wp-config.php Via MSCAN
- This topic has 7 replies, 2 voices, and was last updated 2 years, 1 month ago by AITpro Admin.
Lex (Participant)
This is the third install and mscan I have done as I migrate over from WordFence. This is the first fatal error I haven’t been able to undo.
I did a new install of a site and after I got everything the way I wanted it, I ran MSCAN to make sure everything is clean so that I can run a backup and proceed. The MSCAN found two suspicious files:
Suspicious File
/home/xxxx/xxxx.org/wp-config.php
Pattern Match: o0
2022-03-21 01:13:00
Suspicious File
/home/xxxx/xxxxx.org/wp-admin/error_log
File Hash: Altered or unknown WP Core file
2022-03-21
So I proceeded to delete the suspicious files because this is what I have been doing with the two previous installs with no problems. However, this time I got the WP configuration screen asking for language choice and database connection. It looked like my site was erased. However, I entered the database name and new password to connect, and this is the message I get:
403 Forbidden Error
If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
IP Address: xxx.x.xxx.xxxx
BPS Pro Plugin 403 Error Page
What did I do wrong here? I just deleted all suspicious files as I did before in the exact same hosting environment.
Any way I can recover my work?
AITpro Admin (Keymaster)
The reason I chose the word “suspicious” instead of “malicious” is that any file that is detected as suspicious should be checked. And definitely checked manually before you delete the file. Your wp-config.php file is critical and should not have been deleted. There could be hacker code in your wp-config.php file. So you would want to check the file contents to confirm that. Without your wp-config.php file your website will not load.
The first and best way to quickly get your site back up is to follow these steps:
Use FTP and rename the /bulletproof-security/ plugin folder to /_bulletproof-security/
Go to the autorestore backup folder here: /wp-content/bps-backup/autorestore/root-files/
Copy the wp-config.php file to your WordPress installation folder.
Your site should be loading normally again.
Login and go to the Plugins page > that will deactivate BPS Pro automatically.
Use FTP and rename the /_bulletproof-security/ plugin folder back to /bulletproof-security/
Go to the BPS Pro Setup Wizard page and run the Pre-Installation Wizard and Setup Wizard.
AITpro Admin (Keymaster)
I will add a safety feature in the next BPS Pro version that will not allow the wp-config.php file to be deleted.
Lex (Participant)
Thank you so much for your help. I was able to get everything working again! A safety feature would be great.
AITpro Admin (Keymaster)
Great! Glad to hear that. I’m curious about what MScan detected as suspicious in the wp-config.php file. Did you check your wp-config.php file contents to see if any suspicious or malicious code is in it? Pattern Match: o0 could match a Salt or DB connection information in a wp-config.php file, which would be a false positive match.
Lex (Participant)
This is what it matched to:
define( 'SECURE_AUTH_SALT', 'wcigccvrnnzkbh86z3fsapphkb8wtyruzo00mgaqq3ld2s6gyzbw54qoosguqoam' );
AITpro Admin (Keymaster)
Yep, it is a false positive match in your Salt string. I will create an exclude rule for that. Thanks for letting me know this. Very much appreciated.
AITpro Admin (Keymaster)
I have added a safety feature that will prevent the wp-config.php file from being deleted. Adding an exclude rule for Salt strings in the wp-config.php file creates an exploitable loophole. So I will not be adding an exclude rule for that. You can either ignore the wp-config.php file from future scans or replace your Salt strings using the help info in the wp-config.php file for how to do that. It’s going to be very rare that MScan pattern matching code matches Salt strings.
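
Added example, not part of the thread and not BPS Pro or MScan code: a small triage helper for the manual check discussed above, which reports whether a pattern hit in wp-config.php lies wholly inside the quoted value of a salt/key define or somewhere that needs reading by hand. It assumes the pattern is a plain substring (MScan's own matching is not shown on this page); `triage`, `SAMPLE` and the sample values are constructed for illustration.

```python
import re

# The eight secret key/salt constants a standard wp-config.php defines.
SALT_NAMES = {"AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"}

# define( 'NAME', 'value' ); where the value holds no quote or backslash, so
# concatenation or escapes inside the argument never count as a plain literal
# (such lines fall back to "review").
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<val>[^'"\\]*)\3\s*\)\s*;""")

# Constructed sample, not taken from the thread.
SAMPLE = """<?php
define( 'DB_NAME', 'wp_demo' );
define( 'SECURE_AUTH_SALT', 'abco0defconstructedvalue' );
define( 'NONCE_SALT', 'plainvalue' ); $o0 = 1;
$io0 = 'not a salt';
"""

def triage(config_text, pattern="o0"):
    """Return (line_no, verdict) for each occurrence of pattern.

    "salt-literal": the hit lies wholly inside the quoted value of a salt/key
    define. "review": anything else, to be read by hand before acting.
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        # Character spans of salt/key values found on this line.
        spans = [m.span("val") for m in DEFINE_RE.finditer(line)
                 if m.group("name") in SALT_NAMES]
        for hit in re.finditer(re.escape(pattern), line):
            inside = any(s <= hit.start() and hit.end() <= e for s, e in spans)
            findings.append((line_no, "salt-literal" if inside else "review"))
    return findings

if __name__ == "__main__":
    for line_no, verdict in triage(SAMPLE):
        print(f"line {line_no}: {verdict}")
```

The fourth sample line shows why the verdict is tied to the literal's character span and not to the line: a hit that shares a line with a salt define is still sent to review.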