I'm getting the same Daily Security Digest twice

Hey Leandro,

This is a known issue for some users. I’ve filed a bug report and the developers are aware. I’ll update you here with any progress at all.

Sorry for the inconvenience,

Gerroald

Thanks Gerroald.

Is the bug tracker available to the public? Maybe I can fill a bug myself there next time.

https://ithemes.com/security/bugs/

dwinden

@leandro

In my case I sometimes receive 1 and sometimes receive 2 Daily Security Digest email(s) …

Tracked it down to the File Change Detection (FCD) feature …

When disabling the FCD feature I only receive 1 Daily Security Digest email …

It seems when a FCD scan and sending a Daily Security Digest email is triggered concurrently by the same page load I receive 2 Daily Security Digest emails …

So I wonder what happens when Scheduled Database Backups (SDB) is (also) enabled ?

If you are still receiving 2 identical Daily Security Digest emails, please disable the FCD and SDB settings.
Update this topic with your test result. Thank you.

dwinden

I’m always getting two emails.

If I disable those settings there will be nothing for the plugin to report and I’ll get no email at all. Or maybe I missunderstood something?

Good point … but not entirely true.
Timing is essential. I should have mentioned that in my previous post.

Not going further into that as I’ve finally identified where my second DSD email is coming from and I don’t want to waste any more of your time. It’s triggered by WP cron …
So looks like this issue is not related to a scheduled FCD scan after all. So don’t disable it.

So how did I find out ?

After looking at the DSD code I found that the function that sends the DSD email is added (under certain conditions) as an action to the WP init hook.
And as the WP init hook actions are triggered on every page load there must be 2 page loads happening. One for every DSD email I receive…

Then I noticed in the DSD code there is a debug option named ITSEC_DEBUG which, if defined, will help debugging the DSD emails !
(amongst other iTSec features as well).

So I added this line to my wp-config.php file:

define( 'ITSEC_DEBUG', true );

Visited my WP Dashboard login page (https://www.domain.com/wordpress/slug) kept my fingers crossed and waited for duplicate DSD emails to arrive in my inbox.
So when both emails arrived (phew) I opened each and found at the end\bottom the following debug output:

Email 1 (first one received):

Debug info (source page): https://www.domain.com/wordpress/wp-cron.php?doing_wp_cron=1438154374.7210230827331542968750

Email 2 (second one received):

Debug info (source page): https://www.domain.com/wordpress/slug

So in my case it’s a WP cron job doing an extra page load that is causing the extra DSD email to be send.

Now I have been reading a lot about the WP init hook on the internet and it seems there are some other reasons why extra page loads can occur in WP (404s being another one) thus potentially executing the actions added to the WP init hook multiple times. So it seems to me that adding an email function as an action to the WP init hook is not a smart thing to do … smells like bad coding practice.
Knowing all this I’m not surprised to see people reporting many many many DSD emails in their inbox …

Let’s see what I can do to fix this temporarily …
More on that in my next post.

@leandro
I’m interested to hear what causes your duplicate DSD email.
Don’t forget to remove the ITSEC_DEBUG line from wp-config.php file once you are done debugging ??

dwinden

Well, this is weird. Today I finally got a Daily Security Digest email, but I only received one. And this is weirder:

Debug info (source page): https://leandroperez.com.ar/feed/

What does the feed page have to do with all this?

@leandro
Ok, so that probably means the DSD email was triggered because someone accessed your website feed link.

You probably have fans all around the world who follow you, for example by subscribing to your feed.

Every WordPress website includes a default feed link.
If you haven’t disabled it, the feed link is available for everyone to use.

I think the feed link triggering the DSD email is just fine.

So keep the ITSEC_DEBUG in place and wait for duplicate DSD emails to arrive in your inbox. It’s the only way to see how the duplicate is triggered in your env.

dwinden

I got another email. This time it was just one, same as last time. Is it possible that maybe by disabling those settings you mentioned on past posts and then enabling them again fixed the issue?

The debug message:

Debug info (source page): https://leandroperez.com.ar/feed/

No, I think this issue is intermittent (sometimes it happens, sometimes not). It’s just “bad luck” you are now receiving just a single DSD email… I’m sure the issue is still there.

I think your past duplicate DSD emails were also triggered by WP Cron.
Again timing is essential for this issue to occur.
The random factor is the moment that the page load that triggers the DSD email occurs.

There are certain conditions that must be met for the duplicate DSD email to be send.

