• Hello,

    This morning, all my WPs reported a similar message, like:

    WordPress Security Firewall has detected files on your site with potential problems. More Info
    Site – ” target=”_blank”>SITETITLE
    Details for the files are below:

    The MD5 Checksum Hashes for following core files do not match the official www.ads-software.com Checksum Hashes:
    – wp-includes/version.php

    You should review these files and replace them with official versions if required.

    Reports include various files, from one website to another, like fi:
    – wp-content/index.php
    – wp-content/themes/index.php
    – wp-content/plugins/index.php

    Considering that everyone of my websites, that are hosted on several different locations (and different server types), ALL sent this message at about the same time, I find it hard to believe that there would be a real problem.

    Most of my WPs have been installed using application tools that came with the various hosting packages that I submitted.
    Could it explain that the referenced files are all a bit different from the “standard” ones?

    Regards,
    Francois

    https://www.ads-software.com/plugins/wp-simple-firewall/

Viewing 14 replies - 16 through 29 (of 29 total)
  • Plugin Author Paul

    (@paultgoodchild)

    With all this being said then, would any one like to join a more structure beta-testing group? That way with all your help we can develop new features and catch things like this earlier?

    Hi Paul,

    Glad you guys are onto this. Had me working overtime to sort out the issues but not a problem.

    Keep up the great work on a superb plugin.

    Plugin Author Paul

    (@paultgoodchild)

    @ re7ox – thanks dude! ??

    @ everyone. For example, I have a fully working implementation of Google Authenticator for two-factor authentication.. Any beta testing takers? ??

    Thanks.

    Hi Paul, add me to your beta testing list!

    Thanks

    A reply to those users with many WP installs complaining about the email notifications, like Wingers574.

    Either you want a firewall which is automatically updating itself to protect your site as soon as possible against (new) threats – or not.

    New features can always contain bugs. I think that’s why most of you don’t let WP just do all updates automatically, right?

    Of course the same can happen to this firewall (keep in mind taht in this case we are talking about emails, not any serious bug killing your sites).

    If you don’t want those automatic firewall updates, deactivate it. You can update and test anytime you want. Another option might be to update only one site automatically, check the update emails and update the rest of your sites manually if the update looks good to you.

    I got the same emails. But I’m happy the plugin updates itself and as for now I still have trust that it won’t brake my site but protect it against new threats. If I loose this trust, i will deactivate automatic updates, simple is that.

    Paul, you mentioned: “index.php will be replaced automatically when it’s discovered to be different in any way to the original source.”
    Not sure if this is a good idea. With that many WP users maybe there is someone out there who changed some of these files on purpose. I don’t think this is a good workaround for the problem.

    Concerning beta tests: implement an option in the plugin to receive betas. (but don’t activate it automatically ?? )

    Anyway thanks for your fast response Paul, as always. Keep up the good work!

    Plugin Author Paul

    (@paultgoodchild)

    @flowliver
    Thanks for your comments and feedback on this.

    I’m torn. Last week I was inundated with folks writing about these index.php files, and then wanting an automated fix for them. This is not what I want to spend my time supporting, so going forward, I’m opting to not enable new features such as this, but then change the default to enabled at a later date, after the majority of plugins have already upgraded.

    This does 2x things:
    – it means the vast majority of automatic upgrades remain unaffected at the time of upgrade and going forward.
    new plugin installations eventually will have features such as this automatically enabled.

    If existing users/plugins want a new feature enabled, they’ll have to go to each site and enable it. Unfortunately both sides of this debate can’t be satisfied so I have to choose the least disruptive for users, and the lowest support burden for me.

    I may build in an option to “enable new features automatically”. This is complicated, but do-able.

    I like the idea of building in beta-testing into the plugin – I’ll create a subscription option there in the future at some point.

    Regarding the index.php problem I may remove the automated repair for it at a later date, but it’s the best option for resolving this issue at the moment. Once most sites are “repaired”, it wont need to be retained in the plugin and newer websites wont have the issue anyway.

    Thanks again for your feedback and suggestions, appreciate it!

    Paul, thanks again for the really wonderful plugin.

    I thought you should know that I am getting the checksum warning below on some brand new sites with fresh installs of WP:

    The MD5 Checksum Hashes for following core files do not match the official www.ads-software.com Checksum Hashes:
    – wp-content/themes/index.php (www.ads-software.com source file)
    – wp-content/plugins/index.php (www.ads-software.com source file)
    – wp-content/index.php (www.ads-software.com source file)

    I am not sure how a sites installed with the latest version of WP could be triggering this notification.

    Plugin Author Paul

    (@paultgoodchild)

    what is the source of your install files?

    Ah that could be the issue as one of the sites had WordPress installed by the host.

    Plugin Author Paul

    (@paultgoodchild)

    ah ok. if it’s not coming from www.ads-software.com, then you could have anything ??

    @paul:
    >> I may build in an option to “enable new features automatically”.

    It’s already possible to activate/deactivate automatic updates for this plugin. Whoever activates this must be aware that such things might happen. I don’t see a big problem here – once again it might be in front of the screen ??

    But if you think an extra option for updating with new features is needed, feel free, that’s up to you.

    Anyway, there should remain an option to automatically update to the newest stable version, for best protection.

    Thanks!

    @paul

    I’m still having some issues with notifications being thrown for themes/index.php and plugins/index.php on a variety of sites.

    I’ve removed the closing ?> on those files *and* turned on the auto repair and I keep getting notifications.. Odd.

    The other thing – I think I have an install or two and would love to beta test the Google authenticator if thats still open!

    Thanks for your awesome work and fantastic plugin!

    Plugin Author Paul

    (@paultgoodchild)

    Could you go to the source of the file and copy-paste the contents of the source files exactly and save them?

    Latest beta with Google Authenticiator is here:
    https://github.com/FernleafSystems/wp-simple-firewall/tree/release/4.17.0

    Thanks for the beta!

    I will do the manual source update. Is there a way to force the file check to run to see if it works?

    Thanks Paul!

Viewing 14 replies - 16 through 29 (of 29 total)
  • The topic ‘Problem with Checksum Hashes’ is closed to new replies.