wfasa

@bytemotion,
Please reach out to Wordfence premium support if you haven’t already via https://support.wordfence.com. Unfortunately we can not discuss the premium version in the forums.

The only previous report I can find of problems on Antagonist is three months ago when we had a conflict with other plugins that use the same GeoIP library. This release was only out for a few hours before we sent out a new one that fixed this. It was not specific to the host.

In order to research this further we’d need more information. Most importantly, are there any PHP errors logged? If so, which ones? What processes are running when limits are reached?

If upgrading causes problems, does a fresh reinstall work instead?

Hi @fingersmorris,
Our website at https://www.wordfence.com does not affect the Wordfence plugin and it’s related services. I can assure you that we do not announce maintenance in a way that would make it possible for attackers to abuse it.

Thanks for the support!

Hi @vinodsunkara,
The Wordfence Firewall uses /wflogs/ for it’s immediate memory due to that then the Firewall is loaded a connection to the database has not yet been established. It does read to and write to those files fairly frequently.

I’ve had another customer reporting a similar problem on Azure recently. I’m not quite sure how we can resolve it though.

There aren’t that many files in wflogs and only few are written to frequently so it seems strange that the 1024 limit should be reached unless you have a very large amount of traffic on the site. How much traffic does this site have approximately?

Hi @lookingahead!

I’m not doing anything here except trying to help. Please try to keep a friendly tone.

You’ve explained that your problem is that cookies can break cache on CDNs. I have explained that we’re not using cookies on the front-end of the site and that WordPress admin should not be cached. If you just want to know how to disable all cookies in Wordfence, the answer is that it’s not possible.

However, I wonder if perhaps the hosting company doesn’t know that we’ve stopped using cookies on the front-end? That’s why I’m asking which specific cookie they think is causing the issue. If there is any way you can get that information I’d be happy to investigate further.

To sum up: It’s not possible to disable cookies in Wordfence anymore but you shouldn’t need to do that because we’re not using any on the front-end of the site.

We use cookies in the WordPress admin. The WordPress admin does that itself as well. That’s how you are able to stay logged in to the WordPress admin. The WordPress admin shouldn’t be cached because that would cause all kinds of trouble. Perhaps you can ask them what the name of the cookie is that is causing the problem.

Hi @tommeke9,

I’m afraid we can’t discuss the premium version of Wordfence in the forums so please continue your support request in our support system.

Thank you!

Thanks @artcared!

The only way to be 100% sure would be to restore a backup from before the site was hacked. Otherwise you’ll just have to wait and see. Set Wordfence to scan with “high sensitivity” in the meantime. That’s the recommended option for sites that are suspected to be infected.

Have sent the domain on to our threat intelligence team. Thank you!

Hi @tommeke9!
Wordfence doesn’t handle the redirect for your SSL so I’m not quite sure how we’d be involved there. Generally if it’s not showing up in Live Traffic, it means it wasn’t us. It is possible that your server itself is doing the 503 as it means “service unavailable”. Have you tried deactivating Wordfence to see if the problem persists or not? That seems like the best first thing to check.

Hi @darraghmc,
Sorry to hear that. There is nothing we can do from our end as the application is installed on your site and the block is coming from there. You’ll need to wait until you are not locked out anymore or get login via cPanel or FTP. If you are cleaning the site of malware, you’ll need cPanel and FTP access either way. Best of luck!

Hi there,
We don’t use cookies on the front-end anymore, that’s why we have removed the option. We’ve implemented other ways of distinguishing between bots/humans and we only keep track of admins when they are logged in.

So you don’t have to do anything at all. I’ll make sure we update the docs asap.

Thanks!

• This reply was modified 5 years, 12 months ago by wfasa.
• This reply was modified 5 years, 12 months ago by wfasa.

Hi folks,
Very sorry to hear that your sites were compromised. We’ve seen this domain in hacks resulting from the WP GDPR compliance plugin so if you have that, after the site has been cleaned make sure you update that plugin to the most recent version.

Wordfence has protection against that vulnerability but free users get Firewall rules with a 30 day delay. Updating the GDPR plugin will fix the vulnerability though. If you are having troubles cleaning an option may be to restore the site to a point before the hack and then update all your plugins.

The domain in question has been added to our domain blacklist with a few others that were seen in similar scenarios related to this specific vulnerability. That’s active on free sites instantly so this domain should now be flagged in your scans.

Hi @shojibur,
First check to make sure you’re using the most recent version of Wordfence. If you are, check if you have any cache plugins installed and try clearing cache in those. If that doesn’t help I’d recommend reaching out to your web host and explain that database queries appear to be cached and inquire about any cache they may be implementing on your site.

Hi again!

Live Traffic is just a log essentially, it shows whatever is going on on the site at any specific point in time, including blocks. If you want to test the Firewall you have to make a request to the site that could be perceived as malicious. Examples could be

yoursite.com/?test=../../ (Local file inclusion) or
yoursite.com/?test=<script> (Cross site scripting in query string)

Wordfence has a lot of other blocking functionality too like rate limiting and brute force protection. To test each one you’d have to set those options as you want them and then attempt to break the rules. Try to use a different IP than your own when testing so you don’t end up blocking yourself.

I understand that all three issues would need to be resolved. If we can, we will at some point.

Hi @banao,
It sounds like a Wordfence plugin update must have failed. Please log in to your site via FTP/SSH or a cPanel file manager and delete the “wordfence” folder located in wp-content/plugins. Then you can reinstall Wordfence from the “Plugins” menu.

Hope that helps!

Your site is trying to make a request (visit) to itself. When it’s trying to do that, it fails. happyreading.in is trying to contact happyreading.in but can not because it can not find happyreading.in. This is a problem on the server and not in Wordfence, so you will have to reach out to your host to inquire about why it’s happening.