File Change Emails NOT Sent

A manual File Change Detection (FCD) scan will never send an email.
Only scheduled FCD scans send emails. But only if file changes were detected …

Please make sure the Email file change notifications checkbox is enabled in the FCD section of the iTSec plugin Settings page.

Did you receive FCD emails in the past ?

If possible provide us with a screenshot of the iTSec Logs page after selecting ‘File Change History’ in the Select Filter:
dropdown listbox.

dwinden

@dwinden

Thanks for responding.

Good to know about the manual FCD scan not sending emails.

Email file change notifications checkbox is enabled, and I have received file change notifications in the past. It’s just recently stopped.

Screenshot: FCD log

Ok, I did a quick test using the iTSec plugin 4.9.0 in a WP 4.2.4 env and I can confirm I received a FCD email.

So at least we know it should work in the latest release.
Also based on the plugin Changelog, nothing seems to be changed related to the FCD feature…

So I think this must be a very specific issue in your env(s).

Best thing to do would be to temporarily use a debug version of the plugin file containing the function that executes a scheduled FCD scan (execute_file_check() function in better-wp-security/core/modules/file-change/class-itsec-file-change.php file).
Then examine the output it produces.

Before we go down that road (if you are up to the challenge) do check your web server error_log for any possible errors …

dwinden

Thanks for doing the test. Good to know that combo works.

I agree, it’s most likely an env issue, but as to what it is, I’m not sure.

I would love a debug feature. I found reference to it in the code (though I think it was in code for notify), however I don’t see any option for it. I tried setting “define(‘ITSEC_DEBUG’, true);” in wp-config.php, but it made no difference.

I’m up for the challenge! What do I need to do?

Nothing in error_log.

@dwinden, are you a iThemes Security dev?

@damian_au

No I’m not an iThemes Security dev.
I’m based in The Netherlands and keeping my IT problem solving skills up to date while in search for a new job. Have been helping in this forum since Nov\Dec 2014. It’s also fun !
By now pretty familiar with the iTSec plugin code, so rest assured I know what I’m doing.

Ok, start by removing the ITSEC_DEBUG line from the wp-config.php file
It’s primarily used for debugging a different email issue. It has no purpose for debugging this particular email issue.

Then rename your existing better-wp-security/core/modules/file-change/class-itsec-file-change.php file to class-itsec-file-change.php.old
(This and the next step will also make sure the next scheduled FCD scan will detect file changes …).

Download this debug version of that same file and copy it to the better-wp-security/core/modules/file-change folder. To facilitate the download I’ve renamed the .php extension of the file to .zip. But it’s not a zip file !
Once downloaded simply rename it from .zip to .php

I’ve added some debugging statements to the file so it will produce debugging info once a scheduled FCD scan is triggered.
The debug output will be displayed on screen in the WP Dashboard.
Once the debug output is on screen you’ll need to copy the output and paste it into a new post for this topic.

If you are lucky the next scheduled FCD scan is nearby.
However in the worst case scenario the next scheduled FCD scan is 24 hours away. We don’t want to wait for that. So follow these instructions EXACTLY to trigger an immediate scheduled FCD scan in WP Dashboard.

First make sure you are already logged into WP Dashboard and the debug version of the class-itsec-file-change.php file is in place.

Then log into the database using phpMyAdmin. Click on the [prefix]options table. Click on the SQL tab and enter the following command:

SELECT * FROM [prefix]options WHERE option_name = ‘itsec_file_change’

Where [prefix] should be substituted with your database table prefix (eg: wp_)

Doubleclick on the serialized data in the option_value column.
Scroll to the end and subtract 100000 from the “last_run” value.

eg: 1438943924 -> 1438843924
(In theory subtracting 24*60*60=86400 seconds should be enough. I use 100000 seconds because it makes for an easier calculation).

A single click anywhere outside the modified column field will save the change. Any action (page load) performed in WP Dashboard will now trigger a scheduled FCD scan. Debug output should be displayed on screen.
Any subsequent page load will clear the debug output again.

So once on screen copy\paste the debug info into your next post.

Finally restore the original class-itsec-file-change.php file.

dwinden

Thanks for the assistance @dwinden.

Here is the output:

************************* $send_email: 1
************************* $scheduled_call: 1
************************* $this->settings['email']: 1
************************* $files_added_count: 0
************************* $files_changed_count: 2
************************* $files_deleted_count: 0
************************* Digest email: 0
************************* Lockouts email:
************************* Sending FCD email ...
************************* Sending FCD email succeeded.

