deleted

yes, scanned my machine, changed cpanel, ftp passwords, changed site passwords, kept everything up to date, ran firewall, actively blocked IPs, limited login attempts, didn’t use any unknown snippets, plugins or child theme code, ssl, etc.

Wordfence folder / files malware links. Sucuri detects it, host detects it, wordfence does not.

I know this is a complex issue but please, could you add something that scans files for known malware urls?

Wordfence is amazing. This is a big effort and all the moving parts work well together. The new firewall appears to be a big time saver. The free version of Wordfence is great but the pay version will set you and your client’s minds free.

Unfortunately, it neither stopped or alerted me to malware links contained in it’s own plugin directory.

<?php
require_once(‘wfAPI.php’);
require_once(‘wfArray.php’);
class wordfenceURLHoover {
private $debug = false;
public $errorMsg = false;
private $hostsToAdd = false;
private $table = ”;
private $apiKey = false;
private $wordpressVersion = false;
private $useDB = true;
private $hostKeys = array();
private $hostList = array();
public $currentHooverID = false;
private $dRegex = ‘AAA|AARP|ABB|ABBOTT|ABBVIE|ABOGADO|ABUDHABI|AC|ACADEMY|ACCENTURE|ACCOUNTANT|ACCOUNTANTS|ACO|ACTIVE|ACTOR|AD|ADAC|ADS|ADULT|AE|AEG|AERO|AETNA|AF|AFL|AG|AGAKHAN|AGENCY|AI|AIG|AIRFORCE|AIRTEL|AKDN|AL|ALIBABA|ALIPAY|ALLFINANZ|ALLY|ALSACE|AM|AMICA|AMSTERDAM|ANALYTICS|ANDROID|ANQUAN|AO|APARTMENTS|APP|APPLE|AQ|AQUARELLE|AR|ARAMCO|ARCHI|ARMY|ARPA|ARTE|AS|ASIA|ASSOCIATES|AT|ATTORNEY|AU|AUCTION|AUDI|AUDIO|AUTHOR|AUTO|AUTOS|AVIANCA|AW|AWS|AX|AXA|AZ|AZURE|BA|BABY|BAIDU|BAND|BANK|BAR|BARCELONA|BARCLAYCARD|BARCLAYS|BAREFOOT|BARGAINS|BAUHAUS|BAYERN|BB|BBC|BBVA|BCG|BCN|BD|BE|BEATS|BEER|BENTLEY|BERLIN|BEST|BET|BF|BG|BH|BHARTI|BI|BIBLE|BID|BIKE|BING|BINGO|BIO|BIZ|BJ|BLACK|BLACKFRIDAY|BLOG|BLOOMBERG|BLUE|BM|BMS|BMW|BN|BNL|BNPPARIBAS|BO|BOATS|BOEHRINGER|BOM|BOND|BOO|BOOK|BOOTS|BOSCH|BOSTIK|BOT|BOUTIQUE|BR|BRADESCO|BRIDGESTONE|BROADWAY|BROKER|BROTHER|BRUSSELS|BS|BT|BUDAPEST|BUGATTI|BUILD|BUILDERS|BUSINESS|BUY|BUZZ|BV|BW|BY|BZ|BZH|CA|CAB|CAFE|CAL|CALL|CAMERA|CAMP|CANCERRESEARCH|CANON|CAPETOWN|CAPITAL|CAR|CARAVAN|CARDS|CARE|CAREER|CAREERS|CARS|CARTIER|CASA|CASH|CASINO|CAT|CATERING|CBA|CBN|CC|CD|CEB|CENTER|CEO|CERN|CF|CFA|CFD|CG|CH|CHANEL|CHANNEL|CHASE|CHAT|CHEAP|CHLOE|CHRISTMAS|CHROME|CHURCH|CI|CIPRIANI|CIRCLE|CISCO|CITIC|CITY|CITYEATS|CK|CL|CLAIMS|CLEANING|CLICK|CLINIC|CLINIQUE|CLOTHING|CLOUD|CLUB|CLUBMED|CM|CN|CO|COACH|CODES|COFFEE|COLLEGE|COLOGNE|COM|COMMBANK|COMMUNITY|COMPANY|COMPARE|COMPUTER|COMSEC|CONDOS|CONSTRUCTION|CONSULTING|CONTACT|CONTRACTORS|COOKING|COOL|COOP|CORSICA|COUNTRY|COUPON|COUPONS|COURSES|CR|CREDIT|CREDITCARD|CREDITUNION|CRICKET|CROWN|CRS|CRUISES|CSC|CU|CUISINELLA|CV|CW|CX|CY|CYMRU|CYOU|CZ|DABUR|DAD|DANCE|DATE|DATING|DATSUN|DAY|DCLK|DDS|DE|DEALER|DEALS|DEGREE|DELIVERY|DELL|DELOITTE|DELTA|DEMOCRAT|DENTAL|DENTIST|DESI|DESIGN|DEV|DHL|DIAMONDS|DIET|DIGITAL|DIRECT|DIRECTORY|DISCOUNT|DJ|DK|DM|DNP|DO|DOCS|DOG|DOHA|DOMAINS|DOT|DOWNLOAD|DRIVE|DTV|DUBAI|DURBAN|DVAG|DZ|EARTH|EAT|EC|EDEKA|EDU|EDUCATION|EE|EG|EMAIL|EMERCK|ENERGY|ENGINEER|ENGINEERING|ENTERPRISES|EPSON|EQUIPMENT|ER|ERNI|ES|ESQ|ESTATE|ET|EU|EUROVISION|EUS|EVENTS|EVERBANK|EXCHANGE|EXPERT|EXPOSED|EXPRESS|EXTRASPACE|FAGE|FAIL|FAIRWINDS|FAITH|FAMILY|FAN|FANS|FARM|FASHION|FAST|FEEDBACK|FERRERO|FI|FILM|FINAL|FINANCE|FINANCIAL|FIRESTONE|FIRMDALE|FISH|FISHING|FIT|FITNESS|FJ|FK|FLICKR|FLIGHTS|FLIR|FLORIST|FLOWERS|FLSMIDTH|FLY|FM|FO|FOO|FOOTBALL|FORD|FOREX|FORSALE|FORUM|FOUNDATION|FOX|FR|FRESENIUS|FRL|FROGANS|FRONTIER|FTR|FUND|FURNITURE|FUTBOL|FYI|GA|GAL|GALLERY|GALLO|GALLUP|GAME|GAMES|GARDEN|GB|GBIZ|GD|GDN|GE|GEA|GENT|GENTING|GF|GG|GGEE|GH|GI|GIFT|GIFTS|GIVES|GIVING|GL|GLASS|GLE|GLOBAL|GLOBO|GM|GMAIL|GMBH|GMO|GMX|GN|GOLD|GOLDPOINT|GOLF|GOO|GOOG|GOOGLE|GOP|GOT|GOV|GP|GQ|GR|GRAINGER|GRAPHICS|GRATIS|GREEN|GRIPE|GROUP|GS|GT|GU|GUARDIAN|GUCCI|GUGE|GUIDE|GUITARS|GURU|GW|GY|HAMBURG|HANGOUT|HAUS|HDFCBANK|HEALTH|HEALTHCARE|HELP|HELSINKI|HERE|HERMES|HIPHOP|HISAMITSU|HITACHI|HIV|HK|HKT|HM|HN|HOCKEY|HOLDINGS|HOLIDAY|HOMEDEPOT|HOMES|HONDA|HORSE|HOST|HOSTING|HOTELES|HOTMAIL|HOUSE|HOW|HR|HSBC|HT|HTC|HU|HYUNDAI|IBM|ICBC|ICE|ICU|ID|IE|IFM|IINET|IL|IM|IMAMAT|IMMO|IMMOBILIEN|IN|INDUSTRIES|INFINITI|INFO|ING|INK|INSTITUTE|INSURANCE|INSURE|INT|INTERNATIONAL|INVESTMENTS|IO|IPIRANGA|IQ|IR|IRISH|IS|ISELECT|ISMAILI|IST|ISTANBUL|IT|ITAU|IWC|JAGUAR|JAVA|JCB|JCP|JE|JETZT|JEWELRY|JLC|JLL|JM|JMP|JNJ|JO|JOBS|JOBURG|JOT|JOY|JP|JPMORGAN|JPRS|JUEGOS|KAUFEN|KDDI|KE|KERRYHOTELS|KERRYLOGISTICS|KERRYPROPERTIES|KFH|KG|KH|KI|KIA|KIM|KINDER|KITCHEN|KIWI|KM|KN|KOELN|KOMATSU|KP|KPMG|KPN|KR|KRD|KRED|KUOKGROUP|KW|KY|KYOTO|KZ|LA|LACAIXA|LAMBORGHINI|LAMER|LANCASTER|LAND|LANDROVER|LANXESS|LASALLE|LAT|LATROBE|LAW|LAWYER|LB|LC|LDS|LEASE|LECLERC|LEGAL|LEXUS|LGBT|LI|LIAISON|LIDL|LIFE|LIFEINSURANCE|LIFESTYLE|LIGHTING|LIKE|LIMITED|LIMO|LINCOLN|LINDE|LINK|LIPSY|LIVE|LIVING|LIXIL|LK|LOAN|LOANS|LOCKER|LOCUS|LOL|LONDON|LOTTE|LOTTO|LOVE|LR|LS|LT|LTD|LTDA|LU|LUPIN|LUXE|LUXURY|LV|LY|MA|MADRID|MAIF|MAISON|MAKEUP|MAN|MANAGEMENT|MANGO|MARKET|MARKETING|MARKETS|MARRIOTT|MATTEL|MBA|MC|MD|ME|MED|MEDIA|MEET|MELBOURNE|MEME|MEMORIAL|MEN|MENU|MEO|METLIFE|MG|MH|MIAMI|MICROSOFT|MIL|MINI|MK|ML|MLB|MLS|MM|MMA|MN|MO|MOBI