• Resolved TheRealMikeD

    (@therealmiked)
    Hi Everyone,

    I am a huge fan of Wordfence. I’ve been using it on all of my sites since I discovered it about three or four years ago.

    I have been working on a freelance web development project for a client. I installed Wordfence on their production WP installation and in the staging environment that I set up for them. I also have a WP instance on my local dev box, which does NOT have Wordfence installed. Over the last few days, I have been getting [Wordfence Alert] Admin Login emails from the instance on my local dev box, which should already be impossible. But furthermore, it is telling me that other users who either don’t have admin permissions or who don’t exist at all are logging in.

    My dev box is behind two layers of firewall, and there is no DNS pointing to it, so there is absolutely no way that anyone should be able to get to it, much less even know to look for it using the domain name that I use for my Apache vhost only within my own home network.

    The admin login emails say something like:
    A user with username “[redacted]” who has administrator access signed in to your WordPress site.
    User IP: ::1
    User hostname: localhost

    1. How is this possible?
    2. How concerned should I be?

    Thanks!
    -Mike D.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @therealmiked and thanks for reaching out to us!

    Do you happen to use WP-CLI at all? I usually see something like this when a host runs commands to update core files and needs to deactivate Wordfence to process it. Usually localhost entries are from the command prompt.

    I don’t think it’s anything to worry about. Any way you could send me a diagnostic from there? Send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    Let’s see if I can find anything.

    Thanks!

    Thread Starter TheRealMikeD

    (@therealmiked)

    Hi @wfadam,

    Thanks for the response. On the local version of the site, I am not explicitly using WP-CLI. It’s always possible that some plugin uses it without my knowledge. I’m not sure how I would detect that, though.

    Also, I’m not sure how I would get you that diagnostic report if Wordfence is not installed on the site.

    Now, as I mentioned in the original post, Wordfence is installed on the production and the staging versions of the site, and I do use WP-CLI on those sites when I deploy code changes. I could get you diagnostic reports from either of those sites and see if something is getting confused as to which site it is coming from. Would that be of use?

    Thanks!

    Plugin Support WFAdam

    (@wfadam)

    Hello again @therealmiked

    I believe these are just what you said, a possible plugin using CLI to cause the localhost hits.

    Nothing to worry about as it’s on your local machine. I don’t think we need a diagnostic; I was just going to look it over real quick to make sure nothing was out of sorts.

    Let me know if you need anything else!

    Thanks again!

    Thread Starter TheRealMikeD

    (@therealmiked)

    It still doesn’t make sense that another plugin using CLI would trigger the sending of a Wordfence alert email when Wordfence is not installed on the site. How would another plugin know to do that? Unless the emails are being deliberately and maliciously forged, which I don’t believe to be the case.

    The thing that really seems suspicious to me is that some of the emails indicate a login from an admin-level user who doesn’t exist in the local WP database. But that user does exist on the production site. That makes me suspect that the alert email is being generated from the production site, but is for some reason reporting incorrectly that it is coming from the local dev site.

    Supporting that theory, the details of the alert email (username and IP) match entries in the successful login attempts table in Wordfence on the production site. The date and time are offset by precisely four hours (which might be accounted for by timezone settings) – the successful logins table reports the events four hours later than the email.

    The only question is how Wordfence on the production site knows the URL of the dev site, and why it is incorrectly substituting it for the URL of the prod site.
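
    The correlation described in the last two posts, as an added example that is not part of the thread or of Wordfence itself: it parses alert bodies in the shape quoted above, shifts each alert time by the suspected four-hour timezone offset, looks for the matching row in the production successful-logins table, and flags alerts for usernames that do not exist in the local database. The "Site:" and "Time:" lines and all sample data are constructed for this example, not Wordfence's documented email format.

```python
import re
from datetime import datetime, timedelta

# Constructed alert bodies in the shape quoted in the thread. "Site:" and "Time:"
# are assumed fields for this example, not Wordfence's documented format.
ALERT_EMAILS = [
    'A user with username "deploybot" who has administrator access signed in to your WordPress site.\n'
    "Site: http://client.local\nUser IP: ::1\nUser hostname: localhost\nTime: 2021-03-02 09:15:07",
    'A user with username "mike" who has administrator access signed in to your WordPress site.\n'
    "Site: http://client.local\nUser IP: 203.0.113.5\nUser hostname: example-host\nTime: 2021-03-02 10:40:00",
]

# Constructed rows as the production "successful logins" table would show them: (username, ip, time).
PROD_LOGINS = [
    ("deploybot", "::1", "2021-03-02 13:15:07"),
    ("mike", "203.0.113.5", "2021-03-02 14:40:00"),
    ("mike", "203.0.113.5", "2021-03-01 14:40:00"),
]

# Users that actually exist in the local dev database (constructed).
LOCAL_USERS = {"mike"}

FIELD = re.compile(r"^(Site|User IP|User hostname|Time):\s*(.+)$", re.M)
USER = re.compile(r'username "([^"]+)"')
TS = "%Y-%m-%d %H:%M:%S"

def parse_alert(body):
    """Extract the username and the labelled fields from one alert email body."""
    fields = {k: v.strip() for k, v in FIELD.findall(body)}
    return {"username": USER.search(body).group(1), "ip": fields["User IP"],
            "site": fields.get("Site"), "time": datetime.strptime(fields["Time"], TS)}

def correlate(alerts, logins, local_users, offset_hours=4, tolerance=timedelta(minutes=1)):
    """Match each alert to a production login row once the timezone offset is applied,
    and flag alerts whose username cannot have come from the local site."""
    results = []
    for a in alerts:
        shifted = a["time"] + timedelta(hours=offset_hours)  # table runs N hours ahead of the email
        match = next((r for r in logins if r[0] == a["username"] and r[1] == a["ip"]
                      and abs(datetime.strptime(r[2], TS) - shifted) <= tolerance), None)
        results.append({"username": a["username"],
                        "matched_prod_login": match is not None,
                        "unknown_locally": a["username"] not in local_users,
                        "localhost_source": a["ip"] in ("::1", "127.0.0.1")})
    return results

def analyse(offset_hours=4):
    """Run the correlation over the constructed sample data."""
    return correlate([parse_alert(b) for b in ALERT_EMAILS], PROD_LOGINS, LOCAL_USERS, offset_hours)
```

An alert that matches a production row only after the offset is applied, and whose username is unknown locally, supports the theory that the email originates from production rather than the dev site.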

  • The topic ‘Wordfence Emails Coming From Site With No Wordfence Installed’ is closed to new replies.