Connecting back to this site

Hi @jknetdesign, sorry to see you’re having trouble with the scan.

I’m getting a ‘site unavailable’ notice when visiting your URL, so unless this was a deliberate action because the site is in development or you have a maintenance mode enabled, I’m concerned there might be some configuration issues.

It looks like an IP catching all users may appearing under under Wordfence > Firewall > Blocking so will need to be removed from the list.

Follow these steps if you need to regain admin access:

• Please use FTP/SFTP — or any file manager your web host provides via their administration panel.
• Look inside the /wp-content/plugins/ directory and rename the wordfence directory to wordfence.bak.
• Once you have logged in to your WordPress admin you can name the folder back to wordfence again.
• Refresh your dashboard and you should be able to see Wordfence Active again. If not, go to the Plugins page and Activate it.

Once Wordfence is activated again, take a look at Live Traffic to see if all logins and logouts seem like they have the same IP address.

If they do, look at Wordfence Dashboard > Global Options > General Wordfence Options > How does Wordfence get IPs and cycle through the options there until it displays the IP address you discovered on https://www.whatsmyip.org/. That will be the setting you need to use going forward, so click the SAVE button once you’re done.

Once back in (even if the above didn’t apply and you had access to wp-admin all along), can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

Note: For the fastest response time, please make sure and add any information or questions directly to this topic and not the email address above unless asked.

Thanks,

Peter.

Yes I have FTP and admin access to WP.

Live Traffic has several different IPs

Renamed the plugin like you said, reactivated it. When I cycle through the ‘How does Wordfence get IPs’ every option has my IP.

Also, I saved every option and tried to scan. I get the same Scan Failed yellow message, and below it says ‘[JAN 14 08:21:27] Scan stop request received.
‘

Diagnostics report sent.

Hi @jknetdesign,

According to your diagnostics, wp_remote_post(), which attempts to make a POST request to wp-admin/admin-ajax.php on your server is coming back with a 423 HTTP code of “Locked”. However, your cron jobs are also out of date due to this connection issues which means plugins and other updates are not happening. The Wordfence scan report is coming back with a number of malicious file reports which alerts me to the error text on the page, “This site is currently unavailable. If you’re the owner of this website, please contact your hosting provider to get this resolved.” It looks like SiteGround have forced this 423 Locked code to prevent others seeing your site, so please get in touch with their support. They may be able to assist you in getting the site cleaned up and re-enable it on your hosting account.

The reason for the exploit occurring may be due to plugins not being updated in the past and a legacy vulnerability being exploited, but this is just one possible reason based on what I’m seeing. The most important thing for now is to clean your site, which I will provide you detailed instructions for below in case your host is unable to fully assist.

Follow the checklist here:

https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

Make sure and get all your plugins and themes updated and update WordPress core too.

As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure and do this.

Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.

If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers one and there are others. Regardless if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

Let me know how you get on!

Thanks,

Peter.

• This reply was modified 4 years, 2 months ago by wfpeter.
• This reply was modified 4 years, 2 months ago by Steven Stern (sterndata).

Have you received my diagnostics report?

Hi @jknetdesign,

We did receive your diagnostics and I replied with the action that should be taken a few hours before your last response. Some posts are held for moderation, so may have not been visible at that time. I’m replying again now to hopefully re-flag the post to you so that you can get the assistance you need.

Thanks again,

Peter.

The 423 Locked code to prevent others seeing the site was exactly the issue. The host would not remove the block but they give me a list of files that I removed. Now I’m able to perform the Wordfence scan as normal to double check. Thanks so much for your support.

Hi @jknetdesign,

Glad to hear they were able to assist and that your scans are up and running. You’re welcome for the help, always good to have some positive feedback!

If you need to ask further questions about Wordfence, please start a new topic any time and we’ll be glad to help you.

Thanks,

Peter.