wfpeter
Forum Replies Created
Hi @lcaines100, there should absolutely be ways in which you can clean your site to gain back full control.
Generosus helpfully included our site cleaning instructions, which would be in our recommendations as we’re unable to walk customers through this process ourselves on an individual basis here. Additionally the WordPress Malware Removal section in our free Learning Center may be helpful to you during this time.
If you’re unable to clean this on your own, we do offer paid services but are unable to discuss those here – also keep in mind that site cleaning services are available from other sources too. Please contact presales @ wordfence . com if you’d like to discuss things further.
Make a full backup of the site before making any changes yourself, or letting somebody else take a look.
Make sure all plugins and themes are up-to-date and that WordPress core is on the latest version. We always recommend that you update your passwords for your hosting control panel, FTP, WordPress admin users, and database in order to cover the key access points where somebody could change or upload things on your site. Make sure to do this! Naturally we’d recommend strong passwords with 2FA where possible in the long-term, so something to consider once you’ve dealt with the issue at hand.
Also make sure to check for administrative users you don’t recognize in WordPress > Users > All Users, just in case there is anything suspicious there. Delete any that you know shouldn’t have this kind of access to your site.
If you find anything that you’re suspicious of but isn’t being picked up in scans or you’re just unsure, you can send files/code to samples @ wordfence . com. If you do, just make sure to remove any database credentials or keys/salts in any files you do send over. Our team can help advise if it’s something to be concerned about, and which steps to take next.
Many thanks,
Peter.
Hi @lubos55, thanks for getting in touch.
As Generosus provided our site cleaning instructions, I will just highlight some additional details. You might find the WordPress Malware Removal section in our free Learning Center helpful too.
Make sure all of your plugins and themes are up-to-date and that WordPress core is on the latest suitable version. Any time someone thinks their site has been compromised, we recommend to update passwords for hosting control panels, FTP accounts, WordPress admin users, and the database in order to cover the key access points where somebody could change or upload things on your site. Make sure to do this!
Check for administrative users you don’t recognize in WordPress > Users > All Users, just in case there is anything suspicious there. Delete any that you know shouldn’t have this kind of access.
If you find anything that you’re suspicious of but unsure what to do next, you can send files/code to samples @ wordfence . com. If you do, just make sure to remove any database credentials or keys/salts in any files you do send over. Our team can help advise some steps from there.
Whether you choose to follow our guides yourself, or let someone else take a look, we recommend that you always make a full backup of the site beforehand.
Many thanks,
Peter.
Hi @jglazer63, thanks for reaching out.
As Generosus said above, you can by all means revert to Wordfence’s reCAPTCHA if you’re using the default registration/login screens for WordPress and/or WooCommerce. There should certainly be some benefit to disabling XML-RPC as you’ve already done but if you’re finding that registrations still come through, Wordfence’s Brute Force or Rate Limiting features may help too. Traffic may be targeting the site itself rather than XML-RPC so it’s good to time the IPs out for a period. The settings are explained in more detail by using the links provided.
Many thanks,
Peter.
Thanks @generosus for the suggestion, I’ve forwarded it to the team to check out in closer detail. Naturally as you know I can’t follow-up on these requests but I’ve already put it forward before responding here.
Peter.
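The replies above ask for database credentials and keys/salts to be removed from any file sent in as a sample. One way to do that for a wp-config.php-style file, as an added example that is not part of the original replies and is not Wordfence code; the `redact` and `is_secret` helpers and the rule that a constant is sensitive when its name starts with `DB_` or ends in `_KEY`/`_SALT` are assumptions made for this sketch:

```python
import re
import sys

# Assumption: a constant is sensitive if it starts with DB_ or ends in _KEY/_SALT.
def is_secret(name):
    return name.startswith("DB_") or name.endswith(("_KEY", "_SALT"))

# Matches define( 'NAME', 'value' with either quote style and escaped quotes.
DEFINE_RE = re.compile(
    r"""(define\(\s*(['"])(?P<name>[A-Za-z_][A-Za-z0-9_]*)\2\s*,\s*)"""
    r"""(?P<q>['"])(?P<value>(?:\\.|(?!(?P=q)).)*)(?P=q)""",
    re.DOTALL,
)

def redact(source):
    """Return (redacted_text, [names whose values were replaced])."""
    found = []

    def _sub(match):
        name = match.group("name")
        if not is_secret(name):
            return match.group(0)  # non-sensitive constant: leave untouched
        found.append(name)
        quote = match.group("q")
        return f"{match.group(1)}{quote}REDACTED{quote}"

    return DEFINE_RE.sub(_sub, source), found

# Constructed sample input, not taken from any real site.
SAMPLE = r"""<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define("DB_PASSWORD", "p@ss\"word");
define( 'AUTH_KEY', 'constructed-key-value' );
define( 'WP_HOME', 'https://example.test' );
define( 'WP_DEBUG', false );
"""

if __name__ == "__main__":
    # With a path argument, redact that file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    cleaned, names = redact(text)
    sys.stdout.write(cleaned)
    print("redacted:", ", ".join(names), file=sys.stderr)
```

Read the output through before sending it: credentials stored outside `define()` calls, such as in plugin settings or hard-coded strings, are not covered by this pattern.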
Hi @decwodie, thanks for getting in touch.
If you still receive this result after running another scan, it has been seen from time-to-time that there are issues with the WordPress core update process not completing fully, with file access permissions on your server, or with something that just temporarily failed when the update was done.
For example, WordPress 6.6 had some files not flagged for removal as they should have been. It was corrected for the next release.
Make sure to back up your site first if you attempt to delete the listed files yourself. Alternatively, you can exclude results for “Old WordPress core file not removed during update” from future scan results in Wordfence > Scan by selecting Ignore > Ignore Until File Changes next to the result. This will ignore the file until further modifications are detected or a future WordPress update removes them.
Many thanks,
Peter.
Hi @miroslavglavic, thanks for getting in touch.
There’s no need to pause or disable Wordfence. The issue happened on Wednesday and was due to the process that mirrors new core releases not completing normally and stopping halfway. The issue was fully resolved soon after, we have additional alerting in place in case it occurs again and we’re refactoring the code that runs this process to make it far more robust.
Subsequent automatic or manual scans should no longer show the files as unknown. We have some documentation on these scan results here in general for reference, and restoring deleted or repaired files from a backup if the site has issues is the best option: https://www.wordfence.com/help/scan/scan-results/#unknown-file-in-wordpress-core
Please also check the following topic: Check or Subscribe to the Wordfence status updates
Many thanks,
Peter.
Hi @labaticuevatienda, thanks for including the scan log.
When it seems to just stop without a termination message, a timeout is still a possibility. When using Litespeed, for example, noabort code usually needs to be added to prevent communication stopping abruptly during scans.
If that’s not the case, visit the Wordfence > Tools > Diagnostics page. You can send the output to us at wftest @ wordfence . com. Click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.
NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email
We may be able to see settings or responses that might point to the cause.
Thanks,
Peter.
Hi @mari68,
wp-includes/js/imgareaselect/imgareaselect.min.js is a legitimate file present in my installation and the repository but imgareaselect.min.css is not.
If you delete it and it returns, the cause may be an optimization/site speed plugin but it’s generally not good practice to add files to WordPress core as they will be flagged as differences from the repository versions by Wordfence.
Many thanks,
Peter.
Hi @spig707, thanks for your message.
As you’ve already set the trusted proxies and IP detection according to our documentation, I think it’d be worth sending a diagnostic over to us. If we see that there’s no visitor IP being passed by your host for any of the options, they may have to intervene – but it could be another issue.
Visit the Wordfence > Tools > Diagnostics page. You can send the output to us at wftest @ wordfence . com. Click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.
NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email
Thanks,
Peter.
Hi @kcgeorge, thanks for reaching out.
We will automatically collect and log legitimate files for repository plugins and WordPress itself, but with off-repo files for paid/pro versions we don’t get the same updates or notifications. It does look like an issue that has arisen due to this kind of problem by the reason given in the scan.
I would recommend pasting the helpful information from your post above to wfi-support @ wordfence . com to reach our team to see if we can find a solution for you. For anybody finding this topic, that’s for Wordfence Intelligence only and is not available for plugin support queries.
Many thanks,
Peter.
That’s okay @les-m,
When you no longer have access to your 2FA recovery codes either, follow these steps:
- Please use FTP/SFTP — or any file manager your web host provides via their administration panel.
- Look inside the /wp-content/plugins/ directory and rename the wordfence directory to wordfence.bak. This will deactivate Wordfence and allow you to login without the 2FA code.
- Once you have logged in to your WordPress admin you can name the folder back to wordfence again.
- Go to your user profile and add 2FA back to your account, making sure to download the new backup codes in case of problems in the future.
Many thanks,
Peter.
Hi @cefabricationaz, thanks for reaching out!
I’ve never seen our Login Security features cause email issues as our reCAPTCHA is only required to be passed by a browser visitor at the default login/registration pages on WordPress or WooCommerce. If you’ve correctly set up reCAPTCHA with the keys in Wordfence, and Google is configured to allow reCAPTCHA v3 on your domain, you should see the logo displayed on your site.
Emails from WordPress (including Wordfence alerts) come from your site and not our servers so if you’ve already checked spam folders and possibly marked your domain as a safe source, take a look at the following:
- Usually, a restart of postfix or sendmail (whichever is installed on your server) can fix it. Your hosting provider may have access to logs if you don’t and could help with this.
- If you have a third party plugin for sending emails with another service, like Gmail, it could be failing. Reaching out to the plugin author for support can help, but again there may be logs that can help you figure out what’s going wrong yourself.
If your emails only work when Wordfence is disabled, but stop when you reenable it, take a look at your Live Traffic (after trying to send an email again so it appears at the top of the list) to see what the reason given for any blocks is. This will be in red text after expanding the entry by clicking the line itself, or eye icon in the corner.
Many thanks,
Peter.
Hi @pixee22,
I’ll be happy to look into this further, but 3.11.10 seems to be the patched version whereas 3.11.9 and below are flagged. Is the detection of your “current plugin version” at 3.11.2 (which is in the unpatched range) incorrectly detected? Independently of Wordfence, what version is being displayed on your WordPress > Installed Plugins page?
Sometimes with non-repository plugins the responsibility is with the developer to correctly report the version number to WordPress – which Wordfence uses during its scans.
Many thanks,
Peter.
Hi @slamchez, thanks for your detailed description of what you’re seeing.
I think if you’ve already tried clearing caches, could I just ask if you still experience the missing button when Wordfence is the only enabled plugin? Even though it seems like a platform/browser correlation, there’s a chance that a JavaScript conflict from another plugin’s code could be handled better or ignored/unsupported on some browsers where it’s not happening. It would be good if we could rule this in/out.
Many thanks,
Peter.
Hi @giannisdigitup, thanks for getting in touch.
We don’t currently permit wildcards in the Allowlisted URLs created either manually or via Learning Mode. This sounds to me like a case where the unique IDs in every submission may be stopping the save operation, although the role may have something to do with it if they have elevated permissions over the defaults.
If Wordfence is blocking the custom product edits, the attempts will be logged in Live Traffic at the time you tried to submit the form. If there is a block, check the red block reason after expanding the entry with the eye icon in the corner. You can filter Live Traffic by “Blocked” so it’s easier to find. You may find a specific firewall rule or Wordfence setting stated here after expanding the entry as the reason is shown in red text.
If the Live Traffic entry doesn’t point to a clear fix you can try immediately, please let us know the block reason with any other relevant information from the block so we can try to assist further. It may also be helpful to know if you’re using a plugin to edit your homepage such as Elementor, etc.
Thanks,
Peter.