CometCache and Wordfence? Might have an issue with them

Hi guys!

I wonder if you can help me.

On my site I run S2Member.

Until last Saturday, I was running a caching plugin alongside it, called WP Rocket.

WP Rocket is incompatible with S2 Member Pro Forms now - so I uninstalled it properly and swapped it out for Comet Cache.

All seems to work great - but since installation, I’ve noticed something strange happening to WordFence.

The first thing I noticed was that my scheduled WF security scan timed out after hitting the 3 hour max runtime.

I presumed this was down to CometCache caching 20,000 files to disk - and WF having to trawl those.

I thus excluded wp-content/cache from being scanned. The run time dropped to 1 hour and 33 minutes and all is good.

HOWEVER… I run a dedicated server, and since installing CometCache I have been receiving warning emails from my CPanel like this one below (152 of them so far).

Subject: lfd on mysite.com: Suspicious process running under user mysite
Date: Tue, 21 Feb 2017 14:48:29 +0000

Time: Tue Feb 21 14:48:29 2017 +0000
PID: 12854 (Parent PID:12163)
Account: mysite
Uptime: 162 seconds

Executable:

/opt/cpanel/ea-php56/root/usr/bin/php-cgi

Command Line (often faked in exploits):

/opt/cpanel/ea-php56/root/usr/bin/php-cgi

Network connections by the process (if any):

tcp: 213.32.86.29:52450 -> 213.32.86.29:443

Files open by the process (if any):

/var/cpanel/locale/en.cdb.15857 (deleted)
/tmp/.ZendSem.5QFMe1 (deleted)
/dev/urandom
/home/mysite/public_html/wp-content/wflogs/ips.php
/home/mysite/public_html/wp-content/wflogs/config.tmp.7S6RE6 (deleted)
/home/mysite/public_html/wp-content/wflogs/attack-data.php
/etc/pki/nssdb/cert9.db
/etc/pki/nssdb/key4.db

Have you guys any idea what is causing these emails - I see WF noted many times - and it seems these scripts mentioned are taking way longer than normal to run.

It MUST be a cause of running WF and CC together, as this literally began THE MINUTE CC was installed.

I can see the timestamp of the first email, and it was minutes after installing CC - so something is conflicting somewhere.

Let me know your thoughts.

Thanks so much for your time.

Ross :slight_smile:

@rossagrant: Ross, what is it that you use Wordfence for? I absolutely hate it and won’t run it on any of my sites, so I’m curious.

Hey @rossagrant,

I’ve run Comet Cache Pro + Wordfence on a cPanel-based site (which is also running the lfd firewall) and I did not see that behavior.

The only “process” that Comet Cache might be responsible for would be the Auto-Cache Engine, which kicks off a process to pre-cache the site every 15 minutes. If you’re not running the Auto-Cache Engine, then I’m afraid I’m out of ideas.

I have seen the lfd firewall, especially the “Suspicious process” monitoring, report false-positives in the past on my own servers and I’ve even had to whitelist certain commands so that I don’t keep getting those alerts. In your case, I suggest trying to dig in a bit more and see if you can figure out exactly what is generating that alert. Judging by the “Files open by the process” list, it looks to me like the only WordPress-related paths are ones for Wordfence.

Looking at the timestamps of the alerts, they are every 15 minutes - it looks like it is autocache running that is being picked up by WF.

My site is pretty big with a couple of thousand posts, so I see CC stats up at 20,000 files cached sometimes.

I wonder if WF is picking up the autocache stuff as some kind of attack?

Any ideas?

That’s one of the main reasons why I hate Wordfence: false positives all over the place!

I’ve got a feeling it’s maybe not a false positive - but rather WF processes being slowed down so much by the CC autocache every 15 minutes, that it’s taking much longer runtimes to run WF processes whilst CC is also running.

I kinda like WF - it’s without a doubt the most popular security plugin for WP, and has some great features - but with the firewall constantly running, I guess the autocache from CC is causing some slow down perhaps?

What do you think @raamdev?

My site is pretty large, so has lots of files to cache. Could it be this causing the longer runtime on the WF processes?

Figured this out guys!

Will write up a full report soon. @raamdev - you’ll want to include what I’ve found in some docs - it will be useful for other CC users.

Will be back soon! :slight_smile:

Okay @raamdev - here’s what’s going on with Wordfence and CometCache.

Cometcache is running its autocache script every 15 minutes to cache pages - crawling one page every 500 milliseconds by default.

I run a large and active site, so the cache is being reset multiple times a day, as new posts and pages are being created.

This means each time AC runs, it’s hitting pretty big numbers in terms of page crawls.

Wordfence sees these page crawls as live traffic and starts throwing these ‘visits’ into the live traffic log - which runs and runs whilst AC is operational.

This is causing lengthy runtimes of WF logging scripts and triggering CPanel to throw the suspicious process emails EVERY 15 minutes.

There is a very simple fix for this, which ALL WF users should implement if running CC and AC together.

Go into the general ‘options’ of WF and scroll to the ‘Live Traffic’ section.

You’ll see an option labelled ‘List of comma separated IP addresses to ignore’.

Paste your SERVER’S IP address(es) into that field and save changes.

Next, we want to purge that MASSIVE WF live traffic log, which has been created by the previous crawls.

Edit the ‘Amount of Live Traffic data to store (number of rows)’ option to 100 and save changes.

This will set up a cron to clear that log the next time it runs and reduce its entries to just 100 (the default is 2000 rows).

AC can then continue to run, without creating huge logs each time - with all visits from your own server being ignored by WF.

Hope this helps anyone else experiencing the same issue.

Ross :slight_smile:
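A small diagnosis helper for the situation Ross describes, added here as an example and not part of the thread, of Comet Cache or of Wordfence: it reads web-server access-log lines (a constructed sample, with 203.0.113.10 standing in for the server’s own public IP and 198.51.100.7 for an ordinary visitor) and flags the server’s own addresses that are fetching many distinct pages at a high rate, which is what the Auto-Cache Engine crawl looks like from Wordfence’s Live Traffic point of view, then formats those IPs for the ‘comma separated IP addresses to ignore’ field.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log line: client IP, [timestamp], "METHOD path HTTP/x".
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|HEAD) (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample, not taken from the thread. 203.0.113.10 is a placeholder for the
# server's own public IP (the auto-cache crawler); 198.51.100.7 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Feb/2017:14:45:00 +0000] "GET /post-1/ HTTP/1.1" 200 5120 "-" "constructed"
203.0.113.10 - - [21/Feb/2017:14:45:00 +0000] "GET /post-2/ HTTP/1.1" 200 4988 "-" "constructed"
203.0.113.10 - - [21/Feb/2017:14:45:01 +0000] "GET /post-3/ HTTP/1.1" 200 5011 "-" "constructed"
203.0.113.10 - - [21/Feb/2017:14:45:01 +0000] "GET /post-4/ HTTP/1.1" 200 4870 "-" "constructed"
203.0.113.10 - - [21/Feb/2017:14:45:02 +0000] "GET /post-5/ HTTP/1.1" 200 5200 "-" "constructed"
203.0.113.10 - - [21/Feb/2017:14:45:02 +0000] "GET /post-6/ HTTP/1.1" 200 4950 "-" "constructed"
198.51.100.7 - - [21/Feb/2017:14:45:01 +0000] "GET /post-1/ HTTP/1.1" 200 5120 "-" "constructed"
198.51.100.7 - - [21/Feb/2017:14:46:30 +0000] "GET /about/ HTTP/1.1" 200 3100 "-" "constructed"
"""


def summarize_by_ip(log_text):
    """Per client IP: request count, distinct paths and requests/second over its active span."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m["ip"]].append((datetime.strptime(m["ts"], TS_FMT), m["path"]))
    summary = {}
    for ip, rows in hits.items():
        times = sorted(t for t, _ in rows)
        # Log timestamps have 1 s resolution; floor the span at 1 s to avoid dividing by zero.
        span = max((times[-1] - times[0]).total_seconds(), 1.0)
        summary[ip] = {"requests": len(rows), "paths": len({p for _, p in rows}), "rate": len(rows) / span}
    return summary


def self_crawl_ips(log_text, server_ips, min_rate=1.0, min_paths=3):
    """Server-owned IPs fetching many distinct pages quickly: the auto-cache crawl signature
    (the thread states one page every 500 ms, i.e. about 2 requests/second)."""
    return sorted(ip for ip, s in summarize_by_ip(log_text).items()
                  if ip in server_ips and s["rate"] >= min_rate and s["paths"] >= min_paths)


def wordfence_ignore_list(ips):
    """Value for Wordfence Live Traffic's 'List of comma separated IP addresses to ignore'."""
    return ", ".join(sorted(ips))


if __name__ == "__main__":
    servers = {"203.0.113.10"}
    print("self-crawl IPs:", self_crawl_ips(SAMPLE_LOG, servers))
    print("ignore list:", wordfence_ignore_list(servers))
```

Run it against a real access log only after confirming that the flagged addresses really are the server’s own; anything else hitting pages at that rate is not the cache crawler and should stay visible in Live Traffic.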

Popularity does not mean quality, just that they are good at marketing. Wordfence apparently don’t know the difference, for example, between a brute force attack and a dictionary attack (or they are just happy to confuse users).

If you want a company that really knows about WP security, try White Fir Design. Here’s a post from the latter about a recent episode of Wordfence incompetence: https://www.whitefirdesign.com/blog/2016/12/22/wordfence-and-security-concern-trolling/ whose content links to various other useful pages.

There have been so many other incidents like this.

Thanks for the link - will check this out! :slight_smile:

Thanks so much for sharing that! I’ll work on getting that info into the KB article we’re drafting for Wordfence compatibility: https://github.com/websharks/comet-cache-kb/issues/114

This is a solid option over using WF.

@lukecav, if you go to the White Fir Design blog post to which I referred above, you’ll see that they carried out some tests on various so-called security plugins, and they all failed. All in One WP Security & Firewall was one of those failures.

The relevant post is here: https://www.pluginvulnerabilities.com/2016/12/16/no-wordpress-security-plugin-prevented-exploitation-of-unfixed-arbitrary-file-upload-vulnerability-in-popular-plugin/

I don’t consider that solid at all.

I do agree that the best security is server-side then use something that provides an actual WAF or DDoS protection like StackPath or Sucuri.

Exactly. This is when a good managed host is so worthwhile.

But the other point is that labels matter. Calling something “All in One” when it clearly is no such thing, and is actually inferior to an alternative approach is, in my view, seriously misleading.

I did not blindly mention Wordfence or iThemes Security plugins. But sure we can agree to disagree, I am all for reasonable discussion.