• Resolved Floris

    (@florismk)


    Since I started using WP Super Cache, it happens often (almost monthly) that WordFence finds malware (PD9) in cached pages. It’s good news that it’s getting caught, of course, but bad news that it’s there at all. WordFence never found malware on my sites before I installed WP Super Cache. How and why does this happen, and how do I keep it from happening?

    Note: I keep WP Core and my plugins and themes religiously up-to-date.

    PS: Apparently, tagging with ‘WordFence’ is not permitted?

    • This topic was modified 6 months, 1 week ago by Floris.
    • This topic was modified 6 months, 1 week ago by Floris.

    The page I need help with: [log in to see the link]

Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Support Tamirat B. (a11n)

    (@tamirat22)

    Hello @florismk,

    Thanks for reaching out to us and reporting this.

    Can you tell us more about the security threats/reports you got from Wordfence regarding WP Super Cache? Can you share a screenshot or text copy of what the threat reports actually say?

    Look forward to hearing from you!

    Hi,

    Your site is infected by something. The code that malware adds to the pages of your site is being called by this plugin and thankfully getting detected then.

    I find your other thread here: https://www.ads-software.com/support/topic/supercache-file-critical-warning-2/

    I don’t know why your site is being targeted but there’s some vulnerability there that an attacker is taking advantage of. It’s not this plugin that is vulnerable, as far as we are aware. We would have received many more reports of this happening if that were the case.

    If you have other software installed on your server besides WordPress that may be vulnerable, or if you have custom code there may be vulnerabilities in it.

    Thread Starter Floris

    (@florismk)

    Hi @tamirat22, thanks for your response! The report says something along these lines (with the file name varying):

    /mnt/web003/e2/70/511363570/htdocs/floriskleijne.nl/wp-content/cache/supercache/www.floriskleijne.nl/meta-wp-cache-3c685ba0ad8c85ade50e389730ed2748.php
    
    Backdoor: PHP/PD9.5376 (A backdoor known as PD9).

    (Thanks to @donncha for finding my previous thread about this in the WordFence forum.)

    Thread Starter Floris

    (@florismk)

    Thanks for your reply, @donncha. There is no other software installed that I’m aware of, it’s a shared hosting server at a reputable hosting provider. And the affected site is actually the one without any of my custom code.

    So if there’s a vulnerability, it’s in an official repository plugin or theme that I keep up-to-date automatically.

    I have no idea how to go about finding the vulnerability though. Selectively disabling plugins and themes and waiting for the problem not to occur seems a time-consuming approach, and hardly foolproof, as it’s impossible to prove a negative.

    Hello there,

    As the issue mentioned “PHP”, I would advise updating your PHP version to prevent any vulnerabilities in older versions.

    Also, I would recommend getting in touch with your hosting provider and ask them for more help on what could be causing the issue.

    You could also contact WordFence and ask for more details on the issue. They may be able to explain what is causing the problem.

    Thread Starter Floris

    (@florismk)

    Starting a new thread on the WordFence forum. My PHP version is up to date.

    Plugin Support Tamirat B. (a11n)

    (@tamirat22)

    Thanks for the update @florismk and we’d love to hear what the Wordfence team has to say about this.

    In the meantime, I have shared your threat report with our product team to see if they have any insights into this.

    Thread Starter Floris

    (@florismk)

    Thread Starter Floris

    (@florismk)

    WordFence feedback is that WP Super Cache caches requests, and these requests may include the malware in GET parameters or cookies. What may be happening, according to them, is that WordFence blocks the attempt, but the request URL is nevertheless cached. So the malware does not reach the rest of the site, just the cache. Does that make sense to you guys?

    Thread Starter Floris

    (@florismk)

    In the WordFence thread, someone suggested strongly that I should set WPSC to serve after Init. Is that best practice in the presence of WordFence?

    I replied on the Wordfence thread with some ideas. I don’t think there’s any need to use “late init”.

    I’m very certain this is a false positive anyway and nothing to worry about.

    Thread Starter Floris

    (@florismk)

    Thanks, @donncha, I’ll keep the discussion in the WordFence thread then.

    Plugin Support Tamirat B. (a11n)

    (@tamirat22)

    Sounds like a good plan! I will go ahead and close this thread for now since the issue is being tracked in a separate thread!

    Thank you!

Viewing 13 replies - 1 through 13 (of 13 total)
  • The topic ‘Frequent malware in cached pages’ is closed to new replies.