|MOBILY|MODA|MOE|MOI|MOM|MONASH|MONEY|MONTBLANC|MORMON|MORTGAGE|MOSCOW|MOTORCYCLES|MOV|MOVIE|MOVISTAR|MP|MQ|MR|MS|MT|MTN|MTPC|MTR|MU|MUSEUM|MUTUAL|MUTUELLE|MV|MW|MX|MY|MZ|NA|NADEX|NAGOYA|NAME|NATURA|NAVY|NC|NE|NEC|NET|NETBANK|NETFLIX|NETWORK|NEUSTAR|NEW|NEWS|NEXT|NEXTDIRECT|NEXUS|NF|NG|NGO|NHK|NI|NICO|NIKON|NINJA|NISSAN|NISSAY|NL|NO|NOKIA|NORTHWESTERNMUTUAL|NORTON|NOWRUZ|NOWTV|NP|NR|NRA|NRW|NTT|NU|NYC|NZ|OBI|OFFICE|OKINAWA|OLAYAN|OLAYANGROUP|OLLO|OM|OMEGA|ONE|ONG|ONL|ONLINE|OOO|ORACLE|ORANGE|ORG|ORGANIC|ORIGINS|OSAKA|OTSUKA|OTT|OVH|PA|PAGE|PAMPEREDCHEF|PANERAI|PARIS|PARS|PARTNERS|PARTS|PARTY|PASSAGENS|PCCW|PE|PET|PF|PG|PH|PHARMACY|PHILIPS|PHOTO|PHOTOGRAPHY|PHOTOS|PHYSIO|PIAGET|PICS|PICTET|PICTURES|PID|PIN|PING|PINK|PIONEER|PIZZA|PK|PL|PLACE|PLAY|PLAYSTATION|PLUMBING|PLUS|PM|PN|POHL|POKER|PORN|POST|PR|PRAXI|PRESS|PRO|PROD|PRODUCTIONS|PROF|PROGRESSIVE|PROMO|PROPERTIES|PROPERTY|PROTECTION|PS|PT|PUB|PW|PWC|PY|QA|QPON|QUEBEC|QUEST|RACING|RE|READ|REALESTATE|REALTOR|REALTY|RECIPES|RED|REDSTONE|REDUMBRELLA|REHAB|REISE|REISEN|REIT|REN|RENT|RENTALS|REPAIR|REPORT|REPUBLICAN|REST|RESTAURANT|REVIEW|REVIEWS|REXROTH|RICH|RICHARDLI|RICOH|RIO|RIP|RO|ROCHER|ROCKS|RODEO|ROOM|RS|RSVP|RU|RUHR|RUN|RW|RWE|RYUKYU|SA|SAARLAND|SAFE|SAFETY|SAKURA|SALE|SALON|SAMSUNG|SANDVIK|SANDVIKCOROMANT|SANOFI|SAP|SAPO|SARL|SAS|SAXO|SB|SBI|SBS|SC|SCA|SCB|SCHAEFFLER|SCHMIDT|SCHOLARSHIPS|SCHOOL|SCHULE|SCHWARZ|SCIENCE|SCOR|SCOT|SD|SE|SEAT|SECURITY|SEEK|SELECT|SENER|SERVICES|SEVEN|SEW|SEX|SEXY|SFR|SG|SH|SHARP|SHAW|SHELL|SHIA|SHIKSHA|SHOES|SHOP|SHOUJI|SHOW|SHRIRAM|SI|SINA|SINGLES|SITE|SJ|SK|SKI|SKIN|SKY|SKYPE|SL|SM|SMILE|SN|SNCF|SO|SOCCER|SOCIAL|SOFTBANK|SOFTWARE|SOHU|SOLAR|SOLUTIONS|SONG|SONY|SOY|SPACE|SPIEGEL|SPOT|SPREADBETTING|SR|SRL|ST|STADA|STAR|STARHUB|STATEBANK|STATEFARM|STATOIL|STC|STCGROUP|STOCKHOLM|STORAGE|STORE|STREAM|STUDIO|STUDY|STYLE|SU|SUCKS|SUPPLIES|SUPPLY|SUPPORT|SURF|SURGERY|SUZUKI|SV|SWATCH|SWISS|SX|SY|SYDNEY|SYMANTEC|SYSTEMS|SZ|TAB|TAIPEI|TALK|TAOBAO|TATAMOTORS|TATAR|TATTOO|TAX|TAXI|TC|TCI|TD|TEAM|TECH|TECHNOLOGY|TEL|TELECITY|TELEFONICA|TEMASEK|TENNIS|TEST|TEVA|TF|TG|TH|THD|THEATER|THEATRE|TICKETS|TIENDA|TIFFANY|TIPS|TIRES|TIROL|TJ|TK|TL|TM|TMALL|TN|TO|TODAY|TOKYO|TOOLS|TOP|TORAY|TOSHIBA|TOTAL|TOURS|TOWN|TOYOTA|TOYS|TR|TRADE|TRADING|TRAINING|TRAVEL|TRAVELERS|TRAVELERSINSURANCE|TRUST|TRV|TT|TUBE|TUI|TUNES|TUSHU|TV|TVS|TW|TZ|UA|UBS|UG|UK|UNICOM|UNIVERSITY|UNO|UOL|UPS|US|UY|UZ|VA|VACATIONS|VANA|VC|VE|VEGAS|VENTURES|VERISIGN|VERSICHERUNG|VET|VG|VI|VIAJES|VIDEO|VIG|VIKING|VILLAS|VIN|VIP|VIRGIN|VISION|VISTA|VISTAPRINT|VIVA|VLAANDEREN|VN|VODKA|VOLKSWAGEN|VOTE|VOTING|VOTO|VOYAGE|VU|VUELOS|WALES|WALTER|WANG|WANGGOU|WARMAN|WATCH|WATCHES|WEATHER|WEATHERCHANNEL|WEBCAM|WEBER|WEBSITE|WED|WEDDING|WEIBO|WEIR|WF|WHOSWHO|WIEN|WIKI|WILLIAMHILL|WIN|WINDOWS|WINE|WME|WOLTERSKLUWER|WORK|WORKS|WORLD|WS|WTC|WTF|XBOX|XEROX|XIHUAN|XIN|XN–11B4C3D|XN–1CK2E1B|XN–1QQW23A|XN–30RR7Y|XN–3BST00M|XN–3DS443G|XN–3E0B707E|XN–3PXU8K|XN–42C2D9A|XN–45BRJ9C|XN–45Q11C|XN–4GBRIM|XN–55QW42G|XN–55QX5D|XN–5TZM5G|XN–6FRZ82G|XN–6QQ986B3XL|XN–80ADXHKS|XN–80AO21A|XN–80ASEHDB|XN–80ASWG|XN–8Y0A063A|XN–90A3AC|XN–90AIS|XN–9DBQ2A|XN–9ET52U|XN–9KRT00A|XN–B4W605FERD|XN–BCK1B9A5DRE4C|XN–C1AVG|XN–C2BR7G|XN–CCK2B3B|XN–CG4BKI|XN–CLCHC0EA0B2G2A9GCD|XN–CZR694B|XN–CZRS0T|XN–CZRU2D|XN–D1ACJ3B|XN–D1ALF|XN–E1A4C|XN–ECKVDTC9D|XN–EFVY88H|XN–ESTV75G|XN–FCT429K|XN–FHBEI|XN–FIQ228C5HS|XN–FIQ64B|XN–FIQS8S|XN–FIQZ9S|XN–FJQ720A|XN–FLW351E|XN–FPCRJ9C3D|XN–FZC2C9E2C|XN–FZYS8D69UVGM|XN–G2XX48C|XN–GCKR3F0F|XN–GECRJ9C|XN–H2BRJ9C|XN–HXT814E|XN–I1B6B1A6A2E|XN–IMR513N|XN–IO0A7I|XN–J1AEF|XN–J1AMH|XN–J6W193G|XN–JLQ61U9W7B|XN–JVR189M|XN–KCRX77D1X4A|XN–KPRW13D|XN–KPRY57D|XN–KPU716F|XN–KPUT3I|XN–L1ACC|XN–LGBBAT1AD8J|XN–MGB9AWBF|XN–MGBA3A3EJT|XN–MGBA3A4F16A|XN–MGBA7C0BBN0A|XN–MGBAAM7A8H|XN–MGBAB2BD|XN–MGBAYH7GPA|XN–MGBB9FBPOB|XN–MGBBH1A71E|XN–MGBC0A9AZCG|XN–MGBCA7DZDO|XN–MGBERP4A5D4AR|XN–MGBPL2FH|XN–MGBT3DHD|XN–MGBTX2B|XN–MGBX4CD0AB|XN–MIX891F|XN–MK1BU44C|XN–MXTQ1M|XN–NGBC5AZD|XN–NGBE9E0A|XN–NODE|XN–NQV7F|XN–NQV7FS00EMA|XN–NYQY26A|XN–O3CW4H|XN–OGBPF8FL|XN–P1ACF|XN–P1AI|XN–PBT977C|XN–PGBS0DH|XN–PSSY2U|XN–Q9JYB4C|XN–QCKA1PMC|XN–QXAM|XN–RHQV96G|XN–ROVU88B|XN–S9BRJ9C|XN–SES554G|XN–T60B56A|XN–TCKWE|XN–UNUP4Y|XN–VERMGENSBERATER-CTB|XN–VERMGENSBERATUNG-PWB|XN–VHQUV|XN–VUQ861B|XN–W4R85EL8FHU5DNRA|XN–W4RS40L|XN–WGBH1C|XN–WGBL6A|XN–XHQ521B|XN–XKC2AL3HYE2A|XN–XKC2DL3A5EE0H|XN–Y9A3AQ|XN–YFRO4I67O|XN–YGBI2AMMX|XN–ZFR164B|XPERIA|XXX|XYZ|YACHTS|YAHOO|YAMAXUN|YANDEX|YE|YODOBASHI|YOGA|YOKOHAMA|YOU|YOUTUBE|YT|YUN|ZA|ZAPPOS|ZARA|ZERO|ZIP|ZM|ZONE|ZUERICH|ZW’;
private $api = false;
private $db = false;
public function __sleep(){
$this->writeHosts();
return array(‘debug’, ‘errorMsg’, ‘table’, ‘apiKey’, ‘wordpressVersion’, ‘dRegex’);
}
public function __wakeup(){
$this->hostsToAdd = new wfArray(array(‘owner’, ‘host’, ‘path’, ‘hostKey’));
$this->api = new wfAPI($this->apiKey, $this->wordpressVersion);
$this->db = new wfDB();
}
public function __construct($apiKey, $wordpressVersion, $db = false){
$this->hostsToAdd = new wfArray(array(‘owner’, ‘host’, ‘path’, ‘hostKey’));
$this->apiKey = $apiKey;
$this->wordpressVersion = $wordpressVersion;
$this->api = new wfAPI($apiKey, $wordpressVersion);
if($db){
$this->db = $db;
} else {
$this->db = new wfDB();
}
global $wpdb;
if(isset($wpdb)){
