• Resolved swedeman

    (@swedeman)


    Seeing something odd under Other Options – Whitelisted IP addresses.

    The normal entries appear to be: 198.61.176.9,198.61.173.69,23.253.56.59,23.253.62.185 however lately we’re seeing multiple (sometimes hundreds) of entries like this appended to that line: Array,Array,Array,Array etc.

    Problem is when the Array directive is included dozens or hundreds of times the Wordfence save function pops up a window showing an error occurred and the settings can’t be saved.

    Please make sure you separate your IP addresses with commas. The following whitelisted IP addresses are invalid: Array, Array, Array, Array, Array, Array

    Anyone else seeing this or have an idea how to solve?

    Thank you.

    https://www.ads-software.com/plugins/wordfence/

Viewing 13 replies - 31 through 43 (of 43 total)
  • Norm Sash

    (@normsash)

    Now I think it is a very high likelihood that this is something / someone up to no good. On the site where the Array stuffing just came back after I had removed it, I’m now getting bogus signups again (they had stopped when I cleared the Whitelist field.)

    It may be coincidental, but it’s at least worth considering.

    WFSupport

    (@wfsupport)

    I don’t think it’s coincidental either. I’m just trying to narrow down where it’s coming from. Can you repost what the mod stripped out above, using pastebin?

    Thanks!

    tim

    Norm Sash

    (@normsash)

    Hey Tim… it wasn’t much. I just put in another example of the Array stuffing. I tried going to the pastebin but it always gives me an error – connection reset every time I go to the page.

    Out of curiosity I wanted to see how many times the “Array,” string was repeated. Turns out it was repeated 19,022 times in the Whitelist field. Don’t know if that helps at all, but it’s one more piece of data.

    Anything else I can look at?

    Norm Sash

    (@normsash)

    Just had another site hit with the Array stuffing. Any idea of what is happening? Anything more I can do?

    Here’s the whitelist from this recent site hit…

    198.61.176.9,198.61.173.69,23.253.56.59,23.253.62.185,Array,Array, ….

    Plugin Author Wordfence Security

    (@mmaunder)

    Hi All,

    I’m working on this now. Can one of you do me a favor: If you’re running the newest version of Wordfence, export your database using the export button at the bottom of Wordfence options. Then email me the token. Send it to [email protected].

    Alternatively, if you could give me admin access to your site that would probably resolve this faster. Contact me at mark at wordfence.com.

    Thanks.

    Plugin Author Wordfence Security

    (@mmaunder)

    OK I found the problem. You’re all using the iControlWP plugin which is directly modifying Wordfence data and trying to whitelist their server but messing it up and corrupting Wordfence data.

    Obviously you need to tell them to fix their bug and help you fix your websites.

    But what really concerns me here is they’re modifying our data using undocumented non-public function calls that we will change in future and when they do, here’s what will happen:

    https://imgur.com/DeaUlYG

    See the big white screen that my test site generated? That’s what happens if we change the name of our wfConfig::get() function and you’re using iControlWP. That is why we do not want other plugin or theme developers reaching into Wordfence and calling our functions that are not public API functions, or directly modifying our data.

    We’re happy to work with vendors if they want a public API call that makes Wordfence do things. As you can see we already have two calls on our docs home page: https://docs.wordfence.com/en/Wordfence_Official_Documentation#Wordfence_API

    So if you are a vendor and want Wordfence to do things, contact us. Don’t use a hack solution that will break your customer sites.

    Regards,

    Mark.

    Plugin Author Wordfence Security

    (@mmaunder)

    By the way, a quick fix for this appears to be the following:

    Disable iControlWP. Go into Wordfence options. Delete all the array,array,array entries in the whitelisted field. Save. You should be good to go. If you enable iControlWP again they will immediately re-appear.

    Regards,

    Mark.
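
The cleanup and the write-side check discussed in this thread, as an added PHP example that is not part of the original posts and is not Wordfence or iControlWP code: it works on the whitelist value as a plain string, drops every token that is not a valid IP address, and shows a guard that stops the literal string "Array" (what PHP produces when an array is cast to a string) from being written in the first place. The function names are hypothetical, and it assumes the field holds only single addresses as in the thread; any other entry form the field accepts would need its own check.

```php
<?php
// Added example; not Wordfence or iControlWP code. Function names are hypothetical.

// Split a comma-separated whitelist value into valid IPs and rejected tokens.
// Rejected tokens are counted rather than listed, since a corrupted field can
// hold thousands of identical entries.
function clean_whitelist(string $raw): array
{
    $valid = [];
    $rejected = [];
    foreach (explode(',', $raw) as $token) {
        $token = trim($token);
        if ($token === '') {
            continue;
        }
        if (filter_var($token, FILTER_VALIDATE_IP) !== false) {
            $valid[$token] = true;                       // keyed to de-duplicate
        } else {
            $rejected[$token] = ($rejected[$token] ?? 0) + 1;
        }
    }
    return ['valid' => array_keys($valid), 'rejected' => $rejected];
}

// Writer-side guard: accept only flat IP strings. Without the is_string()
// check, implode() would cast a nested array to the literal string "Array".
function add_to_whitelist(string $current, array $candidates): string
{
    $entries = clean_whitelist($current)['valid'];
    foreach ($candidates as $ip) {
        if (!is_string($ip) || filter_var($ip, FILTER_VALIDATE_IP) === false) {
            throw new InvalidArgumentException('whitelist entries must be IP strings');
        }
        $entries[] = $ip;
    }
    return implode(',', array_unique($entries));
}

// Constructed sample: the four addresses from the thread plus 19,022 "Array" tokens.
$corrupted = '198.61.176.9,198.61.173.69,23.253.56.59,23.253.62.185'
    . str_repeat(',Array', 19022);

$result = clean_whitelist($corrupted);
echo implode(',', $result['valid']), PHP_EOL;
foreach ($result['rejected'] as $token => $count) {
    echo "dropped {$count} x '{$token}'", PHP_EOL;
}
echo add_to_whitelist($corrupted, ['192.0.2.10']), PHP_EOL;   // 192.0.2.10 is a documentation address
```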

    Norm Sash

    (@normsash)

    Awesome, thanks Mark. I bet that was a real bugger to figure out. The folks over at iControlWP are really great and usually very responsive. I’ll give them a ping with this thread and have them chime in / fix the issue.

    Thanks!
    -Norm

    Paul

    (@paultgoodchild)

    Hi Mark et al.

    No problem, we’ll update our plugin to ensure this doesn’t continue.

    Can you provide some sort of interface to this white listing system so plugins like ours can interface with it without using such undocumented calls?

    Thanks!
    Paul.

    Thread Starter swedeman

    (@swedeman)

    Thanks Paul.

    As Norm said iCWP is always on it.

    Ed

    Paul

    (@paultgoodchild)

    Just letting you know that this update to the plugin is out – v2.8.3

    Would be great to have a proper interface to this though.

    Thanks,
    Paul.

    Plugin Author Wordfence Security

    (@mmaunder)

    Done. It will be released in Wordfence 5.3.2 and the documentation is up:

    https://docs.wordfence.com/en/WhitelistIP

    Expected ETA for 5.3.2 is later this week or early next. So in your next release you should switch to the public function once we’ve released 5.3.2.

    Thanks for being super responsive and fixing this issue in record time!!

    Regards,

    Mark.

    Paul

    (@paultgoodchild)

    Hey Mark,

    No problem at all… it can be quite frustrating when 3rd party plugins don’t play well with other 3rd party plugins, so I’m happy to get a fix out asap if we’re messing it up.

    Really appreciate your response to providing an interface to that – it’s very helpful!

    Cheers!
    Paul.

  • The topic ‘Whitelisted IPs and Array entries?’ is closed to new replies.