• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • Our UX team believes in the in the power of direct feedback and would like to invite you to participate in interviews, tests, and surveys.
    To stay in the loop and never miss an opportunity to share your thoughts, please subscribe to our UX research program. If you were previously part of the Plesk UX research program, please re-subscribe to continue receiving our invitations.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

How can I disable wordfence database

A

adax2000

New Pleskian
Server operating system version
ubuntu 18.04.6
Plesk version and microupdate number
18.0.59
With today's update wordpress toolkit started pulling "vulnerabilites" from wordfence. Some of those will not be fixed any time soon, for example complaint that wordpress uses md5 to hash passwords. So now on all of the installations I have red exclamation mark and cannot tell which installation really needs some attention. I'm wondering if you know the way to disable wordfence database altogether. I can see that there is some filter via CVSS, but wordfence assigned quite high CVSS (5.9) to that md5. And I would like to know about all the vulerabilites that there is something I can do about them, and not about the ones there's nothing i can do about.
 
+1....

All of our customers are getting bombarded with vulnerabilities that have existed since 2012..
 

Attachments

  • Scherm­afbeelding 2024-03-28 om 11.46.56.png
    Scherm­afbeelding 2024-03-28 om 11.46.56.png
    188.9 KB · Views: 8
  • Scherm­afbeelding 2024-03-28 om 11.47.00.png
    Scherm­afbeelding 2024-03-28 om 11.47.00.png
    154.1 KB · Views: 8
For now:
Code: 
plesk bin notification -u -code ext-wp-toolkit-notification-client_vulnerability_found -send2admin false -send2reseller false -send2client false
 
Hey guys,

Yeah, that's not ideal... on one hand, this is what Wordfence reports, and it's sort of true. On the other hand, it's not like we can (or should) do something about it.

Anyway, we've brainstormed this issue earlier today and came up with a pretty good way to address it. I can't give you exact dates, but we're already working on the solution, so I'd expect it to arrive soon.
 
I not only get messages that are "and it's sort of true", but also those that have already been deleted as false on other services. (unfortunately in German: Alexander Heimbuch (@[email protected]))

Together with these strange, ancient messages, this puts Wordfence in a very bad light.

Can we please have a switch to disable Wordfence completely?
 
Seriously no one saw this in testing?? The toolkit is supposed to help us manage problems and now we are seeing all these vulnerabilities even though plugins have been update long time since those vulnerabilities were found. The versions are old. Even if we update the plugins or even delete them the vulnerability messages don't go away. The stupid wp-toolkit clear cache does absolutely nothing. This should not have been implemented in the first place like that. I really can't stress out how no one stopped this.

We are paying a good amount of money to have easier administration and not waste any time but with this we can't even clear out which plugins actually have a problem since we have to check each one's version to see if this stupid stupid false positive has any value. You are wasting our time.

It's so f..... frustrating and even the update didn't fix this already.
 
Hope this issue gets fixed, seems the WordFence database is not up-to-date as the PatchStack one: Wordfence seems to copy vulnerabilities list from PatchStack but forgets to update their version when PatchStacks sets the bug as resolved.
 
Update time!

So, remember the vulnerability filtering feature introduced in WPT 6.3? We've already redesigned it, replacing CVSS with our own internal Risk Rank that's calculated based on CVSS, EPSS, Patchstack Patch Priority and some other markers. Our risk rank does a much better job at reflecting the actual severity of vulnerabilities. CVSS is a good thing, but it's difficult to understand for non-tech users and, without going into details, it's not always accurately reflecting the actual severity of WordPress-specific vulnerabilities.

Anyway, vulnerability filtering will be switched from CVSS to risk rank in the next WPT release, and we plan to enable this filtering by default, meaning that all vulnerabilities with "low" risk rank will be hidden and ignored by default. We've checked and confirmed that all these "annoying low-score, won't be fixed" WordPress core vulnerabilities reported by Wordfence will be filtered out when using our new risk rank, so unless end-users explicitly disable the filtering, it should be smooth sailing with no distractions from that moment on.

This solution gives a better out-of-the-box experience (no more warnings that your WordPress is vulnerable on a fresh install), doesn't annoy users, retains the value of Wordfence database where it's actually needed (there are some genuine vulnerabilities only present in the Wordfence database at the moment), and leaves the control in the hands of users.

When this change will go live? I don't have an exact date (it depends on a certain other thing), but quite possibly sometime around next week...
 
custer said:
... meaning that all vulnerabilities with "low" risk rank will be hidden and ignored by default. We've checked and confirmed that all these "annoying low-score, won't be fixed" WordPress core vulnerabilities reported by Wordfence will be filtered out when using our new risk rank, so unless end-users explicitly disable the filtering, it should be smooth sailing with no distractions from that moment on.
Click to expand...
But what about mistakes in the Wordfence database? I posted in another thread about high-ranking vulnerabilities in the WordPress theme Ultra, which were fixed since v7.3.6 but Wordfence didn't update that these were fixed.
 
frogx said:
Oh no, with the update to 6.6.0 those pointless warnings are back. What happened to the fix?
Click to expand...

Apparently there was a mistake in the Wordfence database that was fixed quickly. I'm thinking we need to introduce the ability to ignore certain vulnerabilities to avoid these issues.
 
maestroit said:
But what about mistakes in the Wordfence database? I posted in another thread about high-ranking vulnerabilities in the WordPress theme Ultra, which were fixed since v7.3.6 but Wordfence didn't update that these were fixed.
Click to expand...

We're checking both vulnerability databases on a weekly basis and we report issues to both Patchstack and Wordfence whenever we find them. Your reports on the forum are also forwarded to the respective database vendors.
 
You must log in or register to reply here.

Similar threads

G
Question WP installs are quarantined daily.
Replies
4
Views
2K
Bobbbb
B
C
Can I stop Plesk creating tickets to Cloudlinux
Replies
11
Views
2K
Change Maker
C
carini
Question How can I disable/forbid certain plug-ins in WordPress
Replies
1
Views
482
Maarten
M
S
Issue No database servers
Replies
8
Views
2K
Stettin
S
B
Issue High latency, unreliable performance & 522 errors on a Plesk server that ran fine for 6+ months
Replies
8
Views
1K
HHawk
HHawk
Back
Top