[Defender Pro] Scan file repository when suspicious code is found

I have 10 to 30 false positives per site right now because Defender started marking all plugins that use eval(). In all these cases I have looked at the source code from the repository, and found that these lines are as they were intended to be. It would save some time (and some panic) if Defender marked them as Insecure rather than Suspicious. I woke up yesterday thinking all my hosting accounts were compromised. Now I still have to go to each site and bulk ignore if I am going to get Defender to alert me of real problems.

  • Myke
    • Flash Drive

    I’ll see if I can carve out some time for that today.

    It would be a lot easier if we could see all these things from the WPMUdev dash. This, especially since I have masked all my login areas and WPMUdev’s dash does not seem to know where they are (even though they are masked through Defender).

  • Adam Czajczyk
    • Support Gorilla

    Hi Myke

    I think by “WPMUdev dash” you mean The Hub rather than the WPMU DEV Dashboard plugin? I’m assuming that because you mentioned that it “does not seem to know where they (masked logins) are” and that’d be something that actually applies to The Hub.

    We’re working on changes to how this works, so in future even the masked login shouldn’t be an issue when logging in directly to the site’s back-end from The Hub. But the communication between the site and The Hub happens through the API and isn’t related to login masking. The security tab in The Hub gives a basic summary of the issue but you’re right – there are no details until you actually head on to the site itself. We’ll be improving the “informational” aspects of The Hub though with (and after) the 2.0 release, which is coming up soon. Hopefully that will make things much easier for you over time 🙂

    As for now, once you get a chance, please let us know about those plugins and issues (as asked by my colleague Predrag) and we’ll look into it.

    Best regards,

    Adam

  • Myke
    • Flash Drive

    Here are a few of them:

    /plugins/accelerated-mobile-pages/pagebuilder/modules/code-module.php

    /plugins/custompress/ui-admin/export.php

    /plugins/LayerSlider/wp/actions.php

    /plugins/media-library-assistant/includes/class-mla-polylang-support.php

    /plugins/media-library-assistant/includes/class-mla-settings.php

    /plugins/my-custom-functions/inc/php/functional.php

    Also, this file is giving a false positive on all websites (Wordfence is also doing the same though):

    /wp-admin/includes/class-wp-site-health-auto-updates.php

  • Predrag Dubajic
    • Support

    Hi Myke,

    It seems that everything is OK on the plugins’ end, but eval() is often misused and can cause security issues, and that’s why it’s reported by Defender even if it’s included in the original code.

    It’s best to investigate those reports to be sure that eval() is used in the correct way and that it doesn’t make your site vulnerable.

    Also, this file is giving a false positive on all websites (Wordfence is also doing the same though):

    /wp-admin/includes/class-wp-site-health-auto-updates.php

    Can you tell me which report you are getting for this file?

    I tested two of my installations and Defender is not showing any reports for this file for me.

    If you are hosting your sites with GoDaddy and getting a report that the file is changed, that’s because they are editing that file on their hosting and it will no longer match the core file provided with the default WP installation, and Defender (and Wordfence) will report such changes.

    Best regards,

    Predrag

  • Myke
    • Flash Drive

    I think you are right. I am only finding it on sites that are on GoDaddy, or sites that have been migrated from GoDaddy. They have remarked out two lines.

    public function run_tests() {
        $tests = array(
            $this->test_constants( 'DISALLOW_FILE_MODS', false ),
            # $this->test_constants( 'AUTOMATIC_UPDATER_DISABLED', false ),
            $this->test_constants( 'WP_AUTO_UPDATE_CORE', true ),
            $this->test_wp_version_check_attached(),
            $this->test_filters_automatic_updater_disabled(),
            $this->test_if_failed_update(),
            $this->test_vcs_abspath(),
            $this->test_check_wp_filesystem_method(),
            # $this->test_all_files_writable(),
            $this->test_accepts_dev_updates(),
            $this->test_accepts_minor_updates(),
        );

  • Myke
    • Flash Drive

    BTW – When I choose “ignore file”, is that treated like Wordfence where it is ignored until it is changed again? The lack of that wording in Defender makes it seem like it is permanently ignored. I’d much prefer they be ignored until they change again.

  • Adam Czajczyk
    • Support Gorilla

    Hi Myke

    Thanks for the confirmation!

    The issue with GoDaddy and the like is that by changing some files they are making them different from the standard core, and while that’s done for some reason, it’s not really in compliance with WP standards. It’s also difficult, if not impossible, to include all those possible “exceptions” (from GoDaddy and possibly other hosts) because nobody actually shares any “changelog” or up-to-date information on what, where, when and why was changed – so it takes a kind of “reverse engineering” to find out about these changes, and keeping it all up to date would be basically an “endless effort”.

    In the case of GoDaddy it’s a known thing that the changes are there, so I’d honestly suggest just marking them to be ignored. The plugin will ignore only these particular changes, so if e.g. some new unexpected “eval’d” code gets into the file – it should be reported again, pointing to that new code.

    Best regards,

    Adam
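
A sketch of the triage discussed in this thread, added here as an example and not Defender's or Wordfence's code: eval() lines that also exist in the repository copy are labelled insecure, lines missing from it are labelled suspicious, and an ignore applies only to the exact line that was ignored. The file contents, the path and all function names are constructed for illustration.

```python
import hashlib
import re

EVAL_RE = re.compile(r"\beval\s*\(")

# Constructed samples: a repository copy, and an installed copy with one extra line.
PRISTINE = """<?php
function run_snippet( $code ) {
    return eval( $code );
}
"""
INSTALLED = PRISTINE + "eval( $injected );\n"

def eval_lines(source):
    """Return the stripped source lines that call eval()."""
    return [ln.strip() for ln in source.splitlines() if EVAL_RE.search(ln)]

def fingerprint(path, line):
    """Identify one finding by file path plus the exact flagged line."""
    return hashlib.sha256(f"{path}\0{line}".encode()).hexdigest()

def triage(path, installed, pristine, ignored=frozenset()):
    """Classify every eval() line of the installed file.

    'insecure'   -> the line also exists in the repository copy
    'suspicious' -> the line is absent from the repository copy
    Findings whose fingerprint is in `ignored` are skipped.
    """
    upstream = set(eval_lines(pristine))
    findings = []
    for line in eval_lines(installed):
        fp = fingerprint(path, line)
        if fp in ignored:
            continue
        label = "insecure" if line in upstream else "suspicious"
        findings.append((label, line, fp))
    return findings

def demo():
    path = "plugins/example-plugin/runner.php"  # hypothetical path
    first = triage(path, INSTALLED, PRISTINE)
    # Ignore the author's own eval(); the added line must still be reported.
    ignored = {fp for label, _, fp in first if label == "insecure"}
    second = triage(path, INSTALLED, PRISTINE, ignored)
    return [f[0] for f in first], [f[0] for f in second]

if __name__ == "__main__":
    print(demo())
```

Because the ignore list is keyed on the flagged line itself, an eval() line that appears in the file later gets a new fingerprint and is reported again.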
