dastafford

And can someone explain to me why my posts need to be moderated? I just received the following message after my previous post:

Your post is being held for moderation by our automated system and will be manually reviewed by a volunteer as soon as possible.

No action is needed on your part at this time, and you do not need to resubmit your message.

Apologies for the slow response.

No, there are no page caching plugins. But why would that affect this? Surely the firewall is the first plugin to evaluate any request. If it is not, it’s not really a firewall.

I want to automatically add ip addresses to the block list if they try to access something with a known vulnerability regardless of whether we use it on our site or not.

For example, today someone tried to access the url /tinyfilemanager/tinyfilemanager.php

That doesn’t exist on the site but, even if it did, they would have no business accessing it. In our list of “Immediately block IPs that access these URLs”, we have “/tiny*” and so the IP address should have been blocked but, instead, the attempt to access it was caught by the 404 handler.

@wfpeter I sent you the diagnostic file and alerted you to that. Did you find anything useful in the data?

Hi Peter

Thanks for your reply. Site diagnostic email is winging its way to you now.

Regards

David

The latest version (3.9.3) has fixed the issue.

Thank you.

The latest version (3.9.3) has fixed the issue.

Thank you.

Thanks for making me re-read the document, Mia.

I hadn’t read it closely enough and missed the bit about the noabort option. Scans are now working correctly and running to completion – and clear.

The other site that I mentioned has the mod in its .htaccess file but also has:

Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff

Is this to do with Wordfence, too, or from some other source?

Hi Mia

That’s the document that I followed initially which said ‘Try enabling the option “Start all scans remotely”’ which was why that switch was set before.

The site and account in question is sitting on a shared hosting platform (cloudunix/whm/cpanel) and I have access to another account on the same platform which is also a WordPress site and also has Wordfence installed but its scans run to completion … so I didn’t think it was platform related.

Anything else interesting in the diagnostics?

DAS

Hi Mia and thanks for the response.

1. In the version I see, there is a strip saying “Scan Stage Failed” and while that is displayed, the “Start New Scan” button can’t be clicked. Pressing the “Close” button on that strip re-enables the “Start New Scan” button and puts “Scan stop request received.” into the log detail.
2. Updated “Maximum execution time for each scan stage” from 0 (default) to 20.
3. The option “Enable debugging mode (increases database load)?” was already checked.
4. The option “Start all scans remotely (Try this if your scans aren’t starting and your site is publicly accessible)” was checked so unchecked it.

The scan started and the progress indicator kept going for several minutes but the scan did not appear to proceed.

After 7 minutes, it showed the message “Scan Failed.

I have sent a diagnostic report via email

@sucuri1 Thanks for responding.

We’ve had the plugin installed for some time. The date on the sucuri-scanner folder is Jun, 2021.

The plugin’s description says:
“We inspect your WordPress installation and look for modifications on the core files as provided by www.remarpro.com. Files located in the root directory, wp-admin and wp-includes will be compared against the files distributed with v6.2; all files with inconsistencies will be listed here. Any changes might indicate a hack.”

What would be useful would be to know what the nature of the “modification” on each file was. For example, a file that was no longer part of the core might simply not have been removed during the update. That’s quite different to the content of the file having been altered. Without knowing how you do your comparisons, it’s difficult to speculate as to what the difference might be – a hash mismatch doesn’t distinguish between a single additional space and 1000 lines of code.

What does the green flag indicate?

Will selecting all and choosing “restore file” have the desired effect?

Image upload for this forum has been disabled, apparently, so can’t show you what I’m seeing.