Forum Replies Created

Viewing 15 replies - 16 through 30 (of 33 total)
  • Thread Starter foreclosurepedia

    (@foreclosurepedia)

    The involvement of both Wordfence and TMD has brought the email mystery to a conclusion. I am hopeful that it might be allowed to remain as it is entirely possible that someone else has or will experience it. To be clear, had I not pursued every possible avenue, I would have not reached the conclusion.

    First, I want to thank Wordfence for their tireless efforts in what they have done. What I mean is that several folks on here have listed avenues for me to search upon which brought the answers needed. They did this in the face of adversity and with respect to my inappropriate state of mind. I humbly apologize for that regardless of what I thought at the time. No justification.

    Second, this is a good example of how a tertiary discovery has been made as a direct result of investigation. I am hopeful that it might help others; help others to realize that a) my language was abrasive and not recommended; and b) that if they have similar issues this might be the cause of it.

    Hello,

    Thank you for your update.

    Having the actual email headers, we were able to identify the reason causing the issue.

    I have noticed that there is an old backup copy of your website in your account, clearly a leftover from some previous restoration request, and it had the Wordfence plugin files there.

    I have removed it from your account public_html folder and placed it inside your account home folder so you can remove it if you do not need any of its files. I do believe that now the issue will be resolved as the files and folders of this backup cannot be accessed as they are not inside your public_html folder anymore.

    If you have any further questions or concerns, please do not hesitate to contact us.

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Below is the raw original email header. There is a definite problem. Wordfence is initiating, somehow, these alerts. Ran it by TMD as well.

    This alert was generated by Wordfence on “Foreclosurepedia” at Sunday 7th of September 2014 at 07:29:21 PM
    The Wordfence administrative URL for this site is: https://foreclosurepedia.org/wp-admin/admin.php?page=Wordfence

    Delivered-To: [email protected]
    Received: by xxxxxx with SMTP id xxxxx;
    Sun, 7 Sep 2014 17:29:25 -0700 (PDT)
    X-Received: by xxxx with SMTP id mc9mr28xxxxxxxx136164452;
    Sun, 07 Sep 2014 17:29:24 -0700 (PDT)
    Return-Path: <[email protected]>
    Received: from mxx.tmdhosting.com (mxx.tmdhosting.com. [19xxxx2])
    by mx.google.com with ESMTPS id f8si941xxxicz.73.2014.09.07.17.29.24
    for <[email protected]>
    (version=TLSv1 cipher=RC4-SHA bits=128/128);
    Sun, 07 Sep 2014 17:29:24 -0700 (PDT)
    Received-SPF: none (google.com: [email protected] does not designate permitted sender hosts) client-ip=198.143.161.162;
    Authentication-Results: mx.google.com;
    spf=neutral (google.com: [email protected] does not designate permitted sender hosts) [email protected]
    Received: from new.tmdhostingxx.com ([xxxx0.114] helo=nodexx.tmdhostingxx.com)
    by mxxx.tmdhosting.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.82)
    (envelope-from <[email protected]>)
    id 1XQmpe-0002Gy-Bi
    for [email protected]; Sun, 07 Sep 2014 19:29:24 -0500
    Received: from foreclos by node01.tmdhosting810.com with local (Exim 4.80.1)
    (envelope-from <[email protected]>)
    id 1XQmpe-002nc8-0t
    for [email protected]; Sun, 07 Sep 2014 19:29:22 -0500
    To: [email protected]
    Subject: [Wordfence Alert] foreclosurepedia.org User locked out from signing in
    X-PHP-Script: foreclosurepedia.com/wp-login.php for 213.97.128.187
    Date: Mon, 8 Sep 2014 00:29:21 +0000
    From: WordPress <[email protected]>
    Message-ID: <[email protected]>
    X-Priority: 3

    A user with IP address 213.97.128.187 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 3. The last username they tried to sign in with was: ‘Editor-in-Chief’
    User IP: 213.97.128.187
    User hostname: 187.Red-213-97-128.staticIP.rima-tde.net


    To change your alert options for Wordfence, visit:
    https://foreclosurepedia.org/wp-admin/admin.php?page=WordfenceSecOpt
    To see current Wordfence alerts, visit:
    https://foreclosurepedia.org/wp-admin/admin.php?page=Wordfence
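
Added example, not part of the original thread or of Wordfence's code: a Python triage of an alert like the one above that compares the host named in `X-PHP-Script` with the host in the alert's admin URL and checks for a `with local` Received hop, which means the mail was submitted on the web server itself. The sample message, the `triage_alert` function and the `example.*` hosts are constructed for illustration; a mismatch is a lead to investigate (such as a leftover copy of the site under the web root), not proof.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample alert (not the message from the thread): the header names
# one host, while the admin URL in the body names another.
SAMPLE_ALERT = """\
Received: from siteuser by node.hosting.example with local (Exim 4.80.1)
\tid 1AAAAA-000000-00; Sun, 07 Sep 2014 19:29:22 -0500
To: admin@example.org
Subject: [Wordfence Alert] example.org User locked out from signing in
X-PHP-Script: example.com/wp-login.php for 203.0.113.7
Date: Mon, 8 Sep 2014 00:29:21 +0000
From: WordPress <wordpress@example.org>

The Wordfence administrative URL for this site is: https://example.org/wp-admin/admin.php?page=Wordfence
"""

# Header layout as it appears in the thread: "<host>/<script path> for <client ip>"
X_PHP_SCRIPT = re.compile(r"^(?P<host>[^/\s]+)(?P<path>/\S*)\s+for\s+(?P<client>\S+)$")
ADMIN_URL = re.compile(r"https?://\S+/wp-admin/\S*")


def triage_alert(raw):
    """Return which script sent the alert and whether it matches the live site."""
    msg = message_from_string(raw)
    finding = {"script_host": None, "script_path": None, "client_ip": None,
               "admin_host": None, "local_submission": False, "mismatch": False}

    header = msg.get("X-PHP-Script")
    match = X_PHP_SCRIPT.match(header.strip()) if header else None
    if match:
        finding["script_host"] = match["host"].lower()
        finding["script_path"] = match["path"]
        finding["client_ip"] = match["client"]

    # A "with local" hop means the message was handed to the MTA by a local
    # process (for example PHP's mail()), not relayed in from outside.
    finding["local_submission"] = any(
        re.search(r"\bwith local\b", hop) for hop in msg.get_all("Received", []))

    url = ADMIN_URL.search(msg.get_payload())
    if url:
        finding["admin_host"] = (urlparse(url.group(0)).hostname or "").lower()

    finding["mismatch"] = bool(finding["script_host"] and finding["admin_host"]
                               and finding["script_host"] != finding["admin_host"])
    return finding
```
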

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Below is their email to me. So, I think it best to use 1953EDT 07SEP14 as a baseline. If nothing else comes through, then the second part of the matter is resolved. The first part is not of my affair as I no longer utilize the plugin so it is moot to me.

    Thank you for responding and giving some suggestions to issues. If nothing else perks through, I would believe that the issue is resolved.

    I have double checked the server mail queue and I can confirm that there are no emails waiting to be sent from your account. However it is entirely possible that some emails might have been kept in the outgoing queue and they might have been delivered after the reported plugin removal.

    However as the queue is clear now there should be no such future emails generated from your WordPress website.

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Sent this, word for word, to TMD. I will respond back with their answer, but it would still not explain how the 3 strikes and you're banned for 60 days; the Country IP ban and the Editor-in-Chief username as an automatic ban were all circumvented. This is really what I am driving at. The problem lies there whereas what I am experiencing now is an inconvenience.

    Don’t get me wrong, I appreciate the breakdown of and understand how the server pulls the info from Wordfence and uses an internal mailserver to send to my personal email. And because I want all the answers to put the entire picture together, I am pursuing that. If, though, there is a problem, I believe in exploring the genesis of it.

    I will post back when they reply.

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Yeah, I thought about that and then I remembered why I use Google Apps. As I use Google Apps which makes Google Servers my Servers, for want of better words, I wrote Google and posted in their forums. The post you refer to deals with emails which are self hosted. More on point, though, as I had previously set all the proper conditions with respect to the blocking of logins after 3 failed attempts to 60 days, it would be rather moot. Additionally, the timestamps are indicative that either this is one of the most sophisticated attacks ever created in that it has tricked both my Servers on the site and the Google Servers, or this is a Wordfence problem. A simple scan of my site reveals that your Founder revoked my paid license and I uninstalled the program. 11 of these Wordfence alerts over the past 23 hours, though, is ironic at best.

    I agree that many people use Wordfence and have no issues. Some people use Wordfence and have issues and don’t post. Then some folks, like myself, have issues and document them.

    I appreciate your reply and believe we are able to deduce that this is not the problem. So, there appear to be two issues at hand. The first is directly related to the second. Now, I wrote to my hosting provider, TMD Hosting, and am having them investigate the issue as well. It is concerning, at best, though that Wordfence is not only removed and the SQL tables gone, and I continue to get the emails.

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Thanx. Wordfence is one of these unique platforms that keeps on giving. So, after I uninstalled the Platform, I continue to get Wordfence alerts on the same IP Address from Wordfence as seen below. Mark Maunder stated that my girlfriend insulted his staff and issued a refund check for $39. Would appear that this is to prevent any need to fix an obviously bug ridden platform. Now, we have not just the original issue I presented with, but a plugin that keeps on giving like the Energizer Bunny. That generally becomes the problem when you swap customer service for profit IMHO. **Should be noted that the Plugin is Uninstalled.

    This alert was generated by Wordfence on “Foreclosurepedia” at Sunday 7th of September 2014 at 11:24:35 AM

    The Wordfence administrative URL for this site is: https://foreclosurepedia.org/wp-admin/admin.php?page=Wordfence

    A user with IP address 213.97.128.187 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 3. The last username they tried to sign in with was: ‘Editor-in-Chief’
    User IP: 213.97.128.187
    User hostname: 187.Red-213-97-128.staticIP.rima-tde.net

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Matter is closed. Refund issued.

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    I reply here because I get a notice from no reply. I would send credentials, but I won’t post them on here nor do I think you are asking me to.

    Nothing is cached anywhere I can find. Nor have they ever been. On the options page, there is nothing for cache. On the performance page I tried it once way back when it first came out and it jacked with my Live Chat so it has been off since then. Using REMOTE_ADDR in the How it gets IPs

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Appreciate the reply. I reiterate the fact that I manually blocked the IP and that didn’t work. My lock out is set for 60 days and they breached that 15 times already. And the Country Blocking is set as well. I additionally set the Editor-in-Chief as an auto block and that didn’t work. Matter of fact, below you will see they attempted to access even as I wrote this:

    This alert was generated by Wordfence on “Foreclosurepedia” at Saturday 6th of September 2014 at 05:51:49 PM
    The Wordfence administrative URL for this site is: https://foreclosurepedia.org/wp-admin/admin.php?page=Wordfence

    A user with IP address 213.97.128.187 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 3. The last username they tried to sign in with was: ‘Editor-in-Chief’
    User IP: 213.97.128.187
    User hostname: 187.Red-213-97-128.staticIP.rima-tde.net

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    It should be noted that they are now hitting my website about every hour now. I am loath to pay for a product and then have to reach out to my provider to manually lock the IP down or do it myself in htaccess as why would I pay for something to do that in the first place.

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Enable debugging mode (increases server load) is unchecked; not activated.

    No Cloudflare.

    When I select the “REMOTE_ADDR” (Getting the IPs Area), the WordFence Errors leave and I get new ones.

    So, I’ll head over to Pippin’s page and ask him. I thank you as that got rid of the WordFence errors. And maybe I’ll get an answer from the Live Chat folks today as well!

    Thanx again for your time!

    Notice: Undefined variable: bgrwvt in /home/foreclos/public_html/wp-content/themes/newspapertimes-codebase/functions.php on line 110

    Notice: Trying to get property of non-object in /home/foreclos/public_html/wp-content/plugins/restrict-content-pro/includes/content-filters.php on line 15

    Notice: Trying to get property of non-object in /home/foreclos/public_html/wp-content/plugins/restrict-content-pro/includes/content-filters.php on line 16

    Notice: Trying to get property of non-object in /home/foreclos/public_html/wp-content/plugins/restrict-content-pro/includes/content-filters.php on line 18

    Notice: Trying to get property of non-object in /home/foreclos/public_html/wp-includes/post-template.php on line 29

    Notice: Trying to get property of non-object in /home/foreclos/public_html/wp-content/plugins/restrict-content-pro/includes/content-filters.php on line 76

    foreclosurepedia

    (@foreclosurepedia)

    Sent you an email to your direct email address. I have the Pro stuff and sent you the Paypal Receipt. I bought the Highest Dollar Package you had with like Gold, Map Pro and Chat Pro. So, I will await your email.

    Thanx

    foreclosurepedia

    (@foreclosurepedia)

    Second this. Just bought the Plugin tonight as part of a DEV Package to upgrade the WP Maps Pro deal. I liked the telephone ringing. I just about jumped out of my chair.

    https://foreclosurepedia.org if you need to look where it is at.

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    I filed a ticket on the WordFence site about 12 hours ago and heard nothing. It is troubling as I do not know if the protection is even doing anything which is why I bought the product in the first place. I suppose; had I not paid for anything, I would have no gripe. When you pay money, though and at the height of a Global WordPress hacking barrage, one kind of would like at least an answer explaining what the @#%$ is going on.

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Hey, thanks for writing me! That means a lot to see a reply even though it is not from WordFence. It shows that we are all a Community — not to sound corny or anything.

    I filed a Support Ticket on their Site as well. There have been some HUGE Global hacks going on so hopefully it is an unrelated deal.

    Hope your stuff gets back to normal and have a great morning!

    https://foreclosurepedia.org
