divemasterza
Forum Replies Created
Hi there
- Safari is the latest 15.6
- I don’t have mod_substitute installed on Apache so the directive above won’t work. I don’t really have the use for mod_substitute so to install it for one plugin, it does not make sense
- No screenshot, but in essence WSOD when initiating the onboarding wizard
Best regards,
//Steph

I can confirm it’s a Safari Browser issue.
Forum: Plugins
In reply to: [GN Publisher: Google News Compatible RSS Feeds] Custom post types

Just confirming that the above solution works perfectly

It definitely still happens, had another coming 2 days ago.
I will screencast and send – I will replicate it on a staging instance and give you access.

Best regards,
//Steph

Are you sure your browser is not compromised? (Extension or others) I can’t pick up anything on your site…
Hi,
PHP 5.4 has now been unmaintained for at least 4 years… this by itself is an issue for security and compatibility. While technically Wordfence should run on PHP 5.4, it’s definitely not recommended to run on a deprecated version.

Sources:
PHP Version
Wordfence system reqs

Hi,
If the log is publicly accessible it can reveal paths and other information.
Check your wp-config.php for the value of
define( 'WP_DEBUG', false );
It should be set to false for production websites.

If you need the debug file for any reason, you can limit the access to it (via .htaccess, for example).
If the file is residual from the development phase of your website, you can delete it.
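
An added example, not part of the original reply and not WordPress or Wordfence code: a small audit of a wp-config.php for the debug constants the reply refers to. The sample config is constructed; the function names are hypothetical, and `WP_DEBUG_LOG` and `WP_DEBUG_DISPLAY` are the related WordPress constants that decide whether a log file is written and whether errors reach visitors.

```python
import re

# Constructed sample wp-config.php fragment (not from the thread).
SAMPLE = """<?php
// define( 'WP_DEBUG', false );
define( 'WP_DEBUG', true );
define( "WP_DEBUG_LOG", true );
define( 'WP_DEBUG_DISPLAY', false );
"""

# define() is case-insensitive in PHP; constant names are not.
DEFINE_RE = re.compile(
    r"""(?i:define)\s*\(\s*['"](WP_DEBUG(?:_LOG|_DISPLAY)?)['"]\s*,\s*([^)]+?)\s*\)\s*;""")

# WordPress defaults when a constant is not defined.
DEFAULTS = {"WP_DEBUG": "false", "WP_DEBUG_LOG": "false", "WP_DEBUG_DISPLAY": "true"}
ON = ("true", "1")
OFF = ("false", "0")

def strip_comments(php):
    """Remove /* */ blocks and whole-line // or # comments."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)^\s*(?://|#).*$", "", php)

def debug_settings(php):
    """Return the effective debug constants; in PHP the first define() wins."""
    found = {}
    for name, raw in DEFINE_RE.findall(strip_comments(php)):
        value = raw.strip("'\" ")
        if value.lower() in ON + OFF:
            value = value.lower()
        found.setdefault(name, value)
    return {**DEFAULTS, **found}

def audit(php):
    """List findings that matter for a production site."""
    s = debug_settings(php)
    findings = []
    if s["WP_DEBUG"] not in ON:
        return findings
    findings.append("WP_DEBUG is enabled")
    if s["WP_DEBUG_LOG"] not in OFF:
        # true means the default location; any other value is a custom path.
        path = "wp-content/debug.log" if s["WP_DEBUG_LOG"] in ON else s["WP_DEBUG_LOG"]
        findings.append(f"log written to {path}: restrict web access or delete it")
    if s["WP_DEBUG_DISPLAY"] in ON:
        findings.append("errors are shown to visitors")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```
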
It definitely has a backdoor, but depending on your hosting security levels (i.e. some PHP functions being disabled) the backdoor might not be exploitable. But you need to clean up. Wordfence has a nice writeup on this here -> https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
The index.php contains a backdoor. Not to go into too much detail, it checks for a certain $post query. If present, it writes the value of the query to a file.
The PHP function used, file_put_contents(), is disabled on many servers for security reasons. So if this is the only file that got flagged, it is very possible it is the case @ your host.
//Steph
Yes same from South Africa – was definitely an issue in a switch somewhere in Europe
[root@cyberfx ~]# curl -Is https://noc1.wordfence.com | head -n 1
HTTP/1.1 200 OK
Do you use Page Ruler Chrome Extension?
@iframe, I am not pinging as they are obviously dropping ICMP packets. (I am doing as well on two of my servers, I have other monitoring options for them)
However `curl --trace - https://noc1.wordfence.com` does not happen either
A traceroute from London does work and the domain is reachable. However, from some locations in the US and from South Africa, the traceroute dies somewhere in Europe.
There is definitely an issue with a switch somewhere in Europe
I am not from Wordfence family.
I just wanted to point out that Wordfence is more of a ‘Preventive Vaccine’, not a ‘Serum’.

Your title is slightly misleading if Wordfence has been installed after your website has been compromised.
You are running WP 4.9.8, which is vulnerable, and also WooCommerce 3.4.5, which is also vulnerable… an easy prey for anyone who wants to exploit the site.
Google is your friend: “how to clean your hacked wordpress website”, or you can use a professional service to clean.
I would start by making sure all versions of the plugins and the core are up to date and not vulnerable. (a quick scan showed that most of your plugins are out of date)
I tried from a few servers; some are successful and some fail. I contacted the datacentre / hosting providers: they claim the connection dies somewhere in Europe.
From an independent provider in the USA:
root@asgard [~]# traceroute noc1.wordfence.com
traceroute to noc1.wordfence.com (69.46.36.28), 30 hops max, 40 byte packets
1 asgard.aserv.co.za (64.22.105.121) 0.347 ms 0.391 ms 0.536 ms
2 63.247.69.37 (63.247.69.37) 0.374 ms 0.514 ms 0.507 ms
3 xe-11-2-3.edge2.Atlanta4.Level3.net (4.53.238.9) 0.593 ms 0.587 ms 0.618 ms
4 * * ae-1-3501.ear1.Atlanta1.Level3.net (4.69.214.190) 0.888 ms
5 4.68.74.158 (4.68.74.158) 0.975 ms 0.961 ms 0.954 ms
6 tuk-edge-14.inet.qwest.net (67.14.44.54) 60.615 ms 59.829 ms 60.105 ms
7 63.149.178.150 (63.149.178.150) 60.773 ms 60.800 ms 60.670 ms
8 * * *
9 * * *

As per several traceroutes from within Afrihost network, this leaves our network and our upstream provider and in Europe the connection dies.