menken

Nick you did more research than we did, but here’s our report of the same problem (which we intended to submit until finding your report and trace):

Since upgrading to WordPress 4.8 (across a small family of related websites) we have found frequent problems where a logged-in user comes back to the site and sees

Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
Apache/2.4.10 (Debian) Server at {sitename.com} Port 443

If iThemes security is deactivated, if the user tries a different browser, or the user clears all cookies for the site in question, then the user can browse and login to that site. We’re seeing it on all our sites, including ones that are exclusively http and exclusively https. Activating and deactivating other plugins does not affect matters: only iThemes security.

The Apache2 site-error.log file shows entries like:

[Thu Jun 22 17:21:18.368894 2017] [proxy_fcgi:error] [pid 18999:tid 139716653393664] [client {a.b.c.d}:21655] AH01067: Failed to read FastCGI header
[Thu Jun 22 17:21:18.368930 2017] [proxy_fcgi:error] [pid 18999:tid 139716653393664] (104)Connection reset by peer: [client {a.b.c.d}:21655] AH01075: Error dispatching request to :

And /var/log/kern.log shows a corresponding entry:

Jun 22 17:21:18 webserver kernel: [6662139.037544] php5-fpm[21053]: segfault at 7ffd51345ff8 ip 00000000007012cf sp 00007ffd51346000 error 6 in php5-fpm[400000+802000]

So something sent in the cookie triggers iThemes doing something which causes a segfault in php5-fpm.

Any help would be appreciated!

Hi, thank you for helping!

No, I do not see any such entries. wordfence_daily_cron, wordfence_hourly_cron and wordfence_email_activity_report are all listed, but no. I have other sites on a different server with nearly identical configuration, and they have that entry each day.

We’re using Cloudflare with no local caching.

What do you suggest?

I have a stopgap solution for you:

Go to Wordfence -> Scan -> Options and all the way down to “Time limit that a scan can run in seconds” (right before the SAVE OPTIONS) button.

set the time limit on your scans to 2 seconds, and save. You’ll get an email that the scan ran over and aborted, but it won’t take your site down.

Hi, I have display_errors off, and error_reporting includes ~E_NOTICE & ~E_DEPRECATED, and WP_DEBUG is defined to false in wp-config.php, and I’m still seeing the error (!!).

Any suggestions while we await an update would be sincerely appreciated. I even tried messing with line 3911 of functions.php, and that didn’t improve anything (in fact, odd characters I inserted did not display, leading me to believe that it’s not actually line 3911 causing the error). I emptied page cache, I even changed line 3906 to read if ( FALSE && WP_DEBUG…. so that nothing would trigger, and it still did.

What have I missed?

Ken

I have both iThemes and Wordfence and am seeing similar behavior. What triggers the ‘logged out’ in Simple History? Does this mean the hacker got to the login screen, or was blocked because we hide wp-login?

Thanks for your help!