wfmargaret

Hi @thebusinesscat,

Thanks for following up. Do you still see the same message under Wordfence > Tools > Diagnostics > Connectivity > Connecting back to this site? If so, please reach out to Cloudbric to ensure the site’s IP is allowlisted and that it can connect back to itself without needing to pass their browser verification.

Thanks,
Margaret

Hi @particulartastes,

Thanks for reaching out. I’m sorry your site’s been hacked.

It sounds like you may need to clean the site or at least follow the checklist here: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

It might also be a good idea to review any cron jobs configured on the server.

Make sure to get all your plugins and themes updated and update WordPress core too. If you are on an older branch (WordPress 4.x etc) because you wanted to wait before installing the latest version because of Gutenberg or a custom theme compatibility you still need the latest update in that version. Those can be found here: https://www.ads-software.com/download/releases/

WordPress sometimes patches their older releases if they find a vulnerability so make sure to update your version if needed. We, of course, recommend that you update to the latest version.

As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP,  WordPress admin users, and database. Make sure to do this.

Additionally, you might find the WordPress Malware Removal section in our free Learning Center helpful.??

If you are unable to clean this on your own there are paid services that will do it for you.? Wordfence offers one and there are others.? Regardless if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.?

Thanks,
Margaret

Hi @thebusinesscat,

Thanks for sending the diagnostics! When you allowlisted our IPs, did you also allowlist your site’s IP address as well? The site needs to be able to connect back to itself, however, it’s currently being presented with a browser verification from Cloudbric. The Cloudbric browser verification is preventing the connection from being made normally. You can see this in Wordfence > Tools > Diagnostics > Connectivity > Connecting back to this site.

Once you’ve allowlisted the site IP and the site can connect normally, please run a new scan. Let me know how it goes!

Thanks,
Margaret

Hi @kampot888,

Thanks for reaching out. Those files wouldn’t be standard WordPress file locations, so if you are seeing a number of access attempts, it would be safe to add those IPs to the blocklist when they access those URLs. You can configure this at Wordfence > Firewall > Manage WAF > Immediately block IPs that access these URLs.

You can find more information on this setting, along with some examples, here: https://www.wordfence.com/help/firewall/options/#immediately-block-urls

Please let me know if you have any questions!

Thanks,
Margaret

Hi @drauth,

Thanks for reaching out. First, head over to Wordfence Central and go to the?Connection Issues tab. Clear out any sites that appear in here.

Now go to your site and log in as an admin. Navigate to?Tools > Diagnostics > Other Tests > Clear all Wordfence Central connection data. Clear the connection data and then from the Wordfence Dashboard, click on “Connect this site” in the Wordfence Central widget.

https://www.wordfence.com/help/central/connect/#troubleshooting-connection-issues also has some troubleshooting steps you could follow.

Let me know how you get on!

Thanks,
Margaret

Hi @myhero,

Thanks for reaching out. When placing the error, Wordfence looks for particular selectors used by WooCommerce and WordPress. We use only unique selectors to avoid issues with compatibility and to ensure that Wordfence scripts only load where they absolutely have to. If your theme doesn’t use these selectors, the error may be misplaced.

To check for any JavaScript conflicts, can you use your Browser Console to see if you can detect any JavaScript errors or files that fail to load? If you see any red text in the console, please take a screenshot of it and send it to me, along with your site URL.

If you’d like to send those privately, please email us at wftest @ wordfence . com. Please add your forum username in the subject and respond here after you have sent them.

Thanks,
Margaret

Hi @thebusinesscat,

Thanks for reaching out. The site shows a 403 error for me currently. If on your configuration there’s an external load-balancer or firewall that is stopping the connection test between your site and our servers, you may need to add your site’s IP address (found in?Wordfence > Tools > Diagnostics > IP(s) used by this server) to its allowlist along with ours, which can be found here:?https://www.wordfence.com/help/advanced/#servers-and-ip-range

If this doesn’t help, please do the following for me:

• Stop any running scan by pressing the STOP SCAN button.
• Click on Scan Options and Scheduling.
• In Performance Options, set Maximum execution time for each scan stage to 20.
• In Advanced Scan Options, enable the option Use only IPv4 to start scans.
• Hit the SAVE CHANGES button.
• Go to Wordfence > Tools > Diagnostics and expand the Debugging Options section.
• Enable the option Enable debugging mode.
• Disable the option Start all scans remotely if it is enabled.
• Hit the SAVE CHANGES button.
• Start a new scan.
• Copy the last 20 lines or so of the activity log (click the “Show Log” link) once the scan finishes and paste them in this post.

Remember to disable Enable debugging mode after you have finished.

Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

Thanks,
Margaret

Hi @snarf5,

Thanks for reaching out. If the site can’t connect to our servers or to itself, it will prevent scans from completing. Please ensure the site can both make and accept connections and that the SSL certificate in use is up-to-date. If you have a shell on the server, try running?curl -v https://noc1.wordfence.com/?and send us the output. You may need your network administrator or host to perform this check – ultimately to see whether communications to our server are being blocked.

Please also do the following for me:

• Stop any running scan by pressing the STOP SCAN button.
• Click on Scan Options and Scheduling.
• In Advanced Scan Options, enable the option Use only IPv4 to start scans.
• Hit the SAVE CHANGES button.
• Go to Wordfence > Tools > Diagnostics and expand the Debugging Options section.
• Enable the option Enable debugging mode.
• Disable the option Start all scans remotely if it is enabled.
• Hit the SAVE CHANGES button.
• Start a new scan.
• Copy the last 20 lines or so of the activity log (click the “Show Log” link) once the scan finishes and paste them in this post.