$this->table = $wpdb->base_prefix . ‘wfHoover’;
} else {
$this->table = ‘wp_wfHoover’;
}
$this->db->truncate($this->table);
}
public function cleanup(){
$this->db->truncate($this->table);
}
public function hoover($id, $data){
if(strpos($data, ‘.’) === false){
return;
}
$this->currentHooverID = $id;
try {
@preg_replace_callback(“/(?<=^|[^a-zA-Z0-9\-])(?:[a-z][a-z0-9\-\+\.]*\:)?\/\/((?:[a-zA-Z0-9\-]+\.)+)(” . $this->dRegex . “)($|[\r\n\s\t]|[\/\?][^\r\n\s\t\”\’\$\{\}<>]*)/i”, array($this, ‘addHost’), $data);
//((?:$|[^a-zA-Z0-9\-\.\’\”])[^\r\n\s\t\”\’\$\{\}<>]*)
//”\$this->” . “addHost(\$id, ‘$1$2’, ‘$3’)”, $data);
} catch(Exception $e){
//error_log(“Regex error 1: $e”);
}
@preg_replace_callback(“/(?<=[^\d]|^)(\d{8,10}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})($|[\r\n\s\t]|\/[^\r\n\s\t\”\’\$\{\}<>]*)/”, array($this, ‘addIP’), $data);
//([^\d\’\”][^\r\n\s\t\”\’\$\{\}<>]*)
//”\$this->” . “addIP(\$id, \”$1\”,\”$2\”)”, $data);
$this->writeHosts();
}
private function dbg($msg){
if($this->debug){
//error_log(“DEBUG: $msg\n”);
}
}
public function addHost($matches){
$id = $this->currentHooverID;
$host = $matches[1] . $matches[2];
$path = $matches[3];
if(strpos($path, ‘/’) !== 0){
$path = ‘/’;
} else {
$path = preg_replace_callback(‘/([^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\’\(\)\*\+\,;\=]+)/’, ‘wordfenceURLHoover::urlenc’, $path);
}
$host = strtolower($host);
$hostParts = explode(‘.’, $host);
if(sizeof($hostParts) == 2){
$hostKey = substr(hash(‘sha256’, $hostParts[0] . ‘.’ . $hostParts[1] . ‘/’, true), 0, 4);
$this->hostsToAdd->push(array(‘owner’ => $id, ‘host’ => $host, ‘path’ => $path, ‘hostKey’ => $hostKey));
} else if(sizeof($hostParts) > 2){
$hostKeyThreeParts = substr(hash(‘sha256’,$hostParts[sizeof($hostParts) – 3] . ‘.’ . $hostParts[sizeof($hostParts) – 2] . ‘.’ . $hostParts[sizeof($hostParts) – 1] . ‘/’, true), 0, 4);
$hostKeyTwoParts = substr(hash(‘sha256’, $hostParts[sizeof($hostParts) – 2] . ‘.’ . $hostParts[sizeof($hostParts) – 1] . ‘/’, true), 0, 4);
$this->hostsToAdd->push(array(‘owner’ => $id, ‘host’ => $host, ‘path’ => $path, ‘hostKey’ => $hostKeyThreeParts));
$this->hostsToAdd->push(array(‘owner’ => $id, ‘host’ => $host, ‘path’ => $path, ‘hostKey’ => $hostKeyTwoParts));
}
if($this->hostsToAdd->size() > 1000){ $this->writeHosts(); }
}
public function addIP($matches){
$id = $this->currentHooverID;
$ipdata = $matches[1];
$path = $matches[2];
$this->dbg(“Add IP called with $ipdata $path”);
if(strstr($ipdata, ‘.’) === false){
if($ipdata >= 16777216 && $ipdata <= 4026531840){
$ipdata = long2ip($ipdata);
} else {
return; //Is int but invalid address.
