Scan process ended after forking.

I’m seeing the same behavior.

@balex66 Have you had any luck figuring out the cause or solution?

Am having same problem with scans. Scans are not completing and getting this message:
[Apr 18 18:07:15] Scan can’t continue – stored data not found after a fork. Got type: boolean

Hello,
the error messages in the end there indicate that the server is running out of PHP memory while running the scan. If you try running the scan at a time when there is very low traffic on your website, I expect it might complete. It depends on what else is installed on your system though.

The available time a script is allowed to execute on your server is 30. I would advise to change that to 60. The setting is changed in php.ini.

In addition to this you can try setting the Wordfence option “Maximum execution time for each scan stage” to 15. This will decrease the risk of an error occurring.

You can read more about issues with scans not completing here.

@islandwoman I’m not certain, but I think your issue is the one being addressed now by the Wordfence team. It’s mentioned here:

https://www.ads-software.com/support/topic/scanning-stops?replies=13#post-8285267

While you’re waiting for the upgrade, you might try to disable the option “Scan for signatures of known malicious files” under “Options”/”Scans to include” and see if that works.

@wfasa I’ll try your suggestions and let you know if they work. Thanks!

@wfasa Wordfence is still not completing its scan and getting hung up in the same spot.

We increased “memory_limit” to 256M (from 128M).

We increased “max_execution_time” to 60 (from 30).

We also set “Maximum execution time for each scan stage” to 15.

EDIT: We also confirmed that the .htaccess file is not blocking the wp-admin folder or limiting access to it.

What else can we do to try to fix this?

