Ouch! | Unknown File in WordPress Core | WP 6.7

Same problem in all wordpress updated sites. 2312 core files (wordpress 6.7) detected as Unknown file in WordPress core

+1

+1

Also Siteground

Did a restore to pre 6.7 and now anything /wp-admin/* redirects to /wp-admin/upgrade.php?_wp_http_referer=%2Fwp-admin%2Fplugins.php which says:

“No Update Required
Your WordPress database is already up to date!”

“Continue” button redirects to homepage, front end, cannot access anything /wp-admin/.

Hello all –

Ok, so I have found that if you are using the Free version of Wordfence, the “Rules” are only updated every 30 days – which means that this is completely out of sync with the release of WP 6.7.

If you go to Wordfence -> All Options -> Advanced Firewall Options -> Manually Refresh Rules and then run a new Scan, this resolves the issue (tested one site thus far and seemed to do the trick).

Wordfence changed this a bit ago where the rules are only updated once every 30 days – not sure this was a great idea on Wordfence’s part.

@abuzon –

This is due to a caching plugin, our environment is using Redis Cache – which we had to manually FTP into the site and rename the object-cache.php file to disable it to regain access.

With Siteground’s own caching mechanism, you can probably just disable that in the backend to regain access again.

Hi @viablethought,

Great catch and fix. It worked. Thank you.

Your fix begs the following:

1. Team Wordfence needs to pin a note to this support forum addressing this issue and the proper fix.
2. Team Wordfence needs to update their plugin (i.e., code) to prevent this from happening again. As a minimum, the rules for Wordfence Free need to be updated — and made available immediately — for all future revisions of WordPress.

Again, thank you.

@generosus –

Agreed, the Wordfence team should at least very minimum put something in place in force a manual refresh of rules to account for Core updates to avoid this in the future, or just revert it back to the way it was previous to the 30 day check.

This caused such a panic on our end since we host and maintain over 200 client websites currently – luckily I was able to put 2 & 2 together when someone on another board mentioned that WF possibly hadn’t updated their file list for 6.7. Checked the Rules and reran another scan and voila!

@viablethought,

Well stated. Personally, Wordfence is a great plugin but Team Wordfence hardly ever listens to its users (Free or Premium) and never implements much-needed features or enhancements.

Let’s see how far our recommendations go with them.

Cheers!

@generosus –

Well, if they don’t mind this support channel blowing up with every major and minor release, then that’s on them. I was kind enough to post a fix and post it to every support thread across www.ads-software.com to help others before they go and delete core files mistakenly.

An issue of this magnitude should not be taken lightly by the Wordfence team, hopefully some type of resolution is put into place, otherwise will have to look for an alternative. We have several Premium licenses and never had a real issue with this plugin up until now. We’ll see!

Guys please don’t post misinformation and your own misunderstanding of how things work in Wordfence. This stuff gets indexed by the search engines, other users visit these posts, and then it significantly increases our support load as we have to correct the misunderstanding you’ve created. Jason calling you out in particular.

Firstly, this is incorrect and completely unrelated to the core files issue: “Wordfence changed this a bit ago where the rules are only updated once every 30 days – not sure this was a great idea on Wordfence’s part.“

Firewall rules and malware signatures are not related to how we compare your core files to the original core versions. That’s a totally different process. What happened on our end is that, due to recent rate limiting on the repository, the process that mirrors new core releases did not complete normally and stopped halfway. Our application servers told the Wordfence plugin that we DID have a complete mirror with associated hashes, but we in fact did not. Once we discovered the issue we ran the process to completion manually which fixed the issue this time around. We’ve also put additional alerting in place to let us know if this happens in future. And then we’re refactoring the code for this process to make it more robust and not tell the plugin the process is complete if it did not successfully complete, in the case of an issue being encountered.

Also the comment of “Wordfence changed this a bit ago where the rules are only updated once every 30 days” is wrong. We didn’t. Not even sure why you’d think that or post it.

“…Team Wordfence hardly ever listens to its users”. No. We’re here in the forums. We’re in the tickets. We have multiple triage calls weekly which I’m on (I’m the CTO) as well as our CEO, and we’re making decisions based on your feedback at all levels of the organization, and doing that as a continuous and iterative process.

“If you go to Wordfence -> All Options -> Advanced Firewall Options -> Manually Refresh Rules”. No, it’s a coincidence this worked. We had fixed it on our end between your last scan and the scan you performed after making this change. You’re refreshing the firewall rules which has no relation to file integrity checks.

