DEFENDER SCAN INDICATES MY WEBSITE IS HACKED!!??

Hello,

I just ran the Defender scan and I am really worried now!

The Defender scan found 14 issues.
The issue log is attached to this post.

Does this mean my site is hacked?

In this case I need urgent support and I am willing
to grant access to my WordPress.

Couple of things I am wondering about though:
wordfence-waf.php
/wordfence-waf.php
WORDPRESS CORE Unknown file in WordPress core
wordfence-waf.php
/wordfence-waf.php
WORDPRESS CORE Unknown file in WordPress core

-->Does Defender actually automatically detect Wordfence as "suspicious"
or is there actually something wrong with the Wordfence files
that has been hacked?

error_log
/wp-admin/error_log
WORDPRESS CORE Unknown file in WordPress core
-->I suppose error_log is a normal file in a WordPress installation.
Why does Defender state it as "unknown file in WordPress core?"

What about the modified files?
Is there actually something critical that indicates hackers
or are they just normal changes to the files?

Thank you for support.
Urgent support is needed!

  • Kasia Swiderska

    Hello Tuomo,

    Defender does not indicate that your site was hacked. It shows files that are not part of WordPress core and that you should check.

    -->Does Defender actually automatically detect Wordfence as "suspicious"
    or is there actually something wrong with the Wordfence files
    that has been hacked?

    Wordfence files are not part of WordPress core files and this is why Defender shows them as suspicious. In a clean WordPress installation those files wouldn't be there, hence Defender is showing them to you.
    You can ignore that. Don't remove those files though.

    -->I suppose error_log is a normal file in a WordPress installation.
    Why does Defender state it as "unknown file in WordPress core?"

    It is not a usual file. It is not created on all servers. That depends on the server configuration. When you confirm that this error log contains logs with errors then you can ignore it.

    wp-config-sample.php is often modified (I would use that file to create wp-config.php and often by mistake click save instead of save as, and then doing a manual upgrade didn't override it) - of course you should open it and see if there is no suspicious code.
    You can compare the file you have with the file that is in WordPress core.

    There is no reason to be worried before checking files. In most cases this is false positive alert.

    kind regards,
    Kasia

  • Tuomo

    Hello Kasia and Thanks for the reply!

    A few questions:

    In a clean WordPress installation those files wouldn't be there, hence Defender is showing them to you.
    You can ignore that. Don't remove those files though.

    -->does this mean everything is OK with the "Wordfence issue"?

    What does it mean there are Wordfence files in the core of WordPress and should I just ignore that?

    I am worried because you said "cleaning WordPress installation doesn't have those files there."

    What do you mean by "clean"?

    Is there something infected in my Wordpress?

    Also:

    wp-config-sample.php is often modified (I would use that file to create wp-config.php and often by mistake click save instead of save as, and then doing a manual upgrade didn't override it) - of course you should open it and see if there is no suspicious code.
    You can compare the file you have with the file that is in WordPress core.

    -->I am really not sure about how to tell whether code is suspicious or not.
    What should I do?

    About the wp-config.php
    I use the free version of Wordfence.

    I constantly receive warning emails
    about files such as wp-config.php
    being modified though I have not modified them myself.

    I also noticed there Defender recommended preventing the modifications of the WordPress core files.

    But I have always thought these files are changed when updating WordPress, updating themes or plugins.

    If I prevent changes to these files will the updates work normally?

    Thank you!

  • Kasia Swiderska

    Hello Tuomo,

    I'm sorry for the delay on our end.

    What does it mean there are Wordfence files in the core of WordPress and should I just ignore that?

    It means that the WordFence plugin adds its own files to WordPress to work correctly and provide security. If you would remove those files WordFence will stop working correctly.

    I am worried because you said "cleaning WordPress installation doesn't have those files there."

    What do you mean by "clean"?

    Is there something infected in my Wordpress?

    No. Clean means a fresh WordPress installation without any plugins and additional themes. I only meant that by clean. I'm sorry for creating confusion.

    -->I am really not sure about how to tell whether code is suspicious or not.
    What should I do?

    Download a fresh version of WordPress from wordpress.org, unzip it, open wp-config-sample.php and open your file, and compare the content. With that you will spot the difference if your file has additional code that is not present in the original file.

    About the wp-config.php
    I use the free version of Wordfence.

    I constantly receive warning emails
    about files such as wp-config.php
    being modified though I have not modified them myself.

    You are using Defender and hardening in Defender requires adding some lines to wp-config.php file. Maybe that's why you are getting those emails.
    I'm not familiar with WordFence and if you have problems with that plugin it also has its own support forum https://wordpress.org/support/plugin/wordfence - the developers of that plugin will be able to solve anything related to how it works much quicker.

    If I prevent changes to these files will the updates work normally?

    Do you mean "PHP execution" or "Disable the file editor"? Neither of those options will prevent WordPress updates. "PHP execution" is not about modification of the PHP files but prevents PHP files from being executed. The file editor, on the other hand, doesn't allow editing core files, only themes and plugins.

    Let me know if you have more questions.

    kind regards,
    Kasia
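
A core-integrity check of the kind Defender runs, added here as an illustration (it is not Defender's or WordPress's own code): it takes a manifest of {relative path: md5} in the shape the WordPress checksums API returns and reports modified, missing and unknown files over a constructed install. The fixture reproduces the thread's findings; note that localized packages append their locale to wp-includes/version.php (the Finnish build adds `$wp_local_package = 'fi';`), so a clean Finnish install reads as "modified" when compared against en_US checksums, and the locale's own manifest must be used for a fair comparison.

```python
"""Check a WordPress install against a core checksum manifest ({path: md5}).
Findings mirror the thread: 'modified' (md5 differs), 'missing' (manifest file
absent) and 'unknown' (file in a core location the manifest does not list,
e.g. wordfence-waf.php or wp-admin/error_log). Fixture data is constructed."""
import hashlib
import os
import tempfile

CORE_PREFIXES = ("wp-admin/", "wp-includes/")  # core directories to sweep
SKIP_PREFIXES = ("wp-content/",)               # plugins, themes, uploads

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_core(root, manifest):
    """Return {'modified': [...], 'missing': [...], 'unknown': [...]}, sorted."""
    report = {"modified": [], "missing": [], "unknown": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif md5_of(full) != expected:
            report["modified"].append(rel)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel in manifest or rel.startswith(SKIP_PREFIXES):
                continue
            # Top-level files and anything under core directories that core does not ship.
            if "/" not in rel or rel.startswith(CORE_PREFIXES):
                report["unknown"].append(rel)
    report["unknown"].sort()
    return report

def _write(root, rel, body):
    # Write a constructed file and return its md5 for the manifest.
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(body)
    return hashlib.md5(body).hexdigest()

def build_fixture():
    """Constructed install plus manifest reproducing the thread's findings."""
    root = tempfile.mkdtemp(prefix="wp-")
    manifest = {
        "index.php": _write(root, "index.php", b"<?php // front controller\n"),
        "wp-config-sample.php": _write(root, "wp-config-sample.php",
                                       b"<?php define('DB_NAME', 'database_name_here');\n"),
        "wp-includes/version.php": _write(root, "wp-includes/version.php",
                                          b"<?php $wp_version = '4.7.1';\n"),
    }
    # A localized package appends its locale to version.php, so a clean file
    # no longer matches the en_US manifest: a 'modified' finding, not malware.
    with open(os.path.join(root, "wp-includes/version.php"), "ab") as fh:
        fh.write(b"$wp_local_package = 'fi';\n")
    # Added by a plugin and by the server, not by WordPress core.
    _write(root, "wordfence-waf.php", b"<?php // Wordfence WAF loader\n")
    _write(root, "wp-admin/error_log", b"[21-Jan-2017 23:17:37 UTC] PHP Warning\n")
    _write(root, "wp-content/plugins/demo/demo.php", b"<?php\n")
    return root, manifest

if __name__ == "__main__":
    root, manifest = build_fixture()
    for kind, paths in verify_core(root, manifest).items():
        print(f"{kind:9s} {paths}")
```

Plugin and server-created files in core locations are reported as unknown rather than deleted, which is exactly the case where the right action is to confirm their origin and ignore them, as the replies in this thread advise.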

  • Tuomo

    Hello again!

    I only now got to check on these issues.

    1. First about the wp-config-sample.php

    Download a fresh version of WordPress from wordpress.org, unzip it, open wp-config-sample.php and open your file, and compare the content. With that you will spot the difference if your file has additional code that is not present in the original file.

    I checked both files, from my WordPress installation and the original file I downloaded from WordPress.org.

    I checked both files line by line and they are exactly the same.

    So now the question is why Defender is telling me the file is modified?

    Could this be because I have downloaded the Finnish version of WordPress
    from fi.wordpress.org

    If not then why does Defender tell me it has been modified?

    2. version.php
    This file is also exactly the same as the original file, as I downloaded
    the WordPress and unzipped it as you advised.

    Why does Defender say it is modified?

    Is it possible there could be "invisible code"
    that I can not see?

    3. About the error_log
    The file is in there and it should be fine.
    But then I ran into another issue when I opened it.

    There is a huge list of errors in there, I attached the error_log to this post.

    Could it be that there is such a huge amount of problems because the site is not published yet
    or are there actually some "real problems" causing all these warnings in the error_log?

    Also I checked the most recent warning:
    [21-Jan-2017 23:17:37 UTC] PHP Warning: implode(): Invalid arguments passed in /home/kauneush/public_html/kauneushoitolanuusisivusto/wp-content/themes/spa/taxonomy.php on line 45

    The line 45 contains this code:
    echo '<li class="isotope-item all '.implode(' ', $terms_slug).'">'; ?>

    and lines 46-53 contain this code:
    <div class="portfolio-container">
    ">
    <?php $params = array('width' => '460' , 'height' => $pf_img_height, 'crop' => true);
    echo kaya_imageresize($post->ID,$params,''); ?>
    <?php if( get_theme_mod('pf_lightbox_disable') != 'on' ): ?>
    " data-gal="prettyPhoto[taxonomy_gallery]"
    href="<?php echo $lightbox_url; ?>"> 

    What does it mean there is "invalid arguments passed in line 45" ?

    4. Lastly, what should I do with the issues Defender found?
    There are three options for each issue:
    -resolve issue
    -false alarm? ignore it
    -delete

    Which one of these options should I use?

  • Nithin

    Hi Tuomo,

    Hope you are doing good today. :slight_smile:

    Could this be because I have downloaded the Finnish version of WordPress
    from fi.wordpress.org

    If not then why does defender tell it has been modified?

    I could only comment more about this, and the other issues that you have pointed out, if I could check your system and your files. Could you please send us your credentials so that we could take a closer look.

    3. About the error_log
    The file is in there and it should be fine.
    But then I ran into another issue when I opened it. What does it mean there is "invalid arguments passed in line 45" ?

    These are more notices, and they don't break your site or affect the theme's performance. I can only give a better idea about it if I could check these files. If you are looking to correct this faster, I would recommend that you get in touch with the theme developer.

    You can send credentials by using our secure contact form: https://premium.wpmudev.org/contact/#i-have-a-different-question

    - To Mark to my attention, the subject line should contain only: ATTN: Nithin Ramdas
    -WordPress admin username
    -WordPress admin password
    -login url
    -FTP credentials (host/username/password)
    -link back to this thread for reference
    -any other relevant urls

    Please let us know once you have sent the credentials, so that I could give a better idea about what to do with these mentioned issues, either to mark as ignore, delete, or resolve.

    Kind Regards,
    Nithin

  • Nithin

    Hi Tuomo,

    Hope you are doing good today. :slight_smile:

    I checked all the points you have raised above, and the files are safe, you can mark it as a false alarm, and ignore these mentioned files. I'll bring this to the developers' notice.

    Regarding the error_log file, I could see all the latest logs are more notices, and it will not break the site or the theme's performance, it should be good. If you are looking to fix it, you can edit the file located under /wp-content/themes/spa/taxonomy.php, and replace line 45 with the following code:

    // Line 45 is already inside PHP, so the closing PHP tag must come after the
    // closing brace, otherwise the brace is output as text and the block never closes.
    if ( is_array( $terms_slug ) ) {
        echo '<li class="isotope-item all ' . implode( ' ', $terms_slug ) . '">';
    } else {
        echo '<li class="isotope-item all">'; // keep the <li> markup balanced
    } ?>

    Please do note that since it's a premium theme, I'm not sure exactly how it works. If you still find issues, I would recommend you get in touch with your theme's support.

    Regarding your website being slow, I checked your website in pingdom:
    https://tools.pingdom.com/#!/b7WI5i/http://www.kauneushoitoladayspa.fi/kauneushoitolanuusisivusto/

    And it seems like the main issue is related to your server having a slow response time, i.e. over 3 seconds; you might find the following article helpful:
    https://varvy.com/pagespeed/improve-server-response.html

    I could see Hummingbird is disabled at the moment; enabling minification, Gzip, and browser cache should help improve your scores. However, improving the server response time seems to be the main factor here.

    I hope this helps. Please let us know if you still need any further assistance. Have a nice day. :slight_smile:

    Kind Regards,
    Nithin

    • Tuomo

      Hello again Nithin,

      Thank you for checking those files and verifying my site is not infected which is of course a relief.

      About the speed issue, yes, it really is because of slow server response time.

      There was no problem with the response time though before I enabled the security updates recommended by defender. (screenshot of applied improvements).

      The funny thing is that I did run speed tests on the site with Google PageSpeed, GTmetrix and Pingdom before I applied the security updates.

      And before the updates none of the speed tests were saying I have a slow response time with the server, but after updating the security issues it has been complaining about those.

      I actually deactivated hummingbird and WP Fastest cache to test if it works when I reinstall them, but it doesn't help either.

      Also we have our current website published at http://www.kauneushoitoladayspa.fi
      and when I run the Pingdom test on it it does not complain about slow server response time.

      But when I run test to the Wordpress site at http://www.kauneushoitoladayspa.fi/kauneushoitolanuusisivusto/blog
      Then the Pingdom says there is slow server response time!

      So this is obviously indicating that there is something with the WordPress code etc. which makes the server response time slow.

      The issue is not with the host provider since there is no problem with the current website, but only with the website under development with WordPress, and with this one too only after applying the security updates.

      I also noticed a weird thing when running a test on Pingdom against the WordPress site
      http://www.kauneushoitoladayspa.fi/kauneushoitolanuusisivusto/blog
      It says there is "Connection error" in the response codes.

      What does this mean?
      This could obviously be the issue.
      How can we fix this?
      You can see the issue by running the test.

      Can you tell me which one of the security features is it that is slowing my site down?

      Maybe if we found one option I could compromise on for security I could live with it, because I also use the Wordfence firewall and Clef login with phone instead of password and limited login attempts.

      Can you tell which one of the security features is it that is slowing the site down so dramatically?

  • Kasia Swiderska

    Hello Tuomo,

    Can you tell which one of the security features is it that is slowing the site down so dramatically?

    It is very hard to tell which one is doing this because I tested that on my server and I'm not able to replicate this issue with an increase of server response time.
    In this case you have to test by reverting changes that can be reverted, so:
    - Prevent Information Disclosure
    - Disable the file editor
    - Disable trackbacks and pingbacks
    - Prevent PHP execution

    Revert those and check the server response again in the site speed test - if it is improved then start enabling those rules one after another and after each one make a test. If after one you get a jump in server response time then you will have the answer to what is causing this spike.
    Let me know then which one was that and we will investigate problem.

    kind regards,
    Kasia

  • Tuomo

    Hello,

    I troubleshot it according to your instructions Kasia.

    The server response time is slow even when setting all the security updates off.

    The only option which I can not revert is "Change default database prefix"

    I would like to verify with you though: is that something that could affect the server response time?

    I would like to know it before I will restore the website from old backup.

    BR
    Tuomo

  • Nithin

    Hi Tuomo,

    Hope you are doing good today. :slight_smile:

    I would like to verify with you though: is that something that could affect the server response time?

    I don't think this would be the source of your issue, however just to be sure I'm pinging the developer regarding this to check whether he's aware of any such issue that is related to slow page speed when the prefix is changed.

    If you still think that this would be the reason, would recommend you to check this with your host to see whether there is any such known conflict when the database prefix is changed in the database.

    Will keep you posted once I get an update from the developer asap. Have a nice day. :slight_smile:

    Kind Regards,
    Nithin

    • Tuomo

      Hello Nithin!

      Thank you for the support.

      I now completely uninstalled WordPress and reinstalled it
      and it still has the slow server response problem though
      Defender is not even installed and the prefix has not been changed.

      I am reinstalling WordPress and the theme tomorrow on a new host provider.

      I hope that will solve the slow server response time.

      I will create another thread if I still have issues.

      By the way, is there a way to make a fullscreen background slider
      like this
      with some of the WPMUDEV Themes?

      Thanks!

    • Tuomo

      Hello,

      I tried one of your themes and I could not make a fullscreen background slider.
      What I mean is that there would be a "global background slider"
      and containers on top of it.

      But the slider would always remain fullscreen in the background.

      This is quote from the link you posted:

      Slider Region
      Slider regions provide a way for you to create full-width sliding image carousels for your website. Sliders can rotate automatically after a timeout or when manually navigated by visitors. You can choose between five different transitions and whether or not the slider controls are visible at all times or on hover only.

      It says it is possible to make full width backgrounds but it doesn't say it is possible to create a full screen background slider like this.

      If I can not make a background slider like that it means that when I scroll down I won't see the slider in the background anymore.

      If this could be done I would like to try it but I would need assistance implementing it.

      I like the current theme I use but I am worried because it was only updated in July 2016, and I ran Theme Check on it and it gave issues that I attached to this post.

      I also found out the solution to the other issue about slow server response time.
      It was that when I prevented the PHP execution it slowed the server response significantly and gave JavaScript errors concerning the theme's CSS style file.

      By looking at the Theme Check report I can see the theme uses PHP filesystem calls instead of the WP_Filesystem methods that are recommended according to the Theme Check plugin.

      So when I turn on the PHP execution hardening, that is why it causes code errors and JavaScript errors and slows down the site.

      So this explains the speed issue that I asked for support with in my other post.

      I would like to ask an honest opinion of somebody that knows for sure could the issues stated in the theme check cause issues later on?

      I would definitely not want to put all the effort in building the website only to see later it doesn't function properly because of theme issues.

      I am sad though because I liked the theme but if those issues are too serious I'm going to have to use another theme just right from the beginning.

      And for that I would especially want to find a WPMUDEV theme that supports the fullscreen background slider.

      By the way, please tell me if I should start a new thread since this conversation is not related to the issue I originally posted.

      Thanks a lot!

  • Nithin

    Hi Tuomo,

    Hope you are doing good today. :slight_smile:

    It says it is possible to make full width backgrounds but it doesn't say it is possible to create a full screen background slider like this.

    You can create full width slider region, and then add elements by dragging it on top of it, and it'll display, just like as shown in your example website. When comparing with your example website, the menus, the Site URL Text, phone number etc all will be added as an element. However, if you are looking to implement the same styles, and effects it would require a bit of custom CSS to achieve something similar.

    The only way you could check whether it would fit entirely up to your needs is by testing it; by testing it, you'll have a better idea whether it would fit your needs, or whether you'll have to make use of another theme, or not. You can make use of the Upfront Builder plugin if you are looking to build a theme from scratch.

    You might find the following docs helpful:
    https://premium.wpmudev.org/docs/upfront-and-themes/using-the-upfront-builder/
    https://premium.wpmudev.org/project/upfront-builder/#product-usage
    https://premium.wpmudev.org/docs/upfront-and-themes

    I like the current theme I use but I am worried because it was only updated in July 2016, and I ran Theme Check on it and it gave issues that I attached to this post.

    What the Theme Check plugin does is point out themes which aren't following the WordPress coding standards that are set by the WP Theme Review Team. However, the theme should still work fine, despite all the notices posted in the plugin. Since it's a premium theme, I'm not sure how the theme functions; I would recommend you get in touch with your theme's developer in order to get this sorted, or for a new theme update.

    I would like to ask an honest opinion of somebody that knows for sure could the issues stated in the theme check cause issues later on?

    Theme Check plugins are used during the development phase of a theme, and following the required points stated would be ideal, so that the theme works with less hassle. However, as mentioned above, the theme should still work fine; I would recommend you get in touch with your theme's developer, so that he would be able to get these sorted.

    Would recommend you to create new threads for new issues, or any discussion which doesn't seem related to the current thread. So that it's easier for both of us to follow.

    I hope this helps, please advise if I had missed out anything, have a nice day. :slight_smile:

    Kind Regards,
    Nithin