In case it helps, below is the latest activity log

—
[Apr 18 12:39:43:1461008383.208393:10:info] SUM_KILLED:A request was received to kill the previous scan.
[Apr 18 12:39:43:1461008383.208019:1:info] Scan kill request received.
[Apr 18 12:39:37:1461008377.293253:4:info] Scan process ended after forking.
[Apr 18 12:39:32:1461008372.090535:4:info] Calling Wordfence API v2.22:https://noc1.wordfence.com//v2.22/?v=4.5&s=http%3A%2F%2Fwww.sfbee.org&k=3fd8f03d6324047f62c599e17608accdf848236d0e3d672bc1e096b69ed30450b113f8be8d35c0004c62990ae5391ad4d0f0d2d216b65fc0a381c34259c39b1f&openssl=268439647&phpv=5.3.29&betaFeed=0&action=get_known_files
[Apr 18 12:39:32:1461008372.084065:10:info] SUM_START:Fetching core, theme and plugin file signatures from Wordfence
[Apr 18 12:39:32:1461008372.076455:2:info] Found 7 themes
[Apr 18 12:39:32:1461008372.071277:2:info] Getting theme list from WordPress
[Apr 18 12:39:32:1461008372.068918:2:info] Found 12 plugins
[Apr 18 12:39:32:1461008372.031506:2:info] Getting plugin list from WordPress
[Apr 18 12:39:31:1461008371.723393:4:info] Calling Wordfence API v2.22:https://noc1.wordfence.com//v2.22/?v=4.5&s=http%3A%2F%2Fwww.sfbee.org&k=3fd8f03d6324047f62c599e17608accdf848236d0e3d672bc1e096b69ed30450b113f8be8d35c0004c62990ae5391ad4d0f0d2d216b65fc0a381c34259c39b1f&openssl=268439647&phpv=5.3.29&betaFeed=0&action=log_scan
[Apr 18 12:39:31:1461008371.722894:1:info] Contacting Wordfence to initiate scan
[Apr 18 12:39:31:1461008371.720364:10:info] SUM_ENDOK:Scanning your site for the HeartBleed vulnerability
[Apr 18 12:39:31:1461008371.098203:4:info] Calling Wordfence API v2.22:https://noc1.wordfence.com//v2.22/?v=4.5&s=http%3A%2F%2Fwww.sfbee.org&k=3fd8f03d6324047f62c599e17608accdf848236d0e3d672bc1e096b69ed30450b113f8be8d35c0004c62990ae5391ad4d0f0d2d216b65fc0a381c34259c39b1f&openssl=268439647&phpv=5.3.29&betaFeed=0&action=scan_heartbleed
[Apr 18 12:39:31:1461008371.096772:10:info] SUM_START:Scanning your site for the HeartBleed vulnerability
[Apr 18 12:39:29:1461008369.004065:10:info] SUM_PAIDONLY:Checking if your IP is generating spam is for paid members only
[Apr 18 12:39:27:1461008367.001707:10:info] SUM_PAIDONLY:Check if your site is being Spamvertized is for paid members only
[Apr 18 12:39:25:1461008365.001208:10:info] SUM_PAIDONLY:Remote scan of public facing site only available to paid members
[Apr 18 12:39:24:1461008364.997028:4:info] getMaxExecutionTime() returning config value: 15
[Apr 18 12:39:24:1461008364.996586:4:info] Got value from wf config maxExecutionTime: 15
[Apr 18 12:39:24:1461008364.996031:10:info] SUM_PREP:Preparing a new scan.
[Apr 18 12:39:24:1461008364.993699:4:info] Setting up scanRunning and starting scan
[Apr 18 12:39:24:1461008364.993369:4:info] Setting up error handling environment
[Apr 18 12:39:24:1461008364.992815:4:info] Requesting max memory
[Apr 18 12:39:24:1461008364.990692:4:info] Checking if scan is already running
[Apr 18 12:39:24:1461008364.990441:4:info] Done become admin
[Apr 18 12:39:24:1461008364.990160:4:info] Scan authentication complete.
[Apr 18 12:39:24:1461008364.988985:4:info] Scan will run as admin user ‘workerb1’ with ID ‘2’ sourced from: singlesite get_users() function
[Apr 18 12:39:24:1461008364.988024:4:info] Becoming admin for scan
[Apr 18 12:39:24:1461008364.987751:4:info] Checking saved cronkey against cronkey param
[Apr 18 12:39:24:1461008364.987076:4:info] Exploding stored cronkey
[Apr 18 12:39:24:1461008364.974238:4:info] Fetching stored cronkey for comparison.
[Apr 18 12:39:24:1461008364.973972:4:info] Checking cronkey
[Apr 18 12:39:24:1461008364.973583:4:info] Scan engine received request.
[Apr 18 12:39:24:1461008364.292160:4:info] Starting cron with normal ajax at URL https://www.sfbee.org/wordpress/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=771129eb7aa8b8485fc2a9b4
[Apr 18 12:39:24:1461008364.289910:4:info] Test result of scan start URL fetch: array ( ‘headers’ => array ( ‘date’ => ‘Mon, 18 Apr 2016 19:39:22 GMT’, ‘server’ => ‘Apache’, ‘x-powered-by’ => ‘PHP/5.3.29’, ‘x-robots-tag’ => ‘noindex’, ‘x-content-type-options’ => ‘nosniff’, ‘expires’ => ‘Wed, 11 Jan 1984 05:00:00 GMT’, ‘cache-control’ => ‘no-cache, must-revalidate, max-age=0’, ‘pragma’ => ‘no-cache’, ‘x-frame-options’ => ‘SAMEORIGIN’, ‘set-cookie’ => ‘wfvt_1762871018=571537ec2b8f9; expires=Mon, 18-Apr-2016 20:09:24 GMT; path=/; httponly’, ‘strict-transport-security’ => ‘max-age=63072000; includeSubDomains’, ‘content-length’ => ’12’, ‘connection’ => ‘close’, ‘content-type’ => ‘text/html; charset=UTF-8’, ), ‘body’ => ‘WFSCANTESTOK’, ‘response’ => array ( ‘code’ => 200, ‘message’ => ‘OK’, ), ‘cookies’ => array ( 0 => WP_Http_Cookie::__set_state(array( ‘name’ => ‘wfvt_1762871018’, ‘value’ => ‘571537ec2b8f9’, ‘expires’ =
[Apr 18 12:39:22:1461008362.327310:4:info] getMaxExecutionTime() returning config value: 15
[Apr 18 12:39:22:1461008362.326874:4:info] Got value from wf config maxExecutionTime: 15
[Apr 18 12:39:22:1461008362.325966:4:info] Entering start scan routine
[Apr 18 12:39:22:1461008362.314871:4:info] Ajax request received to start scan.

