Wordfence not completing user scan

Hi,

Have you had scans complete previously on this site? Is your test install that you performed the workaround on a similar setup as your live site?

Yes, looks like you have plenty of memory. Have you tried adjusting the maximum execution time for scans?

https://support.wordfence.com/support/solutions/articles/1000011129-my-scans-don-t-finish-what-can-i

Thanks!
Brian

Hi Brian,

Yes Wordfence and Sucuri worked together just fine before the updates.

Test site (below list) is similar to live site but live site has a few more bells and whistles.

Akismet 3.1.3 free not active
Clef 2.3.0 free active
Cornerstone 1.0.4 free active
Duplicator 0.5.22 free active
Google Analytics by Yoast 5.4.4 free active
Google Analytics Dashboard for WP 4.8.1.2 free active
Hello Dolly 1.6 free not active
Paid Memberships Pro 1.8.4.5 free active
Sucuri Security – Auditing, Malware… 1.7.12 free active
Wordfence Security 6.0.14 free active
Wp Mail Bank 1.24 free active

I try part of your fix to increase max e time to 15 in the options. In my php.ini max_execution_time = 600. I was almost excited for a while but it still is scanning, not sure how long it will take. So I’ll tell you around 9am.

I left a scan running before I went to the gym and an error was logged:

[29-Jul-2015 19:41:52 UTC] PHP Warning:  scandir(/home/removed_by_me/public_html/wp-content/wfcache/) [<a href='function.scandir'>function.scandir</a>]: failed to open dir: No such file or directory in /home/removed_by_me/public_html/wp-content/plugins/wordfence/lib/wfCache.php on line 306
[29-Jul-2015 19:41:52 UTC] PHP Warning:  scandir() [<a href='function.scandir'>function.scandir</a>]: (errno 2): No such file or directory in /home/removed_by_me/public_html/wp-content/plugins/wordfence/lib/wfCache.php on line 306
[29-Jul-2015 19:41:52 UTC] PHP Warning:  array_diff() [<a href='function.array-diff'>function.array-diff</a>]: Argument #1 is not an array in /home/removed_by_me/public_html/wp-content/plugins/wordfence/lib/wfCache.php on line 306
[29-Jul-2015 19:41:52 UTC] PHP Warning:  Invalid argument supplied for foreach() in /home/removed_by_me/public_html/wp-content/plugins/wordfence/lib/wfCache.php on line 307
[29-Jul-2015 19:42:10 UTC] PHP Warning:  touch() [<a href='function.touch'>function.touch</a>]: Unable to create file /home/removed_by_me/public_html/wp-content/wfcache/clear.lock because No such file or directory in /home/removed_by_me/public_html/wp-content/plugins/wordfence/lib/wfCache.php on line 359

Could it be my host? Arvixe has increased security lately.

Thanks for your help.

It looks like the error is happening when it scans the cacheing directory. Will you try to temporarily disable cacheing and then try another scan?

Thanks!
Brian

Interesting. Caching has never been enable. I resaved it as disable and cleared the cache.

The scan I left running like 6 hours ago never finished.

Disable cache scan hasn’t finished either. I started it around 8:30am.

Thanks!

Hi Brian,

Another thing I noticed testing things around is that even if I deactivate and delete files using WordPress it seems like it isn’t happening.

Sucuri added a nice a feature this update that lets you reset your plugins in the Post-Hack section. In that section I noticed that Wordfence was still installed after I had remove it.

Thanks!

Hi Brian,

Another thing I noticed testing things around is that even if I deactivate and delete files using WordPress it seems like it isn’t happening.

Sucuri added a nice a feature this update that lets you reset your plugins in the Post-Hack section. In that section I noticed that Wordfence was still installed after I had remove it.

Thanks!

Nevermind about this, I found the FAQ for that:

https://support.wordfence.com/support/solutions/articles/1000010321-how-can-i-remove-all-wordfence-data-or-reset-wordfence-to-the-default-settings-

I’ll try this to see if it works.

Thanks.

Hello,

I done some tests and others I’m working on right now.

Test 1:

On the Test site I used Sucuri 1.7.13 with WF 6.0.12, the scan finish in less than 5 minutes. I did 2 scans with XHR Monitor off and on (New Setting on Sucuri plugin). Scan finish in less than 5 minutes. Duplicator has around 200-300 MB (forgot exact number) of data stored.

On live same setup as above the scan never finishes. Duplicator had around 800 MB of data stored. Downloaded those backups and reduced data to 400MB. Scan never finished.

Test 2:

Completing removed Sucuri and WF.
Test or Live site using WF 6.0.14 (Securi uninstalled) Scan never finished.

Test 3:

Live and test sites running WF 6.0.14 with Sucuri 1.7.11 (default settings) so far not looking good they haven’t finished.

I hope you guys can find a fix. I really liked having both plugins installed.

Thanks.

lemoreno, FYI, I use both Sucuri and WF and I’ve never had an issue with my WF scan completing…until now…but the WF scan not completing doesn’t have anything to do with running the 2 plugins together, it’s the size of my site.

