Forum Replies Created

Viewing 15 replies - 1 through 15 (of 18 total)
  • Thread Starter trois

    (@trois)

    Thanks Tim!

    Yup, defeated my own settings by adding those IPs (copied from the IP-whitelisting in Wordfence itself).

    It’s working for both admins – thank you.

    Thread Starter trois

    (@trois)

    @eagle456 “custom login prompt” – good catch! Yes, I do have one ‘secret’ URL, using this plugin: ‘WPS Hide Login’. I overlooked that, my bad. Can’t register both admins on the same phone, as we are in different locations – but maybe the 2nd admin can change it once logged in.
    Thanks for your input – appreciated!

    @wfpeter – going to create a Premium ticket – thanks.

    • This reply was modified 4 years, 5 months ago by trois.
    Thread Starter trois

    (@trois)

    @eagle456 – only 2 admins (no other users/roles). Set-up is easy, but we’re never asked for that code, on log-in – even with the option checked that admins require a code (and, no grace-period).

    Shout out to @gwynethllewelyn! Thank you for one of the best-documented replies.
    Battling to get WF-2FA to even show on login-screen, you gave me some things to look into.
    I have 2 SSL-plugins, OpenSSL is enabled, but I also use Cloudflare – and LiteSpeed cache plugin… So, it ‘could be anything’…

    Going to create a ticket here.

    Here’s how I fixed it:

    – uncheck ‘Comments’ on the ‘Look For Links In’-tab, under ‘Broken Link Checker Options’ (via the ‘Installed Plugins’-page)
    – deactivate and then re-activate the plugin
    – on your server, find this file: domain_com.php.error.log
    – download and open it (in a regular text-editor, like Notepad or Wordpad)
    – scroll to the bottom and check if you find this error:

    “[] WordPress database error Illegal mix of collations (utf8mb4_unicode_520_ci,IMPLICIT) and (utf8mb4_unicode_ci,IMPLICIT) for operation ‘=’ for query INSERT INTO wp_blc_synch(container_id, container_type, synched)
    SELECT posts.id, posts.post_type, 0 FROM wp_posts AS posts LEFT JOIN wp_blc_synch AS synch ON (synch.container_id = posts.ID and synch.container_type=posts.post_type) WHERE posts.post_status IN (‘publish’, ‘future’, ‘draft’) AND posts.post_type IN (‘page’, ‘post’, ‘feedback’, ‘iwp-log’, ‘tablepress_table’) AND synch.container_id IS NULL made by activate_plugin, do_action(‘activate_broken-link-checker/broken-link-checker.php’), WP_Hook->do_action, WP_Hook->apply_filters, blc_activation_hook, require(‘/plugins/broken-link-checker/includes/activation.php’), blcModuleManager->plugin_activated, blcModule->plugin_activated, blcContainerManager->activated, blcAnyPostContainerManager->resynch, blcPostTypeOverlord->resynch”

    The error itself is: “Illegal mix of collations (utf8mb4_unicode_520_ci,IMPLICIT)

    Which you can fix yourself:
    – open your database in PhpMyAdmin
    – export the DB (just in case; better yet, repair and optimize it first)
    – on the SQL-tab, execute this query:
    (paste and click ‘GO’)

    ALTER TABLE wp_blc_synch CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;

    * make sure you get the table-name/prefix right – the above ‘wp_’ is the generic one!

    This changes the char-set of the table and the plugin starts working.

    • This reply was modified 7 years, 1 month ago by trois.
    • This reply was modified 7 years, 1 month ago by trois.
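Added example, not part of the original reply: two read-only queries for the phpMyAdmin SQL tab that show which columns actually disagree before any table is converted. They assume the default 'wp_' prefix and that the WordPress database is the one selected; the column names come from the join in the error message quoted above.

```sql
-- Added example. Assumes the default 'wp_' prefix; adjust the table names if
-- your install uses another one. DATABASE() is the schema selected in phpMyAdmin.

-- 1. The two text columns compared in the failing join
--    (synch.container_type = posts.post_type), with charset and collation.
SELECT TABLE_NAME, COLUMN_NAME, CHARACTER_SET_NAME, COLLATION_NAME
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND (   (TABLE_NAME = 'wp_posts'     AND COLUMN_NAME = 'post_type')
       OR (TABLE_NAME = 'wp_blc_synch' AND COLUMN_NAME = 'container_type'));

-- 2. Every text column in the database whose collation differs from
--    wp_posts.post_type, so other tables that could hit the same
--    "Illegal mix of collations" error show up as well.
SELECT c.TABLE_NAME, c.COLUMN_NAME, c.COLLATION_NAME,
       ref.COLLATION_NAME AS posts_collation
FROM information_schema.COLUMNS AS c
JOIN information_schema.COLUMNS AS ref
  ON  ref.TABLE_SCHEMA = c.TABLE_SCHEMA
  AND ref.TABLE_NAME   = 'wp_posts'
  AND ref.COLUMN_NAME  = 'post_type'
WHERE c.TABLE_SCHEMA = DATABASE()
  AND c.COLLATION_NAME IS NOT NULL          -- numeric/date columns have none
  AND c.COLLATION_NAME <> ref.COLLATION_NAME
ORDER BY c.TABLE_NAME, c.COLUMN_NAME;
```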
    Thread Starter trois

    (@trois)

    Thanks Marcel,

    I got your mails. What values would you use for empty fields? My export-file from the previous guest-book script doesn’t provide host (but includes IP), location etc. Would two quotes (“”) do?

    Going to update my import-file – will report back later on.

    Thread Starter trois

    (@trois)

    Thanks Marcel, appreciated.

    I mailed you the files and examples last night.

    Thread Starter trois

    (@trois)

    Thanks for fast response.

    I did alter that line in page-import.php, but now get this error:
    “It seems your CSV file is from an export that is not compatible with this version of Gwolle-GB.”
    The comments-file from the PHP script (txt), I edited and updated according to the export-file that I created myself (and the one you provide), and now I keep running into this error:
    “Your data seems to be corrupt. Import failed. I’m sorry, but I wasn’t able to import entries from the CSV file.”

    I figure it has something to do with the fields that are missing, like location, host etc. I put in single letters, as replacements, but does your import check those, somehow?

    I could mail you my CSV file?

    @akanale – yes, that worked for me as well: not just after the WP 4.5 update, but also after a more recent update (though I can’t find which plugin – just any one that updates/installs a new jQuery.js).

    The problem is: jQuery v.1.11.3 is 278kb, whereas v.1.12.3 is only 95kb (that is 65% smaller…). No wonder functions can’t be called/found any longer – they were simply removed.

    So, it is not a true bug as such – just a wrong call – rather, location, I would think, as those ‘old’ functions might be moved to a different file? It takes developers some time to link to the new files/libraries.

    Thanks Matt,

    I’m gonna save your ‘potential hacks’.

    Would it be possible, once they have access to the DB, to add malicious code in a table? And if so, does Wordfence scan for that? How else would one detect it within the DB?

    When I reinstalled the site (latest WP and theme), I didn’t specifically scan the DB (not even sure what tool to use) – so, theoretically it could still be in there? (my host said they checked the DB, as there were 75 (!) admin accounts in it – they removed them manually – but nothing about potential malicious code).

    Thanks for that guide as well!

    @majofa (as I can’t PM you):

    these are the 14 files that GotMLS marked as potential threat – hope this helps.
    (I grouped them: the first group is generic WP plus Wordfence)

    …/public_html/wp-content/plugins/wordfence/js/jquery-ui-timepicker-addon.js
    …/public_html/wp-includes/js/json2.js
    …/public_html/wp-includes/js/json2.min.js
    …/public_html/wp-includes/js/tw-sack.min.js
    …/public_html/wp-includes/js/tinymce/tiny_mce_popup.js
    …/public_html/wp-includes/pomo/translations.php

    IWP:
    …/public_html/wp-content/plugins/iwp-client/init.php
    …/public_html/wp-content/plugins/iwp-client/pclzip.class.php

    Theme:
    …/public_html/wp-content/plugins/fusion-core/admin/page-builder/assets/js/editor.js
    …/public_html/wp-content/themes/Avada/assets/js/external_plugins.js
    …/public_html/wp-content/themes/Avada/assets/js/ilightbox.js
    …/public_html/wp-content/themes/Avada/assets/js/jquery.carouFredSel.js
    …/public_html/wp-content/themes/Avada/assets/js/main.js
    …/public_html/wp-content/themes/Avada/assets/js/main.min.js

    @yitwail – thanks for the link – installed it and found something ‘weird’.

    First run, it marked wp-config.php as a threat – inside there were these lines:

    /** Outputs the WordPress header. */
    //require_once(ABSPATH . 'wp-head.php');

    As is – meaning, the second line was commented out – probably by some other plugin, as it refers to a non-WP-core file: wp-head.php – which was not present (anymore?) at my server… and appears to be malware (others reporting it).

    After removing both lines, GotMLS only flags the .js files – they seem legit, as otherwise Wordfence would flag them as non-core files?

    @majofa: check that new .htaccess file as well (just to be sure), although I figure Wordfence creates it (as I have it in my tmp folder as well). I will post the list of .js files here.

    Got something similar (@majofa): now three times over the course of 2 months, ‘they’ managed to create a new admin-user – without logging in. We only found out when WF alerted us (yes, thank you, WF!). Ran a scan, found some bad files, deleted them. No luck. Then complete new WP install, with only 5 trusted (!) plugins, changing account and password. Same thing.
    Our host just says it must be a file on the server – nice…. which one then, as no scanner (WF nor Sucuri) finds anything suspicious.

    It only happens on one site, using a premium theme that we use on other sites as well. I realize this is not much help, but it might be a confirmation something more serious needs to be fixed (either in WP or in server-software?).

    FWIW: configcache.php is only 1.3kb on my site. But, we do have an .htaccess file in the tmp folder – you might want to look into adding it to your folder?

    Same here – scan completes and then displays this error.

    As I understand from other threads, it is a server/host setting.

    [May 03 21:47:28] Scan Complete. Scanned 4718 files, 5 plugins, 3 themes, 7 pages, 0 comments and 9844 records in 69 seconds.
    [May 03 21:47:28] Wordfence used 44.09MB of memory for scan. Server peak memory usage was: 98.16MB
    [May 03 21:47:28] Warning: dns_get_record(): DNS Query failed in /data/home/domains/abx.com/public_html/wp-content/plugins/wordfence/lib/wfScanEngine.php on line 947 Warning: Invalid argument supplied for foreach() in /data/home/domains/abx.com/public_html/wp-content/plugins/wordfence/lib/wfScanEngine.php on line 949 0

    Thread Starter trois

    (@trois)

    Thanks Brian. I didn’t know it was being cleaned out on scanning – I guess during a scan something went wrong and I could have waited for the next scan to start.

    The screenshot I made of this plugin:
    WP DB Manager – it also lets you empty tables (which I do regularly, as other WF-tables grow pretty quickly as well). After that I optimize and backup – using the same plugin.
