• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

How can I disable wordfence database

A

adax2000

New Pleskian
Server operating system version
ubuntu 18.04.6
Plesk version and microupdate number
18.0.59
With today's update wordpress toolkit started pulling "vulnerabilites" from wordfence. Some of those will not be fixed any time soon, for example complaint that wordpress uses md5 to hash passwords. So now on all of the installations I have red exclamation mark and cannot tell which installation really needs some attention. I'm wondering if you know the way to disable wordfence database altogether. I can see that there is some filter via CVSS, but wordfence assigned quite high CVSS (5.9) to that md5. And I would like to know about all the vulerabilites that there is something I can do about them, and not about the ones there's nothing i can do about.
 
+1....

All of our customers are getting bombarded with vulnerabilities that have existed since 2012..
 

Attachments

  • Scherm­afbeelding 2024-03-28 om 11.46.56.png
    Scherm­afbeelding 2024-03-28 om 11.46.56.png
    188.9 KB · Views: 8
  • Scherm­afbeelding 2024-03-28 om 11.47.00.png
    Scherm­afbeelding 2024-03-28 om 11.47.00.png
    154.1 KB · Views: 8
For now:
Code: 
plesk bin notification -u -code ext-wp-toolkit-notification-client_vulnerability_found -send2admin false -send2reseller false -send2client false
 
Hey guys,

Yeah, that's not ideal... on one hand, this is what Wordfence reports, and it's sort of true. On the other hand, it's not like we can (or should) do something about it.

Anyway, we've brainstormed this issue earlier today and came up with a pretty good way to address it. I can't give you exact dates, but we're already working on the solution, so I'd expect it to arrive soon.
 
I not only get messages that are "and it's sort of true", but also those that have already been deleted as false on other services. (unfortunately in German: Alexander Heimbuch (@[email protected]))

Together with these strange, ancient messages, this puts Wordfence in a very bad light.

Can we please have a switch to disable Wordfence completely?
 
Seriously no one saw this in testing?? The toolkit is supposed to help us manage problems and now we are seeing all these vulnerabilities even though plugins have been update long time since those vulnerabilities were found. The versions are old. Even if we update the plugins or even delete them the vulnerability messages don't go away. The stupid wp-toolkit clear cache does absolutely nothing. This should not have been implemented in the first place like that. I really can't stress out how no one stopped this.

We are paying a good amount of money to have easier administration and not waste any time but with this we can't even clear out which plugins actually have a problem since we have to check each one's version to see if this stupid stupid false positive has any value. You are wasting our time.

It's so f..... frustrating and even the update didn't fix this already.
 
Hope this issue gets fixed, seems the WordFence database is not up-to-date as the PatchStack one: Wordfence seems to copy vulnerabilities list from PatchStack but forgets to update their version when PatchStacks sets the bug as resolved.
 
Update time!

So, remember the vulnerability filtering feature introduced in WPT 6.3? We've already redesigned it, replacing CVSS with our own internal Risk Rank that's calculated based on CVSS, EPSS, Patchstack Patch Priority and some other markers. Our risk rank does a much better job at reflecting the actual severity of vulnerabilities. CVSS is a good thing, but it's difficult to understand for non-tech users and, without going into details, it's not always accurately reflecting the actual severity of WordPress-specific vulnerabilities.

Anyway, vulnerability filtering will be switched from CVSS to risk rank in the next WPT release, and we plan to enable this filtering by default, meaning that all vulnerabilities with "low" risk rank will be hidden and ignored by default. We've checked and confirmed that all these "annoying low-score, won't be fixed" WordPress core vulnerabilities reported by Wordfence will be filtered out when using our new risk rank, so unless end-users explicitly disable the filtering, it should be smooth sailing with no distractions from that moment on.

This solution gives a better out-of-the-box experience (no more warnings that your WordPress is vulnerable on a fresh install), doesn't annoy users, retains the value of Wordfence database where it's actually needed (there are some genuine vulnerabilities only present in the Wordfence database at the moment), and leaves the control in the hands of users.

When this change will go live? I don't have an exact date (it depends on a certain other thing), but quite possibly sometime around next week...
 
custer said:
... meaning that all vulnerabilities with "low" risk rank will be hidden and ignored by default. We've checked and confirmed that all these "annoying low-score, won't be fixed" WordPress core vulnerabilities reported by Wordfence will be filtered out when using our new risk rank, so unless end-users explicitly disable the filtering, it should be smooth sailing with no distractions from that moment on.
Click to expand...
But what about mistakes in the Wordfence database? I posted in another thread about high-ranking vulnerabilities in the WordPress theme Ultra, which were fixed since v7.3.6 but Wordfence didn't update that these were fixed.
 
frogx said:
Oh no, with the update to 6.6.0 those pointless warnings are back. What happened to the fix?
Click to expand...

Apparently there was a mistake in the Wordfence database that was fixed quickly. I'm thinking we need to introduce the ability to ignore certain vulnerabilities to avoid these issues.
 
maestroit said:
But what about mistakes in the Wordfence database? I posted in another thread about high-ranking vulnerabilities in the WordPress theme Ultra, which were fixed since v7.3.6 but Wordfence didn't update that these were fixed.
Click to expand...

We're checking both vulnerability databases on a weekly basis and we report issues to both Patchstack and Wordfence whenever we find them. Your reports on the forum are also forwarded to the respective database vendors.
 
You must log in or register to reply here.

Similar threads

T
Resolved WordPress Toolkit Reporting Incorrect Risk Levels Again
Replies
5
Views
1K
Sebahat.hadzhi
Sebahat.hadzhi
G
Question WP installs are quarantined daily.
Replies
4
Views
2K
Bobbbb
B
C
Can I stop Plesk creating tickets to Cloudlinux
Replies
11
Views
2K
Change Maker
C
carini
Question How can I disable/forbid certain plug-ins in WordPress
Replies
1
Views
528
Maarten
M
S
Issue No database servers
Replies
8
Views
2K
Stettin
S
Back
Top