}
}
$parts = explode(‘.’, $ipdata);
foreach($parts as $part){
if($part < 0 || $part > 255){
return;
}
}
if(wfUtils::isPrivateAddress($ipdata) ){
return;
}
if(strlen($path) == 1){
$path = ‘/’; //Because it’s either a whitespace char or a / anyway.
} else if(strlen($path) > 1){
$path = preg_replace_callback(‘/([^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\’\(\)\*\+\,;\=]+)/’, ‘wordfenceURLHoover::urlenc’, $path);
}
$hostKey = substr(hash(‘sha256’, $ipdata . ‘/’, true), 0, 4);
$this->hostsToAdd->push(array(‘owner’ => $id, ‘host’ => $ipdata, ‘path’ => $path, ‘hostKey’ => $hostKey));
if($this->hostsToAdd->size() > 1000){ $this->writeHosts(); }
}
public static function urlenc($m){
return urlencode($m[1]);
}
private function writeHosts(){
if($this->hostsToAdd->size() < 1){ return; }
if($this->useDB){
$sql = “insert into ” . $this->table . ” (owner, host, path, hostKey) values “;
while($elem = $this->hostsToAdd->shift()){
//This may be an issue for hyperDB or other abstraction layers, but leaving it for now.
$sql .= sprintf(“(‘%s’, ‘%s’, ‘%s’, ‘%s’),”,
$this->db->realEscape($elem[‘owner’]),
$this->db->realEscape($elem[‘host’]),
$this->db->realEscape($elem[‘path’]),
$this->db->realEscape($elem[‘hostKey’])
);
}
$sql = rtrim($sql, ‘,’);
$this->db->queryWrite($sql);
} else {
while($elem = $this->hostsToAdd->shift()){
$this->hostKeys[] = $elem[‘hostKey’];
$this->hostList[] = array(
‘owner’ => $elem[‘owner’],
‘host’ => $elem[‘host’],
‘path’ => $elem[‘path’],
‘hostKey’ => $elem[‘hostKey’]
);
}
}
}
public function getBaddies(){
$allHostKeys = array();
if($this->useDB){
$q1 = $this->db->querySelect(“select distinct hostKey as hostKey from $this->table”);
foreach($q1 as $hRec){
$allHostKeys[] = $hRec[‘hostKey’];
}
} else {
$allHostKeys = $this->hostKeys;
}
//Now call API and check if any hostkeys are bad.
//This is a shortcut, because if no hostkeys are bad it saves us having to check URLs
if(sizeof($allHostKeys) > 0){ //If we don’t have any hostkeys, then we won’t have any URL’s to check either.
//Hostkeys are 4 byte sha256 prefixes
//Returned value is 2 byte shorts which are array indexes for bad keys that were passed in the original list
$this->dbg(“Checking ” . sizeof($allHostKeys) . ” hostkeys”);
if($this->debug){
foreach($allHostKeys as $key){
$this->dbg(“Checking hostkey: ” . bin2hex($key));
}
}
wordfence::status(2, ‘info’, “Checking ” . sizeof($allHostKeys) . ” host keys against Wordfence scanning servers.”);
$resp = $this->api->binCall(‘check_host_keys’, implode(”, $allHostKeys));
wordfence::status(2, ‘info’, “Done host key check.”);
$this->dbg(“Done hostkey check”);

