Hi Tim.
Thanks for the response, but you do not have to explain yourself. Be sure, I know a little about your business. I know somewhat more about IT infrastructure, but only a little about public internet services.
Now we will have a deeper look at a site which is on a public system (85.x.x.x) without a firewall in front, but with a .htaccess configuration which restricts access from the public internet (“require valid-user”).
List of plugins at this WP site:
Wordfence Security
WP Overview (lite)
Nothing more; it is only a test site.
Configuration:
Key type [free Key]
Enable debugging mode [no]
Disable Wordfence Cookies [yes]
Start all scans remotely [no]
Disable config caching [yes]
connectivity test to Wordfence servers:
DNS lookup for noc1.wordfence.com returns: 69.46.36.8
STARTING CURL http CONNECTION TEST….
Curl connectivity test passed.
STARTING CURL https CONNECTION TEST….
Curl connectivity test passed.
Starting wp_remote_post() test
wp_remote_post() test to noc1.wordfence.com passed!
Starting wp_remote_post() test
wp_remote_post() test to noc1.wordfence.com passed!
=== Test 1 Start ===
Now I start a scan manually… and…
result from “Scan Summary” window:
– nothing – still empty window –
result from “Scan Detailed Activity” window:
– nothing – still empty window –
=== Test 1 End ===
Now I make some changes in the config pane:
Enable debugging mode [yes]
Start all scans remotely [yes]
=== Test 2 Start ===
Now I start a scan manually… and…
result from “Scan Summary” window:
– nothing – still empty window –
result from “Scan Detailed Activity” window:
[Nov 25 12:03:19] CURL fetching URL: https://noc1.wordfence.com//v2.14/?v=4.0.1&s=http%3A%2F%<mysite.tld>%2F<WPdir>&k=<freeKey>&action=ping_api_key
[Nov 25 12:03:48] Ajax request received to start scan.
[Nov 25 12:03:48] Entering start scan routine
[Nov 25 12:03:48] Got value from wf config maxExecutionTime: 22
[Nov 25 12:03:48] getMaxExecutionTime() returning config value: 22
[Nov 25 12:03:48] Starting cron via proxy at URL https://noc1.wordfence.com/scanp/<mysite.tld>/<WPdir>/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=<cronKey>
[Nov 25 12:03:50] Scan process ended after forking.
=== Test 2 End ===
But in the httpd server log I see the reason why the job is not starting:
scan1 “GET /<WPdir>/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=<cronKey> HTTP/1.1” 401 “Wordfence cron”
scan1 “GET /<WPdir>/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=<cronKey> HTTP/1.1” 401 “Wordfence cron”
scan1 “GET /<WPdir>/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=<cronKey> HTTP/1.1” 401 “Wordfence cron”
scan1 “GET /<WPdir>/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=<cronKey> HTTP/1.1” 401 “Wordfence cron”
scan1 “GET /<WPdir>/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=<cronKey> HTTP/1.1” 401 “Wordfence cron”
And this error appears in all possible configurations. So I have some questions:
– why is this job not linked to the WPcron itself?
– why do you do a deep link to a directory which is recommended to be secured with a .htaccess file?
– why do you not show a link in the config pane to configure a job which can do this on the local machine?
– why do you promise security, but create a dependency which brings a security risk?
Last, I will explain: if someone disconnects your servers and/or from the internet (this is not as hard to realize as most think!), all the WP sites which are secured by Wordfence do not recognize this or don’t scan their sites any more. Then they can all be manipulated without any message from the Wordfence service.
You should think about the design; you can still deliver all your service, but with a few changes you will raise the level of security.
But the one and only thing I’m interested in: how to install a WP site with Wordfence inside a directory secured by a .htaccess file?
Thanks for the support,
Regula.
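Added example, not part of the post above and not Wordfence code: a small log check that finds scan-start callbacks (`action=wordfence_doScan`) answered with 401, as in the httpd excerpt in the post, and redacts the `cronKey` before reporting. The log line shape, the function names and the sample lines are constructed assumptions modelled on that excerpt.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumed line shape, modelled on the excerpt in the post:
#   <host> "<METHOD> <URI> <PROTO>" <status> "<user agent>"
# Straight and typographic quotes are both accepted.
LINE_RE = re.compile(
    r'^(?P<host>\S+)\s+["“](?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+\S+["”]\s+'
    r'(?P<status>\d{3})\s+["“](?P<agent>[^"”]*)["”]'
)
KEY_RE = re.compile(r'(cronKey=)[^&\s]+')  # the cron key is a secret: never echo it

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m['uri'])
    query = parse_qs(parts.query)
    return {
        'host': m['host'],
        'path': parts.path,
        'action': query.get('action', [''])[0],
        'status': int(m['status']),
        'agent': m['agent'],
        'uri': KEY_RE.sub(r'\1[redacted]', m['uri']),
    }

def blocked_scan_callbacks(lines):
    """Return scan-start callbacks that the web server answered with 401."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if (rec and rec['path'].endswith('/wp-admin/admin-ajax.php')
                and rec['action'] == 'wordfence_doScan' and rec['status'] == 401):
            hits.append(rec)
    return hits

def summarize(lines):
    """Count rejected scan-start callbacks per (host, status)."""
    return Counter((r['host'], r['status']) for r in blocked_scan_callbacks(lines))

# Constructed sample log (placeholder path and key, not taken from a real site)
SAMPLE_LOG = [
    'scan1 "GET /blog/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=EXAMPLEKEY HTTP/1.1" 401 "Wordfence cron"',
    'scan1 "GET /blog/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=EXAMPLEKEY HTTP/1.1" 401 "Wordfence cron"',
    'client7 "POST /blog/wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 "Mozilla/5.0"',
    'client7 "GET /blog/wp-login.php HTTP/1.1" 401 "Mozilla/5.0"',
    'not a log line',
]

if __name__ == '__main__':
    for rec in blocked_scan_callbacks(SAMPLE_LOG):
        print(rec['status'], rec['host'], rec['uri'])
    print(dict(summarize(SAMPLE_LOG)))
```

Run against the real access log, a non-zero count right after a manual scan confirms the scan was accepted in the admin UI but its callback never got past HTTP authentication.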