So it appears to be calling send_notification_email() function, though I don’t see how we can consider the email as ‘sent’. I tried this on my local test environment and on external host. I watched the mail logs on my local test env and I there is no email generated by the plugin.

@damian_au

Ok, thank you for the debug output.

Is the Email Lockout Notifications setting in the Global Settings section of the iTSec plugin Settings page disabled in your problematic envs ? Please check multiple envs.

Please don’t change anything before I explain a couple of things in my next post.

dwinden

Yes, Email Lockout Notifications is disabled.

Ok, so we finally tracked down the root cause of your issue.

There is a serious bug in the send_notification_email() function.

Instead of sending the email directly from the send_notification_email() function the FCD feature uses the notify() function from another class (ITSEC_Notify) to send the email.
And the notify() function will only send an email when the Email Lockout Notifications setting is enabled …

In other words when the Email Lockout Notifications setting is disabled Brute Force Protection (BFP) lockout emails AND FCD emails are not send.

And there is another bug in the ITSEC_Notify class notify() function … Even though no email is send it will still return a value of true …
This explains why the debug output reports that the FCD email was send successfully while in fact it was not send at all.

So the way things are you would need to enable the Email Lockout Notifications setting in order to send any FCD emails.
But you have probably disabled this setting for a good reason.
You don’t want all those (BFP) lockout emails …

Sending FCD emails should be independent from the Email Lockout Notifications setting.
We can achieve this by sending the FCD email directly from the send_notification_email() function.

I have changed the send_notification_email() function code to do exactly that and hope to share it in my next post after properly testing it.

dwinden

Yep, I have come to the same conclusion. I hope iThemes Security devs monitor this forum.

Seems strange to require the Email Lockout Notification for FCD email notifications. I normally have this disabled so I don’t get swamped by lockout email notifications.

The ‘problematic sites’ all have Email Lockout Notification disabled; the ‘working’ sites have it enabled. So this is definitely the problem.

I recently updated settings on all my sites and would have disabled Email Lockout Notification if I saw it was enabled. Which explains why FCD emails recently stopped.

Thanks for confirming the issue with Email Lockout Notification.

I’ve uploaded a fixed 4.9.0 version (without debug statements) of the class-itsec-file-change.zip file.
Use the previous download link to get that version.
Instructions to apply the file are the same.

Let me know whether that fixes the issue. It did in my test env ??

Also keep in mind the fixed file will be lost when updating the iTSec plugin in the future.

dwinden

Thanks @dwinden, I will try that and let you know if it works.

@dwinden

Thanks for all your efforts, it’s greatly appreciated.

I have found a more simple solution to the problem, until the plugin is fixed. For anyone experiencing this problem, open: /wp-content/plugins/better-wp-security/core/class-itsec-notify.php and locate notify function around line 198.

After global $itsec_globals;

Add:

$file_change_settings = get_site_option( ‘itsec_file_change’ );

Then locate:

} elseif ( isset( $itsec_globals[‘settings’][’email_notifications’] ) && $itsec_globals[‘settings’][’email_notifications’] === true ) {

Replace with:

} elseif (
isset( $itsec_globals[‘settings’][’email_notifications’] ) && $itsec_globals[‘settings’][’email_notifications’] === true ||
isset( $file_change_settings[’email’] ) && $file_change_settings[’email’] === true
) {

Save file.

File change email notifications should now work.

NOTE: As @dwinden mentioned, any future updates of iThemes Security plugin will overwrite this fix. Hopefully iTSec devs fix this issue before next update.

It appears that this issue was introduced in Oct 2014 to fix issues with the plugin sending out notification emails when it shouldn’t.

See link for reference: iThemes Security Plugin GitHub Commit

@damian_au

Did you actually test that solution ?

Isn’t this (also) going to send Lockout notification emails when the Email Lockout Notifications setting is disabled and the Email File Change Notifications setting is enabled ?

Please reconsider …

dwinden

@dwinden

Yes, I have tested this over multiple sites.

Isn’t this (also) going to send Lockout notification emails when the Email Lockout Notifications setting is disabled and the Email File Change Notifications setting is enabled ?

Not that I can see, unless I’m missing something. The notify() function is triggered by both send_lockout_email() (Lockout Notification Function) and send_notification_email() (File Change Notification Function).

For lockout notifications, lockout() triggers send_lockout_email() (only if email_notifications is true) which then triggers notify(), which also checks if email_notifications is true.

For FCD notifications, execute_file_check() triggers send_notification_email() (only if email is true) which then triggers notify(), which also checks if email is true.

So notify() function will only send Email Lockout Notifications if setting enabled; and with my changes, it will also send Email File Change Notifications only if setting is enabled.