I decided to try Defender for the first time today

I decided to try Defender for the first time today and thought I'd provide some feedback and suggestions.

Installation went smoothly and I like that it guides you through the issues that need attention. I did strike some problems though.

1. As soon as I enabled the blacklist check I got a big red banner saying my site was blacklisted. It's a personal blog with a handful of posts with the last post being from May 2015. I have always run a security plugin on there and it has never been hacked and/or been in any blacklists. I immediately checked it on Google and it was all fine. I then reloaded the defender dashboard and the blacklist status had changed to green and all okay. It's not a good look though - I don't know why it would generate this false positive initially - perhaps it defaults to 'blacklisted' prior to performing the first blacklist check. Either way, if it is happening to others and not just me then it's going to cause a few heart flutters.

2. I tried doing the file scan and after 4% it came up with the 'server resource usage is too close to your limit'. My (CentOS) server is fairly busy and CPU load runs at around 1.5 - 2.5 most of the time. I tried again and it got to 8% before the same error came up. I then went back to the dashboard and it said there were 2 issues in the WordPress core files. I clicked on the 'Fix' button and was taken back to the scan page which was still showing the 'resource usage' error. I clicked 'Try Again' and then 'Cancel Scan' but each time I clicked the cancel button the page reloaded and the scan restarted. There's no way to stop the scan it seems. I also noticed when I clicked the 'show log' button there was never anything there.

My suggestions for this are:

1. Separate the scan progress log page from the scan page and have it log all activity including the server load at the time the scan is aborted.
2. Provide a setting where I can set the server load threshold that will pause the scan.
3. Separate the scan results page from the main scan page. I have no way of telling which files it thinks are wrong because I keep getting the resource usage error. I really need to be able to see which files have been detected as incorrect and why.

Gary

  • Rupok

    Hi Gary

    Hope you had a wonderful day.

    I don't know why it would generate this false positive initially - perhaps it defaults to 'blacklisted' prior to performing the first blacklist check

    I tried doing the file scan and after 4% it came up with the 'server resource usage is too close to your limit'.

    I could tell you more about these issues if I could see them live, check your current configuration and run some tests on your site. Would you mind allowing Support Access so we can have a closer look at this?

    To enable support access you can follow this guide here:
    https://premium.wpmudev.org/manuals/wpmu-dev-dashboard-enabling-staff-login/

    And thanks a lot for your suggestions. I'll pass all the info with your suggestions to our developer if I can confirm the issues on your site. I'm looking forward to hearing from you and resolving these issues as soon as possible.

    Have a nice day. Cheers!

  • Hoang Ngo

    Hi @teckyhead,

    I hope you are well today and many thanks for your feedback.

    1. As soon as I enabled the blacklist check I got a big red banner saying my site was blacklisted. It's a personal blog with a handful of posts with the last post being from May 2015. I have always run a security plugin on there and it has never been hacked and/or been in any blacklists. I immediately checked it on Google and it was all fine. I then reloaded the defender dashboard and the blacklist status had changed to green and all okay. It's not a good look though - I don't know why it would generate this false positive initially - perhaps it defaults to 'blacklisted' prior to performing the first blacklist check. Either way, if it is happening to others and not just me then it's going to cause a few heart flutters.

    Perhaps this is cache from the API server; usually that will fix itself in less than 30 seconds. I will check with the sysadmin team to see what we can do here :slight_smile:

    2. I tried doing the file scan and after 4% it came up with the 'server resource usage is too close to your limit'. My (CentOS) server is fairly busy and CPU load runs at around 1.5 - 2.5 most of the time. I tried again and it got to 8% before the same error came up. I then went back to the dashboard and it said there were 2 issues in the WordPress core files. I clicked on the 'Fix' button and was taken back to the scan page which was still showing the 'resource usage' error. I clicked 'Try Again' and then 'Cancel Scan' but each time I clicked the cancel button the page reloaded and the scan restarted. There's no way to stop the scan it seems. I also noticed when I clicked the 'show log' button there was never anything there.

    Likely the scheduled scan is enabled and set to daily, and the current time is past the scheduled time. That's why when you cancel, a new scan is set up right away.
    To control the CPU threshold, please add this code to your theme's functions.php or use mu-plugins:

    add_filter( 'wd_limit_cpu', 'wd_limit_cpu' );
    function wd_limit_cpu() {
    	// The maximum CPU the scan can use. Usually 1 is 100%, but on some hosts like GoDaddy, 1 is only 1%.
    	// Please feel free to modify it to fit your server.
    	return 100;
    }

    After the scan is done, there will be a detailed report for you. The scanning log just provides information, and it needs a little delay to load.

    I think for now, please add the code above, and let's see if the scan can run through :slight_smile:

    If you have any additional issues, please let us know and we'll be happy to help.

    Best regards,
    Hoang

  • teckyhead

    Hi Hoang,

    Thanks - I added the code and the scan ran through and completed this time. I also could see the names of the scanned files in the log. The scan took around 5 minutes to complete.

    A couple of worrying things - just prior to receiving the scan results I received two alerts from my server. One was that there were 147 processes running for that specific blog and another that the server load had peaked at 20.74. I'll paste excerpts from those below.

    I had hoped to check this when the scheduled scan ran at 3am this morning but it didn't run. I'll see if it runs tomorrow morning.

    Gary

    Time: Wed Mar 30 22:59:39 2016 +1100
    Account: garyblog
    Process Count: 147 (Not killed)
    Process Information:
    User:garyblog PID:2781 PPID:1813 Run Time:32(secs) Memory:149092(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/garyblog/public_html/index.php
    User:garyblog PID:2783 PPID:2630 Run Time:32(secs) Memory:149092(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/garyblog/public_html/index.php
    User:garyblog PID:2789 PPID:2623 Run Time:31(secs) Memory:148960(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/garyblog/public_html/index.php
    User:garyblog PID:2798 PPID:2272 Run Time:31(secs) Memory:148848(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/garyblog/public_html/wp-cron.php
    User:garyblog PID:2800 PPID:2278 Run Time:31(secs) Memory:149148(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/garyblog/public_html/index.php
    User:garyblog PID:2813 PPID:2631 Run Time:30(secs) Memory:149148(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/garyblog/public_html/index.php
    User:garyblog PID:2818 PPID:2795 Run Time:30(secs) Memory:148224(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/garyblog/public_html/index.php
    User:garyblog PID:2819 PPID:2816 Run Time:30(secs) Memory:148224(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/garyblog/public_html/index.php
    User:garyblog PID:2824 PPID:1806 Run Time:30(secs) Memory:148224(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/garyblog/public_html/index.php
    User:garyblog PID:2825 PPID:2037 Run Time:30(secs) Memory:148224(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/garyblog/public_html/index.php
    [...]

    Time: Wed Mar 30 23:00:10 2016 +1100
    1 Min Load Avg: 20.74
    5 Min Load Avg: 6.18
    15 Min Load Avg: 2.94
    Running/Total Processes: 4/552
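
Added example (not part of the original thread, and not code from the plugin or the hosting panel): a small parser for a process-count alert in the layout pasted above. It tallies which PHP entry scripts the processes were serving and how tightly together they were spawned, which helps separate a request burst from slow accumulation. The sample alert, the account name `exampleblog` and the name `summarize_alert` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the alert above (not the poster's data).
# The first line of process information carries two records, as pasted alerts often do.
SAMPLE_ALERT = """\
Time: Wed Mar 30 22:59:39 2016 +1100
Account: exampleblog
Process Count: 40 (Not killed)
Process Information:
User:exampleblog PID:101 PPID:10 Run Time:32(secs) Memory:149092(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/exampleblog/public_html/index.php User:exampleblog PID:102 PPID:11 Run Time:31(secs) Memory:148960(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/exampleblog/public_html/wp-cron.php
User:exampleblog PID:103 PPID:12 Run Time:30(secs) Memory:148224(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/exampleblog/public_html/index.php
User:exampleblog PID:104 PPID:13 Run Time:30(secs) Memory:148224(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/exampleblog/public_html/index.php
[...]
"""

# One process record; cmd runs until the next record on the same line or end of line.
RECORD = re.compile(
    r"User:(?P<user>\S+) PID:(?P<pid>\d+) PPID:(?P<ppid>\d+) "
    r"Run Time:(?P<run>\d+)\(secs\) Memory:(?P<mem>\d+)\(kb\) "
    r"exe:(?P<exe>\S+) cmd:(?P<cmd>.*?)(?= User:\S+ PID:\d+|$)",
    re.MULTILINE,
)


def summarize_alert(text):
    """Summarize a process-count alert: scripts served, spawn window, memory."""
    m = re.search(r"^\s*Process Count: (\d+)", text, re.MULTILINE)
    reported = int(m.group(1)) if m else None
    procs = [r.groupdict() for r in RECORD.finditer(text)]
    runs = [int(p["run"]) for p in procs]
    # The last token of the command line is the PHP entry script being served.
    scripts = Counter(
        (p["cmd"].split() or ["?"])[-1].rsplit("/", 1)[-1] for p in procs
    )
    return {
        "reported": reported,
        "listed": len(procs),
        # The alert body is an excerpt when fewer records are listed than counted.
        "truncated": reported is not None and len(procs) < reported,
        "by_script": dict(scripts),
        # A small spread of run times means the processes started almost together.
        "spawn_window_secs": max(runs) - min(runs) if runs else None,
        "memory_mb": round(sum(int(p["mem"]) for p in procs) / 1024, 1),
    }


if __name__ == "__main__":
    print(summarize_alert(SAMPLE_ALERT))
```

A spawn window of a few seconds across many processes points to a burst of near-simultaneous requests rather than long-running leftovers.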

  • Hoang Ngo

    @teckyhead,

    Thanks for your information. One more question: can you please let me know how it is set up? For example:
    What is the OS? If it is Linux, what's the distro?
    What's the server type: Apache, Nginx, or Nginx as proxy with Apache as backend?
    How is PHP running: as the PHP-FPM service, or Apache PHP_Mod?

    I'm sorry for this inconvenience, and many thanks for your patience.

    Best regards,
    Hoang

  • teckyhead

    Hi Hoang,

    The server is a WHM/cPanel server - OS is CentOS 6.7 with standard WHM Apache setup (i.e. php_mod).

    It also looks like the plugin doesn't look at the server timezone. I had the schedule set for 3AM but it ran a little after 4PM. I saw the same load issues - this time it was 144 apache instances and the CPU load peaked at 24.45.

    I'll have to disable it for now. I understand that there's going to be some server load whilst scanning files but this really seems excessive. I've used other plugins that do security scans of files but haven't ever seen them hit the server anywhere near this hard.

    Gary

  • Hoang Ngo

    @teckyhead,

    I hope you are well today and I'm sorry for the issue :slight_frown:

    With the code I posted above

    add_filter( 'wd_limit_cpu', 'wd_limit_cpu' );
    function wd_limit_cpu() {
    	// The maximum CPU the scan can use. Usually 1 is 100%, but on some hosts like GoDaddy, 1 is only 1%.
    	// Please feel free to modify it to fit your server.
    	return 100;
    }

    100 will let it run at maximum. I think in your case, please change it to 1, meaning 100% CPU if needed.

    Also, if possible please change to php-fpm, instead of the old php_mod. This module is very famous for resource leaking.

    Best regards,
    Hoang

  • teckyhead

    Hi Hoang,

    As the web server is a WHM/cPanel hosting server with some of my customers' websites on it, it isn't practical to switch to php-fpm.

    I ran some more tests. With the return value in the code you sent set to 1 it brought up the server resource usage error. I then changed it to 5 and the scan ran through - took around 40-60 seconds. This time the CPU usage was okay until the scan got to around 91%. Then it went a little bit nuts and spawned a whole lot of processes that were all pointed at index.php on the website. The CPU was around 2.0 - 2.4 until this point (that's normal load on the server) and then it peaked at 8.45.

    Regards,

    Gary

  • Hoang Ngo

    teckyhead,

    For now, can you please upgrade to 1.0.4? And when scanning, please use background mode (don't open the scanning page, just close it and background mode activates automatically).

    Because of mod_php, every AJAX request might create a new thread, and that will quickly fill up your server with tons of www-data threads.

    For checking scanning progress, you can visit this page http://domain.com/wp-admin/admin.php?page=wdf-debug

    I think that can decrease the usage of resource. If you have any additional issues, please let us know and we'll be happy to help.

    Best regards,
    Hoang
