Defender Multisite issue warning inconsistencies

Hi

I am running Defender on a multisite setup and I am wondering why Defender gives inconsistent warnings in the mails it sends out. For some of my sites it flags wordfence-waf.php as a non-WordPress core file (technically correct, but still an annoyance, as it's legit) + a warning for an "insecure function" in wordfence-class.php (probably the base64_decode).
For other subsites there only is the warning about wordfence-waf.php, and for my main site the mail comes back with congratulation, no issues found. Which is kind of odd, as all these messages are referring to the same multisite install - something I would not expect from a company who calls itself "the multisite" experts.
From my point of view the ideal solution would be to get only one email in case of a multisite install, because all the files are shared anyway and it is a real annoyance to sift through 100+ emails every day that come from the different sub sites of my multisite install.

Mike

  • Luís
    • Support

    Hi videomike ,

    Hope you're doing well today!

    Firstly, sorry for my late reply and all the problems it may have caused.

    After speaking with the developer: we have had some reports regarding the false alarm given about the "wordfence-waf.php" file; the developer is aware and is working on a way to avoid it.

    From my point of view the ideal solution would be to get only one email in case of a multisite install, because all the files are shared anyway and it is a real annoyance to sift through 100+ emails every day that come from the different sub sites of my multisite install.

    It works that way: in each scan you should receive only one email regarding the network. Are you receiving an email from each subsite?

    Cheers, Luís

  • mbitcon
    • Problem solver

    Hello Luis

    Thank you for your reply. Looking forward to an update with the word fence issue resolved.

    It works that way: in each scan you should receive only one email regarding the network. Are you receiving an email from each subsite?

    No it does not work that way for me - I get an email for each sub site, or at least for each sub site that uses domain mapping. As I use WPMU's domain mapping plugin I am sure this is an issue you can solve?

    Mike

  • mbitcon
    • Problem solver

    Hi, is there any news about the domain mapping and the inconsistencies?
    I keep getting my email inbox flooded with scans from the mapped domains of my multisite install.
    I can't find a pattern in how Defender determines between 0 and 2 issues found.
    For some pages it reports no issues found, for others one issue (wordfenceClass.php, /wp-content/plugins/wordfence/lib/wordfenceClass.php, "Suspicious function found", Low).
    For others 2 issues (the issue above + wordfence-waf.php, /wordfence-waf.php, "Unknown file in WordPress core").

    I need a solution for all three issues (The false positive for word fence and the inconsistencies, and the separate mails for mapped domains), as I am already thinking of switching off Defender completely again.

  • Hoang Ngo
    • Code Slayer

    videomike,

    I hope you are well today.

    For the issue with WordFence (wordfenceClass.php, /wp-content/plugins/wordfence/lib/wordfenceClass.php, "Suspicious function found", Low), I'm improving the scan engine so it can be smarter on this. However, this will be for a future release. For now, please just ignore that issue.

    The wordfence-waf.php (/wordfence-waf.php, "Unknown file in WordPress core") finding is correct, I think. The purpose of this scan is to compare the content of all your core files to a checksum list, to see whether the content is untouched or has been modified (in case someone injects bad code into your core files). Also, it can detect a file placed among your core files that should not be there.

    To turn this off, you can ignore the issue, or turn off the WP Core Integrity scan in Defender->Settings.

    For the email issue, I can't replicate it on my end. Is it OK if I place some debug code on your site? All the debugging will be silent, and a backup is required.

    I'm sorry for this inconvenience, and many thanks for your patience.

    Best regards,
    Hoang

  • mbitcon
    • Problem solver

    Hello Hoang

    Looking forward to the update. (BTW I have tried to set this issue to ignore in Defender, but that did not work).

    I see how the core integrity scan works and this approach makes sense for files that I am not aware of. But as far as I know there are a couple of other plugins that might place a file outside their plugin folder, e.g. many caching plugins.
    I don't want to switch off the WP core integrity check as I want to get alarmed about modifications of core files. As wordfence-waf.php is not a completely unknown file (it is part of the word fence package, which many users of Defender will probably run in addition).
    A possible way to solve this would be:
    1. Check whether word fence is installed.
    2. If so, have a look at their installation function for getting the wordfence-waf.php file (public function performInstallation in lib/wordfenceClass.php), get the file, create a hash from it and save that hash.
    3. On every scan compare the hash; if the hash differs, get the file again and create a new hash (as the file might have changed from a newer word fence version). If it still differs, then alarm about an unknown file.

    I know that this is quite a bit of stuff to accommodate for a plugin that could possibly be seen as a competitor. But unfortunately I have had to deal with some injected files recently and word fence has shown far more accuracy than Defender has, so I will definitely not get rid of wordfence.
    It would be nice to see that those two can play along nicely. :wink:

    Mike
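
The checksum comparison Hoang describes and the saved-hash handling Mike proposes for wordfence-waf.php can be combined as follows. This is an added example, not part of the thread and not Defender's or Wordfence's code; `regenerate` is a hypothetical hook standing in for "get the file again" from the installed plugin, and all file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(root, core, pinned, regenerate):
    """core: path -> hash from the checksum list; pinned: path -> saved hash of a
    known non-core file; regenerate(path) -> bytes the plugin would write today."""
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel.startswith("wp-content/"):
            continue  # plugins, themes and uploads are outside the core check
        actual = digest(path.read_bytes())
        if rel in core:
            if actual != core[rel]:
                findings[rel] = "core file modified"
        elif rel in pinned:
            if actual != pinned[rel]:
                if actual == digest(regenerate(rel)):
                    pinned[rel] = actual  # plugin was updated: save the new hash
                else:
                    findings[rel] = "pinned file changed"
        else:
            findings[rel] = "unknown file in core"
    return findings


def demo():
    waf_v1, waf_v2 = b"<?php // waf v1", b"<?php // waf v2"  # constructed sample data
    files = {"index.php": b"<?php // loader", "wp-includes/version.php": b"<?php // v",
             "wordfence-waf.php": waf_v2, "wp-content/cache.php": b"<?php // cache"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        core = {r: digest(files[r]) for r in ("index.php", "wp-includes/version.php")}
        pinned = {"wordfence-waf.php": digest(waf_v1)}  # hash saved before an update
        first = scan(root, core, pinned, lambda rel: waf_v2)
        (root / "wp-includes/version.php").write_bytes(b"<?php // tampered")
        (root / "wordfence-waf.php").write_bytes(b"<?php // not from the plugin")
        (root / "stray.php").write_bytes(b"<?php // dropped")
        second = scan(root, core, pinned, lambda rel: waf_v2)
    return first, second, pinned["wordfence-waf.php"] == digest(waf_v2)
```

Re-saving the hash trusts whatever the plugin directory produces at scan time, so that directory needs its own integrity check for the pinned entry to mean anything.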

  • Travis
    • Design Lord, Child of Thor

    Wondering where this is at. I too am a little bit annoyed that defender is scanning the entire directory tree for every site on my network.

    It's also annoying that it puts a huge entry in every site's post meta.

  • Hoang Ngo
    • Code Slayer

    Travis,

    It will scan all files under your WordPress root, and avoid all files in a nested WordPress install. However, if you install other platforms under your WordPress root, then it will scan all of them.

    Defender only stores 1 record at a time, so if you clean up your site, and the new scan result is OK, then all the old post meta will be removed.

    Best regards,
    Hoang

  • James Morris
    • WordPress Enthusiast

    Hello Nigel,

    The information in this thread is close to a year old and very likely outdated.

    In order to ensure that we are addressing the unique needs of your particular situation, would you be so kind as to contact one of our Support Specialists via Live Support?

    This will allow us to do some preliminary diagnostics on your site. If we cannot resolve the issue in chat, our staff will create a ticket just for you so that we're giving you individualized attention and not getting your site's issues mixed up with another member's. Also, this reduces the amount of notifications being sent to the original member's ticket.

    Thanks!

    Best regards,

    James Morris
