Mountain-Hiker-1

Here is a summary of the claimed vulnerability history, two issues reported, one resolved.
https://www.pluginvulnerabilities.com/2023/10/02/patchstack-wordfence-and-developer-make-mess-of-minor-vulnerability-in-100000-install-wordpress-plugin/

Thanks for making a fix.
I believe your instructions should say Security and Malware plugin, not Anti-Spam plugin. I use both.
I do not want to delete and manually re-install the fixed Security plugin because I think I will lose my plugin settings and will have to set them up again manually.
It is not a critical or urgent problem so I can wait until the next revision of the plugin is released and my system will auto-update.
Thank you for your support.

I tried backslash. It makes no difference if I use a forward slash / or backslash \.
Same results when running malware scanner.
Upper case letters are changed to lower case letters as soon as I save the exclusion list settings.
Forward slash works in the excluded folders list.
No error message if using forward slash or backslash.
Using plugin version 2.118, auto-updated this morning.

• This reply was modified 1 year, 2 months ago by Mountain-Hiker-1.

OK, thanks for sharing this idea with the developers.

If I don’t permanently block these failed bot login attempts, then they can try again when the temporary lockout expires. They will get temporarily blocked again for up to 2 months.

Since the blocking is working, it is not a security problem, it is just a nuisance getting many email alerts of failed bot login attempts.

Maybe I will turn off the email alerts for failed login attempts.

I had a weekend brute force attack trying to login with username admin that does not exist on my website. Botnet IP locations from multiple countries including ch, cz,de,es,gr,it,kz,nl,nu,pl,pt,ru,sk,ua,vn,za and many from GoDaddy IP addresses.

I manually blocked IP addresses that were reported as failed logins. I have a local business, so I do not need any foreign country access, and only do occasional business with out of state customers.

While experimenting, I created a second admin account with a long strong username and password. When I logged in to the second admin account, I was able to change the brute force protection settings to blacklist common usernames used in guessing attacks.

I did not disable any plugins. So, I have some unknown problem with my first admin account, but no problems with my second admin account.

By using the second admin account, I was able to change the settings and solve my problem.

I updated to WordFence 7.1.0 released today. Had the same problem.

I added define(‘CONCATENATE_SCRIPTS’, false); to wp-config.php file. Had the same problem.

I am able to enter text into other option fields, but I cannot enter text into the username blacklist text area. My mouse pointer remains an arrow symbol (Normal select) when I click or hover over the area. It does not change to the Text select (I-beam) symbol to allow me to enter text.

This is not an urgent matter for me. I noticed that some hacker from India was trying to login using username admin. But that is not a valid username on my WP site, so they can’t get in. Rather than me manually blocking the IP address, I wanted to add username admin to my blacklist so that the IP address of any hackers using admin would be automatically blocked.

I will do some more troubleshooting this weekend by disabling other plugins to look for a plugin conflict problem.

I am running PHP 7.1 on GoDaddy. No other current website problems.

Chrome browser console error message has changed to:

Uncaught TypeError: Cannot read property ‘hasClass’ of undefined wp-auth-check.min.js…24d07202ff4b0cae1:1
at HTMLDocument.<anonymous> (wp-auth-check.min.js…24d07202ff4b0cae1:1)
at HTMLDocument.dispatch (jquery.js?ver=1.12.4:3)
at HTMLDocument.r.handle (jquery.js?ver=1.12.4:3)
at Object.trigger (jquery.js?ver=1.12.4:3)
at Object.a.event.trigger (jquery-migrate.min.js?ver=1.4.1:2)
at HTMLDocument.<anonymous> (jquery.js?ver=1.12.4:3)
at Function.each (jquery.js?ver=1.12.4:2)
at a.fn.init.each (jquery.js?ver=1.12.4:2)
at a.fn.init.trigger (jquery.js?ver=1.12.4:3)
at Object.<anonymous> (heartbeat.min.js?ver…24d07202ff4b0cae1:1)

• This reply was modified 6 years, 9 months ago by Mountain-Hiker-1.

In Chrome browser console, I see this error message:

Uncaught TypeError: Cannot read property ‘hasClass’ of undefined load-scripts.php?c=1…d07202ff4b0cae1:246
at HTMLDocument.<anonymous> (load-scripts.php?c=1…d07202ff4b0cae1:246)
at HTMLDocument.dispatch (load-scripts.php?c=1…24d07202ff4b0cae1:3)
at HTMLDocument.r.handle (load-scripts.php?c=1…24d07202ff4b0cae1:3)
at Object.trigger (load-scripts.php?c=1…24d07202ff4b0cae1:3)
at Object.a.event.trigger (load-scripts.php?c=1…24d07202ff4b0cae1:9)
at HTMLDocument.<anonymous> (load-scripts.php?c=1…24d07202ff4b0cae1:3)
at Function.each (load-scripts.php?c=1…24d07202ff4b0cae1:2)
at a.fn.init.each (load-scripts.php?c=1…24d07202ff4b0cae1:2)
at a.fn.init.trigger (load-scripts.php?c=1…24d07202ff4b0cae1:3)
at Object.<anonymous> (load-scripts.php?c=1…d07202ff4b0cae1:245)

Thanks. Maybe I have some compatibility problem with another plugin interfering.

Are you able to add a banned username such as Hacker to the blacklist text area?

The checkbox is for Immediately lock out invalid username. That is a different function to block any invalid username guesses but also blocks username typos made by valid users.

The text area is for a blacklist to block specific usernames such as admin.

I cannot enter any text in the text area, whether the checkbox is on or off.

Brute Force Protection is enabled and I am using the option “Lock out after how many login failures” set to 2 attempts. I can set the other options under Brute Force Protection, but I cannot enter any usernames to block.

Success! I made the correction above. The plugin activated with no errors and my blog is again displaying popular posts.
Thank you!

I made the edit suggested above and got a new error when activating the plugin:

Plugin could not be activated because it triggered a fatal error.
Parse error: syntax error, unexpected T_OBJECT_OPERATOR in website/wp-content/plugins/wordpress-popular-posts/admin/class-wordpress-popular-posts-admin.php on line 849

I have an old GoDaddy account with shared hosting using PHP Version 5.3. I cannot upgrade to newer PHP unless I move to a new hosting plan. I plan to do that when I renew in October.

I don’t have screenshot but saved edit looks like this:
Edit Plugins
Editing wordpress-popular-posts/admin/class-wordpress-popular-posts-admin.php (inactive)

// Fallback, just in case

$theme = new stdClass;
$theme->colors = array(‘#333’, ‘#999’, ‘#881111’, ‘#a80000’);

return $theme;

I made the edit suggested above and got a new error when activating the plugin:

Plugin could not be activated because it triggered a fatal error.
Parse error: syntax error, unexpected T_RETURN, expecting ‘)’ in website/wp-content/plugins/wordpress-popular-posts/admin/class-wordpress-popular-posts-admin.php on line 860