Daniel15
Forum Replies Created
Hey @wfpeter, thanks for your reply. I did already have the “Disable XML-RPC Authentication” feature enabled, however these brute force attacks were still causing a very heavy load on my server even with that feature disabled. It seems like WordFence doesn’t fully block the requests. I’m not using Apache but I’ll do the equivalent in my Nginx configuration.
Thanks,
Daniel

Forum: Plugins
In reply to: [YITH WooCommerce Wishlist] new user created
The WordFence blog has a good writeup on this: https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cart-plugin-leads-to-wordpress-site-takeovers/. It was a security issue in the Abandoned Cart plugin.
Forum: Plugins
In reply to: [EWWW Image Optimizer] Make bundled binaries optional
The thing is that I installed all the dependencies myself, and don’t even want the bundled third-party binaries on my system. They’re just extra risk. Number of users is not a good measure of trust (see Hoverzoom, Hola). The bundled binaries are not verifiable; there’s no way to tell if someone has uploaded a plugin update containing malicious versions of the binaries.
What if you made it an optional step after installation? “The required binaries were not detected on your system, click here to automatically install them”. Users that don’t know how to compile them could use the automated version.
This happened to me because I did not grant the site’s MySQL user DROP/TRUNCATE permission for security reasons. I saw this in the server’s PHP error log:
[25-Sep-2014 10:55:37] WARNING: [pool www] child 21991 said into stderr: "NOTICE: PHP message: WordPress database error DROP command denied to user 'username'@'localhost' for table 'wp_wfHoover' for query truncate table wp_wfHoover made by wp_new_comment, wp_allow_comment, apply_filters('pre_comment_approved'), call_user_func_array, wordfence::preCommentApprovedFilter, wfScanEngine->isBadComment, wordfenceURLHoover->cleanup, wfDB->truncate, wfDB->queryWrite"
So the TRUNCATE command was never actually successful. Is this error caught by Wordfence and displayed in the UI, or is it silently ignored? I don’t really want to grant the TRUNCATE permission to a database user used by a web site.

Forum: Plugins
In reply to: [Jetpack - WP Security, Backup, Speed, & Growth] Photon breaking image URLs
I’ll have to ask my sister as it’s her site, but as far as I’m aware she’s doing all the resizing in WordPress itself, and is not using an external tool at all.
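The "command denied" line quoted in the wp_wfHoover post above is the only trace of a query that failed without anything showing in the UI, so the practical check is to pull such events out of the PHP-FPM error log. The following Python scanner is an added example, not Wordfence's or WordPress's own code; the log lines it runs on are constructed in the shape of the line quoted in that post.

```python
import re

# Constructed sample log, shaped like the PHP-FPM error line quoted in the post above.
SAMPLE_LOG = """\
[25-Sep-2014 10:55:37] WARNING: [pool www] child 21991 said into stderr: "NOTICE: PHP message: WordPress database error DROP command denied to user 'username'@'localhost' for table 'wp_wfHoover' for query truncate table wp_wfHoover made by wp_new_comment, wp_allow_comment, apply_filters('pre_comment_approved'), call_user_func_array, wordfence::preCommentApprovedFilter, wfScanEngine->isBadComment, wordfenceURLHoover->cleanup, wfDB->truncate, wfDB->queryWrite"
[25-Sep-2014 10:56:02] NOTICE: [pool www] child 21991 said into stderr: "NOTICE: PHP message: PHP Notice: unrelated notice"
[25-Sep-2014 10:57:11] WARNING: [pool www] child 21992 said into stderr: "NOTICE: PHP message: WordPress database error DROP command denied to user 'username'@'localhost' for table 'wp_wfHoover' for query truncate table wp_wfHoover made by wp_cron, wfScanEngine->isBadComment, wfDB->truncate, wfDB->queryWrite"
"""

# Matches the "<PRIVILEGE> command denied" message MySQL returns when the grant is
# missing; WordPress appends the query and the PHP caller chain (outermost first).
DENIED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] .*?WordPress database error "
    r"(?P<privilege>[A-Z ]+?) command denied to user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' for table '(?P<table>[^']*)' "
    r"for query (?P<query>.*?) made by (?P<callers>.*)$"
)


def parse_denied(line):
    """Return a dict for a privilege-denied event, or None for any other line."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # The stderr payload is wrapped in double quotes; drop the closing one.
    event["callers"] = [c.strip() for c in event["callers"].rstrip('"').split(",")]
    return event


def summarize(log_text):
    """Tally denied events per (privilege, table, user@host), keeping the first caller chain seen.

    A count here means a query ran with no effect: in MySQL, TRUNCATE needs the DROP
    privilege, which is exactly what the quoted line reports.
    """
    summary = {}
    for line in log_text.splitlines():
        event = parse_denied(line)
        if event is None:
            continue
        key = (event["privilege"], event["table"], f"{event['user']}@{event['host']}")
        entry = summary.setdefault(key, {"count": 0, "first_seen": event["ts"],
                                         "query": event["query"], "callers": event["callers"]})
        entry["count"] += 1
    return summary


if __name__ == "__main__":
    for (priv, table, who), info in summarize(SAMPLE_LOG).items():
        print(f"{priv} denied on {table} for {who}: {info['count']}x, first {info['first_seen']}, "
              f"query '{info['query']}', via {' > '.join(info['callers'])}")
```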