• Resolved tomkinsrichard

    (@tomkinsrichard)


    I just inherited responsibility for a website that has Wordfence and I am ignorant of the product.

    I see two WordPress databases in MySQL, and one of these databases has a number of extra rows that appear to be for the use of Wordfence.

    My questions are,
    – When Wordfence is installed, does it make a copy of the original database, add more rows and then adjust wp-config.php to point to the new database?
    – I also saw a scan output of Wordfence, the filename of a potentially bad file was prefaced with delete me and then a number. Is this a file created by Wordfence?

    https://www.ads-software.com/plugins/wordfence/

Viewing 15 replies - 1 through 15 (of 16 total)
  • Plugin Author WFMattR

    (@wfmattr)

    That might mean that there are two separate WordPress sites on the server you are using, or that the original creator had copied the database for some reason (possibly for testing or backup purposes.)

    Wordfence doesn’t duplicate the tables in the original database, but it does add its own tables. If the WordPress database prefix is “wp_”, for example, Wordfence adds a number of tables beginning with “wp_wf”, for its own data. It doesn’t modify the table prefix or anything in wp-config.php.

    I don’t think Wordfence has created files with a name like “delete me,” unless it was in a much older version. If you view the contents of the file in a text editor, does it look like a normal PHP file for WordPress? It might actually be a malicious file — some are designed to extract a file, run it, and then delete it — or it could be a temporary file from another plugin. If you’re not sure about the contents of the file, let us know.

    Thread Starter tomkinsrichard

    (@tomkinsrichard)

    WF MattR, Thank you for your response.

    As to the two tables, it is possible that the original website creator already knew that the database would be modified/added to by WordFence. I suspect that they were being prudent and kept a virgin copy of the WordPress database.

    In my quest to figure out the deleteMe_xxxxx.php file, I read some stuff from long ago that WordPress at one time created similarly named files during initial installation, and it is supposed to clean them up.

    The delete_me file is base64 encoded, so when I decoded it, the following line in the php code stood out like a sore thumb,
    “SELECT user_pass FROM {$wpdb->users} WHERE ID = %s”
    I have decided it’s a left over from a failed WordPress install, as most everything else appears to be clean.

    So now my question is how to ignore a specific directory from the file scan? This is a Real Estate website and every hour, a CRON job runs to pull new and revised Real Estate listings from the DDF servers. There are over 6300 listings, and each has over 20 pictures per listings, so the WordFence scans appear to be taking up a lot of time on dynamic content that I know is secure.

    Plugin Author WFMattR

    (@wfmattr)

    Ok — you might want to let a full scan run at least once, just to be sure. Getting a user password (though encrypted) might be done in some malware too. Most often, they wouldn’t care if they were already far enough in to drop files, but it could be going after users who reuse passwords.

    As for the scans, I would make sure these options are not enabled, if the original creator may have had them set:

    1. Scan files outside your WordPress installation
    2. Scan image files as if they were executable
    3. Enable HIGH SENSITIVITY scanning. May give false positives

    If the real estate listings are stored outside of the normal WordPress folders, the first option should prevent them from being scanned. The other two are usually best used for cleaning up existing hacks.

    You can use the field “Exclude files from scan that match these wildcard patterns” to exclude other patterns, to exclude something like “*wp-content/plugins/some-plugin/safe-folder*” (without the quotes, but with the asterisks).

    Though, you might still want to do a full scan without exclusions periodically, unless the entire location is wiped out and rebuilt each time. (Some hacked files can be hidden in random folders, so if any of them remain around for a long time, it would still be a good idea to scan them.)

    Thread Starter tomkinsrichard

    (@tomkinsrichard)

    Cool, many thanks indeed.
    I’ll get on to this first thing in the morning.

    Plugin Author WFMattR

    (@wfmattr)

    Great — I’ll mark this post “resolved” for now, but let us know if you have any additional questions!

    Thread Starter tomkinsrichard

    (@tomkinsrichard)

    A big hurdle, but…
    The scan started around 1:00 pm and finished around 2:30 pm, around 80,000 files. Does this seem about right?

    As per your instructions, this is what the Comma-separated list of directories to exclude from recently modified file list:

    *wp-content/cache*,*wp-content/wfcache*,*wp-content/plugins/wordfence/tmp*,*/wp-content/uploads/soldpress*

    looks like.

    I appreciate the pointers on this very much.
    Regards Richard

    Plugin Author WFMattR

    (@wfmattr)

    Richard,

    That is quite a long time, and a lot of files, if the three options mentioned above are not enabled, and especially when excluding the other directories. The exclusions look correct to me, except the “soldpress” one needs to have the slash removed before “wp-content” — that is probably the bulk of the files that were scanned. (I originally thought that would work too, but I needed to use the asterisk instead — I’ll need to check with the dev team on that.)

    Otherwise, if that’s not it, do you use any other caching plugins, or were any others enabled in the past? Another caching plugin might have left behind a directory full of old files that could still be getting scanned.

    -Matt R
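
An added example (not from the thread's participants and not Wordfence's code) that audits an exclusion field like the ones posted above. It assumes each pattern is matched against the whole file path relative to the WordPress root with `*` as the only wildcard, which is consistent with the leading-slash entry not matching; the sample paths are constructed.

```python
import re

# Option values as posted in the thread: with the leading slash, then without it.
FIELD_AS_POSTED = ("*wp-content/cache*,*wp-content/wfcache*,"
                   "*wp-content/plugins/wordfence/tmp*,*/wp-content/uploads/soldpress*")
FIELD_CORRECTED = ("*wp-content/cache*,*wp-content/wfcache*,"
                   "*wp-content/plugins/wordfence/tmp*,*wp-content/uploads/soldpress*")

# Constructed sample paths, relative to the WordPress root (assumption: the
# scanner compares patterns against paths in this form).
PATHS = [
    "wp-includes/version.php",
    "wp-content/wfcache/index.html",
    "wp-content/uploads/soldpress/listing-1001/photo-01.jpg",
    "wp-content/uploads/soldpress/listing-1001/thumbs.php",
    "wp-content/uploads/soldpress-old/readme.txt",
]

def pattern_to_regex(pattern):
    """'*' matches any run of characters, the rest is literal, whole path must match."""
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)

def audit(field, paths):
    """Return ({pattern: [excluded paths]}, [paths still scanned])."""
    rules = [(p.strip(), pattern_to_regex(p.strip()))
             for p in field.split(",") if p.strip()]
    excluded = {pattern: [] for pattern, _ in rules}
    scanned = []
    for path in paths:
        matched = [pattern for pattern, rx in rules if rx.match(path)]
        for pattern in matched:
            excluded[pattern].append(path)
        if not matched:
            scanned.append(path)
    return excluded, scanned

def executable_blind_spots(excluded, extensions=(".php", ".phtml", ".phar")):
    """Excluded files a web server could execute: candidates for a periodic full scan."""
    found = {p for paths in excluded.values() for p in paths
             if p.lower().endswith(extensions)}
    return sorted(found)

if __name__ == "__main__":
    for label, field in (("as posted", FIELD_AS_POSTED), ("corrected", FIELD_CORRECTED)):
        excluded, scanned = audit(field, PATHS)
        print(label, "- still scanned:", scanned)
        print(label, "- executable files hidden from the scan:",
              executable_blind_spots(excluded))
```

Under this assumption the corrected pattern also covers the sibling `soldpress-old` directory and any PHP file inside the excluded tree, which is why a periodic scan without exclusions is still worth running.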

    Thread Starter tomkinsrichard

    (@tomkinsrichard)

    I changed the exclude to be *wp-content/uploads/soldpress*. I did this because after I made the change, simply to remove the slash, the whole field (it’s too stupidly tiny) became blank. And then! I started to get an error that the key did not match the stored CRON key and I did keep my cool. Usually when a product fails in front of me, I delete it.
    I tracked down something about cached configuration files and made the setting adjustment, we’ll see how that works out.
    There may have been caching at one time, there is none now and the directories are gone.

    Thread Starter tomkinsrichard

    (@tomkinsrichard)

    That file exclusion thing is not working.

    Plugin Author WFMattR

    (@wfmattr)

    Richard,

    The message about the cron key can come up when Wordfence scans on a small number of hosts. If you disabled config caching, that normally will fix it. That option may have also affected your other options saving.

    I tried creating a “soldpress” directory in the same location on my test server and made sure that it was scanned, then copied and pasted the exclusion from your last post into my exclusions, and verified that it did not scan the folder after that.

    If disabling config caching does not fix the problem with the option saving properly for the scan to exclude that directory, I can look for more possibilities, since this is an unusual problem. I haven’t seen a scan exclusion not work before. If you would rather not troubleshoot anymore, that is fine.

    -Matt R

    Thread Starter tomkinsrichard

    (@tomkinsrichard)

    Is WordFence still scanning???? I captured this from Scan Summary. There is a Detailed Activity log below as well. It would appear that the exclusion entry syntax you specified worked, highly unconventional syntax. It’s not even documented.
    The config caching appears to have an odd interaction with configuration settings, this should be fixed ASAP.

    [Sep 18 15:03:22]
    Preparing a new scan.
    Done.
    [Sep 18 15:03:22]
    Remote scan of public facing site only available to paid members
    Paid Members Only
    [Sep 18 15:03:24]
    Check if your site is being Spamvertized is for paid members only
    Paid Members Only
    [Sep 18 15:03:26]
    Checking if your IP is generating spam is for paid members only
    Paid Members Only
    [Sep 18 15:03:28]
    Scanning your site for the HeartBleed vulnerability
    Secure.
    [Sep 18 15:03:29]
    Fetching core, theme and plugin file signatures from Wordfence
    Success.
    [Sep 18 15:03:30]
    Fetching list of known malware files from Wordfence
    Success.
    [Sep 18 15:03:30]
    Comparing core WordPress files against originals in repository
    [Sep 18 15:03:30]
    Skipping theme scan
    Disabled [Visit Options to Enable]
    [Sep 18 15:03:30]
    Skipping plugin scan
    Disabled [Visit Options to Enable]
    [Sep 18 15:03:30]
    Scanning for known malware files
    ————————————————-
    This appears to be the most recent Scan Detailed Activity log.
    [Sep 18 14:58:03] Scan terminated with error: Scan was killed on administrator request.
    [Sep 18 15:03:29] Contacting Wordfence to initiate scan
    [Sep 18 15:03:29] Getting plugin list from WordPress
    [Sep 18 15:03:29] Found 4 plugins
    [Sep 18 15:03:29] Getting theme list from WordPress
    [Sep 18 15:03:29] Found 1 themes
    [Sep 18 15:03:31] Analyzed 100 files containing 1.09 MB of data so far
    [Sep 18 15:03:32] Analyzed 200 files containing 2.34 MB of data so far
    [Sep 18 15:03:34] Analyzed 300 files containing 4.64 MB of data so far
    [Sep 18 15:03:35] Analyzed 400 files containing 5.3 MB of data so far
    [Sep 18 15:03:36] Analyzed 500 files containing 7.05 MB of data so far
    [Sep 18 15:03:38] Analyzed 600 files containing 8.45 MB of data so far
    [Sep 18 15:03:40] Analyzed 700 files containing 10.11 MB of data so far
    [Sep 18 15:03:40] Analyzed 800 files containing 10.76 MB of data so far
    [Sep 18 15:03:43] Analyzed 900 files containing 13.75 MB of data so far
    [Sep 18 15:04:23] Analyzed 1000 files containing 53.16 MB of data so far
    [Sep 18 15:04:23] Analyzed 1100 files containing 53.51 MB of data so far
    [Sep 18 15:04:23] Analyzed 1200 files containing 53.66 MB of data so far
    [Sep 18 15:04:24] Analyzed 1300 files containing 54.09 MB of data so far
    [Sep 18 15:04:25] Analyzed 1400 files containing 54.58 MB of data so far
    [Sep 18 15:04:29] Analyzed 1500 files containing 58.4 MB of data so far
    [Sep 18 15:04:47] Analyzed 1600 files containing 76.46 MB of data so far
    [Sep 18 15:04:59] Analyzed 1700 files containing 87.58 MB of data so far
    [Sep 18 15:06:00] Analyzed 1800 files containing 147.55 MB of data so far
    [Sep 18 17:44:10] Scheduled Wordfence scan starting at Friday 18th of September 2015 05:44:10 PM
    [Sep 18 20:13:47] Scheduled Wordfence scan starting at Friday 18th of September 2015 08:13:47 PM

    Plugin Author WFMattR

    (@wfmattr)

    Richard,

    In the log you posted, it looks like the scan stopped shortly after 15:06:00. Normally, the log times will run fairly continuously, since most hosts limit PHP scripts to 30-60 seconds.

    Some hosts will stop processes that take a long time, or limit CPU usage, database usage, or memory in ways outside of the PHP settings that can be detected by PHP scripts. Usually if time or memory are limited in PHP settings, as most hosts do, there will be a clear message showing why the scan stopped.

    If you are having this much trouble running a scan, there may be something in your host’s particular setup that is causing trouble — having this much trouble is very rare. Even if we can get a scan running, you might have trouble with other features, or intermittent issues with the scans. Your host may be able to tell you what limits they have, or they may be able to check why the process ended, if you still want to try using Wordfence.

    -Matt R
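
An added example, not Wordfence's code: a stall detector for the Detailed Activity log format posted in this thread. It flags long gaps between consecutive entries while a scan is open; the 120-second threshold and the `year` argument are assumptions (the log lines carry no year), and the sample lines are excerpts of the logs posted above.

```python
import re
from datetime import datetime, timedelta

# Excerpts of the Detailed Activity log lines posted in this thread.
STALLED = """\
[Sep 18 15:03:29] Contacting Wordfence to initiate scan
[Sep 18 15:03:43] Analyzed 900 files containing 13.75 MB of data so far
[Sep 18 15:04:23] Analyzed 1000 files containing 53.16 MB of data so far
[Sep 18 15:04:59] Analyzed 1700 files containing 87.58 MB of data so far
[Sep 18 15:06:00] Analyzed 1800 files containing 147.55 MB of data so far
[Sep 18 17:44:10] Scheduled Wordfence scan starting at Friday 18th of September 2015 05:44:10 PM
[Sep 18 20:13:47] Scheduled Wordfence scan starting at Friday 18th of September 2015 08:13:47 PM
"""
COMPLETED = """\
[Sep 27 16:17:37] Scanned contents of 627 additional files at 36.26 per second
[Sep 27 16:18:15] Scanned contents of 632 additional files at 11.51 per second
[Sep 27 16:18:21] Scan Complete. Scanned 80866 files, 5 plugins, 1 themes, 27 pages, 0 comments and 1052777 records in 2898 seconds.
[Sep 27 16:18:21] Wordfence used 48.54MB of memory for scan. Server peak memory usage was: 54.15MB
[Sep 28 01:26:07] Scheduled Wordfence scan starting at Monday 28th of September 2015 01:26:07 AM
[Sep 28 01:26:15] Contacting Wordfence to initiate scan
"""

LINE = re.compile(r"^\[(\w{3} +\d{1,2} \d\d:\d\d:\d\d)\] (.*)$")
START = ("Scheduled Wordfence scan starting", "Contacting Wordfence to initiate scan")
END = ("Scan Complete", "Scan terminated")

def parse(text, year=2015):
    """Return [(timestamp, message)]; lines that are not log entries are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def find_stalls(events, max_gap=timedelta(seconds=120)):
    """Return (last entry time, last message, gap in seconds) for each gap longer
    than max_gap that opens while a scan is running. A log that begins mid-scan
    is treated as running until an END marker is seen."""
    stalls, idle = [], False
    for i, (ts, msg) in enumerate(events[:-1]):
        if msg.startswith(END):
            idle = True
        elif msg.startswith(START):
            idle = False
        gap = events[i + 1][0] - ts
        if not idle and gap > max_gap:
            stalls.append((ts.strftime("%b %d %H:%M:%S"), msg, int(gap.total_seconds())))
    return stalls

if __name__ == "__main__":
    for when, msg, secs in find_stalls(parse(STALLED)):
        print(f"no entries for {secs}s after [{when}] {msg}")
```

On the Sep 18 excerpt it reports the silence after 15:06:00 and the scheduled start at 17:44:10 that logged nothing further; the Sep 27 excerpt, where the long pause follows "Scan Complete", produces no findings.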

    Thread Starter tomkinsrichard

    (@tomkinsrichard)

    So around 15:06, there was probably an abrupt stop.
    That’s rather unfortunate.
    Let’s take one more stab at making this work.

    The hosting service is GoDaddy shared Linux hosting with cPanel.

    Is there a master reset on WordFence?
    Do I deactivate, uninstall and reinstall?
    Are there any special considerations, no matter how small or insignificant that I need to be aware of?

    Plugin Author WFMattR

    (@wfmattr)

    Yes, before deactivating, enable the option “Delete Wordfence tables and data on deactivation” near the bottom of the Options page.

    If you want to be extra sure it’s a clean installation, after uninstalling the plugin, you could use phpmyadmin or another tool to verify the tables beginning with “wp_wf” are gone (assuming your db prefix is “wp_”), to rule out database privilege issues or mysql issues. If any of the tables are not gone, or if you get errors when trying to recreate them, the host may have to repair your database — there are very rare mysql bugs that can cause unusual issues in any table that is used often (not just Wordfence tables).

    You could check that the files are gone from wp-content/plugins/wordfence/ too, but WordPress should alert you about that too, when you try to reinstall it.

    The host should also have a way to check your disk quota, which may or may not include your database size — Wordfence does add temporary data to tables during scans, so if you do run out of space during a scan, that might give unexpected results too.

    In cPanel, some hosts let you choose a PHP version (at least the major version like 5.4 or 5.5), so you could also check that the host isn’t running an outdated version of PHP. Version 5.4 just reached end-of-life, but I know that Wordfence worked fine even on that version a few weeks ago, and it should work fine on the latest releases of 5.5 and 5.6.

    Also in cPanel, you may want to check that mod_security is not enabled, at least for testing. It was recently added to cPanel’s default features, but I don’t know if GoDaddy enables it by default. mod_security is an Apache module, and hosts can define their own rules for blocking just about anything (based on a single hit or multiple hits), so they may have something new that is causing trouble. Wordfence should work fine with the default OWASP rules, if those are enabled, though. (If Wordfence does start working, you could turn mod_security back on and verify that it isn’t causing any problems in the next scan.)

    When you do reinstall Wordfence, you should probably turn on the option “Disable config caching” again, since that seemed to make a difference last time. I don’t think it’s normally necessary on GoDaddy hosting though.

    As far as I know, we haven’t had any issues specifically caused by hosting on GoDaddy, but it’s possible that they have one host that isn’t configured correctly to their usual standard.

    If you want to see where the scan is getting stuck, you could also turn on “Enable debugging mode” under “Other Options” on the Wordfence Options page — this causes a lot of debugging data to be added to the database (which also appears in the boxes on the Scan page), so I wouldn’t leave it on all the time.

    Let us know how it goes.

    -Matt R

    Thread Starter tomkinsrichard

    (@tomkinsrichard)

    I have been sitting on this to give the plugin time to stabilize.
    SO, for 5 days, I have not logged in nor made any changes to the website or WordFence.
    The exclude is, “*wp-content/plugins/wordfence/tmp*,*wp-content/uploads/soldpress*”.

    Here is the scan ending from the 27th and starting up on the 28th,
    More than 80,000 files, more than 2.3 GB of data?

    Surely the exclude line does not work properly at all.

    [Sep 27 16:17:19] Analyzed 80866 files containing 2.37 GB of data.
    [Sep 27 16:17:20] Starting scan of file contents
    [Sep 27 16:17:21] Scanned contents of 38 additional files at 33.04 per second
    [Sep 27 16:17:22] Scanned contents of 96 additional files at 44.52 per second
    [Sep 27 16:17:23] Scanned contents of 118 additional files at 37.16 per second
    [Sep 27 16:17:24] Scanned contents of 128 additional files at 30.62 per second
    [Sep 27 16:17:25] Scanned contents of 165 additional files at 31.74 per second
    [Sep 27 16:17:26] Scanned contents of 217 additional files at 34.72 per second
    [Sep 27 16:17:27] Scanned contents of 268 additional files at 35.99 per second
    [Sep 27 16:17:28] Scanned contents of 272 additional files at 31.71 per second
    [Sep 27 16:17:32] Scanned contents of 277 additional files at 22.74 per second
    [Sep 27 16:17:33] Scanned contents of 302 additional files at 22.84 per second
    [Sep 27 16:17:34] Scanned contents of 316 additional files at 22.18 per second
    [Sep 27 16:17:35] Scanned contents of 426 additional files at 27.94 per second
    [Sep 27 16:17:36] Scanned contents of 539 additional files at 33.11 per second
    [Sep 27 16:17:37] Scanned contents of 627 additional files at 36.26 per second
    [Sep 27 16:18:15] Scanned contents of 632 additional files at 11.51 per second
    [Sep 27 16:18:15] Scanned contents of 632 additional files at 11.44 per second
    [Sep 27 16:18:15] Asking Wordfence to check URL’s against malware list.
    [Sep 27 16:18:15] Checking 358 host keys against Wordfence scanning servers.
    [Sep 27 16:18:15] Done host key check.
    [Sep 27 16:18:15] Checking 52 URLs from 36 sources.
    [Sep 27 16:18:16] Done URL check.
    [Sep 27 16:18:16] Done file contents scan
    [Sep 27 16:18:16] Starting scan of database
    [Sep 27 16:18:17] Done database scan
    [Sep 27 16:18:18] Examining URLs found in posts we scanned for dangerous websites
    [Sep 27 16:18:18] Checking 78 host keys against Wordfence scanning servers.
    [Sep 27 16:18:18] Done host key check.
    [Sep 27 16:18:18] Done examining URLs
    [Sep 27 16:18:18] Starting password strength check on 3 users.
    [Sep 27 16:18:19] Starting DNS scan for focusproperties.ca
    [Sep 27 16:18:19] Scanning DNS A record for focusproperties.ca
    [Sep 27 16:18:19] Scanning DNS MX record for focusproperties.ca
    [Sep 27 16:18:19] Total disk space: 3240.2505GB — Free disk space: 2342.1275GB
    [Sep 27 16:18:19] The disk has 2398338.51 MB space available
    [Sep 27 16:18:21] ——————-
    [Sep 27 16:18:21] Scan Complete. Scanned 80866 files, 5 plugins, 1 themes, 27 pages, 0 comments and 1052777 records in 2898 seconds.
    [Sep 27 16:18:21] Wordfence used 48.54MB of memory for scan. Server peak memory usage was: 54.15MB
    [Sep 28 01:26:07] Scheduled Wordfence scan starting at Monday 28th of September 2015 01:26:07 AM
    [Sep 28 01:26:15] Contacting Wordfence to initiate scan
    [Sep 28 01:26:16] Getting plugin list from WordPress
    [Sep 28 01:26:16] Found 5 plugins
    [Sep 28 01:26:16] Getting theme list from WordPress
    [Sep 28 01:26:16] Found 1 themes
    [Sep 28 01:26:19] Analyzed 100 files containing 1.09 MB of data so far
    [Sep 28 01:26:20] Analyzed 200 files containing 2.34 MB of data so far
    [Sep 28 01:26:22] Analyzed 300 files containing 4.64 MB of data so far

  • The topic ‘Installation question’ is closed to new replies.