Remember to disable Enable debugging mode after you have finished.

Then, can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

Thanks,
Margaret

Hi @sarahtopfstaedt,

Thanks for reaching out!

From the error message, it looks to me like?curl_exec()?can’t run because it isn’t enabled on your current version of PHP. If you can modify the extensions included in your PHP installation, please enable cURL. Otherwise, please reach out to your host to enable cURL on your behalf.

Please let me know if you have any questions!

Thanks,
Margaret

Hi @minterrors,

Thanks, I hope your weekend was long and relaxing as well!

Regarding the memory error, this error means that the site needed more memory than the maximum amount of memory the site is currently allowed. Please try setting memory_limit to at least 256M in php.ini or .user.ini. Next, ensure WP_MEMORY_LIMIT in wp-config.php is at least 256M to mirror the other change, as similar issues can be caused by timeouts or memory being maxed out during scans or periods of heavy activity on your site.

Thanks,
Margaret

Hi @crazyhamster,

If you’re receiving true DDoS, or at the very least a huge increase in attempted page views, protection at the server’s end such as Cloudflare (as one example)?should?be the most effective solution. I say this because Wordfence is an endpoint firewall, so can catch/restrict/block users using?Brute Force?or?Rate Limiting?settings after PHP loads but, when optimized, before the point your site tries to host content to them. Restrictions therefore are possible, but it can’t stop the requests from initially hitting your site, even if it ends up blocking them.

Think of the visitor’s journey through various layers of protection. When they reach your server, they’ll first pass the server firewall, then they’ll access the web server, and then request a specific page. When they request the page, Wordfence will then be loaded, review the visit, and determine a response. In this case, it returns a 503 response (the Wordfence block page) to block the visitor. It’ll continue to return a 503 response every time it sees a visitor from the blocked IP until the block expires.

While Wordfence is effective at blocking unwanted visitors and preventing malicious activity on the site, it can’t prevent them from reaching the web server in the first place. Instead, it serves a block page that stops access to your content and unwanted actions. To block unwanted traffic at the outset, a server-side solution is essential, as it screens traffic before it reaches your web server.

Please let me know if you have any questions,
Margaret

Hi @crazyhamster,

Thanks for reaching out.

In your access logs, a 503 is being returned. ?This is the Wordfence firewall at work blocking the attacker. ?When optimized, the Wordfence Firewall will significantly reduce the resources used by each blocked request made to your site.

However, as a web application firewall, while Wordfence can prevent access to the site content, it can’t prevent bad actors from accessing the server altogether.?Consider implementing a firewall or DoS mitigation service before the server to prevent the attacker from hitting the server altogether.

Please let me know if you have any questions!

Thanks,
Margaret

Hi @minterrors,

Thanks for following up. Since your MySQL permissions are normal, the table shouldn’t grow in size after each scan. Please try a few scans in a row to double-check this, and let me know if you see the size doubling each scan or if it remains roughly the same.

These two tables track the files that are scanned to check for modified files. Please check over your site to see what folders contain a large number of files. It’s possible your cache plugin stores cached files somewhere else, or that the backup plugin may be storing the backup files inside of the site. The easiest way to check this depends on your host, but if you have access to a tool such as phpMyAdmin, you could check the tables themselves to see what files are being tracked.

Because servers and sites can vary a lot, there is no hard maximum on these tables, as they’re tracking any files that are scanned. I recommend reviewing your site’s structure closely to see what files on the site are being scanned.

Let me know if you have any questions!

Thanks,
Margaret

Hi @samuelroguez,

Thanks for reaching out. Outside of the suggestions from @generosus, please double-check that your site’s IP is allowlisted in the Cloudflare firewall. You can find our guides for this process here:
https://www.wordfence.com/help/advanced/compatibility/

If your host doesn’t support IPv6, please make sure to enable Use only IPv4 to start scans (as mentioned by @generosus in step 5) in Wordfence > Scan > Scan Options and Scheduling > Advanced Scan Options. A site may try to connect to itself using IPv6 when using Cloudflare, which can cause timeouts during Wordfence scans if the host does not support outbound IPv6 connections.

If your scans are still failing after checking those settings, I’d like to get a debugging log and diagnostics report from you.? If you could do the following steps for me:

• Go to the Wordfence > Tools > Diagnostics page
• In the “Debugging Options” section check the circle “Enable debugging mode”?
• Click to “Save Changes”.
• CANCEL any current scan and start a NEW scan
• Click the “Email Activity Log” link once the scan finishes and send that to wftest @ wordfence.com and respond here after you have sent it.

Wordfence > Tools > Diagnostic > Debugging Screenshot

This will help me see exactly what is happening when the scan fails.

Then, can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

Let me know if you have any questions!

Thanks,
Margaret

Hi @minterrors,

The TRUNCATE TABLE command would do the trick, as it empties the table completely without removing it. Since you’re not familiar with MySQL, I urge you to make a backup of your database before doing anything, as removing data can cause errors if done incorrectly.

Please keep in mind this table is regenerated when a scan occurs, and removing the table will prevent Wordfence from properly checking for modified files between scans. If it’s not possible to reduce the amount of scanned files, please check to see if there’s a way to exclude this table’s data from the backup rather than removing it entirely.

Please let me know if you have any other questions or concerns!

Thanks,
Margaret