Hello kuleanadesign,
are you seeing any errors in web browser console while attempting the scan?

@wfasa thanks for your response.

I followed your link, and the steps to Open the JavaScript console for troubleshooting plugins. The only thing I see under Console is

“load-scripts.php?c=0&load[]=jquery-core,jquery-migrate,utils&ver=1368877…:9 JQMIGRATE: Migrate is installed, version 1.4.0”

In case it helps, here is the latest from the Wordfence Activity Log.

—
[Apr 20 13:00:08:1461182408.133839:10:info] SUM_KILLED:A request was received to kill the previous scan.
[Apr 20 13:00:08:1461182408.132823:1:info] Scan kill request received.
[Apr 20 12:55:17:1461182117.489174:4:info] Scan process ended after forking.
[Apr 20 12:55:13:1461182113.271780:4:info] Calling Wordfence API v2.22:https://noc1.wordfence.com//v2.22/?v=4.5&s=http%3A%2F%2Fwww.sfbee.org&k=3fd8f03d6324047f62c599e17608accdf848236d0e3d672bc1e096b69ed30450b113f8be8d35c0004c62990ae5391ad4d0f0d2d216b65fc0a381c34259c39b1f&openssl=268439647&phpv=5.3.29&betaFeed=0&action=get_known_files
[Apr 20 12:55:13:1461182113.265217:10:info] SUM_START:Fetching core, theme and plugin file signatures from Wordfence
[Apr 20 12:55:13:1461182113.258191:2:info] Found 7 themes
[Apr 20 12:55:13:1461182113.246922:2:info] Getting theme list from WordPress
[Apr 20 12:55:13:1461182113.237597:2:info] Found 12 plugins
[Apr 20 12:55:13:1461182113.175448:2:info] Getting plugin list from WordPress
[Apr 20 12:55:12:1461182112.848332:4:info] Calling Wordfence API v2.22:https://noc1.wordfence.com//v2.22/?v=4.5&s=http%3A%2F%2Fwww.sfbee.org&k=3fd8f03d6324047f62c599e17608accdf848236d0e3d672bc1e096b69ed30450b113f8be8d35c0004c62990ae5391ad4d0f0d2d216b65fc0a381c34259c39b1f&openssl=268439647&phpv=5.3.29&betaFeed=0&action=log_scan
[Apr 20 12:55:12:1461182112.847634:1:info] Contacting Wordfence to initiate scan
[Apr 20 12:55:12:1461182112.837406:10:info] SUM_ENDOK:Scanning your site for the HeartBleed vulnerability
[Apr 20 12:55:12:1461182112.030997:4:info] Calling Wordfence API v2.22:https://noc1.wordfence.com//v2.22/?v=4.5&s=http%3A%2F%2Fwww.sfbee.org&k=3fd8f03d6324047f62c599e17608accdf848236d0e3d672bc1e096b69ed30450b113f8be8d35c0004c62990ae5391ad4d0f0d2d216b65fc0a381c34259c39b1f&openssl=268439647&phpv=5.3.29&betaFeed=0&action=scan_heartbleed
[Apr 20 12:55:12:1461182112.030054:10:info] SUM_START:Scanning your site for the HeartBleed vulnerability
[Apr 20 12:55:10:1461182110.026157:10:info] SUM_PAIDONLY:Checking if your IP is generating spam is for paid members only
[Apr 20 12:55:08:1461182108.025379:10:info] SUM_PAIDONLY:Check if your site is being Spamvertized is for paid members only
[Apr 20 12:55:06:1461182106.024698:10:info] SUM_PAIDONLY:Remote scan of public facing site only available to paid members
[Apr 20 12:55:06:1461182106.020168:4:info] getMaxExecutionTime() returning config value: 15
[Apr 20 12:55:06:1461182106.019644:4:info] Got value from wf config maxExecutionTime: 15
[Apr 20 12:55:06:1461182106.019107:10:info] SUM_PREP:Preparing a new scan.
[Apr 20 12:55:06:1461182106.017453:4:info] Setting up scanRunning and starting scan
[Apr 20 12:55:06:1461182106.016986:4:info] Setting up error handling environment
[Apr 20 12:55:06:1461182106.016416:4:info] Requesting max memory
[Apr 20 12:55:06:1461182106.015407:4:info] Checking if scan is already running
[Apr 20 12:55:06:1461182106.015152:4:info] Done become admin
[Apr 20 12:55:06:1461182106.014873:4:info] Scan authentication complete.
[Apr 20 12:55:06:1461182106.013408:4:info] Scan will run as admin user ‘workerb1’ with ID ‘2’ sourced from: singlesite get_users() function
[Apr 20 12:55:06:1461182106.011799:4:info] Becoming admin for scan
[Apr 20 12:55:06:1461182106.011545:4:info] Checking saved cronkey against cronkey param
[Apr 20 12:55:06:1461182106.011280:4:info] Exploding stored cronkey
[Apr 20 12:55:06:1461182106.007933:4:info] Fetching stored cronkey for comparison.
[Apr 20 12:55:06:1461182106.007668:4:info] Checking cronkey
[Apr 20 12:55:06:1461182106.007312:4:info] Scan engine received request.
[Apr 20 12:55:04:1461182104.486764:4:info] Starting cron with normal ajax at URL https://www.sfbee.org/wordpress/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=606437287302d9211c0ca28
[Apr 20 12:55:04:1461182104.485250:4:info] Test result of scan start URL fetch: array ( ‘headers’ => array ( ‘date’ => ‘Wed, 20 Apr 2016 19:55:02 GMT’, ‘server’ => ‘Apache’, ‘x-powered-by’ => ‘PHP/5.3.29’, ‘x-robots-tag’ => ‘noindex’, ‘x-content-type-options’ => ‘nosniff’, ‘expires’ => ‘Wed, 11 Jan 1984 05:00:00 GMT’, ‘cache-control’ => ‘no-cache, must-revalidate, max-age=0’, ‘pragma’ => ‘no-cache’, ‘x-frame-options’ => ‘SAMEORIGIN’, ‘set-cookie’ => ‘wfvt_1762871018=5717de982e407; expires=Wed, 20-Apr-2016 20:25:04 GMT; path=/; httponly’, ‘strict-transport-security’ => ‘max-age=63072000; includeSubDomains’, ‘content-length’ => ’12’, ‘connection’ => ‘close’, ‘content-type’ => ‘text/html; charset=UTF-8’, ), ‘body’ => ‘WFSCANTESTOK’, ‘response’ => array ( ‘code’ => 200, ‘message’ => ‘OK’, ), ‘cookies’ => array ( 0 => WP_Http_Cookie::__set_state(array( ‘name’ => ‘wfvt_1762871018’, ‘value’ => ‘5717de982e407’, ‘expires’ =
[Apr 20 12:55:02:1461182102.968495:4:info] getMaxExecutionTime() returning config value: 15
[Apr 20 12:55:02:1461182102.968017:4:info] Got value from wf config maxExecutionTime: 15
[Apr 20 12:55:02:1461182102.966541:4:info] Entering start scan routine
[Apr 20 12:55:02:1461182102.950242:4:info] Ajax request received to start scan.

