wfchar

Hi @franck_b,

We don’t have any plans to support moving the login page option as part of Wordfence’s functionality at this time.

There is a plugin, WPS Hide Login, available that handles this functionality. Elegant Themes has an overview of setting up WPS Hide Login and using it here. If you’re comfortable coding your own solution, you can leverage WordPress’s wp_login_form function to handle building a new login form: https://codex.www.ads-software.com/Function_Reference/wp_login_form

Hi @blwdjustin,

Can you provide more information about your database setup, such as whether you’re using replication and what versions you’re using?

Hi Lukas,

Are you still seeing this behavior? I tested using Chrome (67.0.3396.99) and Firefox (59.0.2), but in both cases saw a “ERROR: The username or password you entered is incorrect. Lost your password?” message instead of a 502.

Hi @langejan,

Those are normal notices that Wordfence is doing its job. Those are all entries showing that something was recently blocked and are not an indication that you’ve been compromised.

Let us know if you have any further questions or concerns!

Hi @mike-clayton,

The URL you provided is generated by the Wordfence firewall. When you visit the URL, what do you see?

Also, are you using any caching on the site? It’s possible that the JavaScript used to generate these has been cached in the HTML.

Hi @managedhostingpartners,

I had Quality Assurance take a look at this issue, and when they tested your table and insert they triggered “ERROR 1364 (HY000): Field ‘bcol’ doesn’t have a default value”, which may point to a configuration difference where instead you just saw a warning. Beyond that, we’re not seeing anything that points to Wordfence, as we aren’t seeing any other reports of this or similar issues. We don’t recommend changing the column default as this could break future updates to Wordfence and wouldn’t be supported.

Since the failure seems to be around their restore process taking a valid table definition, exporting it, and re-importing its own output, it may be worth investigating on their end whether something is going on with how they’re handling and interpreting binary data through that process.

Hi @backpackingseries,

The scan option that is displaying in the alert banner, the malware scan, is the most resource intensive scan as it inspects all content of all files. With the “Scan images, binary, and other files as if they were executable” option on, the source of every file, including static files such as images and pdfs, is inspected, which adds further to the overhead required. Unless you know your site is infected, you’ll want to make sure this isn’t checked as image files and PDFs are not executable on Apache servers and therefore aren’t necessary to actively scan as the php file that would leverage a compromised resource would be caught without the “Scan images, binary, and other files as if they were executable” option enabled.

You can get more detailed information on the message you’re seeing by running the scan with Debug Mode on, which you can toggle at the bottom of the Tools > Diagnostics page. The scan will then show more detailed information. If you check the scan log generated with debug mode on, additional information will be available, such as php error messages and whether it’s stuck on a particular file or folder.

Can you make sure that the “Scan images, binary, and other files as if they were executable” option isn’t checked, then enable debug mode and rerun the scan?

Hi @parakeet,

Glad to see that you’re getting successful connections!

That’s correct — brute force protection will also protect xmlrpc.php, plus you have the other options for whitelisting the IPs with an explicit block.

Let us know if you have any further questions or concerns!

Hi @jennyinbc,

You can set the firewall into Learning Mode while you’re doing the site restore and that should allow things to proceed.

Let us know if you have any further questions or concerns!

Hi @jsepeta,

These files look like legitimate font files that could be part of the Metropolis theme. Another possibility is that there’s another plugin or theme involved, or possibly custom code from your host if they have managed WordPress. Have you had anyone working on the site lately, or installed any new plugins or themes?

Another thing to note is that these files will disappear the next time WordPress is updated. Since wp-includes is a core folder, it’s recommended that you use wp-content for file uploads such as adding additional fonts. If these font files were manually installed, you may want to consider moving them into wp-content so Wordfence isn’t alerting for the presence of non-core files, and the files aren’t removed when WordPress is updated.

Hi Kenny,

There isn’t anything we can do from our end, unfortunately. If you’re using an email service that provides the ability to set up custom filters, it would be worth creating one that routes these incoming notifications so you never even have to see them. For example, I use Gmail and have rules that bypass my inbox, mark it as read, and send it directly to the trash.

Hope this helps!

Hi @backpackingseries,

Would it be possible for you to reproduce the scan failure? If it’s repeatable, please provide the exact failure message you see.

Once you have the failure message, go to Tools > Diagnostics and select Send Report by Email, and send the report to [email protected]. Please include your forum username in the Forum Username field as well.

If you also have logs under Log Files, please download and zip those and send the file to the same email address above. Please include your forum username in the subject.

Thanks!

Hi @parakeet,

After doing some retesting, it looks like your original configuration should be working. If you’re taking the IP address ranges straight from the JSON file, they’re not going to work as the IPv6 addresses need to be formatted to match what is required by the parser: https://www.wordfence.com/help/firewall/options/?utm_source=plugin&utm_medium=pluginUI&utm_campaign=docsIcon#whitelisted-ips

Hi @parakeet,

I discussed your use case with the team, and the general recommendation is that you remove xmlrpc.php from the “access these URLs” block, as xmlrpc.php is protected by the brute force protection rules that also protect the login page. However, if you want to proceed with having xmlrpc.php explicitly blocked, you can do so and then go to Firewall > Firewall Options > Advanced Firewall Options and enter the AWS IPs to whitelist in the “Whitelisted IP addresses that bypass all rules” field. You will need to keep in mind that the AWS IP addresses listed in that json file can change, so you will need to keep that in mind when troubleshooting external service issues.

Let us know if you have any further questions!

Hi @jayrenn,

The first error message is the include in Line 305 in wp-settings.php:

// Load active plugins.
foreach ( wp_get_active_and_valid_plugins() as $plugin ) {
        wp_register_plugin_realpath( $plugin );
        include_once( $plugin );
}

The strpos() call in the WP core function plugin_basename() in Line 658 of plugin.php is:
`foreach ( $wp_plugin_paths as $dir => $realdir ) {
if ( strpos( $file, $realdir ) === 0 ) {
$file = $dir . substr( $file, strlen( $realdir ) );
}
}`

$realdir is from the global $wp_plugin_paths, and that’s the missing “needle” in the message —$realdir shouldn’t be empty when loading plugins.

For each of the places where you snipped the path, could you confirm that those paths are valid? It is possible that Wordfence is the first plugin loading and causing the first error message. However, if the paths are valid, since the file failing to load is a Wordfence file the issue would likely not Wordfence-specific. In that case, it seems likely that another plugin or mu-plugin is loading part of WordPress too soon.

• This reply was modified 6 years, 4 months ago by wfchar. Reason: formatting