Hidden Plugin Folder|Files (HPF) Alert


This topic contains 68 replies, has 13 voices, and was last updated by  AITpro Admin 1 year, 6 months ago.

    #30020

    Pauline
    Participant

    Hi,

    I recently updated BPS and as soon as the update was complete an error came up.

    PS Hidden Plugin Folder|Files (HPF) Alert
    An unrecognized/non-standard WP file was found in your /plugins/ folder. This file may be a hacker file or contain hacker code. If you recognize this file and/or it is safe to ignore this file you can ignore this file check by adding the file name in the Ignore Hidden Plugin Folders & Files textarea box option to make this Alert go away.
    File Path: /home/agingnat/public_html/wp-content/plugins/php_errorlog
    Last Modified Time: October 3, 2015 @ 11:00 am
    Last Change Time: April 16, 2016 @ 6:08 am
    Last Access Time: April 16, 2016 @ 6:08 am

    I have no idea what this hidden plugin is. Is it OK? I have no idea, and I also have no idea how to get rid of it, as BPS only lets me know how to get rid of the warning if I think the file is safe to ignore.

    I am assuming it is not safe to ignore and am completely lost as to what I can do to remove this file myself. Can you please tell me what I can do?

    Thank you 🙂

    #30021

    AITpro Admin
    Keymaster

    What to do if a hidden plugin folder or file is detected
    If a hidden or empty plugin folder is detected or a non-standard WP file is detected then you would use FTP to check the folder or file. If the folder or file contains hacker code or is a hidden plugin or is a non-standard WP file then make a copy of it and delete it. If the plugin folder is just an empty plugin folder then delete it. If you recognize the folder or file you can use the Ignore Hidden Plugin Folders & Files textarea box option to ignore/not check this folder or file.

    Ignore Hidden Plugin Folders & Files:
    This option is for adding ignore rules for Hidden or Empty Plugin Folders Detected by BPS or Non-standard WP files detected by BPS in your /plugins/ folder. This is an independent option setting that does not require clicking any other buttons. Example Usage: If you intentionally have an empty plugin folder in your /plugins/ folder or you have a custom file in your /plugins/ folder then you can add the plugin folder or custom file name in the Ignore Hidden Plugin Folders & Files textarea box so that the HPF Cron check will ignore any folder or file names that you add. Add Ignore rules using plugin folder names or file names. Use a comma and a space between folder and/or file names. Example Ignore Rules: plugin-folder-name, example-file-name.php

    Most likely this file:  /plugins/php_errorlog is not a hacker file and is just a php error log that was automatically added/created in your /plugins/ folder by your web host or another plugin, but you should check the file using FTP just in case.  Most likely you will just find php error log entries in the php_errorlog file and not any malicious code.  If you want us to look at/check the php_errorlog file then send it to info at ait-pro dot com and we will let you know whether or not it contains malicious/hacker code.
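
As an added illustration (not BPS code and not part of the post above), this Python sketch mimics the kind of check the alert describes: it lists the top level of a /plugins/ folder, flags loose non-standard files and empty or header-less folders, and applies ignore rules in the `name, name` format. The `Plugin Name:` header heuristic, `STANDARD_FILES`, the function names and the sample tree are assumptions constructed for the example.

```python
import os
import tempfile

STANDARD_FILES = {"index.php", "hello.php"}  # assumption: files WordPress ships in /plugins/

def parse_ignore_rules(text):
    """Split the 'name, name' textarea format into a set of bare names."""
    return {name.strip() for name in text.split(",") if name.strip()}

def has_plugin_header(path):
    """True if a PHP file carries the 'Plugin Name:' header WordPress lists plugins by."""
    if not (path.endswith(".php") and os.path.isfile(path)):
        return False
    with open(path, "r", errors="replace") as fh:
        return "Plugin Name:" in fh.read(8192)

def classify(entry):
    """Return a finding kind for one top-level /plugins/ entry, or None if it looks normal."""
    if entry.is_dir():
        children = [os.path.join(entry.path, n) for n in os.listdir(entry.path)]
        if not children:
            return "empty-folder"
        return None if any(has_plugin_header(c) for c in children) else "hidden-folder"
    standard = entry.name in STANDARD_FILES or has_plugin_header(entry.path)
    return None if standard else "non-standard-file"

def scan_plugins(plugins_dir, ignore_text=""):
    """Return (kind, name) for top-level entries the ignore rules do not cover."""
    ignored = parse_ignore_rules(ignore_text)
    entries = sorted(os.scandir(plugins_dir), key=lambda e: e.name)
    found = [(classify(e), e.name) for e in entries if e.name not in ignored]
    return [(kind, name) for kind, name in found if kind]

def demo():
    """Scan a constructed /plugins/ tree: no rules, name rules, and a pasted full path."""
    root = tempfile.mkdtemp()
    for name in ("index.php", "php_errorlog", "functions.php"):
        open(os.path.join(root, name), "w").close()
    os.mkdir(os.path.join(root, "Backup"))
    os.mkdir(os.path.join(root, "good-plugin"))
    with open(os.path.join(root, "good-plugin", "good-plugin.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Good Plugin\n*/\n")
    rules = ("", "functions.php, Backup", os.path.join(root, "php_errorlog"))
    return [scan_plugins(root, r) for r in rules]

if __name__ == "__main__":
    print(demo())
```

In this sketch a rule only matches a bare top-level name, so a pasted full path leaves the finding in place, and an ignored name is skipped without any inspection of its contents.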

    #30047

    Manuel
    Participant

    Hi,

    thank you for this new feature. Unfortunately, I cannot make the error notice go away by entering the file and folder name (which are clean). I get two error messages every ~15 minutes since I updated BPS this morning. Even after shutting off the Cron and setting the interval to 60 minutes. I run a WP MS install.

    Also, I would like to suggest asking for the complete path to the file/folder, so that a false negative in case of a hacker using the same folder/file name which I had whitelisted is ruled out.

    Best,

    Manuel

    #30055

    AITpro Admin
    Keymaster

    @ Manuel – Turning Off the HPF Cron unschedules the HPF Cron job. Are you clicking the Save HPF Cron Options button after selecting HPF Cron Off setting?

    Copy and paste the HPF Dashboard alerts in your reply so I can see them.  Is WP MS a WordPress Network/Multisite site?  The full path to the /plugins/ folder is already included in the check:  /folder-path-to/wp-content/plugins/.  So you only need to use a filename or a folder name to ignore/whitelist a file or folder.  It is not possible to have 2 files or 2 folders with the same name in the same place/location.

    #30085

    Manuel
    Participant

    @ Edward – It seems it doesn’t turn off. Yes, I clicked the button, and got the message “Hidden Plugin Folders|Files (HPF) Cron has been turned Off.” I also checked my NinjaFirewall log, but nothing there.

    Maybe the problem comes from some additional .htaccess rules which I inserted with AIOWPS plugin (and have then put into the BPS custom code section)? In particular, the 6G Firewall list had one character that led to a 403 on the whole site, maybe this time it does not show?

    Okay, what you write about the folder makes sense. I thought it was a complete check. The box content already reads:
    functions.php, Backup
    Yes, it is a multisite install. The error messages are not shown on the domain site, and only on one subsite – the one I mainly use:

    BPS Hidden Plugin Folder|Files (HPF) Alert
    An unrecognized/non-standard WP file was found in your /plugins/ folder. This file may be a hacker file or contain hacker code. If you recognize this file and/or it is safe to ignore this file you can ignore this file check by adding the file name in the Ignore Hidden Plugin Folders & Files textarea box option to make this Alert go away.

    File Path: /***/wordpress/wp-content/plugins/functions.php
    Last Modified Time: 21. Juli 2015 @ 16:31
    Last Change Time: 7. Februar 2016 @ 01:28
    Last Access Time: 7. Februar 2016 @ 01:27

    BPS Hidden Plugin Folder|Files (HPF) Alert
    A plugin folder was found in your /plugins/ folder that is either a hidden plugin (plugin that is not displayed on the WordPress Plugins page) or an empty plugin folder. You can either delete this folder or if you recognize this folder and/or it is safe to ignore this folder you can ignore this folder check by adding the folder name in the Ignore Hidden Plugin Folders & Files textarea box option to make this Alert go away.

    Plugin Folder Path: /***/wordpress/wp-content/plugins/Backup
    Last Modified Time: 30. März 2016 @ 23:48
    Last Change Time: 30. März 2016 @ 23:48
    Last Access Time: 30. März 2016 @ 23:02
    #30086

    AITpro Admin
    Keymaster

    @ Manuel – This is Jake by the way, but not important, just one of the BPS team members. 😉

    Of course HPF can be turned Off.  So that is another issue like maybe something else you have installed is breaking things or some other issue/problem.  So before troubleshooting your specific particular install/host/server/website issue/problem, let me do some general testing in all Network/Multisite test servers/environments to see if I can replicate/reproduce this error scenario/condition.

     

    #30087

    AITpro Admin
    Keymaster

    @ Manuel – Recreating/replicating/reproducing all of the conditions stated above in all Network/Multisite site types has the same results.  Whitelisting/ignoring files and folder works perfectly.  Turning HPF On or Off works perfectly.  So if whitelisting/ignoring files and folders is not working on your site then 1 of these 2 things is true.  1. You have not added whitelist/ignore rules using the correct format:  functions.php, Backup and/or you have not saved your whitelist/ignore rules or 2. Something you have installed on your site is breaking things.  Double check that you have created the correct whitelist/ignore rules (in the correct format).

    #30088

    Pauline
    Participant

    Hi,
    I have confirmed with my Hosting company the hidden plugin alert I am getting is safe.
    I have tried to add the file path to the ‘Ignore Hidden Plugin Folders And Files’.
    I am not sure if I am doing it right, I just copied the file path and inserted it into the box and clicked save.
    But it keeps coming back. I have no idea how to get rid of this warning and it is so annoying and I keep getting emails about it and it is driving me mad.
    Can you please tell me what I am doing wrong, other than copying the file path, I have no idea what else to put to get rid of the warning.
    I tried to deactivate the plugin that didn’t work either.

    Thank you 🙂

    #30090

    AITpro Admin
    Keymaster

    Do these steps.
    1. Go to the Ignore Hidden Plugin Folders & Files textarea box.
    2. Paste this into the textarea box:  php_errorlog
    3. Click the Save Plugin Folder|Files Ignore Rules button.

    -ed

    #30094

    Manuel
    Participant

    Jake, I can confirm I really typed into the box what needed to be, and which I pasted here (the div styling came from the Visual Editor in this forum, you seem to have corrected it, thanks). So something must be breaking things. But I do not know what…

    I will try with what was suggested by ed, and will post what happened.
    EDIT: Still the mails. I will try with this code now:
    functions.php, Backup, php_errorlog
    EDIT 2: Mails continue. I can’t find any error log on my server…?

    #30098

    AITpro Admin
    Keymaster

    @ Manuel – You would whitelist the folder or file names displayed to you in the HPF Alert.  If doing these steps below does not stop new email alerts from being sent then send a WordPress Administrator login to this website to:  info at ait-pro dot com.

    Do these steps.
    1. Go to the Ignore Hidden Plugin Folders & Files textarea box.
    2. Paste this into the textarea box:  functions.php, Backup
    3. Click the Save Plugin Folder|Files Ignore Rules button.

    #30105

    AITpro Admin
    Keymaster

    @ Manuel – I logged into your website and did not see the HPF Dashboard Alert.  So your whitelist/ignore rules are good.  Are you still receiving new HPF email alerts?  If so, then we need to check BPS code to see if there is a bug somewhere in the BPS email alert code.  I’ll let you know if we find any bugs or not.

    #30107

    Manuel
    Participant

    I still get the alerts every 15 minutes, unfortunately. I will downgrade BPS now, looking forward to your inquiries. Hope you will find the problem; if I can help, I will.

    #30108

    AITpro Admin
    Keymaster

    @ Manuel – Ok I will check and see if there is some sort of bug with HPF email alerts on Network|Multisite site types.  I have a feeling that what is missing is a conditional check in the HPF email alert code something like this:  if multisite and blog id = 1 then send the alert.  I think what may be happening is that if that extra conditional check is not there then the alert/check code may also be checked in subsites instead of just the Primary site.  Will let you know what I find after checking this out.

    #30109

    Manuel
    Participant

    Thanks. Interestingly, after downgrade to .53.8, I still see the HPF module – so this had already been introduced in .53.8, I was not aware. Why did I not receive any alerts before, then?

    Without having made any changes to the database, the HPF check was marked ON, scheduled at 15min-intervals, which should not come as a surprise – this is what the system seems to have been set all the time, regardless of any changes. However, the whitelist now reads “functions.php, Backup” – I suppose you changed that. And… I still get the emails. Even after downgrading. Will try disabling again now, maybe this time it works.

    EDIT: Got the mail because I made an “old” folder for backing up BPS .53.9. Turned off HPF now. Will post if worked.

    EDIT 2: Seems turning it off works now. Will try turning it on in some minutes and see what happens.

    EDIT 3: So, it seems that everything worked in .53.8. No emails, whitelist works, and we already have seen that alerts come if there is unexpected activity. So there must have been something new in .53.9 that broke HPF.

    EDIT 4: Still the error messages all over my backend in my main subsite. No mails, though.

    EDIT 5: And now, the alert mails are back. It did not do that until I upgraded to .53.9! Now I am back on .53.8, it’s broken. How can that be…?
