Forum Replies Created

Viewing 15 replies - 1 through 15 (of 15 total)
  • Thread Starter z2zoop

    (@z2zoop)

    Both PHP value and WordPress Config were set to 1024M, confirmed by checking the site health screen.

    During a test having it set to even 2048M, one of the errors we caught reads “Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 2400848 bytes) in ~/public_html/wp-content/wflogs/rules.php on line 4937.”

    The 134217728 bytes translates to roughly 128M, which seems to be a current limit when Wordfence is running. After some digging around, 128M is the PHP default setting. In phpinfo() it mentions 2048M as the local value and 128M as the master value. So it’s weird for Wordfence to be using the wrong limit (it should be running as the same process as anything else PHP). Any ideas?

    This is 1 site on 1 server, so we can increase the global setting and see if that makes a difference.

    Regardless, my original question about making Wordfence less demanding still stands; wanting to allocate more than 128M per view when a frontend user loads a page is simply too much. Can it be set to ignore the newly created cache files? Or at least don’t log the file changes; these cache files usually don’t exist longer than an hour, so it’s of no use for Wordfence to keep track of them.

    Thread Starter z2zoop

    (@z2zoop)

    Then you definitely need to test your integrations better; whether it’s Cloudflare’s fault or not, you offer the implementation, and it doesn’t work properly.

    Even as bad as Wordfence has gotten lately, it never locked the admin completely. Saying “Getting locked out could be caused by any number of options being turned on and then triggering them rules” is not the excuse you think it is. This shouldn’t be happening, period. I got hundreds of sites, willing to pay for decent plugins, I’m not about to go figure this out for each and every single one of them. I tested AIOS out as an alternative for Wordfence, and it doesn’t suffice as it gave several problems within a few days of using it. That’s simply unacceptable.

    Asking every single person here that complains to send in a ticket so no-one else will ever see the answers to it, is also horrible business practice. You now got an internet full of people asking questions and complaining and never any solutions posted with them just “send us a ticket”. Seriously, google a random error and your business name, and you’ll only see negative stuff (without solutions) because you choose to solve problems this way.

    In any case, I’ve already moved on to try other plugins, it’s not like your plugin is the only one or the best one. First impressions matter a great deal and my first impression is that I got zero faith in this plugin (that’s just a tiny fraction less faith I have in Wordfence at the moment).

    Thread Starter z2zoop

    (@z2zoop)

    Hi Peter,

    Your first paragraph exactly describes the situation, the scan page now has “wordfence scan deactivated” title and a button “enable automatic scans” underneath it. So that confirms it’s properly saved, but it still scans regardless. All sites showing the same behavior. So how to disable automatic scans altogether? I’m almost tempted to just disable the cron job.

    We have 100+ WordPress sites running divided over 3 self managed VPS servers, and on all of it, it’s Wordfence that hogs it all down. They all approximately start scanning at the same time during business hours (8 / 9 in the morning) and it makes websites unreachable.

    WP memory limit varies between 256M (minimum) and 1GB depending per site and having a whopping 16GB RAM available per server. Some sites run at a max execution time of 30 (which is default), the slightly heavier ones run at a maximum of 60. Scanning files outside folder is disabled on all sites (which was a good suggestion to check). I’ve reviewed your screenshot, only maximum execution for each scan stage was left blank, so 0 by default, the rest the same. There’s no problem with the amount of time it takes, just that it all comes at the same time.

    These performance issues started arising a few months ago (we have been using it for years (10?), performance issues are new, everything was scanning simultaneously in the past too, without issues), I’m guessing Wordfence had some major changes recently. We were considering buying Wordfence Pro for these sites, but seeing the difficulties we are facing right now we have put that decision on hold (especially since it involves a small fortune to cover all our sites).

    So back to the issue at hand, to solve these performance issues we need to be able to manage Wordfence, starting with disabling scans, this is broken in the plugin. How do we proceed?

    Thread Starter z2zoop

    (@z2zoop)

    Just noticed other non-network sites behave the same way. Wordfence always scans ALL the sites en masse at the start of the business day (horrible timing), the setting to disable automatic scans is completely ignored.

    Since you didn’t get an answer yet, I’ll share this tip:

    Do you have any server access? Temporarily disabling the plugin by FTP or SSH (by renaming or removing the folder in wp-content/plugins) is always a sure-shot way to get around it and get logged in. Once you’re logged in, you can re-enable / re-install the plugin and continue as normal.

    No one else answered yet, waiting on my own post to get answered, I figured I’d share my 2 cents.

    What you are seeing is bots trying well known exploits on your site to see if your site is vulnerable. So those URLs you see in the log entries might have worked on a vulnerable website, but hopefully not on your site (most likely not, since Wordfence caught it). Revolution slider, for example, is/was a plugin that has/had tons of security holes in it. Hence bots like to try if you happen to have it (the revslider_show_image part in your logs).

    It is just an attempt, it does not say anything about your site itself. Those AJAX calls responding with a 200 are pretty normal (the bot probably only gets a “0” as response, most of the time) and the 301’s are probably just WordPress redirecting the user to another page (in some cases, if you make a typo in your URL, WordPress won’t give you a 404, but redirects you to the URL closest to a working URL instead), usually the homepage.

    Thus far I don’t see anything to be concerned about. Just a bunch of bots feeling around blindfolded (obviously this was already happening without Wordfence) and getting kicked out by Wordfence and reported.

    Hope this was helpful!
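
A triage sketch for the log entries described in the reply above, added here as an example and not part of the original post or of Wordfence. It assumes Apache/nginx "combined" access-log lines (the sample lines are constructed) and treats a 200 with a one-byte body as the "0" reply mentioned above; only actions passed in the query string are visible this way.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" log format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:08:01:11 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image HTTP/1.1" 200 1 "-" "bot/1.0"
203.0.113.7 - - [12/Mar/2024:08:01:12 +0000] "GET /contcat/ HTTP/1.1" 301 0 "-" "bot/1.0"
198.51.100.20 - - [12/Mar/2024:08:02:40 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:08:03:05 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image HTTP/1.1" 200 3482 "-" "bot/1.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Actions to watch; only the one named in the post is listed here.
WATCHED_ACTIONS = {"revslider_show_image"}

def triage(log_text):
    """Return (findings, status_counts) for requests to watched AJAX actions."""
    findings, statuses = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/admin-ajax.php"):
            continue
        action = parse_qs(url.query).get("action", [""])[0]
        if action not in WATCHED_ACTIONS:
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        statuses[status] += 1
        # A 200 with a one-byte body matches the bare "0" reply for an action
        # nothing handles; a larger 200 body means something answered.
        verdict = "probe-only" if status != 200 or size <= 1 else "review"
        findings.append((m["ip"], action, status, size, verdict))
    return findings, statuses

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)[0]:
        print(finding)
```

Entries marked "review" are the ones where the status code alone is not enough to call the request a harmless attempt.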

    That’s because it has a critical error on this page, and the rest of the page (including the save button) does not appear.

    This is because it’s trying to access values that might not have been set yet (if you have saved these settings before, then there is no issue).

    Temporary workaround, make sure to be able to undo these changes:
    In /wp-content/plugins/http-headers/views/includes
    Edit csp-src.inc.php, remove line 84
    Edit csp-text.inc.php, remove line 2.

    Use the plugin, and save the settings page (the button should be there now). Afterwards, undo the changes I just mentioned. If you want to change more, then there should no longer be an issue, since the plugin has the values now it was trying to access.

    If you encounter any more problems this way, enable WP_DEBUG in your wp-config.php, so the errors show. Remove the line it’s complaining about, submit the settings page, and then undo that change.

    Would be nice to hear from the developer for more permanent solutions.

    Hope this helped!

    Thread Starter z2zoop

    (@z2zoop)

    @virgial Deleted the plugin, re-installed, issue solved.
    A website that auto-updated a few minutes later also had no issues.
    Thanks for swift response,

    (Greetings from Zeeland)

    Thread Starter z2zoop

    (@z2zoop)

    So if I understand correctly, the problem was during a 2 minute window, and a few sites of mine managed to update exactly during that window? Hah, just my luck.

    So any other update scheduled later should have no problem? Thanks for your swift reply.

    z2zoop

    (@z2zoop)

    You’re the developer?? I don’t know either, but it would make sense why you could not reproduce it, but then again, the error is quite straightforward (missing/can’t find file).

    You should imagine that most of us already had a working version of the plugin installed, added custom themes and settings and then it broke after an update. Simply running the latest version on a clean WordPress might not be enough to reproduce it (especially if it DOES find the header in your case, maybe something breaks during updating or something).

    z2zoop

    (@z2zoop)

    Sorry, moved on long ago after going without an answer for so long. There are plenty of alternative plugins that do the same, so that’s what I went with.

    But off the top of my head, I’m thinking it has something to do with having custom email themes. If that’s the case, it needs better debugging messages because it only shows an error in one of the core files. Some kind of validation on the theme should be pretty much mandatory.

    Any news if this ever is going to get fixed? It’s a simple include that is failing … after months it’s still present. A few months ago I was considering buying this plugin, but without any word from the developer about a bug that completely breaks the plugin? This is getting insane … The plugin mentions it should be compatible with the latest WordPress, but it has obviously never been tested!

    Reported this 2 weeks ago, no reply whatsoever.
    Still running an old version on several sites.

    Funny, was thinking to buy the plugin for pro support. I think I’ll be looking for another plugin instead.

    Managed to fix this by changing the Invoice number type to WooCommerce Ordernumber, the autonumbering by the plugin itself seems to be horribly bugged.

    Any updates on this? The error is about receiving malformed JSON on a shop order, instead of a JSON response it gives an error that the PDF already exists and needs to be deleted (but it just got generated when the order was made, so this makes little sense). This error is in plain text, therefore it gives a syntax error.
