BUG REPORT: Endless Loop on File Change Detection
-
I have been running scans recently and have been falsely alerted to core file changes to many readme.txt files for various plugins. Example:
[1] I ran a scan around 8:45 a.m. this morning as follows:
[Jun 26 08:46:33] Comparing plugins against www.ads-software.com originals
Problems found. Modified plugin file: wp-content/plugins/updraftplus/readme.txt
Here are the specs on that file:
-rw-r--r-- 1 abc abc 91524 Jun 25 10:26 readme.txt
[2] So I restored the file per your plugin’s fix-it link: “Restore the original version of this file.”
[3] I then ran another scan right after as follows:
[Jun 26 09:00:49] Comparing plugins against www.ads-software.com originals
Problems found. Modified plugin file: wp-content/plugins/updraftplus/readme.txt
The same file detected at 8:45 a.m. that was restored got detected again.
-rw-r--r-- 1 abc abc 91524 Jun 26 09:00 readme.txt
This happened yesterday as well with a couple of other readmes.
-
Did you look at the changes? Most of the time it is compatibility notes the plugin author has made but not updated the repo on www.ads-software.com with a new version. They edited the readme.txt file directly. Post a screenshot of the differences here.
tim
Thanks for the response Tim (@WFSupport)
I guess I don’t understand how your scan/checker process works.
What file are you testing and to what are you comparing it?
Because:
(1) I ran a WF Scan
(2) The scan warned me the particular readme.txt file was changed from its original source
(3) I clicked on the WF link “Restore the original version of this file.”
(4) I got a success pop-up message that the file was restored
(5) I immediately ran another scan, minutes later, and the same exact file was identified as being changed.
So after I “restored the original version of this file”, what is your subsequent scan comparing the newly restored file to?
Seems to me I should have been good to go…
Tim, @wfsupport
Taking your suggestion into consideration I ran a scan again just now.
Again the ../updraftplus/readme.txt file got flagged. But this time I looked at the comparison changes in the file. Interesting what WF reports…see below:
Wordfence: Viewing File Differences Filename: wp-content/plugins/updraftplus/readme.txt File type: Plugin File Plugin Name: UpdraftPlus - Backup/Restore Plugin Version: 1.10.3 There are no differences between the original file and the file in the repository.
So I think your scanner tool has a bug or 2…it throws “false positives”.
Ran another scan this morning. The plugin still throws “false positives”.
Modified plugin file: wp-content/plugins/updraftplus/readme.txt
Filename: wp-content/plugins/updraftplus/readme.txt
File type: Plugin
Issue first detected: 10 mins ago.
Severity: Warning
Status New
This file belongs to plugin “UpdraftPlus – Backup/Restore” version “1.10.3” and has been modified from the file that is distributed by www.ads-software.com for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don’t manage their code correctly. [See our FAQ on https://www.wordfence.com for more info]
Clicked the link: See how the file has changed.
Wordfence: Viewing File Differences The two panels below show a before and after view of a file on your system that has been modified. The left panel shows the original file before modification. The right panel shows your version of the file that has been modified. Use this view to determine if a file has been modified by an attacker or if this is a change that you or another trusted person made. If you are happy with the modifications you see here, then you should choose to ignore this file the next time Wordfence scans your system. Filename: wp-content/plugins/updraftplus/readme.txt File type: Plugin File Plugin Name: UpdraftPlus - Backup/Restore Plugin Version: 1.10.3 There are no differences between the original file and the file in the repository.
Ran my morning scan again, and still the “restored” file wp-content/plugins/updraftplus/readme.txt is flagged.
Concerns me that if the service consistently encounters false positives then are true infections not being identified?
Ran my morning scan again and WF still throwing false positives.
Ran my morning scan again and WF continues to throw false positives.
If WF can throw false positives then it must be missing true infections.
Case in point – I have had WF installed for about a year. Last month my WP installation got hacked without any notice or alert from WF (granted I am not on the “paid-for” version of WF). Got in touch with the sys admins at the data center. They found nothing wrong in my server’s OS, etc. In fact, I am running other hosts on my server that are not part of my WPMS installation and all of those hosts/sites were fine. The sys admin happened to mention hearing about an open exploit in Gravity Forms. So after 2-3 days of focused effort trying to clean my WPMS I ended up
- completely deleting the Gravity Forms plugin,
- manually inventorying each and every plugin & theme I had in my WPMS instance and deleted any that were no longer used or needed
- deleted my entire set of UpdraftPlus backups
- deleted the entire set of WHM/cPanel backups.
That solved my problem for now…no hacks or issues present in my WPMS.
WF is not a very trustworthy plugin for what it claims to do if you ask me.
Ran my morning scan again and WF still throwing false positives.
Isn’t there a option to “ignore an issue until it changes”, once you have established that it is a false positive?
If WF can throw false positives then it must be missing true infections.
Can you explain why this must be the case?
The sys admin happened to mention hearing about an open exploit in Gravity Forms.
As this plugin is not available in the WordPress repository, surely the decision to use, update and trust this plugin is your responsibility, and can’t be blamed on Wordfence, which compares plugins against those held in the WordPress repository.
WF is not a very trustworthy plugin for what it claims to do if you ask me.
As the top security plugin by downloads and active installs, it seems that many would disagree with this assessment.
Isn’t there a option to “ignore an issue until it changes”, once you have established that it is a false positive?
You’re missing the bigger point @barnez — the plugin has bugs in it.
Can you explain why this must be the case?
Read the 4th post [above] in this thread @barnez
As this plugin is not available in the WordPress repository, surely the decision to use, update and trust this plugin is your responsibility, and can’t be blamed on Wordfence, which compares plugins against those held in the WordPress repository.
Then WF should make a visible disclaimer and inform you that it does not test nor compare plugins/themes not part of the WP Repository. Right now the WF plugin actually processes this plugin which (gave me) some level of assurance that it checks it for vulnerabilities.
As the top security plugin by downloads and active installs, it seems that many would disagree with this assessment.
You can’t always gauge a plugin by that metric. The metric only shows how many times it has been downloaded. It does not inform you how many times it has been installed, nor how many active WP installs are actually still using it. That’s just a shortcoming in the metric. But knowing and understanding the shortcoming does help to make good judgement and assessment. Plus, there are other plugins out there that look popular but no longer work due to lack of support and continued development. You simply discover those as time goes on.
You’re missing the bigger point @barnez — the plugin has bugs in it.
And you have notified the plugin author. For a free plugin, can we expect more than to highlight the bug(s) and then wait patiently for the next release to see if it/they has been resolved?
If WF can throw false positives then it must be missing true infections.
Read the 4th post [above] in this thread @barnez
All I can see from post #4 is that there is probably a bug. Maybe I’m missing something but I’m not clear how this false positive can translate with certainty into missing true infections.
Then WF should make a visible disclaimer and inform you that it does not test nor compare plugins/themes not part of the WP Repository.
This is pretty clear from the official documentation on scanning plugins:
Scan plugin files against repository versions for changes
As with the core file change detection above, this compares your plugins with what is in the official WordPress repository and will alert you to any changes.
You can’t always gauge a plugin by that metric. The metric only shows how many times it has been downloaded.
Wordfence is actively maintained, has 2 support assistants monitoring the forum, and at 900,000+ active installs (more than any other security plugin in the repository) and is only increasing in popularity if you check the stats.
I understand that this has been frustrating for you, and having had hacks myself I also know how annoying and time consuming they can be. I just think that we have a great plugin here, which is actively maintained and supported in the forums, and is free at the point of use.
Also, it’s important to remember that security has to extend beyond installing a plugin such as Wordfence, which can only form a part of a security policy. The Hardening Codex plugin has excellent additional advice to strengthen the installation and ensure best practice from the site managers.
Good luck!
And you have notified the plugin author. For a free plugin, can we expect more than to highlight the bug(s) and then wait patiently for the next release to see if it/they has been resolved?
The plugin author participated in this thread one time, asking a certain question, and then elected to ignore all subsequent posts by leap frogging over this topic. That makes me feel that they have no plan or intention to address it. If they did, I would expect to see a post to the effect that they accept the topic as a possible bug and will look deeper into it and possibly release a fix in an upcoming version. Only seems logical and fair to me.
All I can see from post #4 is that there is probably a bug. Maybe I’m missing something but I’m not clear how this false positive can translate with certainty into missing true infections.
A bug of this nature gives me little assurance that it can catch all true infections. Plus my installation suffered an infection from a plugin (granted, not in the WP Repository) but one that WF scanned and reported on nonetheless. So for me, I have less than 100% confidence in this plugin.
This is pretty clear from the official documentation on scanning plugins:
Well, you’re a lot better and diligent in reading through all the documentation on the plugins you use than I am. I’ll bet you read all the fine print on the T&C for the things you buy as well. I’m just an old put faith in the “popular WP plugin” that it functions a certain way.
Bottom-Line
Is this a great plugin and one of many tools you should have in your toolbox for security & protection? Most definitively. I only post here and carry on in order to heighten the fact that the plugin has a bug or bugs. Yet I can’t get the attention of the developer to want to at least consider that there may be bugs in the plugin.
P.S. thanks for the link https://codex.www.ads-software.com/Hardening_WordPress — I’ll seriously take it into consideration.
@frank Actually I posted this:
Did you look at the changes? Most of the time it is compatibility notes the plugin author has made but not updated the repo on www.ads-software.com with a new version. They edited the readme.txt file directly. Post a screenshot of the differences here.
The question was more rhetorical. I explained what the problem often is. It was a change that was done directly in the repository. If you wish to verify or not, go speak to the author of the plugin we warned you about. Warning you is what we do. It’s not our job to be the wordpress plugin police and tell developers how to do things. If they choose to do things where only new downloads have changed files and the rest of their users don’t, we cannot stop them. It’s not a great way to do plugins, but then I guess that’s our opinion. From all of your posts I have read (unless I missed something), Wordfence looks like it is working as it is supposed to. It is alerting you to a change.
You’d be hard pressed to find any plugin that didn’t have some bug or other in it, but at the same time I doubt you’d be able to find a more responsive development team than WF has. Ours is one of the best out there. We release almost every other week to address problems and add new functionality. We have invested in paid staff in the free forums, helping as best we can. When you assert that “WF is not a very trustworthy plugin”, it’s slanderous and not really grounded in the truth. If this bothers you so much, I’d just say uninstall the plugin and grab something else.
We appreciate and value our customer, both free and paid, and will continue to do what we can to protect the wordpress community. I am closing this post because it seems to have run its course and nothing further will be gained from it. @barnez Thanks, as always, for your support. @frank Thanks for pointing out, in good faith, what you feel is an omission in the software. We’ll look, as we have been, at ways to address your concern while balancing it with feasibility and functionality.
tim
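The behaviour reported in this thread (scan flags readme.txt, restore succeeds, the diff viewer shows no differences, the next scan flags the same file again) can be reproduced with a small model of a repository-comparison integrity scanner. This is an added example and not Wordfence's code; the Repository and Scanner classes, the idea of a frozen release snapshot versus a live, editable tree, and the readme contents are all assumptions constructed for the demonstration. It shows the one configuration that loops forever: expected hashes computed from one view of the plugin while restore and diff read from another, which is exactly what a direct in-place edit of readme.txt without a version bump exposes.

```python
"""Model of a plugin-file integrity scan against repository originals.

Added example, not Wordfence's code. Everything below (class names, the
two repository views, file contents) is constructed for illustration.
"""
import hashlib

README = "wp-content/plugins/updraftplus/readme.txt"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Repository:
    """Hypothetical plugin repository with two views of one plugin version:
    'release' is frozen when the version is tagged; 'live' is the tree the
    author can keep editing in place without bumping the version."""

    def __init__(self, files):
        self.release = dict(files)
        self.live = dict(files)

    def edit_live(self, path, content):
        # Author edits a file directly; the release snapshot does not change.
        self.live[path] = content


class Scanner:
    """Hypothetical scanner: hash_source is the view used to compute expected
    hashes, restore_source the view used by 'restore' and the diff viewer."""

    def __init__(self, repo, hash_source, restore_source):
        self.repo = repo
        self.hash_source = hash_source
        self.restore_source = restore_source

    def _view(self, name):
        return getattr(self.repo, name)

    def scan(self, site):
        """Return paths whose local hash differs from the expected hash."""
        expected = {p: sha256(c) for p, c in self._view(self.hash_source).items()}
        return sorted(p for p, h in expected.items()
                      if sha256(site.get(p, b"")) != h)

    def restore(self, site, path):
        site[path] = self._view(self.restore_source)[path]

    def has_differences(self, site, path):
        """What the 'Viewing File Differences' page would report."""
        return self._view(self.restore_source)[path] != site[path]


def simulate(hash_source, restore_source, rounds=3):
    """Install a plugin, let the author edit readme.txt in place, then run
    scan -> restore -> diff for a few rounds. Returns one tuple per round:
    ('flagged', diff_shows_differences) or ('clean', None)."""
    published = {README: b"=== UpdraftPlus ===\nStable tag: 1.10.3\n"}  # constructed
    repo = Repository(published)
    site = dict(published)  # plugin installed from the release

    # Compatibility note added straight into the repository, no new version.
    repo.edit_live(README, published[README] + b"Tested up to: 4.x\n")  # constructed

    scanner = Scanner(repo, hash_source, restore_source)
    history = []
    for _ in range(rounds):
        flagged = scanner.scan(site)
        if not flagged:
            history.append(("clean", None))
            break
        scanner.restore(site, flagged[0])
        history.append(("flagged", scanner.has_differences(site, flagged[0])))
    return history


if __name__ == "__main__":
    # Hashes from the live tree, restore from the release snapshot: loops
    # forever, and the diff viewer reports no differences every time.
    print("mismatched sources:", simulate("live", "release"))
    # Both from the same view: the alert fires at most once, then converges.
    print("both live:        ", simulate("live", "live"))
    print("both release:     ", simulate("release", "release"))
```

The defender-side check this suggests is simple: whatever artifact a scanner hashes for comparison must be the same artifact it restores from and diffs against; if the two can drift (a published hash index on one side, a downloaded zip or live file on the other), a "restore" can never converge, and repeated unactionable alerts train site owners to ignore the scanner's output.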
Hi @wfsupport. Nice to hear from you again.
See my 5th post above which addresses your earliest question.
But I’ll post screen shots in a few moments — as soon as I run another scan.
- The topic ‘BUG REPORT: Endless Loop on File Change Detection’ is closed to new replies.