wp-includes WordPress files quarantined


This topic contains 36 replies, has 2 voices, and was last updated by  AITpro Admin 4 years, 8 months ago.

    #9814

    jan
    Participant

    After upgrading to 3.6.1, BPS Pro keeps quarantining the same files: I have manually compared the quarantined file to the backup and they are the same. I click the 4 backup buttons and then back them up. But every day, I get the 10 emails for each file quarantined.

    /wp-includes/comment-template.php
    /wp-includes/class-http.php
    /wp-includes/js/tinymce/wp-tinymce.js.gz
    /wp-includes/js/jquery/jquery.js
    /wp-includes/theme.php
    /wp-includes/post-template.php
    /wp-includes/version.php
    /wp-includes/link-template.php
    /wp-includes/ms-functions.php
    /wp-includes/pluggable.php

    Thanks much for any help you can provide.

    #9815

    AITpro Admin
    Keymaster

    This is a very old forum topic:
    Important Note: If you have BPS Pro 12.8 or higher versions of BPS Pro installed click this link for quicker and easier steps to fix quarantined files problems: https://forum.ait-pro.com/forums/topic/website-not-loading-after-wordpress-upgrade-or-theme-upgrade-500-error-files-quarantined/. BPS Pro 12.8+ versions automatically deactivate/turn ARQ Off when the /bulletproof-security/ plugin folder is renamed instead of having to use the BPS Pro XTF Form Tools to deactivate/turn ARQ Off.

    Very strange.  Do these steps:  Turn Off AutoRestore, reinstall WordPress, click the 4 Backup Files buttons and turn AutoRestore back on.  Let me know if the files are quarantined again.  If they are then something you have installed on your website (a plugin that is doing something to the /wp-includes folder) is interfering with the /wp-includes AutoRestore folder check.

    #9819

    AITpro Admin
    Keymaster

    Oh I forgot to ask if you restored the files from Quarantine.  When you restore files from Quarantine the original file is restored and a copy is also created in the AutoRestore backup folder.  The logic is the files may appear to be almost identical, but WordPress made some minor changes to these files so the files in backup are not actually the same.

    #9910

    jan
    Participant

    I did not restore files from quarantine. It just kept doing the 10 files every day.  I did as you asked and will know more tmw (disabled ARQ, reinstalled, backed up 4 buttons, re-enabled ARQ).  Will let you know tmw if it comes back. Other plugins are not the issue here though. None were added and it was working before. Something about having turned off your plugin altogether to do the original WP upgrade (I suspect).

    #9911

    AITpro Admin
    Keymaster

    Yep, then that was the issue/problem.  When files are sent to Quarantine that are legitimate files then you would restore them using the Restore Files option in Quarantine.  The AutoRestore/Quarantine Guide link below explains how AutoRestore/Quarantine works.
    http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/

    #9912

    jan
    Participant

    OK. Will try that now then. After deleting all the quarantined files, turning off ARQ, reinstalling WP 361, turning things back on, backing up, resetting everything, I noticed that this morning the same 10 files are throwing messages again. I’ll try and fight my way through that page and restore them.

    Unrelated: how do I get rid of the “Your Root htaccess File is not Locked” alert at the top? I cannot turn off group reading privs or the site stops working.  Ditto on the php errors. Is there a way to keep the yellow alerts from showing up without stopping the logging per se? I worry about the wall of yellow alerts when the client logs in themselves.

    #9914

    AITpro Admin
    Keymaster

    BPS Alerts are only displayed to you or other Administrators.  Something odd is going on if this problem is still going on.  Is this a WordPress Network/Multisite site?  Please create a temporary WordPress Admin login for me so that I can login to this site and see what might be causing this issue.  Send that temporary Admin login to edward [at] ait-pro [dot] com.  You can turn off the F-Lock alerts by going to the F-Lock page and choosing “Turn Off Checking & Alerts” for each / all files you do not want to have BPS check.  You can turn off php error logging or you can turn off just the php error log alerts.  To turn off php error logging go to P-Security >>> ini_set Options tab page and set Log PHP Errors: to Off and click buttons 1 & 2.  Or you can turn off only the php error alerts by going to S-Monitor and set this option:  PHP Error Log: New Errors in The PHP Error Log to Turn Off Displayed Alerts.

    #9918

    jan
    Participant

    I set you up as admin and had WP email you the creds. LMK if I need to send manually myself.  Unfortunately I cleared the quarantine log after I restored them all. I just realized that the quarantining seems to happen at 3 am. Why 3 am only and only once a day? So then I realized that I THINK this is when Wordfence is doing its scanning for this site. So this then seems to point to them. I should have realized this earlier.  Since a couple of sites out there push your two as playing nice together and the ultimate security solution, I think it would behoove you two to figure out what is going on. That is why I ended up with both your premium versions of the plugins.  If you want, change the Wordfence schedule to manual to expedite. Or leave it as is until tmw. Your quarantine log seems to log activity around 3:06 and 3:10 am if I remember right.  And if this is beyond what you are up for, I understand!

    #9920

    AITpro Admin
    Keymaster

    Thank you for the additional information and clues.  Things change fast in the coding world so this is probably something new that Wordfence is doing.  What it sounds like is Wordfence is restoring files at 3am and then BPS Pro is then autorestoring the files that Wordfence is restoring since those files are going to be different than the files BPS sees in AutoRestore backup.  Once I log into the site I will try and figure out exactly what Wordfence is doing.  I am currently working on a couple of things and ETA to login to this site is 30 minutes.  Thanks.

    Best Regards,
    Ed

    #9922

    AITpro Admin
    Keymaster

    I am logging into your website now.  Thanks.

    Ed

    #9923

    AITpro Admin
    Keymaster

    There was some sort of problem going on with the Plugin Firewall/Plugin Firewall .htaccess file that was causing the BPS Pro pages to display broken so I deleted it and created a new Plugin Firewall .htaccess file and BPS Pro pages are displaying normally now.

    I added these additional Plugin Firewall whitelist rules for the Wordfence plugin since I assume that the Wordfence plugin needs full unrestricted access to your site, but maybe these Plugin Firewall whitelist rules are not needed.  In any case, it does not hurt to add them.

    /wordfence/(.*).php, /wordfence/(.*).js

    I wonder if Wordfence also needs to have the wordfence.com website whitelisted in the Plugin Firewall. Please send an email to the Wordfence plugin author and ask the plugin author if this plugin needs to have the Wordfence.com domain whitelisted or an IP address whitelisted in the Plugin Firewall or maybe the above whitelist rules are all that is needed.

    It looks like you are using both Wordfence Login Security and BPS Pro Login security. It appears that BPS Pro Login Security is working correctly so I assume they are both working together without any problems.

    I turned off php error log alerts in S-Monitor so you will no longer see php error log alerts in your WP Dashboard.

    I checked all Wordfence settings and did not find any settings that would allow me to check the /wp-includes possible issue or any settings to do anything about this issue.

    So my hunch is that something like this is occurring:

    Since Wordfence does a check for WP Core files in the WordPress.org Repository and compares them to your WP Core files on your website then maybe Wordfence is restoring older WP Core files from the previous version of WordPress back on your website?  Not really sure if that is what is going on.  Everything is fine at this point so it is hard for me to see exactly what the issue is that is going on at 3am.  Please check with the Wordfence plugin author and see if there is a known issue going on with something like this.  Thanks.

    Logged out of your website now.  Please change this temporary Admin login account from Administrator to Subscriber or just delete this login account.

    Ed

    #9934

    jan
    Participant

    So the plot thickens a little bit. Today 9 out of the 10 files that were getting quarantined daily are still getting quarantined. The only one that does not (anymore) is: /wp-includes/js/jquery/jquery.js  Yesterday, I restored files, reinstalled WP, backed up and then you went over the settings and made some tweaks. So the only real difference is the WP 361 reinstall.  As per your request, I posted questions to the WordFence people viewable here http://www.wordfence.com/forums/topic/bps-pro-issue-quarantined-files/  Will keep you posted.

    #9935

    AITpro Admin
    Keymaster

    Great!  Yep, this issue is not directly related to BPS Pro, but there could be some kind of a chain reaction going on or my original theory is what is happening – older WordPress Core files are being restored by Wordfence and BPS Pro is then autorestoring those older WP Core files with the WP 3.6.1 files that are in AutoRestore backup.  Thanks.

    #10087

    jan
    Participant

    OK. WordFence is throwing it back in BPS’ court: please see post: https://www.wordfence.com/forums/topic/bps-pro-issue-quarantined-files/#post-11295

    It says: “It sounds like BPS quarantines files that have had their timestamp changed in some way.

    Wordfence only reads files when it scans them, it does not write to files. It sounds like BPS is checking the “last accessed time” and deciding how to quarantine files based on that instead of checking the “last modified time” and using that instead. We don’t modify files we scan so not sure why BPS is misbehaving.”

    #10100

    AITpro Admin
    Keymaster

    Yep, not surprised at all about that – that is the typical response from most plugin authors – not my problem. 😉  I really only wanted you to get some basic information about what Wordfence might be doing.  The plugin author’s answer is vague and not helpful at all.   He guessed completely wrong on what and how BPS Pro AutoRestore/Quarantine does what it does.  This is explained in the AutoRestore/Quarantine Guide here:  http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/  but it would be very unusual for another plugin author to check how another plugin works.  Plus we are competitors (loosely and not directly since the 2 plugins do/utilize completely different security methods – Scanner vs IDPS/Firewalls/etc.) so I would not expect him to try and be helpful in any way.  Ha ha ha.  😉

    Ok I will handle this and if necessary add additional coding to BPS Pro to compensate for whatever is happening here.

    Based on what is stated on the Wordfence plugin description page on the WordPress.org site:

    Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don’t have backups.

    Obviously BPS Pro does this as well with AutoRestore/Quarantine and additionally has the capability to autorestore all website files (WP Core files, free and premium theme and plugin files, additional non-WordPress folder and files that you tell ARQ to monitor – ALL website files) and not just WordPress core files, free theme files and free plugin files. 😉  But does require that you have backed up files in ARQ.

    Based on this statement by Wordfence my theory about Wordfence “repairing” core files is still valid since how the “repair” is most likely being done is copying a file from the WordPress.org Repository to your website and overwriting/replacing your existing website file.  Odd that the Wordfence plugin author would contradict what he is stating his plugin does. 😉 Maybe he misunderstood the question???

    Send me an Admin login to your site so that I can check some more things and dig a little deeper into this issue to confirm exactly where the issue is.  Send that login info to edward {at} ait-pro {dot} com.  Thanks.
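
The posts above disagree on whether the flagged files differ from their backup copies in content or only in timestamps. As an added example (not part of any post, and not BPS Pro or Wordfence code), this Python check classifies each path against a backup copy by SHA-256 and by modification time; the directory layout, function names and sample file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash the file's bytes; reading never changes content or mtime."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def classify(live_root, backup_root, rel_paths):
    """Compare each live file with its backup copy by content, then by mtime."""
    report = {}
    for rel in rel_paths:
        live, backup = Path(live_root, rel), Path(backup_root, rel)
        if not live.is_file() or not backup.is_file():
            report[rel] = "missing"
        elif sha256_of(live) != sha256_of(backup):
            report[rel] = "content-differs"
        elif live.stat().st_mtime_ns != backup.stat().st_mtime_ns:
            report[rel] = "mtime-only"
        else:
            report[rel] = "identical"
    return report

def demo():
    """Build a constructed live/backup pair and classify four paths."""
    root = Path(tempfile.mkdtemp())
    live, backup = root / "live", root / "backup"
    samples = {  # constructed contents, not real WordPress files
        "wp-includes/version.php": b"<?php $wp_version = '3.6.1';\n",
        "wp-includes/theme.php": b"<?php // theme\n",
        "wp-includes/pluggable.php": b"<?php // pluggable\n",
    }
    for rel, data in samples.items():
        for base in (live, backup):
            path = base / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
            os.utime(path, ns=(10**18, 10**18))  # fixed atime and mtime
    # Same bytes rewritten later: only the modification time moves.
    os.utime(live / "wp-includes/theme.php", ns=(10**18, 2 * 10**18))
    # Different bytes, as if a file from another release were put back.
    (live / "wp-includes/version.php").write_bytes(b"<?php $wp_version = '3.6';\n")
    # A read-only pass over a file, which is what a scanner's read does.
    sha256_of(live / "wp-includes/pluggable.php")
    return classify(live, backup, list(samples) + ["wp-includes/class-http.php"])

if __name__ == "__main__":
    for rel, state in sorted(demo().items()):
        print(f"{state:16} {rel}")
```

Run against a real site, `classify()` takes the web root, the backup directory and the list of flagged relative paths; running it shortly before and after the 3 am window shows which of the three states each file moves through.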