$badHostKeys = array();
if($resp[‘code’] == 200){
if(strlen($resp[‘data’]) > 0){
$dataLen = strlen($resp[‘data’]);
if($dataLen % 2 != 0){
$this->errorMsg = “Invalid data length received from Wordfence server: ” . $dataLen;
return false;
}
for($i = 0; $i < $dataLen; $i += 2){
$idxArr = unpack(‘n’, substr($resp[‘data’], $i, 2));
$idx = $idxArr[1];
if(isset($allHostKeys[$idx]) ){
$badHostKeys[] = $allHostKeys[$idx];
$this->dbg(“Got bad hostkey for record: ” . var_export($allHostKeys[$idx], true));
} else {
$this->dbg(“Bad allHostKeys index: $idx”);
$this->errorMsg = “Bad allHostKeys index: $idx”;
return false;
}
}
}
} else {
$this->errorMsg = “Wordfence server responded with an error. HTTP code ” . $resp[‘code’] . ” and data: ” . $resp[‘data’];
return false;
}
if(sizeof($badHostKeys) > 0){
$urlsToCheck = array();
$totalURLs = 0;
//need to figure out which id’s have bad hostkeys
//need to feed in all URL’s from those id’s where the hostkey matches a URL
foreach($badHostKeys as $badHostKey){
if($this->useDB){
//Putting a 10000 limit in here for sites that have a huge number of items with the same URL that repeats.
// This is an edge case. But if the URLs are malicious then presumably the admin will fix the malicious URLs
// and on subsequent scans the items (owners) that are above the 10000 limit will appear.
$q1 = $this->db->querySelect(“select owner, host, path from $this->table where hostKey=’%s’ limit 10000”, $badHostKey);
foreach($q1 as $rec){
$url = ‘https://&#8217; . $rec[‘host’] . $rec[‘path’];
if(! isset($urlsToCheck[$rec[‘owner’]])){
$urlsToCheck[$rec[‘owner’]] = array();
}
if(! in_array($url, $urlsToCheck[$rec[‘owner’]])){
$urlsToCheck[$rec[‘owner’]][] = $url;
$totalURLs++;
}
}
} else {
foreach($this->hostList as $rec){
if($rec[‘hostKey’] == $badHostKey){
$url = ‘https://&#8217; . $rec[‘host’] . $rec[‘path’];
if(! isset($urlsToCheck[$rec[‘owner’]])){
$urlsToCheck[$rec[‘owner’]] = array();
}
if(! in_array($url, $urlsToCheck[$rec[‘owner’]])){
$urlsToCheck[$rec[‘owner’]][] = $url;
$totalURLs++;
}
}
}
}
}

