• Resolved magicpowers

    (@magicpowers)


    Hi
    I have a free version of Yoast SEO plugin. For the past few months my Wordfence Security scan has been flagging a sitemap file as possibly having a malicious code indicating a hacking attempt.

    I’ve reached out to WF support – they traced it to an image in the media library which for some reason is identified in the sitemap with a randomised URL which is suspicious.

    I have removed that image and replaced it with a new one with a different name – again, the WF scan has flagged it as infected. Before I tell the scan to ignore this and similar files – I need to know beyond all doubt that it is NOT infected or otherwise unsafe. Additionally, I can’t delete this file (which I should be able to do) – it has some protection built in.

    Could please advise ASAP why is your plugin creating randomised URLs for my files in a sitemap – this should not be happening. Also, why does the plugin include an image in the sitemap, anyway?

    If you’d like to see the details of this file, I can send it to you via email, prefer not to post it on a public forum.

    If all this is too strange and you confirm that such a file could not be created by your plugin – it is definitely a hacking attempt.

    I look forward to your advice.

    thanks

    The page I need help with: [log in to see the link]

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support devnihil

    (@devnihil)

    @magicpowers Can you please let us know which of the sitemaps the image link is contained within so we can check into this further?

    Also, if you have tried removing the image file in question and aren’t able to, it’s likely due to the permissions settings on it. For example, on most web hosts directories have permissions of 755 and files are 644. You should be able to contact your hosting provider and have them check to ensure all files/directories have the correct permission and ownership.

    As for whether our plugin creates an image file for the sitemap, it does not. The images that are linked to in the sitemap are not created by the plugin. We also have more information on this here: https://yoast.com/help/images-in-the-xml-sitemap/

    Thread Starter magicpowers

    (@magicpowers)

    @devnihil

    I can’t remove the file, but have changed that image. I think there is no point for me in changing permissions to be able to delete this file if it keeps being created by the sitemap over and over again.

    I didn’t suggest that the image is created by the plugin. I asked why an image (any image on the website) would be added to the sitemap? As I understand a sitemp is a list of posts and pages, not the actual content of those posts and pages like text and images.

    Thank you for the link to your article. Now I can see that images are actually included in a sitemap. I have checked my settings – redirection of attachment URLS to the attachment itself is set to NO. In addition, I exclude some of the media items (such as the audio files of my products) from indexing by Google. Not this particular image though.

    The article includes a code which will exclude images from the sitemap. Can I insert this code via the Snippets plugin? If not, where does it need to go?

    This file path ends with attachment-sitemap-xml/_index_ssl.xml_old

    The “matched text in the file” listed in the WF scan is the URL of one of my pages with /xxxxx/ part in it, which WF scan flags as a randomised URL in the category:
    “Suspicious:XML/sitemap.spam.8152” – “file appears to be malicious”.

    The WF support engineer investigated this issue directly on my site and found a connection to an image in the media library which for some unknown reason throws a randomised URL.

    He suggested that I ask Yoast support how to exlude images from being added to the sitemap. It looks like the code you have provided in your article could be the right solution.

    Interestingly, for the second time now, when I went back to the WF scan results – that alert is gone – without me doing anything about.

    The WF Security scans my website daily, so after the second scan that alert is gone. I don’t know however, it this is a positive sign of a false positive which goes away, or a concern that this malicious file has been used/done its job.

    Grateful for your advice.

    Plugin Support devnihil

    (@devnihil)

    @magicpowers The code to remove images from the sitemap is typically placed in your theme’s functions.php file:

    /* Remove Images From Yoast Sitemap */
    add_filter( 'wpseo_xml_sitemap_img', '__return_false' );

    I tested it with the Code Snippets plugin and it successfully removed the images from my test sitemap.

    Can you try removing the images from the sitemap using it, and let us know whether it resolves the WF Security warning?

    Thread Starter magicpowers

    (@magicpowers)

    hi @devnihil

    ok, I have inserted and activated the snippet and purged all caches. I will let you know it this is working.

    Could you still give me your thoughts please on how that randomised url is being created for the sitemap in the first place? Is it possible that is IS a malicious file?

    thanks

    Hi,

    We did look at https://www.quantumliving.com.au/attachment-sitemap.xml and we can find no reference to the: _index_ssl.xml_old file on it. We do know that if you had an image on your site named: _index_ssl.xml_old that was added by you or some other plugin, an attachment media file is made for it. That would be the only way it would end-up on the attachment sitemap.

    Though, we are not sure how that image file for on your site to begin with.

    We also know we partner with Sucuri to pro-actively secure our plugins. As our plugins run on more and more sites, we have a responsibility towards our users and the web at large to make sure that we do our utmost to make sure our code doesn’t make them vulnerable.

    In this manner, we can only recommend having your web host (or WordFence; we are not sure if they can find and remove malware) run an audit on your server. Once the audit is complete, your web host will make appropriate recommendations on fixing and securing your site.

    Thread Starter magicpowers

    (@magicpowers)

    hi @pcosta88

    I did not create any file attachment named _index_ssl.xml_old.

    The code provided by you didn’t help I’m afraid – today I got the same scan alert for the same sitemap file. And – just like recently – after running a new scan, that alert was gone.

    So either this is a strange WF plugin behaviour, or something is not right.

    I’m reaching out to WF support for help.

    thanks for your advice ??

    Hi @magicpowers,

    Thank you for your reply.

    Yes please, keep us in the loop about what WordFence support has to say about this odd behavior, we would like to know.

    Thank you!

    • This reply was modified 4 years, 4 months ago by Jeroen Rotty. Reason: typo
    Thread Starter magicpowers

    (@magicpowers)

    hi @jeroenrotty

    My smart WF support engineer has found the cause:

    https://www.ads-software.com/support/topic/attachment-sitemap1-xml-_index_ssl-xml_old/

    The issue is with the (often troublesome) WP3 Total Cache plugin.

    He is going to delete that offending file for me.

    Finally.

    thanks for your support ??

    Hi @magicpowers,

    Happy to hear that! Thank you for keeping us in the loop.

    We are going ahead and marking this issue as resolved. If you require any further assistance please create a new forum topic. Thank you!

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘Sitemap file flagged as malicious’ is closed to new replies.