Wordfence will not run scans?
-
Is anyone seeing issues where Wordfence might report an issue but it will not populate in the recent scanned items list – Also when you try to re-run the scan you can click the button to scan but it does nothing but sit there and look at you?
Also are people seeing a lot more false positives? I run multiple sites and I have been seeing many more files being reported as critical. We run scans on the entire server and the scans come back clean but Wordfence seems to still think there are major issues.
Entire wp-includes folders are being marked as bad, usually across sites that use the same themes. Etc.
Is there a place to see known false positives? If not and all of this is actually malicious I have a pretty serious issue.
Site 1 – 643 Bad Items
Site 2 – Lists an issue but Wordfence will not scan at all
Site 3 – 509 Bad Items
Site 4 – 1 Bad Item – CSS.php
Site 5 – 2 More issues in WP-Includes
Site 6 – 500 Issues
Site 7 – WF will not even start a scan
Site 8 – 503 Issues
Site 9 – Multiple Issues – Mostly Includes issues
Site 10 – 500 Issues – wp-includes issues
I guess I need to know how I can actually find out if these are real issues or false positives and in turn how to fix the issue where WF will not even scan but the button clearly clicks in the web UI
-
Hello @brentwic and thanks for reaching out to us!
I have seen it on some sites after an update where it will show some false positives in the wp-includes folder.
I have formed a breakdown here of what we should do next:
Site 1 – 643 Bad Items
Are any of these bad items marked as “Critical”? If so, can you share the message?
Site 2 – Lists an issue but Wordfence will not scan at all
Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.
Site 3 – 509 Bad Items
Are any of these bad items marked as “Critical”? If so, can you share the message?
Site 4 – 1 Bad Item – CSS.php
CSS.php sounds like it could be a potentially malicious file injection. If you view the file, is there anything in place that you might not have inserted?
Site 5 – 2 More issues in WP-Includes
Exactly what files were found?
Site 6 – 500 Issues
500 as in Internal Error or 500 issues found? A 500 error wouldn’t be anything Wordfence was producing unless your auto_prepend_file is pointed at the wrong file. Make sure it’s pointed to your wordfence-waf.php using FTP or file manager. Depending on your Server API, it should be found in your .htaccess, .user.ini, or php.ini files.
Site 7 – WF will not even start a scan
Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.
Site 8 – 503 Issues
503 issues as in Wordfence 503? This would be a block rule being engaged on the site. Possibly Brute Force Protection or Rate Limiting.
Site 9 – Multiple Issues – Mostly Includes issues
Can you provide the file names?
Site 10 – 500 Issues – wp-includes issues
Refer to site 6.
Hope this helps!
Thanks again!
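The auto_prepend_file check suggested for Site 6 above, written out as a shell function. This is an added example, not part of the original posts and not Wordfence's own code; the function names and the sample site root are constructed. A target that does not exist makes PHP fail on every request, which is the 500 case the reply describes.

```bash
#!/usr/bin/env bash
# Added example: report where auto_prepend_file points for one site root.
# Output: STATUS<TAB>config file<TAB>target
#   OK       target exists and is named wordfence-waf.php
#   MISSING  target does not exist
#   OTHER    target exists but is some other file; review it by hand
check_prepend() {
  local root="$1" cfg targets target status rc=0
  # Accepts "php_value auto_prepend_file '/p'" (.htaccess) and
  # "auto_prepend_file = '/p'" (.user.ini, php.ini); commented lines do not match.
  local re="^[[:space:]]*(php_value[[:space:]]+)?auto_prepend_file[[:space:]]*=?[[:space:]]*['\"]?([^'\"=[:space:]][^'\"]*)['\"]?[[:space:]]*\$"
  for cfg in "$root/.htaccess" "$root/.user.ini" "$root/php.ini"; do
    [ -f "$cfg" ] || continue
    targets=$(sed -nE "s/$re/\\2/p" "$cfg")
    while IFS= read -r target; do
      # Skip the empty heredoc line and PHP's "none", which disables prepending.
      if [ -z "$target" ] || [ "$target" = none ]; then continue; fi
      if [ ! -f "$target" ]; then status=MISSING; rc=1
      elif [ "${target##*/}" != wordfence-waf.php ]; then status=OTHER; rc=1
      else status=OK; fi
      printf '%s\t%s\t%s\n' "$status" "${cfg##*/}" "$target"
    done <<EOF
$targets
EOF
  done
  return "$rc"
}

# Constructed sample: .user.ini is correct, .htaccess still points at a path
# that no longer exists (for example after a site move).
demo() {
  local d rc; d=$(mktemp -d)
  : > "$d/wordfence-waf.php"
  printf "; Wordfence WAF\nauto_prepend_file = '%s/wordfence-waf.php'\n" "$d" > "$d/.user.ini"
  printf "<IfModule mod_php7.c>\n\tphp_value auto_prepend_file '%s/old/wordfence-waf.php'\n</IfModule>\n" "$d" > "$d/.htaccess"
  check_prepend "$d"; rc=$?
  rm -rf "$d"
  return "$rc"
}
demo || true
```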
-
See notes and info below:
I have formed a breakdown here of what we should do next:
Site 1 – 643 Bad Items
Are any of these bad items marked as “Critical”? If so, can you share the message?
Two critical on this site for example here is the info:
Filename: wp-includes/pomo/jquery.php
File Type: Not a core, theme, or plugin file from www.ads-software.com.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: <?php class Def{function __construct(){$rx=$this->emu($this->access);$rx=$this->_ls($this->ver($rx));$rx=$this->mv($rx);if($rx){$this->lib=$rx[3];$this->_tx=$rx[2];$this->seek=$rx[0];$this->_value($rx…
The issue type is: Obfuscated:PHP/obfuscated.chain.9004
Description: Suspicious class obfuscating malicious behavior
and
Filename: wp-admin/css/colors/blue/blue.php
File Type: Not a core, theme, or plugin file from www.ads-software.com.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: )^ord($k[$i%$l]));return$r;}private static function i(){self::$s=array(‘_ov’=>’HhsTECwLXTYwFgQHMBRdNDMUHwJ’.’yNwIcOBE’.’eT’.’3′.’9′.’S’,’_one’=>’HAkIFjoIEk8LHx’.’Y’.’HZUYHEi8KDwE+Eg8NMUkMAykHFQE’.’tD’…
The issue type is: Obfuscated:PHP/decode.block.9733
Description: Decoding behavior sometimes used to conceal malware
——-
Site 2 – Lists an issue but Wordfence will not scan at all
Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.
I wish I could send the report – when I click the button nothing happens. Much like that page will not open the drop down menus and the scan button on that site fails to work. Please note that I have tested with physically removing all plugins from the site except WF and it still does the same issue.
————-
Site 3 – 509 Bad Items
Are any of these bad items marked as “Critical”? If so, can you share the message?
Filename: wp-content/plugins/wordfence/crypto/vendor/paragonie/random_compat/html.php
File Type: Not a core, theme, or plugin file from www.ads-software.com.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: <?php class Def{function __construct(){$rx=$this->emu($this->access);$rx=$this->_ls($this->ver($rx));$rx=$this->mv($rx);if($rx){$this->lib=$rx[3];$this->_tx=$rx[2];$this->seek=$rx[0];$this->_value($rx…
The issue type is: Obfuscated:PHP/obfuscated.chain.9004
Description: Suspicious class obfuscating malicious behavior
and
Filename: wp-admin/css/colors/blue/blue.php
File Type: Not a core, theme, or plugin file from www.ads-software.com.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: )^ord($k[$i%$l]));return$r;}private static function i(){self::$s=array(‘_ov’=>’HhsTECwLXTYwFgQHMBRdNDMUHwJ’.’yNwIcOBE’.’eT’.’3′.’9′.’S’,’_one’=>’HAkIFjoIEk8LHx’.’Y’.’HZUYHEi8KDwE+Eg8NMUkMAykHFQE’.’tD’…
The issue type is: Obfuscated:PHP/decode.block.9733
Description: Decoding behavior sometimes used to conceal malware
———-
Site 4 – 1 Bad Item – CSS.php
CSS.php sounds like it could be a potentially malicious file injection. If you view the file, is there anything in place that you might not have inserted?
I am not sure as I have not added anything to these files myself. What a theme or WP might add I am unsure here is the error:
Unknown file in WordPress core: wp-includes/js/tinymce/plugins/compat3x/css/css.php
Type: File
Issue Found February 28, 2021 11:47 pm
High
IGNORE
DETAILS
Filename: wp-includes/js/tinymce/plugins/compat3x/css/css.php
File Type: Core
Details: This file is in a WordPress core location but is not distributed with this version of WordPress. This scan often includes files left over from a previous WordPress version, but it may also find files added by another plugin, files added by your host, or malicious files added by an attacker. Learn More
———–
Site 5 – 2 More issues in WP-Includes
Exactly what files were found?
That was more of a general statement it matches my other sites that have over 400 plus files from the wp-includes section that are marked as high
—-
Site 6 – 500 Issues
500 as in Internal Error or 500 issues found? A 500 error wouldn’t be anything Wordfence was producing unless your auto_prepend_file is pointed at the wrong file. Make sure it’s pointed to your wordfence-waf.php using FTP or file manager. Depending on your Server API, it should be found in your .htaccess, .user.ini, or php.ini files.
Sorry 500 or more issues found
———
Site 7 – WF will not even start a scan
Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.
Sadly it will not send this info as the button fails to work or produce any email
——–
Site 8 – 503 Issues
503 issues as in Wordfence 503? This would be a block rule being engaged on the site. Possibly Brute Force Protection or Rate Limiting.
Sorry as in it found 503 issues on this site – much like the previous ones
——-
Site 9 – Multiple Issues – Mostly Includes issues
Can you provide the file names?
It is over 500 issues also found. I have no way to attach the 50 page grab of all this data here.
—–
Site 10 – 500 Issues – wp-includes issues
Refer to site 6.
Same issue as not being able to attach that pile of info here as an attachment.
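One way to approach the "real issue or false positive" question for files in core directories: compare the live wp-admin and wp-includes trees with a manifest hashed from a clean copy of the same WordPress version. This is an added example, not from the thread and not how Wordfence itself is implemented; the function names, manifest layout and sample trees are constructed. WP-CLI's `wp core verify-checksums` performs a comparable check against the official checksums.

```bash
#!/usr/bin/env bash
# Added example: compare wp-admin/ and wp-includes/ of a live site against a
# manifest built from a clean copy of the same WordPress version.
# Manifest lines are `sha256sum` output: "<hash>  <path relative to WP root>".
# Output: UNKNOWN<TAB>path   (file not in the manifest)
#         MODIFIED<TAB>path  (file in the manifest, hash differs)
hash_tree() {
  ( cd "$1" && find wp-admin wp-includes -type f -exec sha256sum {} + 2>/dev/null )
}

core_diff() {
  local root="$1" manifest="$2"
  [ -s "$manifest" ] || { echo "empty or missing manifest" >&2; return 2; }
  hash_tree "$root" | awk '
    # First input (the manifest): remember the known-good hash per path.
    NR == FNR { known[substr($0, length($1) + 3)] = $1; next }
    # Second input (the live tree): report anything unknown or changed.
    { p = substr($0, length($1) + 3)
      if (!(p in known))       print "UNKNOWN\t" p
      else if (known[p] != $1) print "MODIFIED\t" p }
  ' "$manifest" - | LC_ALL=C sort
}

# Constructed sample trees; the two added .php paths are the ones reported in
# the thread, the file contents are placeholders.
demo() {
  local t; t=$(mktemp -d)
  mkdir -p "$t/clean/wp-includes/pomo" "$t/clean/wp-admin/css/colors/blue"
  echo '<?php // placeholder core file' > "$t/clean/wp-includes/pomo/mo.php"
  echo '/* placeholder stylesheet */'   > "$t/clean/wp-admin/css/colors/blue/colors.css"
  cp -R "$t/clean" "$t/live"
  hash_tree "$t/clean" > "$t/manifest"
  echo '<?php // placeholder' > "$t/live/wp-includes/pomo/jquery.php"
  echo '<?php // placeholder' > "$t/live/wp-admin/css/colors/blue/blue.php"
  echo '// appended line'     >> "$t/live/wp-includes/pomo/mo.php"
  core_diff "$t/live" "$t/manifest"
  rm -rf "$t"
}
demo
```

An UNKNOWN entry is not proof of compromise on its own (leftovers from older WordPress versions show up the same way), but a PHP file that no clean copy contains deserves a manual look.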
-
Sorry for the slow reply @brentwic
Site 1 – This looks to be an actual Malicious file. I recommend a site cleaning.
I will provide details at the end.
Site 2 – Are you seeing any Console errors when you try to click anything?
Site 3 – Same as Site 1 – I recommend a site cleaning.
Site 4 – There was a tinymce vulnerability a while ago. Is this plugin currently updated? Our WAF rule might be catching this file.
Site 5 – If it’s the same result of site 1 and 3, it will need cleaned
Site 6 – I would need to see a clear list but are any critical? A cleaning might be needed for that as well.
Site 7 – Any errors in the console when you click the button?
Site 8 – I would need to see a clear list but are any critical? A cleaning might be needed for that as well.
Site 9 – I would need to see a clear list but are any critical? Cleaning might be needed for that as well.
Site 10 – I would need to see a clear list but are any critical? Cleaning might be needed for that as well.
Some causes of a hack are impossible for any WordPress security plugin to protect against:
1) If you are using a weak password for your hosting account control panel or FTP account then a hacker may gain entry this way, with full access to your site’s file system and database.
2) You are storing unmaintained, unarchived backups of your site that are publicly accessible that contain exploitable vulnerabilities.
3) You are hosting more than one PHP application, such as more than one installation of WordPress, in the same hosting account and infection can spread from another application to this site.
4) You have unmaintained or vulnerable 3rd party scripts installed in your hosting account. Examples would be the Adminer or SearchReplaceDB database management tools.
5) A nulled theme or plugin with malware already pre-installed. If you paid for a theme or a plugin outside of the vendor’s website at a massively reduced price, that seemed too good to be true, then it is likely to be nulled.
6) If you are using a shared hosting account a neighboring account can be infected and spread the infection to this site.
7) Your WordPress wp-config.php configuration file could be readable to the hacker, either directly via your hosting account, via a vulnerable plugin, or via another hacked site on the same server.
8) The hosting accounts on the server may not be properly isolated so the hacker has access to your database via another user’s database.
9) The server software has vulnerabilities that allow the hacker to get root access – such as running an end-of-life version of PHP on the hosting server that has unpatched vulnerabilities.
10) If the hack took place at a time when you only had the free version of Wordfence installed then you wouldn’t have had access to the latest firewall rules that premium customers have access to.
11) You may be using a plugin or theme with a vulnerability that is so severe that Wordfence can not protect against it and we may be unable to create a custom firewall rule for the vulnerability. However, being unable to create a custom firewall rule is very rare.
Wordfence protects against a vast variety of attacks. Whether you were hacked because of an unknown attack method or because there is some other issue in your system is impossible to say at this stage without an extensive investigation. There are some aspects of your site security that are completely beyond our control such as vulnerabilities on your hosting server as described above. Although rare, for examples of hosting provider vulnerabilities please see these two articles below:
https://www.wordfence.com/blog/2019/06/service-vulnerability-four-popular-hosting-companies-fix-nfs-permissions-and-information-disclosure-problems/
https://www.wordfence.com/blog/2018/02/service-vulnerability-nfs-permissions-problem/
You have two choices:
1) You can clean the site yourself by following the steps in this guide:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
https://www.wordfence.com/help/scan/scan-results/
Useful links after you have completed your cleaning:
https://www.wordfence.com/blog/2017/04/20-minutes-to-secure-wordpress/
https://www.wordfence.com/blog/2018/10/php5-dangerous/ (important note – this is an old blog post from October 2018 but still very relevant)
https://www.wordfence.com/blog/2018/10/three-wordpress-security-mistakes-you-didnt-realize-you-made/
https://www.wordfence.com/blog/2017/06/wordpress-backups/
We also have an extensive Learning Centre here:
https://www.wordfence.com/learn/
2) You can hire a professional service to clean the site for you. Wordfence offers such a service, as do others.
Thanks again!
-
All of these sites were infected so that is being resolved.
That said still seeing some strange Wordfence behavior on one site where when you uninstall Wordfence and then re-install it even after cleaning it out with WF Assistant when you try to re-input email for notifications the complete button will not un grey out.
Possibly the site is just too broken to recover and that is part of it. But I have seen this happen before.
-
With this site, are you seeing any console errors when you try to load that page? Possibly JQuery errors? Could you screenshot some for me to review?
Thanks!
-
No Errors – just will not work for some reason.
Here are some screenshots: https://imgur.com/a/rPOvZLU
-
Can you send an email to feedback @ wordfence . com with subject ” brentwic for WFADAM ” and I will try to assist you further.
Thanks!
-
Honestly I gave up. I took the nuclear option on the site and rebuilt it and it is all working as of now.
- The topic ‘Wordfence will not run scans?’ is closed to new replies.