• I’m seeing quite a few of those in Activity dashboard.
    What’s weird, it’s locking out the server IP and the URL says “mydomain.com/wp-cron.php”
    Can you briefly explain how exactly the “Probing for vulnerable PHP code” functionality works?

Viewing 15 replies - 1 through 15 (of 18 total)
  • I’m having a similar issue. I use a php page to unsubscribe from our email.
    I’ve been getting these pages blocked for probing for vulnerable PHP code. How can I override or whitelist some pages?

    Thread Starter Nazar Hotsa

    (@bugnumber9)

    More info on this.

    Today I’m seeing a client’s IP being blocked for “Probing for vulnerable PHP code”.
    URLs are domain.com/wp-admin/admin-ajax.php and domain.com/wp-admin/async-upload.php – so both legit.
    This client has Editor role, his IP didn’t change.

    At the same time I do see malicious requests from other IPs (e.g. domain.com/wp-content/plugins/ubh/up.php and so on) that are being blocked. But why does it block the legit ones?

    Thread Starter Nazar Hotsa

    (@bugnumber9)

    Also, I see broken images in Media Library, obviously resulting from the above.

    The client was uploading an image with a strange name though – k0skf79wrp-1.jpg
    Maybe that’s the reason of traffic inspector triggering a block?

    Plugin Author gioni

    (@gioni)

    That’s weird. Requests to wp-cron.php are not inspected on a normal WordPress installation. Traffic inspector blocks a request to a PHP script if the script doesn’t exist (physically on disk). Is your site on Windows/IIS hosting (server)?
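
Added example (not part of the thread and not WP Cerber's code): a simplified PHP sketch of the rule described in the reply above, where a request to a PHP script is flagged when the script does not exist on disk, run over URLs quoted in this thread against a constructed document root. The function names `script_path` and `is_probe` and the temp directory are assumptions; the last call shows that the verdict depends on which directory the check resolves paths against.

```php
<?php
// Added illustration, not WP Cerber's code: a simplified version of the rule
// "a request to a PHP script is suspicious if the script is not on disk".

/** Map a request URI to a file under $docroot; null if it climbs above the root. */
function script_path(string $docroot, string $uri): ?string {
    // Keep only the path component, so the query string plays no part.
    $path = rawurldecode((string) parse_url($uri, PHP_URL_PATH));
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') {
            if (!$parts) return null;      // would escape the document root
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return rtrim($docroot, '/') . '/' . implode('/', $parts);
}

/** True when the URI names a .php script that does not exist under $docroot. */
function is_probe(string $docroot, string $uri): bool {
    $file = script_path($docroot, $uri);
    if ($file === null) return true;                    // traversal attempt
    if (!preg_match('/\.php$/i', $file)) return false;  // rule covers PHP scripts only
    return !is_file($file);
}

// Constructed document root holding only core scripts named in the thread.
$root = sys_get_temp_dir() . '/ti-demo-' . getmypid();
mkdir("$root/wp-admin", 0700, true);
foreach (['wp-cron.php', 'wp-admin/admin-ajax.php', 'wp-admin/async-upload.php'] as $f) {
    touch("$root/$f");
}

$uris = [
    '/wp-cron.php?doing_wp_cron=1516711060&backwpup_run=runnow&jobid=1',
    '/wp-admin/admin-ajax.php',
    '/wp-admin/async-upload.php',
    '/wp-content/plugins/ubh/up.php',
];
foreach ($uris as $u) {
    printf("%-68s %s\n", $u, is_probe($root, $u) ? 'flag' : 'pass');
}
// Same URI, but the existence check runs against a different directory.
printf("%-68s %s\n", 'admin-ajax.php vs. other root', is_probe("$root/other", '/wp-admin/admin-ajax.php') ? 'flag' : 'pass');
```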

    Thread Starter Nazar Hotsa

    (@bugnumber9)

    No, it’s CloudLinux with cPanel, CageFS enabled. The website in question runs under PHP 7.2
    Cloudflare is being used too.

    • This reply was modified 7 years, 2 months ago by Nazar Hotsa.
    Plugin Author gioni

    (@gioni)

    Could you test out the development version: https://my.wpcerber.com/downloads/wp-cerber.zip

    Thread Starter Nazar Hotsa

    (@bugnumber9)

    Installed 6.0.5, will keep an eye on it.

    Thread Starter Nazar Hotsa

    (@bugnumber9)

    Same thing with 6.0.5 today.
    It keeps blocking the client’s IP for “Probing for vulnerable PHP code”, URLs are:
    /wp-admin/admin-ajax.php
    /wp-admin/async-upload.php
    /wp-admin/media-new.php
    I think I’ll have to disable Traffic Inspector on that particular website because clients are complaining.
    Is there anything I can do to help troubleshoot this behavior while TI is still enabled?

    Thread Starter Nazar Hotsa

    (@bugnumber9)

    Also, 6.0.5 is throwing the following error from time to time:

    [26-Jan-2018 12:34:42 UTC] PHP Fatal error:  Uncaught Error: Call to a member function fill_query_vars() on null in .../public_html/wp-content/plugins/wp-cerber/wp-cerber.php:4769
    Stack trace:
    #0 .../public_html/wp-content/plugins/wp-cerber/wp-cerber.php(4663): cerber_get_non_wp_fields()
    #1 .../public_html/wp-content/plugins/wp-cerber/wp-cerber.php(4424): cerber_to_log(700, 302, 0)
    #2 .../public_html/wp-content/plugins/wp-cerber/wp-cerber.php(4346): cerber_traffic_log()
    #3 .../public_html/wp-includes/class-wp-hook.php(286): {closure}('')
    #4 .../public_html/wp-includes/class-wp-hook.php(310): WP_Hook->apply_filters(NULL, Array)
    #5 .../public_html/wp-includes/plugin.php(453): WP_Hook->do_action(Array)
    #6 .../public_html/wp-includes/load.php(679): do_action('shutdown')
    #7 [internal function]: shutdown_action_hook()
    #8 {main}
      thrown in .../public_html/wp-content/plugins/wp-cerber/wp-cerber.php on line 4769
    
    Plugin Author gioni

    (@gioni)

    Could you send me the content of the Server info section, which is located on the Diagnostic page? Via https://wpcerber.com/support/

    Thread Starter Nazar Hotsa

    (@bugnumber9)

    Sent.

    Thread Starter Nazar Hotsa

    (@bugnumber9)

    Just to note, 6.1 keeps blocking legit URLs for “Probing for vulnerable PHP code”.

    Thread Starter Nazar Hotsa

    (@bugnumber9)

    Another update.
    On one of the sites Traffic Inspector keeps blocking the hosting server IP for “Probing for vulnerable PHP code” and URL is /wp-cron.php
    I examined the request and it’s a GET request like this:
    .../wp-cron.php?_nonce=1cf7b0da30&doing_wp_cron=1516711060.2889339923858642578125&backwpup_run=runnow&jobid=1
    It’s coming from BackWPup plugin.

    Plugin Author gioni

    (@gioni)

    Please check the .htaccess file in the root folder on your site for non-standard rewrite rules (other than added by WordPress).

    Thread Starter Nazar Hotsa

    (@bugnumber9)

    I have the following before standard WP rules:

    
    # Disable directory browsing
    Options -Indexes
    
    # Redirect http to https
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R=301,L]
    

    Do you think the http>https one can cause these issues?

  • The topic ‘Probing for vulnerable PHP code’ is closed to new replies.