WP Toolkit and wordfence-waf.php, can't fix permissions

[CoyoteKG]

Hi,

I installed on all sites Worfence plugin.
Just on few sites I set Optimized Firewall. That includes adding
auto_prepend_file = '/var/www/vhosts/*******/httpdocs/wordfence-waf.php' in php.ini, and also it create file wordfence-waf.php in root of site.
Site works perfectly, but when I check security with WP Toolkit, I have problem with "Permissions for files and directories". When I try to secure it, nothing happens. That option is still red, and unsecured.

I set on wordfence-waf.php file permissions to 644, but nothing better.

Why WP Toolkit marked that Permissions for files and directories are not secured when this file exist in root of site?

 

[mr-wolf]

I have this problem with several sites too.
I never linked this with wordfence-waf.php, so I just checked some sites.

Some sites have this problem, but I'm now looking at a Wordfence protected site that has everything secured....
So it may be something completely different that's causing it.

Still I would like to know why some sites can't be secured. The WP Toolkit is not very helpful in telling us why...

 

[IgorG]

As for the conflict between security check in Wordpress Toolkit and Wordfence plugin, developers confirmed this behavior as a bug, its internal ID is EXTWPTOOLK-1103. Thank you for bringing this to our attention.
Until a fix becomes available, the only way to get rid of the red exclamation mark in Security checker is disabling Wordfence plugin. Or just ignore the security checker report.

 

[TomBoB]

Hi,

The issue between Wordfence and the Toolkit security check seem to still exist.

When checking for file permissions other than 644 - recommended by Plesk and set by the toolkit security check I get:

$ find /var/www/vhosts/xyz.com -mindepth 2 -type f -not -perm 0644
/var/www/vhosts/xyz.com/httpdocs/wp-content/wflogs/ips.php
/var/www/vhosts/xyz.com/httpdocs/wp-content/wflogs/config.php
/var/www/vhosts/xyz.com/httpdocs/wp-content/wflogs/attack-data.php
/var/www/vhosts/xyz.com/httpdocs/wp-content/wflogs/rules.php
/var/www/vhosts/xyz.com/httpdocs/wp-config.php
/var/www/vhosts/xyz.com/logs/access_log.webstat
/var/www/vhosts/xyz.com/logs/access_ssl_log.webstat

When testing further, we find that the files in the /wflogs folder are automatically being reset to 660 / 664 by Wordfence.

EDIT: Just found this on wordpress.org . They are also aware. Lets hope for solution soon

Cheers,
Tom

 

[TomBoB]

As for the conflict between security check in Wordpress Toolkit and Wordfence plugin, developers confirmed this behavior as a bug, its internal ID is EXTWPTOOLK-1103. Thank you for bringing this to our attention.
Until a fix becomes available, the only way to get rid of the red exclamation mark in Security checker is disabling Wordfence plugin. Or just ignore the security checker report.

In the latest changelog from April 19 2018 it is claimed that bug EXTWPTOOLK-1103 is repaired.
Maybe there is a mistake with the bug trackers number.
The permissions clash between Worpress Toolkits security check and the Wordfence plugin still exists on Plesk Onyx 17.8#5 with latest WP toolkit.

 

[zanuda]

This bug was fixed in the following way:
WPToolkit detects files and folders with permissions 755/644 and more strict (754, 753, 752, 751, 750, 643, 642, 641, 640) as secured and does not require any additional actions. (Before this fix WPToolkit detected more strict permissioms than 755/644 as insecure)
But we've found that Wordfence plugin (and maybe some others) resets permissions for some files/folders on its own to 660, 664. WPToolkit detects this as insecure.
It looks like we need some an additional time to decide how to deal with such situations

 

[Brujo]

WPToolkit detects files and folders with permissions 755/644 and more strict (754, 753, 752, 751, 750, 643, 642, 641, 640) as secured and does not require any additional actions.

@zanuda - well I just created a test.php in the wordpress instance and tested with permission between 640 - 643 and all get recognized as unsecure in wordpress toolkit

 

[Aleksey Filatev]

@zanuda - well I just created a test.php in the wordpress instance and tested with permission between 640 - 643 and all get recognized as unsecure in wordpress toolkit

Thank you for investigation! We will definitely check this case as soon as we can to confirm a bug.

 

[zanuda]

Oh! My bad. I was wrongly informed about security policy of WP Toolkit.
I've just checked sources and see that we currently check files by the mask 644 and directories by the masks: 755, 754, 753, 752, 751, 750
It looks like that permisions 643, 642, 641 and variations like 634... are not realy secure. So we need to do not detect permisions like 644, 600, 640, 604 as Unsecured for files.
Also permisions like 755, 754, 753, 752, 751, 750, 745, 735, 725, 715, 705 and other variations of such a set of permissions for directories shouldn't be detected as Unsecured.
I've created bug: EXTWPTOOLK-1576. I hope we will finally fix this in one of the nearest releases