“Well, if they don’t mind this support channel blowing up with every major and minor release, then that’s on them. I was kind enough to post a fix and post it to every support thread across www.ads-software.com to help others before they go and delete core files mistakenly.“

Actually what you’ve done is posted an incorrect description of the problem, and a fix that does not work because it’s completely unrelated to the issue. As I said, you think it worked because a coincidence occurred. And we now need to go in and correct any misunderstandings created around the frequency of firewall rules being deployed, what caused this issue, how to fix it (you don’t need to because we did on the back-end) and answer any questions around this that come up.

We’re happy to have you guys as users and customers, but please give us time to get back to you when something like this occurs with all the information before you start replying to multiple customers with partial or inaccurate info.

Regards,

Mark Maunder – Chief Technology Officer at Wordfence/Defiant Inc.

Thanks for the comprehensive explanation, @mmaunder ! Love you guys.

Hi @mmaunder,

Thank you for the update. If you listen to your customers, can you kindly pin a summary of what happened here (and your preventive measures) to this support forum? These posts get buried over time.

Also, if you look at what I’ve recommended or have suggested over time, not a single item has been addressed.

Please consider this as constructive feedback. Just presenting the facts. Your plugin rocks.

Keep up the good work and thank you for keeping our websites safe.

Salud! ??

@mmaunder –

Thank you for the explanation, however, with everyone being hit with emails about 2500+ files being marked as “High Severity” it is a serious concern – especially for us as we host and maintain over 200 client websites at the moment. Trying to determine who the culprit is and finding a resolution for this issue was priority.

“Once we discovered the issue we ran the process to completion manually which fixed the issue this time around.”

When was this discovered on your end? Because I seen posts in this Support Channel as along as 15-18 hours ago as of 7am EST this morning. Someone should’ve posted here as soon as it was discovered to avoid any tpye of “misinformation” as you called it. At the point when we discovered the issue this morning, a lot of time as passed with radio silence on your end.

“Actually what you’ve done is posted an incorrect description of the problem, and a fix that does not work because it’s completely unrelated to the issue. As I said, you think it worked because a coincidence occurred. And we now need to go in and correct any misunderstandings created around the frequency of firewall rules being deployed, what caused this issue, how to fix it (you don’t need to because we did on the back-end) and answer any questions around this that come up.”

It was something that worked and just happened to resolve the problem at the moment that helped to ease everyone’s mind and allow them to carry on about their day, including us, coincidence or not.

“This stuff gets indexed by the search engines, other users visit these posts, and then it significantly increases our support load as we have to correct the misunderstanding you’ve created. Jason calling you out in particular.”

Sure does, so that way the next time something similar pops up and they reach these posts, it is something they can rule out and move on to looking for the next resolution rather than wasting time with what “coincidently” worked here.

As far as this:

“Also the comment of “Wordfence changed this a bit ago where the rules are only updated once every 30 days” is wrong. We didn’t. Not even sure why you’d think that or post it.”

https://cln.sh/TZJxFSGLNNfG1DF4zJqV

Then maybe clarify your wording a little better, something has changed at some point because there was a time not so long ago where we weren’t being prompted with this everywhere. Happened around the same time where we’re linked off-site to obtain a Free license.

Feedback received re pinning an item. Given the number of posts related to this and how it’s now fully resolved and has been for hours, I’m going to probably pass on doing this. But it’s Scott’s call anyway since he runs the CS team. I’m just a guest here. ?? So he may feel different. Anyone who visits the forums for the next day or two will immediately see several threads related to this. 24 hours after the issue occurred (about 16 hours from now) a new scan would have run on most sites making this moot anyway.

We do receive feedback – we just don’t necessarily implement it all. In fact as a ratio, we implement very little of the suggestions we get. There are a few reasons for this. Firstly we have an install base of around 5 million websites with about half a billion visitors per month across those sites, so deploying a new feature across that population comes with risks and affects a lot of people.

We also have probably the most credentialed team of security analysts in the world who also weigh in on what we implement and suggestions from users aren’t always feasible or wise to implement because they lack the background in security.

There are also performance implications, complexity that a new feature might add, cost/load considerations on the back end and on the customer site and so on.

But let me give this further thought. We might be able to create a more direct link between our user community and our engineering team and perhaps even crowd-source the prioritization of features. Not saying we’d implement them all or that they’d all be feasible, but I’ll give this some thought.

Thanks for your feedback.

Mark Maunder – CTO @ Wordfence

@generosus and @viablethought thank you so much and yes, I 2nd/3rd everything said.

So, I have to laugh at myself for panicking… The reason I panicked? The word “bastard”.
The first file I looked at (and the only one of 2,312) was /wp-includes/wp-diff.php, which states: “WordPress Diff bastard child of old MediaWiki Diff Formatter.”

Immediately, I thought “nope, there’s no way that’s a core file!” and hurriedly reverted to yesterday’s backup! ::forehead smack:: Doh!