ellmann creative

Why is it that every other button and text can be translated manually in the various pages, but “Show more”, “Show less”, “Save & Accept”, as well as “Enabled” and “Disabled” on the various cookie categories – are not configurable from the backend?

@jakobward note that I am not part of this plugin’s dev team.

Your best approach to getting this answered is to open a new thread and ask there – it will bring this to the attention of the developers, and you won’t have other people interfering (unless they crash the party, like you ;P).

@jakobward considering that the plugin uses the mentioned value as its “signpost” to know whether it went through or not, and considering that it’s potentially possible that the second attempt actually breaks the data table – I doubt it’ll be handled automatically.

At best, I would see a “retry” button somewhere, which would trigger a complete restart of the upgrade procedure. It might caution you to make a full database backup, just in case.

Otherwise, I don’t see any good way out of this – at least not for installations which are already affected.

I haven’t looked at the source code to see how this upgrade works exactly, so I can’t really say anything for sure – but I expect a little bit more of defensive programming wouldn’t hurt here. Though I strongly suspect that WP’s very disjoint nature (specifically – how any scheduled process must fully expect to be interrupted and resumed, perhaps multiple times) isn’t helping matters at all.

Looks like that did it, and the upgrade took only a few seconds (possibly less).

My theory is that the update got triggered when the plugin auto-upgraded to 4.4.0, and then got axed when the erroneous clampdown killed our PHP processes.

As soon as we move hosts, this sort of issue should stop being an issue. Hopefully.

It’s a good thing that the conversion/upgrade process can be restarted.

Installed WP Crontrol. In “Cron Schedules”, I can see wp_wsal_meta_data_migration_440_cron_interval (set to “every 5 minutes”).

Otherwise, in “Cron Events” there are only two entries that contain ‘wsal’ in any way: wsal_cleanup (hourly) and wsal_delete_logins (daily).

As for the migration info from wp_options:

array(1) {
  ["local"]=>
  array(4) {
    ["start_time"]=>
    int(1646043533)
    ["processed_events_count"]=>
    int(0)
    ["batch_size"]=>
    int(50)
    ["connection"]=>
    string(5) "local"
  }
}

Okay, but how does Wordfence check the strength of a password it can’t read? I mean the password strength check during a scan, not during account creation (and possibly password change).

• This reply was modified 3 years ago by ellmann creative. Reason: rewritten for clarity

I see…

Well, here’s hoping for a speedy fix for this, as it’s clearly something in filename matching that’s probably affecting more than just .tmpl files…

Yes, I would like to know that you’re going to fix those filenames! ??

I didn’t report it to get a pat on the head, you know. ??

Hey. Any status updates on this?

I know this is likely low-priority (boo hoo, I need to re-upload Wordfence after a restore), but I’d just like to point out that if there’s some issue with backing up a random(?) file, there’s no guarantee that any files will get backed up reliably (after all – why that file? why not any other one?).

Okay.

The text files are a tad big, so I sent you two links hidden behind HTTP basic auth instead. Hope that isn’t an issue.

I’ll check out scanning exclusions. I hope it works recursively (you did say “all files“, not “all files and directories“), so that I don’t have to specify subdirectories manually (since they’re auto-generated and all).

I can see how it would be convenient to exchange all keys after an attack with a click, but that would make this a quality-of-life plugin, not a security plugin.

From what I can see, it is indeed getting bogged down in Hummingbird assets.

Is there some way I could tell it to skip scanning /wp-content/uploads/hummingbird-assets/*?

————–
I have the log files ready for you. How do I pass them to you securely?

I would like to provide these as two .txt files (one for a short scan w/ the binary option disabled, one for a longer one with it enabled).

As I would not like to have this info public, where/how can I pass this info on?

(also, one of the files will be in my local language, because WordFence at some point decided it’ll partially use the site’s language, not the /wp-admin language).

It’s likely not – sitecheck2/3/4 all return NXDOMAIN at this point. The first one doesn’t, but I can’t be sure it’s the only scanner used.

Hmm… I clearly don’t understand how the scanner works.

When I disabled the binary scan option, it scanned 21448 files (194.1 MB), and additional 6928 files afterwards. So the “additional” files clearly aren’t the additional scan. It also took significantly less time (2.5 minutes).

Can you please clarify how this works?

Bonus question: does it make sense to have it generally enabled on live sites? Or is it too much load vs too little gain, based on your observations of threats?