One more time with slightly different results:

[Apr 20 14:09:47:1461186587.087469:10:info] SUM_KILLED:A request was received to kill the previous scan.
[Apr 20 14:09:47:1461186587.086760:1:info] Scan kill request received.
[Apr 20 13:56:31:1461185791.051346:4:error] Wordfence scan script accessed directly, or WF did not receive a cronkey.
[Apr 20 13:56:31:1461185791.050976:4:info] Checking cronkey
[Apr 20 13:56:31:1461185791.050106:4:info] Scan engine received request.
[Apr 20 13:48:16:1461185296.784373:4:info] Calling Wordfence API v2.22:https://noc1.wordfence.com//v2.22/?v=4.5&s=http%3A%2F%2Fwww.sfbee.org&k=3fd8f03d6324047f62c599e17608accdf848236d0e3d672bc1e096b69ed30450b113f8be8d35c0004c62990ae5391ad4d0f0d2d216b65fc0a381c34259c39b1f&openssl=268439647&phpv=5.3.29&betaFeed=0&action=send_net_404s
[Apr 20 13:05:55:1461182755.418077:4:info] Calling Wordfence API v2.22:https://noc1.wordfence.com//v2.22/?v=4.5&s=http%3A%2F%2Fwww.sfbee.org&k=3fd8f03d6324047f62c599e17608accdf848236d0e3d672bc1e096b69ed30450b113f8be8d35c0004c62990ae5391ad4d0f0d2d216b65fc0a381c34259c39b1f&openssl=268439647&phpv=5.3.29&betaFeed=0&action=get_known_files
[Apr 20 13:05:55:1461182755.379275:10:info] SUM_START:Fetching core, theme and plugin file signatures from Wordfence
[Apr 20 13:05:55:1461182755.164502:2:info] Found 7 themes
[Apr 20 13:05:55:1461182755.057207:2:info] Getting theme list from WordPress
[Apr 20 13:05:54:1461182754.952902:2:info] Found 12 plugins
[Apr 20 13:05:54:1461182754.743269:2:info] Getting plugin list from WordPress
[Apr 20 13:05:54:1461182754.411282:4:info] Calling Wordfence API v2.22:https://noc1.wordfence.com//v2.22/?v=4.5&s=http%3A%2F%2Fwww.sfbee.org&k=3fd8f03d6324047f62c599e17608accdf848236d0e3d672bc1e096b69ed30450b113f8be8d35c0004c62990ae5391ad4d0f0d2d216b65fc0a381c34259c39b1f&openssl=268439647&phpv=5.3.29&betaFeed=0&action=log_scan
[Apr 20 13:05:54:1461182754.410680:1:info] Contacting Wordfence to initiate scan
[Apr 20 13:05:54:1461182754.407453:10:info] SUM_ENDOK:Scanning your site for the HeartBleed vulnerability
[Apr 20 13:05:53:1461182753.342200:4:info] Calling Wordfence API v2.22:https://noc1.wordfence.com//v2.22/?v=4.5&s=http%3A%2F%2Fwww.sfbee.org&k=3fd8f03d6324047f62c599e17608accdf848236d0e3d672bc1e096b69ed30450b113f8be8d35c0004c62990ae5391ad4d0f0d2d216b65fc0a381c34259c39b1f&openssl=268439647&phpv=5.3.29&betaFeed=0&action=scan_heartbleed
[Apr 20 13:05:53:1461182753.341012:10:info] SUM_START:Scanning your site for the HeartBleed vulnerability
[Apr 20 13:05:51:1461182751.860012:4:info] Scan process ended after forking.
[Apr 20 13:05:51:1461182751.336651:10:info] SUM_PAIDONLY:Checking if your IP is generating spam is for paid members only
[Apr 20 13:05:49:1461182749.336096:10:info] SUM_PAIDONLY:Check if your site is being Spamvertized is for paid members only
