“Site is not clean” alert unchanged

There are two caches that must be flushed in order to get fresh results from this scanner, one is in your local server, in this file [1] which is automatically flushed every twenty minutes, the second cache is in SiteCheck’s API server which lasts for 48 hours.

The intermediate cache (the one that uses the file mentioned above) is necessary because a single scans takes around 20 seconds to load, if the scan was executed in real-time it would make your website very slow, so the plugin caches the response of this API [2] for 20 minutes. Once the local cache expires, the same process is executed again.

According to your post, the cache in SiteCheck’s server was already flushed, since it only lasts for 48 hours and you said that the problem has been occurring for over a week. It is possible that this file [1] is not being deleted after the local cache expires, and so the plugin keeps showing old data.

Try to delete this file manually and refresh the plugin’s dashboard. If this doesn’t works, send a request to this API [2] from the server where your website is being hosted, do not send the request from your computer, do it from your server as you need to verify that the cache in our CDN are actually flushing the content in the nodes closer to your server.

Let me know how it goes.

[1] /wp-content/uploads/sucuri/sucuri-sitecheck.php
[2] https://sitecheck.sucuri.net/?scan=www.whodunnknit.com&json=1&clear=1

Hi @yorman. Thanks for the tips. I have tried deleting the file manually but still no difference.

I’m not sure how to send a request from my server. Any help here?

I’m not sure how to send a request from my server. Any help here?

Definitely! There are two ways you can test this, one is to execute the following command in the Xterm emulator of your choice while connected to your server, this is if you have access to it via SSH.

curl -s "https://sitecheck.sucuri.net/?scan=www.whodunnknit.com&json=1&clear=1" | python -m json.tool

Another option is to create a PHP script, host it in your website and execute it via your favorite web browser. I wrote this script [1] for you so you can just copy and paste into a new file in your server using either (S)FTP or the file manager offered by your hosting provider in your cPanel account.

Notice that both options are just to check if the connection between your server and the Sucuri API is hitting a node in our network with an expired cache, which means, returning the old malware scan results with the warnings.

Let me know how it goes.

[1] https://cixtor.com/pastio/w3ftlo

Hi. Thanks for the tips. Not sure if I did the right thing. But here it is [1].

Yes, you did it correctly; please delete the file now.

I have checked the results and it is indeed clean, so we can be sure now that your server is hitting a clean node in the network, not a cached version of the scan. I will investigate the rest on my side, and will update this ticket when I have more information to share with you, I will try to find a solution by the end of the day.

Thank you!

I too have this problem and have done as suggested above both deleting /wp-content/uploads/sucuri/sucuri-sitecheck.php and running curl ….

external site check and curl says clean. Plugin says
*Known javascript malware
Malware found in the URL https:…404javascript.js

(Hover to see the Payload)
*Known javascript malware
Malware found in the URL (for Google’s UA) https:…/

Any ideas as to why? cache issue?
jcs

should have added tags I guess on previous post

Hello @wpjcs — yes the problem may be caused by an additional cache somewhere in the middle of the two nodes (plugin and API service). To be honest I don’t know how SiteCheck caches the results of the scans, my co-worker have explained this to me a couple of times in the past, but with so many things in my head I easily forget.

I remember a case a couple of weeks ago where a customer was reporting exactly the same thing that you are seeing in your website. I barely remember the solution, but at this moment I am unable to confirm if it works or not, so please give it a try just in case but feel free to come back to this ticket for more information.

Use your favorite (S)FTP client to connect to your web server, or use the file manager app available in your hosting admin panel. Navigate to the directory where the plugin’ source files are located [1] and open this file [2] then jump to line 126 and change this piece of code [3] to this [4]. Upload the modified file (or save the changes if you are using the cPanel code editor), delete the cache file once again [5] and reload the plugin’s dashboard.

These changes will force the plugin to execute a fresh scan, without the API service cache, every time the cache in the local server expires. This is, every 20 minutes your website will request a fresh scan from SiteCheck.

Let me know if it works.

[1] /wp-content/plugins/sucuri-scanner/src/
[2] /wp-content/plugins/sucuri-scanner/src/sitecheck.lib.php
[3] $results = self::runMalwareScan();
[4] $results = self::runMalwareScan(true);
[5] /wp-content/uploads/sucuri/sucuri-sitecheck.php

Hello Yorman

Yes that worked. but as you said quite slow

You I now revert the change?

Sorry should I revert the change

@wpjcs — yes you can revert the changes.

I will add a button in the next version of the plugin to execute this HTTP request without the cache in case that anyone else have the same problem. That way, they will not need to modify the source of the plugin to get the updated data. Thank you for the bug report.

Hello Yorman
Think this is a variation on this theme but with a different website

I now have several lines with no size and no date shown like
WordPress Integrity (7)
“red flag wp-content/languages/themes/twentyseventeen-en_GB.mo”
etc
where the files do not exist and I have done the actions above.
External site check says no problems

Any ideas

Hello @wpjcs — the code that powers the WordPress Integrity tool has no relationship with the code that powers the Malware Scanner, even if the information is printed in the same part of the interface, they are distinctively separated code-wise.

For the issue mentioned in this thread (the cache problems with the Malware Scanner — SiteCheck), we already found that requesting a scan while skipping the remote cache mechanism from the API works, and as mentioned in my previous message I will add a button to clear this cache if necessary when people notice out-of-sync data, this will be released with the next version of the plugin.

As for the warnings in the WordPress Integrity tools, these files are resources that according to your WordPress version should be in your project but aren’t. The plugin considers this suspicious and so proceeds to mark them with a red flag. If you think there is nothing wrong with your installation then select all the files and mark them as fixed using the dropdown at the bottom of the table. Alternatively, you can select them and choose the option “restore” which will request the download of the original code from the official WordPress repositories.

I already modified this piece of code in the development version of the plugin [1] to basically ignore the warnings when the resources are clearly language files, they are usually harmless and apparently associated with a bug that WordPress has to fix, but I have no power over their development process so I cannot force them to work on a fix immediately, I decided to take action in the code that I maintain.

Feel free to install the development version of the plugin [2] or wait until the next update.

[1] https://github.com/cixtor/sucuri-wordpress-plugin/commit/b88fd35
[2] https://github.com/cixtor/sucuri-wordpress-plugin

Hi Yorman
Though these are all language files they no longer exist becuase the associated themes have been deleted. I would not expect the first 4 to required by current version nor the other two once the theme has been deleted. The full list is:
wp-content/languages/themes/twentyfifteen-en_GB.mo
wp-content/languages/themes/twentyfifteen-en_GB.po
wp-content/languages/themes/twentysixteen-en_GB.mo
wp-content/languages/themes/twentysixteen-en_GB.po
wp-content/languages/themes/twentyseventeen-en_GB.mo
wp-content/languages/themes/twentyseventeen-en_GB.po
Will try your plugin