wp-includes WordPress files quarantined

[jan]

Almost 30 years in software dev periphery, i had to laugh when i read that.

His email suggested: “… Have you considered changing the permissions on those files to be “read-only” to the user that the web server runs as. That will ensure they can’t be modified by any plugin unless you change the permissions back. It does make it slightly harder to upgrade your WordPress installation though. ”

i posted an update there too: https://www.wordfence.com/forums/topic/bps-pro-issue-quarantined-files/ sent you admin credentials again too. thanks so much. i really, really appreciate all this.

[AITpro Admin]

Hmm yeah the only time you should have to mess with file or folder Ownership is if you have a DSO VPS or Dedicated Server/Hosting.  Wierd reply from him?  Yep, got the login info.  I was a little backlogged and am now caught up again.  Will be logging in in about 10 minutes.  Thanks.

[AITpro Admin]

And I think if you did something like that on a CGI suPHP Server you would be really screwed.  LOL

[AITpro Admin]

Ok I am logged out of your site now.  Please change the temporary Admin account you created for me from Administrator to Subscriber.

I do not think Wordfence is involved, but I could be wrong.  I believe this could be coming from your Host or an external Cron job.  I did find some anomalies that could actually be part of the problem.  First let me get all the troubleshooting facts on the page and then I will do a final summary.

These are the only scheduled crons on this site that are around the time the files are being sent to quarantine, which is between 3:08 AM and 3:25 AM
Sep 25, 2013 @ 3:55 AM Once Daily wp_scheduled_delete
Sep 25, 2013 @ 6:06 AM Once Daily bpsPro_update_check
Sep 25, 2013 @ 7:39 AM Once Daily wordfence_daily_cron

The files that are in Quarantine, in bps-backup and your actual website files are all WP 3.6.1 files.  The content of the files appears to be exactly the same.  Only the Last Modified times of the files are different, which does not come into play with BPS Pro ARQ since ARQ does not check by Last Modified file times and checks by file size.

Files were sent to quarantine between this time period:

Note:  It is odd and significant that all of the files are not being quarantined at the same time and are being quarantined over a time period of 17 minutes.  All of these files should have been sent to quarantine at the exact same time.  Logically for files to be quarantined over a period of 17 minutes and in groups of files would mean that the files were replaced at different times and then ARQ quarantined each of those files as they were changed.  That does not explain why the file sizes are the same, yet the files were still quarantined.

first file quarantined
2013-09-22 03:08:48

last file quarantined
2013-09-20 03:25:04

This is the anomaly:  The Total Backup files for wp-admin and wp-content were different.  This is probably simply because some files no longer exist under your actual website files, but still existed in bps backup.  This has been known to cause some minor issues.  So what I did was to click all the Delete Backup Files buttons for all folders and then create new backup files by clicking the Backup Files buttons.

Root Files
Backup: Sep 17 2013 21:48:34
Total Backup Files: 21

wp-admin Files
Backup: Sep 17 2013 21:48:46
Total Backup Files: 366

wp-includes Files
Backup: Sep 17 2013 21:48:56
Total Backup Files: 566

wp-content Files
Backup: Sep 17 2013 21:49:33
Total Backup Files: 115

New backup files by clicking the Backup Files buttons
Root Files
Backup: Sep 24 2013 17:44:55
Total Backup Files: 21

wp-admin Files
Backup: Sep 24 2013 17:45:04
Total Backup Files: 362

wp-includes Files
Backup: Sep 24 2013 17:45:16
Total Backup Files: 566

wp-content Files
Backup: Sep 24 2013 17:45:31
Total Backup Files: 114

Summary:
Ok here is what I want you to do.  Check with your Host and ask them if they have something automated to run at 3AM every night.  This could be a scanner of some sort or some other file integrity check.  Also check for any external Cron jobs setup in your Host Control Panel.  It is possible that by deleting and backing up AutoRestore backup files then this problem might not occur again so wait until tomorrow to check with your Host.  Please post back here tomorrow on the status of this issue.  Either the same problem will occur again or the problem will no longer be occurring.  Thanks.

[jan]

The issue went away this AM. I did not check with the host about other chron jobs running as the issue seems to have gone away. It is weird that the count difference in the folders you mentioned accounts for only 6 files whereas 9 were getting quarantined. Furthermore, I believe that total was 10 until i reinstalled (jquery got skipped).

So back when, 9/17, i did re-back up everything (as you suggested) but did not purge the backed up files first. And I think what may have set this process in motion is the fact that i disabled your plugin before upgrading the first time. I wonder if in the end, that accounted for this mess. If so, i sincerely apologize. Am mentioning it here again just in case there is something you can change to your plugin to prevent this occurring with other (knucklehead) users.
– – –
All i can say, as i did in my 5-star rating, is WOW. Your plugin is not for the faintest of hearts because of its power but your support is unmatched by any plugin i have ever had dealings with. I will start rolling the premium version out to other customers starting tmw. Thank you so much for getting to the bottom of this.

[AITpro Admin]

Great!  Thanks for confirming everything is ok.

We will be adding additional checking conditions to AutoRestore so that his type of issue/problem will be detected immediately and an alert will be displayed that AutoRestore needs to be turned Off, backup files need to be deleted, files need to be backed up again and AutoRestore turned back on again.

[jan]

FYI. this i sstill happening with new files i manually FTP’d to the server. Here is the process i followed:

1. i turned off ARQ
2. i ftp’d and uploaded these files
3. i clicked all 4 backup buttons
4. turned on ARQ again.

now it keeps restoring all these files. So as per your prev solution post, i need to delete all my backups before i back them up again? will let you know if i run into this issue again (after tmw 3 am)

[log entries removed for privacy]

[AITpro Admin]

Normally no you would not have to delete your files in backup.  There must be another factor involved here that is not obvious.  Instead of clicking the 4 backup files buttons use the Setup Wizard instead.  Click the Pre-installation Wizard button and then click the Setup Wizard button.

[jan]

after the last upgrade of WP and various plugins, this is happening again. 2nd day of 150 emails about quarantined files; seems all are twentythirteen theme related (not the other updates althouygh i did not go back and scour the logs for yesterday’s errors). I turned arq off, backed up all 4, then reactivated. But i guess i need to turn arq off > restore all files > delete all 4 backups > back up all 4 > turn arq back on…

[AITpro Admin]

Was the WP upgrade an automatic update or a manual update?  How were the plugins installed?  Automatic plugin updates?  Manual plugin updates?

[jan]

all through WP admin. One by one.

[AITpro Admin]

You can restore files from Quarantine using the Restore File checkboxes and do not need to turn Off ARQ or do anything else.  When you restore files from Quarantine the file in Quarantine is copied back to the original location and another copy of the file in Quarantine is copied to AutoRestore backup so that the files match.

[AITpro Admin]

Where in WP admin?  On the Plugins page by clicking the update now link?  On the WordPress Updates page by selecting the checkboxes?  Also is this the same website with the strange 3am Cron issue?

[jan]

Not sure if i used the check box or update now button for the 2013 theme upgrade. Sorry.  Yes, this is the onthec…hai.org one. just noticed that the /wp-admin page comes up blank. i wondered about all the restoration of files after the db was updated and possible issues. i guess i have to reinstall WP now. What a pain.

[AITpro Admin]

Do you have BPS Pro 7.8 installed?  Did you see these displayed messages in the link below?
http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/#automation

FTP to your website and rename the plugins folder.  Can you login to your site now?

[Author]

Posts