[Apr 20 13:05:47:1461182747.335541:10:info] SUM_PAIDONLY:Remote scan of public facing site only available to paid members
[Apr 20 13:05:47:1461182747.314953:4:info] getMaxExecutionTime() returning config value: 15
[Apr 20 13:05:47:1461182747.314581:4:info] Got value from wf config maxExecutionTime: 15
[Apr 20 13:05:47:1461182747.313750:10:info] SUM_PREP:Preparing a new scan.
[Apr 20 13:05:47:1461182747.311403:4:info] Setting up scanRunning and starting scan
[Apr 20 13:05:47:1461182747.311016:4:info] Setting up error handling environment
[Apr 20 13:05:47:1461182747.310194:4:info] Requesting max memory
[Apr 20 13:05:47:1461182747.308790:4:info] Checking if scan is already running
[Apr 20 13:05:47:1461182747.308435:4:info] Done become admin
[Apr 20 13:05:47:1461182747.308045:4:info] Scan authentication complete.
[Apr 20 13:05:47:1461182747.306155:4:info] Scan will run as admin user ‘workerb1’ with ID ‘2’ sourced from: singlesite get_users() function
[Apr 20 13:05:47:1461182747.304729:4:info] Becoming admin for scan
[Apr 20 13:05:47:1461182747.304368:4:info] Checking saved cronkey against cronkey param
[Apr 20 13:05:47:1461182747.303972:4:info] Exploding stored cronkey
[Apr 20 13:05:47:1461182747.299070:4:info] Fetching stored cronkey for comparison.
[Apr 20 13:05:47:1461182747.298692:4:info] Checking cronkey
[Apr 20 13:05:47:1461182747.297957:4:info] Scan engine received request.
[Apr 20 13:05:38:1461182738.857203:4:info] Starting cron with normal ajax at URL https://www.sfbee.org/wordpress/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=407c729e4ffe43f925aa2b8b
[Apr 20 13:05:38:1461182738.852980:4:info] Test result of scan start URL fetch: array ( ‘headers’ => array ( ‘date’ => ‘Wed, 20 Apr 2016 20:05:28 GMT’, ‘server’ => ‘Apache’, ‘x-powered-by’ => ‘PHP/5.3.29’, ‘x-robots-tag’ => ‘noindex’, ‘x-content-type-options’ => ‘nosniff’, ‘expires’ => ‘Wed, 11 Jan 1984 05:00:00 GMT’, ‘cache-control’ => ‘no-cache, must-revalidate, max-age=0’, ‘pragma’ => ‘no-cache’, ‘x-frame-options’ => ‘SAMEORIGIN’, ‘set-cookie’ => ‘wfvt_1762871018=5717e11285cd4; expires=Wed, 20-Apr-2016 20:35:38 GMT; path=/; httponly’, ‘strict-transport-security’ => ‘max-age=63072000; includeSubDomains’, ‘content-length’ => ’12’, ‘connection’ => ‘close’, ‘content-type’ => ‘text/html; charset=UTF-8’, ), ‘body’ => ‘WFSCANTESTOK’, ‘response’ => array ( ‘code’ => 200, ‘message’ => ‘OK’, ), ‘cookies’ => array ( 0 => WP_Http_Cookie::__set_state(array( ‘name’ => ‘wfvt_1762871018’, ‘value’ => ‘5717e11285cd4’, ‘expires’ =
[Apr 20 13:05:27:1461182727.802270:4:info] getMaxExecutionTime() returning config value: 15
[Apr 20 13:05:27:1461182727.801980:4:info] Got value from wf config maxExecutionTime: 15
[Apr 20 13:05:27:1461182727.800926:4:info] Entering start scan routine
[Apr 20 13:05:27:1461182727.786125:4:info] Ajax request received to start scan.