Regular DSD email conditions:

1. Daily Security Digest setting must be enabled.
2. Since the last received DSD email 24 hours must have passed.
3. Since the last received DSD email a positive scheduled FCD scan must have taken place (or there must be 1 or more current active lockouts which have not yet expired).
4. The _site_transient_itsec_notification_running transient does not exist in the database ([prefix]_options table).
The DSD process creates a transient in the database that expires after an hour. A page load 1 hour after receiving the last DSD email is required for the transient to expire (be deleted).
It seems the iTSec developer build in a mechanism to prevent multiple DSD emails from being sent. Obviously this is not working for DSD emails triggered by WP Cron…

Duplicate DSD email condition:

5. A scheduled cron job is due for execution, spawning an extra page load (wp-cron.php).

When all five conditions are met at the time of a page load (Frontend website, backend WP Dashboard, Feed etc) 2 DSD emails will be triggered.

Keeping the above conditions in mind allowed me to consistently generate duplicate DSD emails. Even when accessing the Feed link …

In a test env you don’t even need to wait 24 hours for the next DSD emails to arrive.

You can manipulate conditions 2 and 3 by manually changing the timestamps stored in the database. To be sure I subtract 100000 secs while in theory 24*60*60=86400 should be enough.

First I change one of the iTSec plugin WordPress Tweaks settings that writes to the .htaccess file and then click on the Save All Settings button. This is to ensure that the next scheduled FCD scan results in file changes found. Then in phpMyAdmin I change the FCD ‘last_run’ timestamp in the itsec_file_change option of the [prefix]_options table. Any subsequent page load will now trigger a scheduled FCD scan (condition 3). Use the plugin Logs page to check the result.
At this point I log out WP Dashboard and close the tab in the browser.
This prevents me from accidentally performing a page load …

Then again using phpMyAdmin I change the DSD ‘last_sent’ timestamp in the itsec_message_queue option of the [prefix]_options table (condition 2).
Please be aware that the DSD email mechanism is now armed …
Any page load will trigger at least one DSD email from this point on …

Finally I look at the time of the next scheduled cron job (condition 5).
Accessing the Frontend website, WP Dashboard or Feed URL AFTER the time of the next scheduled cron job immediately triggers 2 DSD emails.

My server access_log shows 2 seperate HTTP requests to the Web Server:

1. (GET) The original page load address (Frontend website, WP Dashboard or Feed URI).
2. (POST) The extra WP Cron (wp-cron.php) page load.

Note this test only makes sense in a test env without external visitors. Otherwise the control over timing the page load that triggers the DSD emails is too difficult.

For now I just think you need to be patient.
You could try a more active approach.
Instead of waiting for someone to access your feed url (and trigger the DSD email), try and do the page load that triggers the DSD email yourself. This way you might be able to manage\control the cron execution.
It’s crucial to find out the exact timings of your cron job schedule.
Plenty of plugins out there that will allow you to look at the cron job schedule.
WP includes 6 default cron jobs and the iTSec plugin includes another 2. So there must be at least 8 WP cron jobs scheduled in your system. Probably more.

dwinden

That’s a lot of conditions!

I just keep getting one email and the same debug info. I think I’ll update this thread again when I have a different thing to report.

Thanks for your help, dwinden.

Definately a lot of conditions for the DSD email, but only one extra condition for the duplicate DSD email…

I’m convinced the root cause for the duplicate DSD email issue is still there. It may return any moment (assuming it is caused by WP Cron and you haven’t disabled WP Cron in the wp-config.php … There may be other reasons as well which I have yet to identify …).

Anyway based on the changelog this issue is still not fixed in the 4.9.0 release.

dwinden

I just got two emails, both with the same delivery time.

The first one has the following debug info:

Debug info (source page): https://domain.com/wp-cron.php?doing_wp_cron=1439776566.6869840621948242187500

And here’s the second one:

Debug info (source page): https://domain.com/?attachment_id=3368/trackback/

Looks like it was triggered by WP cron for me as well.

Ok, great. Thanks Leandro. Really appreciate your feedback.
It was just a matter of time.

Any idea what the https://domain.com/?attachment_id=3368/trackback/ is about ? Just wondering … have never seen it before …

Would you be interested in testing a possible solution to this problem ?

dwinden

I changed my domain because I wasn’t sure if I should make that cron URL public with all those numbers (which is kind of useless now that I see I posted it a few comments before :P)

Anyway, I’m using a theme with galleries support that works with a static front page, the attachment URL links to one of the images in one of the galleries. Maybe the theme is creating that new kind of URL?

Sure, I can give it a try. What should I do?