Sucuri won't stop emailing me "Sucuri Alerts"

Hey there @niagracollege and others:

I have the exact same issue on Securi for MULTISITE.

See here:
https://www.ads-software.com/support/topic/where-do-i-stop-all-failed-attempted-login-alerts?replies=11#post-7768284

***I just did a follow up post today and saw your thread too.

??

Good to see someone else is having the issue. I’ve had to set up a rule in the Super Admin email inbox to pop everything from “Sucuri Alert” into a folder and mark it as read as the non-stop “new email” sound was driving me nuts. I’m receiving emails about failed logins (we’re a large site for a post-secondary institution, so we get hit all the time), as well as any changes to post/page (happening constantly – again, huge site, always being updated).

I do not need to receive these emails as I can check the log within the plugin. Because we do get hit by botnets occasionally (considering a sub to Sucuri Firewall), I’m afraid of killing the poor email server on campus.

I can put a screenshot up showing the settings area with everything disabled and the email removed, if needed.

This is an interesting issue, as I stated in the other thread I am still unable to reproduce the same problem, I have installed tens of WordPress in different servers from friends and co-workers and still am unable to replicate the non-stoppable plugin alerts.

I do not like to tell people to delete the plugin, but there does not seems to be another way to stop these alerts. I could change many parts of the code to “try” to address the issue, but if I do not have a way to replicate the problem I will not know if any of these changes work.

For now, instead of delete the plugin you can simply modify the line used to send the emails. Open the “sucuri.php” file, search this code “wp_mail(“, and change the whole line to “$mail_sent = true;”, save and enjoy. I hope this helps you to address the issue temporarily.

Hi Yorman,

Darn, how frustrating (for both of us, lol!)

I’ve edited the core plugin as you suggested. I had actually disabled it as the mail rule wasn’t taking care of the incoming mails and it was driving me crazy. I’ve re-enabled it now with your fix.

I do hate to edit core plugins (as I might forget to fix that line again) so not sure what my final decision with this will be.

@birdog123 – By any chance are you using the MS Domain Mapping plugin/sunrise.php? What about an SMTP plugin for email? I’m just trying to think of unique bits of my install that might give Yorman some clues.

@yorman

But what percentage roughly are you installing that are “multisite” installs? Have you tried to replicate them on WP “multisite” installs? I can appreciate it not being replicatable on WP “single” installs, but I have not seen where you reference or acknowledge the fact that this problems seems to be isolated to WP “multisite” installs.

I love your plugin and can hold out until a solution is found, but could you confirm that something actively is being done to find a solution on WP “multisite” installs on the email issue?

I just wanted to make triple sure your trying to replicate on a WP “multisite” install in case you did not notice . . . lol.

@niagaracollege I am using domain mapping by wpmudev.

@yorman and @niagaracollege I am also using the postman plugin to deliver all emails via mandrill (api/smtp). It works awesome on all other plugins including securi.

I will have to think of other bits myself that could relate to the email issue.

So far you mentioned MS Domain Mapping and I mentioned the Postman plugin along with WPMUDEV’s Domain Mapping plugin.

??

Cheers!

I had this same issue with network sites (multisite) and I had to add the specific sucuri options to the respective site options table by hand to turn them off. It appears that the core sucuri options are stored in the wp_options table but when using multisite it uses the wp_<site_id>_options table to pull in the sucuri options. This should probably be looked at by sucuri. Here’s the insert statements that you’ll need to update each site options table.

add any other values that you want from the main options table.

SELECT * from wp_options where option_name like ‘%sucuriscan_notify%’;

‘INSERT INTO <network site table>_options(option_name,option_value,autoload)
VALUES
(‘sucuriscan_notify_success_login’, ‘disabled’, ‘yes’),
(‘sucuriscan_notify_failed_login’, ‘disabled’, ‘yes’);’

Hate to add nothing more than me too; but we also experience this behavior on one of our installations. Strangely enough, not all of them.

@yorman This is still a recurring issue for on a Multi-site installation, I’ve even deleted the plugin and its still sending emails which I’m not even sure how that’s possible.

I thought it could potentially have them in que via Mandrill but that’s not the case and it keeps sending them. I also tried the fix above by @rkochis but didn’t have any luck..

There seems to be many issues with the Multi-site installation and the plugin but for now I just need to get these emails to stop sending.

@nmeagher23 noted; I will include this in my TODO list once again to check it more carefully including all the other issues reported with the network installations; I will keep this ticket marked as not-resolved until there is a definitive solution to this problem; thanks for your patience.

@yorman Is there anyway I can disable them manually? I already deleted the plugin and they just keep coming and I have no idea why?

@nmeagher23 can you contact your hosting provider and tell them to purge the SMTP queue associated to your domain? The plugin uses the built-in WordPress mechanism to send emails so once you delete it you are stopping the action that triggers the emails (technically speaking).

I know you already checked Mandrill to see if there were messages in their queue, but since the plugin is not installed in your website anymore there is no other thing that could generate new notifications. Also, make sure that all the options associated to the plugin were actually deleted from the database once you initiated the uninstallation process , just in case [1].

[1] DELETE * FROM wp_options WHERE option_name LIKE 'sucuriscan_%';

@yorman I am hosting on DigitalOcean so not sure what I can do from that end since it’s all going through Mandrill right? The queue would be on Mandrills side but I checked and it’s not in the backlogs.

I looked through all of the wp_options table but there seemed to be no trace of ‘sucuriscan_%’ there, BUT since I am running a multi-site I did find some in the ‘wp_2_options’ table which I just removed manually… we’ll see if that has any effect. Technically speaking it shouldn’t be sending anymore out now but we’ll see.

That means when deleting the plugin it isn’t looking through the other tables if it’s a multi-site installation.

@nmeagher23 right, there are known compatibility issues with the plugin in a network installation, I am trying to address them all before the new version is released. I hope the issue with the mass mail notifications is resolved soon.

@yorman It looks like the issue is resolved once you delete the Sucuri entries from the wp_2_options table, I haven’t gotten an email all day.

Phew.

Hi,
I am having repeat emails, as below taking over my email page.I can not do any of the blue link actions and want to stop this flow, quickly please.
Subject: Failed Login

Login Info:
Time: March 11, 2016 8:26 pm

Website Info:
Site: https://www.summerlinemarketing.com
IP Address: 46.148.18.162

Notification:
User authentication failed: admin

Explanation: Someone failed to login to your site. If you are getting too many of these messages, it is likely your site is under a password guessing brute-force attack [1]. You can disable the failed login alerts from here [2]. Alternatively, you can consider to install a firewall between your website and your visitors to filter out these and other attacks, take a look at Sucuri CloudProxy [3].

[1] https://kb.sucuri.net/definitions/attacks/brute-force/password-guessing
[2] https://www.summerlinemarketing.com/wp-admin/admin.php?page=sucuriscan_settings
[3] https://sucuri.net/website-firewall/