
// iThemes Security Config Details: 2
define( 'DISALLOW_FILE_EDIT', true ); // Disable File Editor - Security > Settings > WordPress Tweaks > File Editor
// END iThemes Security - Do not modify or remove this line

//02_19_19 added to fix iThemes Security from flagging files as being deleted when they are not 
//define('ITSEC_USE_CRON', true);

That is what is in my wp-config.php file for one site. If I uncomment the line
define('ITSEC_USE_CRON', true);

then the site refuses to display at all. I had to FTP in this morning and comment the line out. Same with the other website. I only had added that define('ITSEC_USE_CRON', true); to the file nothing more about 2 days ago.

Let me try something and I will update this post in a day or so.

• This reply was modified 5 years, 9 months ago by frustrated999.

The syntax of the line is fine, though I would prefer to place it much further down the wp-config.php file like this:

define( 'WP_DEBUG', false );

// 02_19_19 added to fix iThemes Security from flagging files as being deleted when they are not
define( 'ITSEC_USE_CRON', true );

// 02_21_19 Enable/disable iTSec plugin Debug page
define( 'ITSEC_DEBUG', true );

/* That's all, stop editing! Happy publishing. */

Basically place the new entries between the existing
define( 'WP_DEBUG' ...
and
/* That’s all, ...
lines.

Do note, manually editing the wp-config.php file is considered risky business. A tiny mistake can render a site useless.

Ok uncommented one the initial suggestion for one of the sites and added the define(‘ITSEC_DEBUG’, true ); This is what it shows for jobs

iTSec chron

Ok, the screenshot shows no cron jobs at all.
So I guess it’s time to hit that Reset button I mentioned earlier.

Ok hit the reset on that site and there are these jobs scheduled to run. Will see if the plugin is any more stable and reliable using this method.

backup 2019-02-26 20:15:19 (1 min) backup
clear-locks 2019-02-26 20:25:19 (11 mins) daily
purge-lockouts 2019-02-26 20:30:19 (16 mins) daily
purge-log-entries 2019-02-26 20:35:19 (21 mins) daily

So there is still no file-change cron job scheduled ?
If the File Change Detection module is still enabled there should be a file-change cron job scheduled.

Ya it was enabled but would not show up. Had to disable it and re-enable it. It now shows up in the schedule under Debug.

Had so much issue with the plugin throwing errors in the past I had given up on it for a while.