darnpunk
Forum Replies Created
Hi @wfpeter,
Thanks for sharing. It seems setting sys_temp_dir = /home/mydomain/tmp in php.ini resolves the issue.
Would there be any issues setting the same path for both sys_temp_dir and upload_tmp_dir?
Forum: Plugins
In reply to: [Disable WP REST API] Wordfence Central not connecting
Sure, will explore that and share if I manage to implement it. Thanks!
I finally got it to work. For my case, I had a change of path on server, which the file /wp-content/nfwlog/ninjafirewall.php is still referencing to the old path.
I had to uninstall the plugin and remove the /wp-content/nfwlog folder, then re-install the plugin for it to work.
Hi, I am also facing the same issue. No matter how I try auto or manual options and edit the files .user.ini, php.ini and .htaccess it doesn’t work. Using LiteSpeed V7.7 with PHP 7.4.10.
Thank you. I guess we will install and set up individually per site. It seems to be doing OK for now so we will continue monitoring and mark this as resolved.
Thank you @nintechnet
We are still monitoring the site on our new server. It seems that our previous server had all the WordPress sites hacked. We see malicious php.ini files which enabled shell_exec and turned off disable_functions.
I guess the old server was not hardened by the previous sysadmin as we can see cPanel security advisor reported quite a few serious issues. When checked thoroughly, the remote mysql was actually enabled. We have disabled it now. It’s going to be a long week ahead to try and restore this.
We plan to install NinjaFirewall for all the sites using wp-cli. But the default install requires us to manually activate Full WAF mode. Is there a way to do this via the wp-cli? If we could enable the full WAF mode and apply an exported configuration with wp-cli would be good.
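A check for the tampering described in the post above, as an added example that is not part of the original post or of NinjaFirewall: it walks a web root for php.ini and .user.ini files and reports any whose disable_functions value leaves shell_exec or similar functions enabled. The function baseline and the sample tree are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

INI_NAMES = {"php.ini", ".user.ini"}
# Assumed baseline: functions the server-wide config is expected to keep disabled.
MUST_STAY_DISABLED = {"shell_exec", "exec", "system", "passthru", "popen", "proc_open"}

def last_value(text, directive):
    """Return the last value assigned to `directive`, or None if it is never set."""
    value = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments
        m = re.match(rf"(?i){re.escape(directive)}\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
    return value

def audit_tree(webroot):
    """Map each php.ini/.user.ini under webroot to the functions it re-enables."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in INI_NAMES.intersection(files):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                value = last_value(fh.read(), "disable_functions")
            if value is None:
                continue  # this file does not touch the directive
            listed = {f.strip().lower() for f in value.split(",") if f.strip()}
            reenabled = MUST_STAY_DISABLED - listed
            if reenabled:
                findings[os.path.relpath(path, webroot)] = sorted(reenabled)
    return findings

def demo():
    """Build a constructed web root: one tampered ini file and two benign ones."""
    root = tempfile.mkdtemp()
    samples = {
        "site1/php.ini": "disable_functions =\nallow_url_fopen = On\n",
        "site2/.user.ini": "upload_max_filesize = 8M\n",
        "site3/php.ini": "disable_functions = " + ",".join(sorted(MUST_STAY_DISABLED)) + "\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return audit_tree(root)
```

Whether a per-directory php.ini takes effect depends on the PHP handler in use, so a finding here means the file needs review rather than proving the setting is live.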
I am reposting this as the previous post doesn’t seem to go through. Please remove the previous post if necessary.
I got a few triggers from NinjaFirewall’s File Guard detection from an IP address in Ukraine.
Nothing else happened. No database changes detected. New server is using nginx and we have implemented some blacklist and whitelist rules. Here are some info – https://pastebin.com/raw/wZ9PYqkV
Seems like they are trying to exploit a plugin vulnerability?
This line looks strange. That particular access came from an Amazon AWS IP.
"GET /submit/?elementor-preview=156&ver=
Thanks for the quick responses. We have 3 admin users (2 used by developers, 1 used by client) and 1 editor account. I didn’t change all their passwords for the previous hack. But the 2nd round I changed for all the accounts. The contact email address for all the admin accounts are correct. The contact email in Settings > General page is correct too.
I have turned on Full WAF and also enabled File Check + File Guard. I’ve also enabled all the options in “Block direct access to any PHP file located in one of these directories”.
We will be migrating the site to a new server tonight after doing offline scans and checks.
My main concern is still regarding the allowing of users to upload files from the contact form. Could that be the entry point?
Some other info:
Wordpress is latest 5.5 now. Before the hack it was 5.4.2.
Here are the plugins used:
Advanced Custom Fields 5.9.0
DynamicConditions 1.4.6
Ele Custom Skin 3.0.0
Elementor 2.9.14
Elementor Pro 2.10.3
Google Tag Manager for WordPress 1.11.4
Make Column Clickable Elementor 1.3.1
NinjaFirewall (WP Edition) 4.2.4
NinjaScanner 2.0.7
Radio Buttons for Taxonomies 2.0.5
Yoast Duplicate Post 3.2.5
Yoast SEO 14.8.1
I’ve checked these plugins inside the https://wpvulndb.com/ and versions seem to look ok.
Have you been hacked lately, before you installed NinjaFirewall
Nope, this is the first. The site was deployed with Ninjafirewall from a fresh install so I believe its protected from the start.
I was able to access the .lastlogin file. There are only 5 lines in there and the IPs belong to mine and the client.
Anyway, the issue just repeated again. The database password got changed which was detected by Ninjafirewall. And this time there was also a malicious file in the root folder named uploads.php. The site turned into a file manager / webshell when I visited it.
So I had to move out all the files from the root folder and reuploaded a clean set of files, then repeated the change of database passwords, salt etc. This time round I also changed the cpanel password.
When I looked through Ninjafirewall logs, I didn’t notice any UPLOAD event. However when I checked the website access logs, I noticed POST requests to the login page and theme-editor.php file.
I’m still not sure how the password got changed and the malicious files got into the server. My guess is maybe they got access to the FTP using the cPanel password, or plugin issue, or somehow managed to bypass the firewall (unlikely I feel).
For now I’ve ensured all plugins and core is updated. I’ve set DISABLE_FILE_MODS to true in wp-config. And in Ninjafirewall, I’ve also enabled the option to block POST requests in theme folder. Let’s see how it goes.
Aside to this, we have another site hacked on the same VPS server but in another cPanel. Not sure if this is linked.
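Triage for the access-log observation in the post above, as an added example that is not part of the original post: it counts POST requests to wp-login.php and theme-editor.php per client address and marks theme-editor POSTs from addresses outside a known admin set for review. The log lines and addresses are constructed, and the combined log format is assumed.

```python
import re
from collections import defaultdict

# Combined log format (assumed); only the fields used below are captured.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
WATCHED = {"/wp-login.php": "login", "/wp-admin/theme-editor.php": "editor"}

# Constructed sample lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
198.51.100.20 - - [20/Aug/2020:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Aug/2020:02:11:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.24"
203.0.113.7 - - [21/Aug/2020:02:11:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.24"
203.0.113.7 - - [21/Aug/2020:02:11:15 +0000] "POST /wp-admin/theme-editor.php?theme=twentytwenty HTTP/1.1" 200 5120 "-" "python-requests/2.24"
203.0.113.7 - - [21/Aug/2020:02:11:20 +0000] "GET /uploads.php HTTP/1.1" 200 812 "-" "python-requests/2.24"
192.0.2.44 - - [21/Aug/2020:03:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""

def triage(log_text, known_ips=frozenset()):
    """Count POSTs to the login page and theme editor per client address."""
    stats = defaultdict(lambda: {"login_posts": 0, "login_ok": 0, "editor_posts": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        kind = WATCHED.get(m["path"].split("?", 1)[0])  # ignore the query string
        if kind == "login":
            stats[m["ip"]]["login_posts"] += 1
            # WordPress answers a successful login with a 302 redirect.
            stats[m["ip"]]["login_ok"] += int(m["status"] == "302")
        elif kind == "editor":
            stats[m["ip"]]["editor_posts"] += 1
    # A theme-editor POST from an address outside the known admin set needs review.
    return {
        ip: dict(s, review=s["editor_posts"] > 0 and ip not in known_ips)
        for ip, s in stats.items()
    }
```

Pass the addresses recorded in the .lastlogin file as `known_ips` so that legitimate admin sessions are not marked for review.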
Thanks for the advice. I checked and it looks like the database cannot be accessed remotely. The hosting is on VPS with WHM/cPanel. There are other sites hosted in the same server but in their own cPanel accounts. I believe cPanel has their own jailed environment to isolate the different accounts. The site having this issue is on its own account and no other sites are sharing the same cPanel account. Other than the database change mentioned earlier, scans didn’t find anything and the site looks ok.
The client does have access to the cPanel account but I am not sure if that may contribute to the issue since the database can only be accessed via localhost.
I’ve updated the salt keys and also changed the DB password. Will monitor to see if any issues.
Forum: Plugins
In reply to: [Abandoned Cart Lite for WooCommerce] Hundreds of fake cart since last update
@stoelwinder Are you using the lite version of the plugin? If yes, could you share the version?
I am not able to see any “From” or overviews page to check the IP address
Forum: Plugins
In reply to: [YITH WooCommerce Social Login] Yet another issue with Google
That error shows up likely is due to the displayName being empty. You can add these lines below around line 95 within getUserProfile() function in the new Google.php from the post above.
Line 94:
$this->user->profile->zip = ( property_exists( $response, 'zip' ) ) ? $response->zip : "";

// Add these new lines
if ( empty($this->user->profile->displayName) ) {
    $this->user->profile->displayName = $this->user->profile->firstName . " " . $this->user->profile->lastName;
}
New function should look like
function getUserProfile() {
    // refresh tokens if needed
    $this->refreshToken();

    $response = $this->api->api( "https://www.googleapis.com/oauth2/v3/userinfo" );

    if ( ! isset( $response ) ) {
        throw new Exception( "User profile request failed! {$this->providerId} returned an invalid response:" . Hybrid_Logger::dumpData( $response ), 6 );
    }

    $this->user->profile->identifier    = ( property_exists( $response, 'sub' ) ) ? $response->sub : "";
    $this->user->profile->firstName     = ( property_exists( $response, 'name' ) ) ? $response->given_name : "";
    $this->user->profile->lastName      = ( property_exists( $response, 'name' ) ) ? $response->family_name : "";
    $this->user->profile->displayName   = ( property_exists( $response, 'displayName' ) ) ? $response->name : "";
    $this->user->profile->photoURL      = ( property_exists( $response, 'picture' ) ) ? $response->picture : "";
    $this->user->profile->profileURL    = ( property_exists( $response, 'url' ) ) ? $response->url : "";
    $this->user->profile->description   = ( property_exists( $response, 'aboutMe' ) ) ? $response->aboutMe : "";
    $this->user->profile->gender        = ( property_exists( $response, 'gender' ) ) ? $response->gender : "";
    $this->user->profile->language      = ( property_exists( $response, 'locale' ) ) ? $response->locale : "";
    $this->user->profile->email         = ( property_exists( $response, 'email' ) ) ? $response->email : "";
    $this->user->profile->emailVerified = ( property_exists( $response, 'email' ) ) ? $response->email_verified : "";
    $this->user->profile->phone         = ( property_exists( $response, 'phone' ) ) ? $response->phone : "";
    $this->user->profile->country       = ( property_exists( $response, 'country' ) ) ? $response->country : "";
    $this->user->profile->region        = ( property_exists( $response, 'region' ) ) ? $response->region : "";
    $this->user->profile->zip           = ( property_exists( $response, 'zip' ) ) ? $response->zip : "";

    if ( empty($this->user->profile->displayName) ) {
        $this->user->profile->displayName = $this->user->profile->firstName . " " . $this->user->profile->lastName;
    }

    if ( property_exists( $response, 'placesLived' ) ) {
        $this->user->profile->city    = "";
        $this->user->profile->address = "";
        foreach ( $response->placesLived as $c ) {
            if ( property_exists( $c, 'primary' ) ) {
                if ( $c->primary == true ) {
                    $this->user->profile->address = $c->value;
                    $this->user->profile->city    = $c->value;
                    break;
                }
            } else {
                if ( property_exists( $c, 'value' ) ) {
                    $this->user->profile->address = $c->value;
                    $this->user->profile->city    = $c->value;
                }
            }
        }
    }

    // google API returns multiple urls, but a "website" only if it is verified
    // see https://support.google.com/plus/answer/1713826?hl=en
    if ( property_exists( $response, 'urls' ) ) {
        foreach ( $response->urls as $u ) {
            if ( property_exists( $u, 'primary' ) && $u->primary == true ) {
                $this->user->profile->webSiteURL = $u->value;
            }
        }
    } else {
        $this->user->profile->webSiteURL = '';
    }

    // google API returns age ranges min and/or max as of https://developers.google.com/+/web/api/rest/latest/people#resource
    if ( property_exists( $response, 'ageRange' ) ) {
        if ( property_exists( $response->ageRange, 'min' ) && property_exists( $response->ageRange, 'max' ) ) {
            $this->user->profile->age = $response->ageRange->min . ' - ' . $response->ageRange->max;
        } else {
            if ( property_exists( $response->ageRange, 'min' ) ) {
                $this->user->profile->age = '>= ' . $response->ageRange->min;
            } else {
                if ( property_exists( $response->ageRange, 'max' ) ) {
                    $this->user->profile->age = '<= ' . $response->ageRange->max;
                } else {
                    $this->user->profile->age = '';
                }
            }
        }
    } else {
        $this->user->profile->age = '';
    }

    // google API returns birthdays only if a user set 'show in my account'
    if ( property_exists( $response, 'birthday' ) ) {
        list( $birthday_year, $birthday_month, $birthday_day ) = explode( '-', $response->birthday );

        $this->user->profile->birthDay   = (int) $birthday_day;
        $this->user->profile->birthMonth = (int) $birthday_month;
        $this->user->profile->birthYear  = (int) $birthday_year;
    } else {
        $this->user->profile->birthDay   = 0;
        $this->user->profile->birthMonth = 0;
        $this->user->profile->birthYear  = 0;
    }

    return $this->user->profile;
}
@lukefiretoss Do you happen to know how does the combination of configuration work?
I am running the tasks via cron so I set
define('DISABLE_WP_HTTP_WORKER', true);
So if I add the optional on demand queue processing flag:
define('MAILCHIMP_DISABLE_QUEUE', true);
Will the orders and all still sync via cron but only single at a time?
Forum: Plugins
In reply to: [Mailchimp for WooCommerce] Issue syncing mailchimp to woocommerce
Just to update, I disconnected my store and reconnected back. The numbers look alright now. But here’s a few things to note.
I noticed running the tasks via WP CLI every minute via cron job seems to have some issues. What I saw in the logs is that every minute when cron tries to run the tasks, there is this “Currently running in another process. Error”
My guess is when it first runs, it doesn’t exit until the max_time is met. For example, if I run manually the CLI without cron it shows this:
queue listen process_id [9984] :: max_time [1800] :: memory limit [33554432000]
I assume after 1800 seconds, this queue process then quits. And only then when cron tries to run the queue listen, it will work.
If it’s less than 1800 seconds, that error above “Currently running in another process” will keep on showing up.
Is this normal? Should the cron task be run every 1800 seconds?
Forum: Plugins
In reply to: [Mailchimp for WooCommerce] Issue syncing mailchimp to woocommerce
@ryanhungate Thanks, that seems to work. It looks completed now. Just one more thing, the total number of products synced seems off from the products in my list. Is there a way to check in Mailchimp backend what is synced?