if(sizeof($urlsToCheck) > 0){
wordfence::status(2, ‘info’, “Checking ” . $totalURLs . ” URLs from ” . sizeof($urlsToCheck) . ” sources.”);
$badURLs = $this->api->call(‘check_bad_urls’, array(), array( ‘toCheck’ => json_encode($urlsToCheck)) );
wordfence::status(2, ‘info’, “Done URL check.”);
$this->dbg(“Done URL check”);
if(is_array($badURLs) && sizeof($badURLs) > 0){
$finalResults = array();
foreach($badURLs as $file => $badSiteList){
if(! isset($finalResults[$file])){
$finalResults[$file] = array();
}
foreach($badSiteList as $badSite){
$finalResults[$file][] = array(
‘URL’ => $badSite[0],
‘badList’ => $badSite[1]
);
}
}
return $finalResults;
} else {
return array();
}
} else {
return array();
}
} else {
return array();
}
} else {
return array();
}
}
}
?>

Sorry, I can’t risk taking the site down again. Your upgrade seemed like a test of some sort anyway. Wish I could help you reproduce the error. Shoot me an email and I’ll reply with debugging info.

Update

Renamed folders and uploaded older version of plugin(ftp), reactivated plugins(dashboard) and the site is back up.

WP RSS Agreggator Tech Support was fast. Thanks Mark

You can ignore my previous post from the last time you updated your software.

If you make changes and those changes can take down a site, could you maybe mention that in your changelog? Or maybe stop charging until you get your release process sorted out. This could not have come at a worse time. Was counting on you.

Which files were changed and what changed in those files? I need to fix this now.

Fatal error: Call to undefined function wprss_autoloader() in /home/public_html/domain.org/wp-content/plugins/wp-rss-full-text-feeds/wp-rss-full-text.php on line 83

Just upgraded, got this error. Your change log seemed innocuous but it took down our entire site.

Fatal error: Call to undefined function wprss_autoloader() in /public_html/domainname.org/wp-content/plugins/wp-rss-full-text-feeds/wp-rss-full-text.php on line 83

Is it possible to revert to the previous version?

Hi Brian, thanks, yes, Enabled and Protecting. To be clear, I don’t think I’m alone in the hacking attempts on siteground. However, I keep everything updated, passwords are strong and my machine is clean. The attacks don’t seem to be slowed with waf and really strong options set in wf options. Our sites running ssl seem to be immune.

The only thing that didn’t work was your plugin. You didn’t help, at all. You were arrogant on the phone.

As a former realtor and a web dev for 20 yrs I have mls idx experience. My concern was whether or not you were even a legit company. I already changed plugins back to iHomefinder and it’s working as I hoped.

A theme dev recommended your plugin and I suppose since you took the opportunity to correct me, again, I’ll share my experience with him. It’s your sales process that needs work. I had been trying to buy your plugin for a week.

You took our conversation from professional to personal when you said, “do whatcha gotta do, brent.” That was priceless and salesless.

It’s your business and as the owner you can do whatever you like with your business. I’m just doing what I gotta do in the hopes that others don’t make the same mistake before they need tech support from you. I think you’re my second one star review in over ten years of buying plugins for WordPress.

Yeah, you’re awesome Sean.

What does it do? Can you add some details to the plugin page?

the extensions I bought keep getting reset to “deactivated” mode. it’s one of the sketchiest plugins to update because it has broken links to sites and reset branding options in client dashboards. I just don’t know how it works.

For example, when does the seo data get updated? What’s the data source?

We still get zeros for sites that are reported as having high page authority, page rank, trust ranks etc.

The folks from mainwp are responsive until you insist on a real answer or want your money back. That’s my experience.

My recommendation to mainwp is to focus less on selling half-baked plugins and focus more on core features.

Thanks for the update.

After updating I went to delete some spam registrations and got the following error:

Warning: fnmatch(): Filename exceeds the maximum allowed length of 4096 characters in /home/grencoll/public_html/wp-content/plugins/wordfence/lib/wfUtils.php on line 586

Hoping this is helpful.

@businesspointca

It’s related to the thread topic, not your specific issue. Thanks for creating a new topic.

heads up… the “Referer (website visitor arrived from) that matches:” input field is now truncated on the “Advanced Blocking” page.

Clarification: User input is truncated.

Also note misspelling.

Thanks!

I clicked a link you put in my dash and it lead to a broken link that you also created. Yeah, see how quickly it gets fixed blaming the customer and their web host.

Way to win me over.

Btw, 3 of the 4 plugins customers have forced me to buy from you don’t work. I’ll call my web host and see if they can fix that too.

Thanks MainWP, I used your support in the past. I wasn’t trying to do that again.