wp-config file appears to be malicious or unsafe

  • Resolved Milestone Apps

    (@milestoneapps)


    3 months, 4 weeks ago

    Wordfence scan is flagging the line code added by Wordfence at the start of wp-config.php as critical malware. 

    <?php
    @include '/home3/public_html/.website_7ow2/malcare-waf.php';
    • Filename: /wp-config.php
    • File Type: Not a core, theme, or plugin file from wordpress.org.
    • Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: <?php\x0d\x0a@include ‘/home3/public_html/.w

      The issue type is: Suspicious:PHP/include.13668
      Description: Inclusion pattern often encountered in malicious files

    While I can mark this as ‘ignore’ but why Wordfence can not recognize its own work and not unnecessarily flag the code added by Wordfence? This is continuously causing ongoing distraction.

    How to fix this issue?

    The page I need help with: [log in to see the link]

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    3 months, 4 weeks ago

    Hi @milestoneapps,

    Wordfence isn’t Malcare, they’re two different security plugins. \x0A is the escaped hexadecimal line feed, equivalent of \n and \x0D is the escaped hexadecimal carriage return, equivalent of \r. The solution may be as simple as deleting any line breaks and spaces like<?php@include and then manually re-adding the line break yourself and saving the file.

    Wordfence is picking this up as potentially suspicious obfuscated code, but when Wordfence defines its WAF, it uses .htaccess and I believed Malcare did the same. You may need to check with them or your host that this is correct and not a genuine security risk, as I know Malcare can be installed by default on Cloudways sites.

    Let us know what you find out,
    Peter.

    r1k0

    (@r1k0)

    3 months, 4 weeks ago

    Hey @milestoneapps,

    The line of code is not from WordFence but from a competitor security plugin: MalCare.

    This line and the actual file can be deleted if you were using and are no longer using MalCare. If you’re still using it, consider marking it as ignored. This will prevent WordFence from showing false positives.

    I would recommend you choose one security plugin, if you’re using both.

    Best of luck,
    Erick

    Plugin Support wfpeter

    (@wfpeter)

    3 months, 4 weeks ago

    Thanks also for your input @r1k0.

    We agree. Overlapping features can result in more of your site’s resources being used during scans etc. when installing more than one security suite/firewall. Wordfence does have some modules that can be disabled but not all products do so be careful in which features you like/dislike from each. Ultimately, the choice of which security strategy to implement on a site is that of the administrator but Malcare could be installed by the host in this case.

    Many thanks,
    Peter.

Viewing 3 replies - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.