[Defender Pro] Defender finding suddenly lots of suspicious directories

Defender jumped from 8 to 33 "suspicious files" in its reporting - it is a MU installation, and my sense is that these are false positives. Are you aware of these issues with Defender, that it isn't really compatible with the latest WP update, i.e. returning "false positives"?

  • Nithin
    • Support Wizard

    Hi Peter,

    What Defender Pro File Scanning does is scan the whole site and list out files which aren't part of the default WordPress core.

    Defender is compatible with the latest version of WordPress, and such files will only be listed in the above use case. There could be files which might be generated by plugins etc. which would be a false positive; however, it's tough to say whether it's a false positive or not without checking the dashboard.

    Could you please grant support staff access so that we could take a closer look. You can grant access from WPMU DEV > Support > Support Access > Grant Access, or check this manual: https://premium.wpmudev.org/docs/getting-started/getting-support/#chapter-5

    Please let us know once you enable access so that we could get this sorted. Have a nice day.

    Kind Regards,
    Nithin

  • Nithin
    • Support Wizard

    Hi Peter,

    Thanks for enabling support access. I took a closer look, and it seems more like a false positive. It seems like where the current WordPress site is installed, there are many WordPress websites, and custom folders with HTML files present in the root directory.

    It's quite common for Defender Pro to list out such folders, and custom folders present inside the root directory which aren't part of Core WordPress files, so that the admin can manually check these files for any issues.

    If you can confirm these directories are created by you, it should be fine. Files like php.ini and php_errorlog seem to be server-side.

    Then there is a file called evalmath.class.php which seems to be part of Moodle:
    https://github.com/moodle/moodle/blob/4efc3d4096bc1d29e9d77f9af7194b2babfa2821/lib/evalmath/evalmath.class.php

    I suppose these are added by you?

    Other than these files, most of the directories have WordPress installed, and the rest of the folders, for example "lospelicanos" etc., seem to have custom PHP files and txt files which look like they were created on your side. Since there isn't any way to read the content of the files inside a folder via the Dashboard, I couldn't check the content of these files.

    You can delete any unwanted folders or files from the root directory if needed and can mark the important folders, and files as "Ignore" in Defender Scan results, so it wouldn't be listed again.

    Please do let us know if you need us to check further regarding any of the files reported in the File Scan if required. Have a nice day ahead.

    Best Regards,
    Nithin
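The comparison Nithin describes (list whatever is not part of the core file set, then let the admin mark known-good entries as "Ignore") as an added Python sketch; this is not Defender's own code, and CORE_FILES plus the throwaway site layout in demo() are constructed stand-ins for the real core checksum list and the site root in this thread.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for the WordPress core file list (path -> content);
# a real scanner compares against the published core checksums instead.
CORE_FILES = {
    "wp-load.php": b"<?php // core loader\n",
    "wp-includes/version.php": b"<?php $wp_version = '6.0';\n",
}
CORE_MANIFEST = {p: hashlib.sha256(c).hexdigest() for p, c in CORE_FILES.items()}


def scan(root: Path, manifest: dict, ignored: set) -> dict:
    """Sort every file under root into unknown / modified / missing.

    unknown:  on disk but not in the manifest (custom folders, plugin
              files, php.ini ... the entries this thread calls false positives)
    modified: a core path whose hash no longer matches the manifest
    missing:  a manifest path with no file on disk
    Relative POSIX paths in `ignored` are skipped, like Defender's "Ignore".
    """
    result = {"unknown": [], "modified": [], "missing": []}
    seen = set()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel in ignored or any(rel.startswith(d + "/") for d in ignored):
            continue  # whole ignored folders are skipped too
        seen.add(rel)
        if rel not in manifest:
            result["unknown"].append(rel)
        elif hashlib.sha256(path.read_bytes()).hexdigest() != manifest[rel]:
            result["modified"].append(rel)
    result["missing"] = sorted(p for p in manifest if p not in seen | ignored)
    return result


def demo() -> dict:
    """Throwaway site root resembling the thread: core + custom + server files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in CORE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        (root / "php.ini").write_bytes(b"memory_limit = 256M\n")  # server-side
        (root / "lospelicanos").mkdir()  # custom folder named in the thread
        (root / "lospelicanos" / "index.php").write_bytes(b"<?php echo 1;\n")
        (root / "wp-load.php").write_bytes(b"<?php // tampered\n")  # modified core
        return scan(root, CORE_MANIFEST, ignored={"php.ini"})
```

Only "modified" entries point at actual core tampering; "unknown" entries are exactly the custom folders and server files the thread discusses, which is why an ignore list is needed to keep them out of later scans.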

  • Peter
    • Flash Drive

    Excellent support, Nithin, your assumptions sound logical and put me a bit at ease. I didn't want to go through all those folders right now, but yes, they are all created by me.

    As you noticed so astutely, the moodle file does not make sense: I do not use moodle, and the only reference I can think of is that for many, many months I keep getting emails from moodle, which treats me as if I was a student in one of their systems. I would like to eliminate anything having to do with moodle. - Can you guide me to that file, or, just go ahead and delete it?

    THANK YOU FOR YOUR EXCELLENT SUPPORT!

    Peter

  • Peter
    • Flash Drive

    PLEASE READ FIRST - IMPORTANT!

    Just found out that the evalmath.class.php is a legitimate file, DO NOT DELETE IT!

    TRULY appreciate your support, here is what I found about that file:

    No worries, this warning is a false alarm.

    The evalmath.class.php is a legitimate file and has been part of TablePress for several years now. It contains the code that is responsible for parsing math formulas in tables.
    For that, the file also uses the eval() and unpack() PHP functions. While these might be useful for hackers, they also have legitimate use here. The code is taking precautions to only pass valid parameters to the functions, so that they cannot be abused.

  • Nithin
    • Support Wizard

    Hi Peter,

    I haven't made any changes there. Thanks for updating further details regarding this. Since the file is part of TablePress, the mentioned file should be good too; you can mark it as a false positive by clicking the "Ignore" button, so it won't get listed again in a new Defender scan.

    Please do let us know if you have any further queries regarding this. Have a nice day ahead.

    Kind Regards,
    Nithin
