P51Admin

Thanks again for your quick responses …

I will mark this as resolved, but it will be a couple of days before I can give this information a try.

I am sure thanks to your expertise I will get this done.

P51 Admin

Thank you very much for your very quick response!

I found the RSS feed setting and will certainly use that … thanks

I have to admit to you that I although I am an individual with 30+ years technical experience I am NOT a developer (coder).

Please dumb down your search button solution for me …

I am not using a child theme (yours is the only theme on the system)

Where do I find the files that you are referring to and where in the file should I insert the code?

I do have the site running on a VM in my offices, and uploaded to the “staging” area on my ISP. So depending on where the file resides I may or maynot have write access to the file. (I only have write access to the wp-content structure)

thanks again for all your time and assistance in the this matter.

P51 Admin

Thanks for the reply;

I will try disabling the “loading” animation and that may help figure what is taking so long to load as I will be able to see the elements loading.

Dave

[Update] – Deleted the plugins/WordFence folder and then the “update” worked. It seems that all my previous settings and filters remain intact. Ran a site scan and that passed.

Not sure if I should still be concerned or not, but WordFence seems to be running again and as the current version.

I will mark this as resolved.

p51admin

[EDIT] – Just checked the folder structure on the site and there are no PHP files in the plugin folder. Just a CSS folder with files.

P51 Admin

Hello Again Everyone;

I am going to mark this as “resolved”

This attack came to my attention because of the features built into the WordFence product.

Upon review of previous access statistics for my site it turns out that this was actually a relatively minor attack.

There were only around 2900 account lockouts within the 24 hour period. The thing that was different and what concerned me as that the originating IP addresses appeared to be many different countries. (In the past there have been 46,000 hits from one IP address in a matter of hours.)

I will continue to tune my WordFence plugin but I feel that this product has certainly proven to be a worthwhile addition to my site.

I will search through the forums for items relating to downloading hard copy of the log file for the live stream data.

Thanks again to those who responded ( @bluebearmedia )

P51 Admin

Hello Everyone;

Things have settled down for the moment.

I am going to do a deeper investigation, but at this time WordFence is giving me an all clear on website scans.

The false login activity has reduced significantly.

I would like to figure out how to export WordFence log files so that I can have a closer look at what happened.

Can someone point me in the right direction for that kind of information?

I have also tuned up the WordFence product to be a little more sensitive.

I know that this sort of thing likely happens a lot but it is the first time that it happened to me.

I will update when I have more specific informaton.

P51 Admin.

@bluebearmedia

Thanks for your response.

I am traveling at the moment but I will try this when I land.

At 1500+ plus attempts (lockouts) and still climbing.

P51 Admin.

@wfasa – You are right … those statistics are access through a NetFirms control panel. I had already adjusted WordFence to ignore that specific file until the “next change”. Thanks to your input I will now exclude those statistics files going forward.

Thanks again

P51Admin

Hello Everyone;

@wfasa – I did get a message back from the Netfirms support group.

Here is that message;

*******************************

Hello,

I see that ‘Webalizer’ tool is chosen to display the account’s stats (via https://www.netfirms.com/controlpanel/VisitorStats.bml) and webalizer.current is one of the component files of webalizer tool that contains information about the website statistics. It seems that there was access from IP 69.89.31.141 to your website files and that’s how that IP appears in webalizer.current file. Also, I’ve scanned your account and didn’t find any malware contents in your account. Following are the scan results :
———– SCAN SUMMARY ———–
Scanned directories: 589
Scanned files: 4830
Infected files: 0
Data scanned: 318.58 MB
Data read: 184.62 MB (ratio 1.73:1)
Time: 126.954 sec (2 m 6 s)

You can give above mentioned information to Wordfence and then tell them to ignore the site.

If you have any further questions, please update the Support Console.

Sincerely,

Praful K
Technical Specialist

******************************

I will mark this as solved and chock it up to a False Positive, but I am concerned that because a malicious site tried to connect to my website and that access was logged in the statistics file that this error will repeat.

Is there ever going to be a concern that this file may be used for malicious intent?

Thanks again for all your attention.

P51 Admin

@wfasa – Thank you very much for your extremely fast response. I will send an email to Netfirms support and see what they have to say.

I did search through the web page that displays my statistical results and that IP address was not a part of the information displayed.

I will not ignore the result for the moment until I get more conclusive information.

I will post an update with the response from Netfirms.

Thanks again for your extremely fast response !!!

P51 Admin

@wfmattr – Re-install of the WordPress went without a hitch. Things have been very quiet on my front withing the WordFence product.

Certain sites are still getting auto-blocked and I am going to try and figure out a way to get rid of the original “admin” account so that attack vector goes away.

I consider this situation resolved.

Thanks again everyone.

@wfmattr – Thanks for another response

Hello Matt, I was away from my offices for a week “Spring Break”.

I will take your advice to refresh the WordPress installation files and do that using the “re-install” option.

I hope that will have no impact on my content or layout.

As an aside I did get a notification while I was away (thanks to a scheduled WordFence scan) that a .js file relating to my Updraft site backup plugin had changed.

As part of the notification there was a link provide to “repair” the file and it was a simple single click solution to resolve the issue.

It was shortly after that a notice came down again from Wordfence that there was an upgrade to the Updraft plugin required.

This is the way that I feel WordFence should function and I am still surprised that the WordFence product did not detect the offending files. I did move the offending files to a different folder and will delete them later today.

I will mark this item as resolved when I have completed the WordPress re-install and there has been no impact to my content or layout.

I want to thank you for all your time and effort relating to this issue.

I personally appreciate your efforts to help me resolve this problem.

Thanks again.

So at this point my site seems fine.

My question is …

How do I refresh/replace wp-includes/images.

Or is this not the right place to ask.

Thanks.

@wfmattr – I attempted to create a tar.gz file containing downloaded copies of the files noted in the SiteLock scan results file.

At that time Google refused to allow me to attach the file because of embedded viruses.

So we now know that WordFence has been giving me the all clear when in fact there are infected files on my site.

I have since moved the files from the original locations to a temp_storage folder that I created within my site.

I ran another WordFence scan and it still comes back clean.

I am now officially looking for direction on how to remove the infection from my site.

I will now access my site to see if moving the files has broken my site.