skunkworks

Those seem to come from OpenAI ChatGPT crawlers

Useragent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)

• This reply was modified 1 month, 2 weeks ago by skunkworks.

No interest in using (or continuing to troubleshoot) the plugin now that it’s known that the plugin requires communicating with an uncontrolled mystery server.

Update: Just received another Solid Security Email randomly in French.

Translated:

Main body:

Site analysis

Scheduled site scan found 1 issue [REDACTED-URL].ca/fr.

Known vulnerabilities

WordPress WPML Multilingual CMS plugin <= 4.6.12 – Authenticated (Contributor+) Remote Code Execution via Twig Server-Side Template Injection vulnerability

Footer:

Debugging information (source page): [REDACTED-URL].ca/fr

The email was followed 12 hours later by an English version of the same email that differed slightly.

Main body:

Site Scan

The scheduled site scan found 1 issue when scanning [REDACTED-URL].ca.

Known Vulnerabilities

WordPress WPML Multilingual CMS plugin <= 4.6.12 – Authenticated (Contributor+) Remote Code Execution via Twig Server-Side Template Injection vulnerability

Footer:

Debug info (source page): WP-Cron

can you try clicking the “Reset” button under the Scheduler table on your Debug page?

Done.

under the Notification Center table, can you confirm that the “digest” ID has a schedule for “Next Send”?

Reads:

digest – Last Sent: 2024-09-26 20:08:05, Next Send: 2024-09-27 20:08:05, Schedule: daily (Just changed to daily by me) Also I clicked “Force” button which resulted in an email arriving (in English). Unfortunately the email reads:

Site Scan
An error occurred while running the scheduled site scan on [REDACTED SITE NAME]:
Error Message: Unable to determine if the scan target is allowed: Target site returned invalid response. The site scanner was forbidden from accessing your site. Please check if the IP address 207.246.255.60 has been blocked.
Error Code: site_verification_failed.connection_error

Is https://ipinfo.io/207.246.255.60 Solid Security? If so, it was blocked by Cloudflare’s Firewall. You may want to get that IP whitelisted by Cloudflare’s staff as a known safe bot.

I know the last Security Digest was in French language, but (if not deleted yet) please check it’s content (use Google translate if you have to). The email content will tell us what security event/feature triggered that Security Digest email to be send (lockout(s) and/or file change(s)).

It was originally an IP block that was reported in French.

install your LAMPP stack properly.

if you dont know how to do it just buy a managed hosting or managed server.

Was installed by the experts at Less Bits via ServerPilot.io which was created by Justin Samuel and Kevin Luikens. Confident that they know what they’re doing.

Have used their products for just shy of 10 years and have never once had a situation prior where it seemed we didn’t have the basics installed properly.

DigitalOcean VPS + ServerPilot + Cloudflare

Checked the logs from the Post SMTP plugin and a weekly report email wasn’t sent.

Checked the Solid security plugin’s settings for the security digest at:

wp-admin/admin.php?page=itsec&path=%2Fsettings%2Fnotification-center%2Fdigest

and all was as expected there. Not sure why the email wasn’t sent. Many other emails from WordPress have been sent in that time and are visible in the logs.

Thanks for checking in on this. Strangely the Weekly report email didn’t come in. (Should’ve been on the 19th) Will need to check on why that is since I know site emails are working properly.

Have added

define( 'ITSEC_DEBUG', true );

to the wp-config and will see what happens when the next Weekly Digest email comes in.

If you prefer to use the old 2FA settings UI, you can add this constant to your site’s wp-config.php file: 
define ( 'SOLID_SECURITY_LEGACY_2FA_UI', true);

@shanedelierrr

With Solid Security Basic v9.3.2 I too had to use the above method in order to disable 2FA for my user as the regular method was not working. (WordPress v6.3.4, php 8.2) May 12th 2024

Unable to recreate the issue now. Strange. I will mark this as resolved and if we see the issue again we will try your suggestion.

shown to admins by JavaScript. It’s not included for visitors who aren’t logged in as an admin.

Well apparently it’s being seen by non-logged in bots watching the site.

I will check for caching issues and report back.

iTheme’s staff responded to our ticket with them (which linked to here) with:

I appreciate you reaching out to us about your findings on the potential conflict between iThemes Security and WP Super Cache, and you did an excellent job of finding a workaround!

I’ll submit this as a report to our developers, but please note that I can’t give you an exact date for a fix or confirm that we can implement this since our team considers certain factors before implementing one. 

Rest assured, I’ll get back to you if I receive feedback from one of our developers regarding this matter. I’ll also be on the lookout for the WP Super Cache team’s response to your .org thread.

Please don’t hesitate to create a ticket in the iThemes Security .org forum?here?if you have additional details to add or if you need assistance with other issues.

Shane Tiedra – iThemes, Oct 9th 2023

Confirming the change I made yesterday seems to be sticking and I’m no longer getting the recurring WP Super Cache Errors every 24hours now.

Seeing this same issue today with CF7 v5.7.2 and S&F Pro v2.5.13

Are you making use of any caching mechanism (like a caching plugin)?

Yes. WP Super Cache. We’ve been using this plugin for years on dozens of client sites and not seen this issue before.

Have a look at a bunch of 404 URLs in the iTSec plugin Logs page to determin whether they make any sense or not. If not it’s very well possible the site is under attack (searching for known vulnerable php files).

There are many 404s that are clearly bots but they are originating from their own IPs and we’ve disregarded them in this matter. But the 404’s from the site’s own IP is for content that makes sense but is no longer present on the site.

Also make sure the site is using the latest iTSec plugin release (7.7.1).

Yup.

Last but not least, is this site behind any proxy (like CloudFlare) ?

Yes. Cloudflare in use. WP Super Cache and Cloudflare is our go to for all our client’s sites for years and this issue is recent.