Matthew
Forum Replies Created
You’re so awesome @nlpro!
@tim-reeves I’m on board with ya, it’s great to bring these to light but I suppose with my initial reply I was trying to get at that iTSec probably won’t have a quick fix since it’s still going through preliminary 8.1 support.
I mean, warnings are expected on PHP 8.2. A lot of folks are still working on PHP 8.1 support, it’s not just iTSec.
https://make.www.ads-software.com/hosting/handbook/server-environment/#php
@emgraphics what do you mean by not connecting? I’ve used WooCommerce along with iThemes Security without any problems.
Hello @chadest, you’ll want to use
define('ITSEC_DISABLE_TWO_FACTOR', true);
2FA stuff.
I’m betting folks who are not seeing the Mute button don’t have the site fully secured. An SSL may be installed but more than likely, a search/replace needs to be performed to update any lingering URLs not using HTTPS. This is a super common issue and something that’s seen at WP Engine ALL the time.
P.S. You can make an email label or new inbox to redirect the emails. They’ll be out of sight, but the paper trail will still be available if needed.
iThemes released a blog post pertaining to this CVE. https://ithemes.com/blog/unpatched-vulnerability-in-wordpress-core/
@anotherdave Glad to help where I can. iThemes Security doesn’t use this blog as a source; the blog is a reference to who filed the CVE, so you can rest easy.
I’m no security extraordinaire, but you can use your preferred search engine to learn more about how CVEs are submitted.
@anotherdave The source is Sonar Blog. Security blogs love to make headlines like this. They filed a CVE on this existing issue which core has known about for years, and now it’s a thing.
Yup, PHP 8.1 is something that is still being worked on, as @nlpro mentioned. Technically PHP 8.1 is still in beta support for WordPress, so it’s not recommended for production sites.
Edit: I forgot to link this https://make.www.ads-software.com/hosting/handbook/server-environment/#php
Heya, @sterndesign you can try using https://www.ads-software.com/plugins/wp-mail-debugger/ to help debug the situation.
You can just truncate the table with something like phpMyAdmin.
@beantown123 What PHP version are you using and what WordPress version?
For what it’s worth, WP Engine stopped using the .htaccess file a long time ago.
The Site Scanner checks your site for known vulnerabilities and automatically applies a patch if one is available. Using the Google Safe Browsing API, the Site Scan also checks your Google blocklist status and will alert you if Google has found any malware on your website.
From the context above, no, the Site Scan module would not tell you about the code unless it’s been reported to Google as malicious.
If you are worried about code being added, it would be good to use the File Change Detection module to track what’s added and removed.