How can I disable wordfence database

[adax2000]

Server operating system version

ubuntu 18.04.6

Plesk version and microupdate number

18.0.59

With today's update wordpress toolkit started pulling "vulnerabilites" from wordfence. Some of those will not be fixed any time soon, for example complaint that wordpress uses md5 to hash passwords. So now on all of the installations I have red exclamation mark and cannot tell which installation really needs some attention. I'm wondering if you know the way to disable wordfence database altogether. I can see that there is some filter via CVSS, but wordfence assigned quite high CVSS (5.9) to that md5. And I would like to know about all the vulerabilites that there is something I can do about them, and not about the ones there's nothing i can do about.

 

[Mark_NLD]

+1....

All of our customers are getting bombarded with vulnerabilities that have existed since 2012..

 

[Mark_NLD]

For now:

plesk bin notification -u -code ext-wp-toolkit-notification-client_vulnerability_found -send2admin false -send2reseller false -send2client false

 

[custer]

Hey guys,

Yeah, that's not ideal... on one hand, this is what Wordfence reports, and it's sort of true. On the other hand, it's not like we can (or should) do something about it.

Anyway, we've brainstormed this issue earlier today and came up with a pretty good way to address it. I can't give you exact dates, but we're already working on the solution, so I'd expect it to arrive soon.

 

[frogx]

I not only get messages that are "and it's sort of true", but also those that have already been deleted as false on other services. (unfortunately in German: Alexander Heimbuch (@[email protected]))

Together with these strange, ancient messages, this puts Wordfence in a very bad light.

Can we please have a switch to disable Wordfence completely?

 

[Tiria]

Hope it will be updated soon, it's just annoying to have several "false positive" security vulnerabilities on all wordpress installations

 

[Mark_NLD]

@custer unfortunately the solution you are working on did not make it into Plesk Obsidian 18.0.60. Any update on the matter?

 

[Panagiotis]

Seriously no one saw this in testing?? The toolkit is supposed to help us manage problems and now we are seeing all these vulnerabilities even though plugins have been update long time since those vulnerabilities were found. The versions are old. Even if we update the plugins or even delete them the vulnerability messages don't go away. The stupid wp-toolkit clear cache does absolutely nothing. This should not have been implemented in the first place like that. I really can't stress out how no one stopped this.

We are paying a good amount of money to have easier administration and not waste any time but with this we can't even clear out which plugins actually have a problem since we have to check each one's version to see if this stupid stupid false positive has any value. You are wasting our time.

It's so f..... frustrating and even the update didn't fix this already.

 

[maestroit]

Hope this issue gets fixed, seems the WordFence database is not up-to-date as the PatchStack one: Wordfence seems to copy vulnerabilities list from PatchStack but forgets to update their version when PatchStacks sets the bug as resolved.

 

[custer]

Update time!

So, remember the vulnerability filtering feature introduced in WPT 6.3? We've already redesigned it, replacing CVSS with our own internal Risk Rank that's calculated based on CVSS, EPSS, Patchstack Patch Priority and some other markers. Our risk rank does a much better job at reflecting the actual severity of vulnerabilities. CVSS is a good thing, but it's difficult to understand for non-tech users and, without going into details, it's not always accurately reflecting the actual severity of WordPress-specific vulnerabilities.

Anyway, vulnerability filtering will be switched from CVSS to risk rank in the next WPT release, and we plan to enable this filtering by default, meaning that all vulnerabilities with "low" risk rank will be hidden and ignored by default. We've checked and confirmed that all these "annoying low-score, won't be fixed" WordPress core vulnerabilities reported by Wordfence will be filtered out when using our new risk rank, so unless end-users explicitly disable the filtering, it should be smooth sailing with no distractions from that moment on.

This solution gives a better out-of-the-box experience (no more warnings that your WordPress is vulnerable on a fresh install), doesn't annoy users, retains the value of Wordfence database where it's actually needed (there are some genuine vulnerabilities only present in the Wordfence database at the moment), and leaves the control in the hands of users.

When this change will go live? I don't have an exact date (it depends on a certain other thing), but quite possibly sometime around next week...

 

[maestroit]

... meaning that all vulnerabilities with "low" risk rank will be hidden and ignored by default. We've checked and confirmed that all these "annoying low-score, won't be fixed" WordPress core vulnerabilities reported by Wordfence will be filtered out when using our new risk rank, so unless end-users explicitly disable the filtering, it should be smooth sailing with no distractions from that moment on.

But what about mistakes in the Wordfence database? I posted in another thread about high-ranking vulnerabilities in the WordPress theme Ultra, which were fixed since v7.3.6 but Wordfence didn't update that these were fixed.

 

[Mark_NLD]

Great stuff @custer !