Hello kuleanadesign,
sorry this is taking so long to solve. What we need to do next is to check your servers error logs. Primarily look for any rows that start with [error]. Error logs are sometimes found in your web hosts control panel (cpanel or similar). If you have access to the whole server, you might find them here: /var/log/apache2/error.log. If you can’t locate them, ask your web host to help.

You can share them here if you like and remove any information in them that you might not want to share or you can email them in plain text (paste in to an email) to [email protected]. Thanks in advance.

Hi wfasa,

Thanks for your help. I wasn’t to access our servers error logs, so I will contact our host and then email them to you.

Dan

@wfasa I sent you our server’s error log. I hope it helps.

I had an idea… so I deactivated all our plugins and retried the scan. It worked!

I re-activated our plugins, tried another scan, and then killed it after it was stuck for 5 minutes.

Is it safe to assume then that the issue we’re seeing is caused by one of our plugins?

Hello kuleanadesign,
I read your error logs and I can’t find any obvious explanation there. And yes, the fact that the scan worked when you deactivated plugins would indicate there is some conflict there. But it could also be that there is less things to scan when you deactivate the plugins.

If you think it’s alright I would at this point suggest that you do a clean reinstall. This means you go to Wordfence Options page and make sure “Delete Wordfence tables and data on deactivation?” is checked. Then you deactivate the plugin and delete it. Then reinstall. If you are up for that, let me know how it goes.