Another possibility is your web server’s timeout. In Apache’s configuration, it is “TimeOut” — your host might have to check it depending on your setup. Since you mentioned they made some security changes recently, they might have set this too low, trying to stop a certain type of attack. Or, if you’re not using Apache, are you using LiteSpeed?

If the large files from Duplicator might be the cause, you could try the Wordfence option “Exclude files from scan that match these wildcard patterns”, about half way down the Options page, in the section, “Scans to Include”. You can use a pattern like “backup*.zip”, to tell Wordfence not to scan files with names like that. (I haven’t used Duplicator, so I don’t know how their files are named.)

One more thing that might cause a similar problem is if you have any symbolic links on the live site. I’ve seen at least one plugin that makes a link that causes a loop. I think these links can be ok, as long as they don’t point at the same directory, or one above. If you have shell access, you could use this command to check:
find /path/to/your/site -type l
(that is a lower-case L, at the end, in case it is hard to tell)

@blkcatgal Thanks for not letting me be alone out there! I thought I was the only one being that paranoid!

Yeah size matter! ?? In this case it isn’t a good thing for what I can tell with WF new behavior.

Please let us know if you find a fix, thanks!

@wfmattr

Hello,

Thanks for the reply.

Yes, my host runs Apache. I’m running a search on my host but doesn’t look like I have access to httpd-default.conf file.

From what I found in this example:

Apache Wait Time for Input/Output

Edit file C:\WampDeveloper\Config\Apache\extra\httpd-default.conf
Timeout = 300

https://httpd.apache.org/docs/2.2/mod/core.html#timeout

Not sure if that is the file I’m looking for but it seems I can increase it via .htaccess, right? Do you know the code snippet? (Will save me some time).

About Duplicator, I can test WF excluding the backup folder completely, right? But not too excited to leave that permanently as a solution.

In reference to symbolic links. I activated SSH on my host and ran the command you gave me.

I ran it on different locations expecting different results. It returned the following:

my_username@my_domain.com [~]# find /home/my_username -type l
/home/my_username/www
/home/my_username/mail/.purchasing@my_domain_com
/home/my_username/mail/.info@other_domain_com
/home/my_username/mail/.billing@my_domain_com
/home/my_username/mail/.support@other_domain_com
/home/my_username/mail/.my_name@my_domain_com
/home/my_username/mail/.accounting@my_domain_com
/home/my_username/mail/.info@my_domain_com
/home/my_username/access-logs
my_username@my_domain.com [~]# cd www
my_username@my_domain.com [~/www]# find -type l
my_username@my_domain.com [~/www]#

Thanks for getting back to me on this issue. I’ll open a ticket with my host so I can get some feedback about “timeout” and see if they have a hand in it. A few updates ago they blocked WF scan severs. But this things just happen to occur after an update.

Thanks again!

I don’t think you can change the Apache timeout in .htaccess, so your host will have to check it then. Depending on the server, you could change the PHP timeout (max_execution_time) in .htaccess, but yours should already be ok.

It looks like there were no odd symbolic links, so that should be ok too.

For the files to exclude from scanning in Wordfence’s settings, I’ve only excluded individual file patterns, myself. I don’t think you can exclude folders. If Duplicator uses .zip files and/or .sql files, you could try:
*.zip,*.sql

You don’t have to leave it that way permanently, but if the scans are hanging on those files, that will help narrow it down. I have worked on one server with 3 rotating backup files of about 600MB each and scans were still successful, so the file size in itself shouldn’t be the problem.

Hi Matt,

I updated to 6.0.15 and ran a scan and was completed in ~4 min 30 sec with .zip files excluded.

One thing I have noticed recently is that the Scan Summary window and the one below take a very long time to refresh. I mostly see the red box saying Wordfence is working. Then when it is almost done to the the last 2 checks it starts displaying. To be honest this is just minor, I’m just happy it is scanning again.

It just finished the 2nd scan with .zip not excluded and finished in less than 8 mins.

I think we can call it solved but I don’t want to jump the gun, hehe

Thanks guys for your effort and assistance.

Ok, thanks for the follow-up. The delay in the scan summary might be something else your host is doing — possibly limiting how many connections come from one IP in a certain period of time, since you mentioned that your host made some security changes recently. You could try changing the “Update interval in seconds” on the Wordfence Options page — updating every 5 or 10 seconds instead of 2 might work a little better for you.

I’ll keep it in mind if I hear about it from others, though, in case it’s not limited to just your host.

Also, you mentioned that you activated SSH access on your account, for the one test above — for best security, just be sure you have a good password set on it, or deactivate it again if you don’t plan on using it often.

Hi Matt,

I played a little with that interval and the other Brian suggested at start. I got better results increasing execution time to 15secs but it is so slow. I rather not see a thing during the scan and just see the results at the end, hehe.

Thanks for the tip on the SSH I will deactivate that account.

The bottom line it scans once again.

Thanks again!