WF keeps resetting itself even after changing permission

Hi @dagigt,

If you delete the wflogs folder and let it be recreated (which will happen as soon as there is a new visit on your site), what are the permissions and which user/group owns the folder?

When you say that “WF keeps resetting itself“, do you mean that other permissions are set then? Does a new user/group appear to own the folder at that time?

If that’s the case, it could be due to the fact that you run Wp cron via a PHP cron job.

The wflogs directory itself and the files it contains need to be writable by the web server user at all time.

Hi @wfyann
Thank you so much for responding quickly. And I apologize for my late reply. I was trying to figure out what you mentioned and also talking to my hosting people to resolve this. So far I have deleted the wflog folder and had it recreate itself and it created the attack, ips and rule files and the permission resets to the default one (which is not the right one) and then I and then subsequently the server people reset my permissions and it changed to the master application folder (which is the right one) then WF started working for a few minutes or hours. Like last time when I checked it this morning WF firewall and extended protection are disabled as usual. I checked the wflog for change of permissions surely enough it it has created the config.php/tmp files with the default permissions (wrong permissions) but it has left the attack, ips and rules files permission un changed (with master application permission/ the right one). The best answer I got from my server people is: Actually, it happens if you upload any thing from the admin. Which I think is a bit lacking.
Any thoughts?
Thank you so much.

Hello @dagigt,

The wflogs folder and the files it contains will always be created (and therefore owned) by the user/group the web server runs as.

If you’d like to have them created by (and belonging to) a different user/group, you need to specify another user for the web server to run as.

Hi @wfyann,

I’m a premium Wordfence user, extended protection is on.

I have exactly same problem. WF keeps resetting ‘wflogs/config.php’ ownership to root, making it unreadable for web user and automatically disarms WAF ?? It behaves like it was hacked or tries to hack itself. Please let me explain technically deeper, I was testing your plugin for couple of days in regards of this particular issue which I can’t fix..

This problem was detected on our server and currently active no matter what I’ve tried (tried this https://www.ads-software.com/support/topic/firewall-cant-write-to-wflogs-repeatedly-even-after-being-fixed/ and this https://www.ads-software.com/support/topic/unable-to-open-wflogsconfigphp-for-reading-and-writing/).

Our Wp Cron is disabled in wp-config.php (confirmed disabled status at ‘WF Diagnostics’ page). Currently Wp Cron is running on web server via cURL every 10 mins successfully.

Wordpress is running under web user (confirmed at ‘WF Diagnostics’ page). ‘wflogs’ permissions and ownership – web user, readable/writable by web user. I confirm that Wordfence can easily reach these files and modify them).

Root is not available on my server at cloudways, there is no direct root access for my cloud applications.

Daily (i assume during ‘wordfence_dailycron’ execution – but not 100% sure) something gets to ‘/wflogs/’ folder and changes ownership from web user to root ONLY for this file: ‘config.php’. This automatically switches off extended protection and firewall!

After it happens, I can delete ‘wflogs’ folder and WF will recreate new ‘wflogs’ with all necessary files ok with correct ownership.

I’ve installed Crontrol plugin to troubleshoot Wordfence wflogs behaviour. Strange thing is – if i execute hourly, daily, email report, scans and other WF crons – all works fine for me. Well, at least I couldn’t recreate this behaviour with manual runs.
However, the problem still exists and continuing to disarm WAF.

Could you please help us to resolve this problem? It drives me insane lately…

Hi @mxmcreation
It’s funny you mentioned cloudways because we are hosting with them too.But what’s ironic is that we have 3 applications running with them but this problem started to happen only with the one. I have been working with their tech team for weeks now with no real solution. The best they could do is reset the permission every time it disables and then it works fine for some hours and disables itself again. First solution I was given was to come on chat and ask them to reset it every time it disables. To which I said that was ridiculous and I don’t have time to do that everyday. And they also told me that they are in contact with Wordfence about this issue. But today one of their guys decided to try a new method of a adding a rule to the wordfence-waf.php file and that fixed the problem at least for today. So I told them that I will get back with them on Monday and report if the fix was permanent or not.
I will also report it on here if it works or not.
Best of luck

Hello @dagigt,

Hmmm, it’s funny indeed. Looks like there is a “tricky” bug, which has dependancies on certain events.

This raises the main question – is Wordfence really secure endpoint system?
Why it doesn’t alert me during the scheduled scan that ‘config.php’ changed ownership and now it’s not visible/accessible by WF, therefore firewall was disabled programmatically and not by user request?!
I mean, whatever happens to WF during installation/configuration (corrupted DB entry or file; conflicting setting etc) – WF should always check its integrity IMHO.

From this point of view, I don’t really feel safe with WF now, although I saw many positive reviews about it and Cloudways pre-install it on every new WordPress.

Btw good to know we are neighbours in cloudways with the same pathology ?? It makes it easier to trace.

I’ll wait till Monday for your update. Please let me know of any outcome and what is the solution, i hope it will work for us.

@dagigt,

Could you please clarify what you mean by “default permissions (wrong permissions)” and “master application permission (the right one)“?

Have you checked the threads mentioned by @mxmcreation (https://www.ads-software.com/support/topic/firewall-cant-write-to-wflogs-repeatedly-even-after-being-fixed and https://www.ads-software.com/support/topic/unable-to-open-wflogsconfigphp-for-reading-and-writing/)?

——————————-

@mxmcreation,

Could you please open a ticket on our Premium Support platform (if you haven’t already done so)

Hello dagigt and mxmcreation,

Wordfence assumes that all of WordPress (including wp-cron.php) is always running as the same user. However, we do know that for various reasons that is not always the case so we are investigating if we can find a fix for that.

However, Wordfence does not control which user PHP is running as on your servers. The only way a file can change ownership to root is if PHP is running as root. I’ll be happy to explain more about why this is a problem that goes beyond Wordfence. If you want to know more about that please email me directly: [email protected].

I’m closing this topic for a few reasons. Given the potential severity of this issue, please work with Wordfence directly as Asa suggested.