Defender scan doesn't run

Defender scan doesn’t run, seems to be a conflict with Jetpack.

After disabling it, I was able to run a scan.

This seems to happen after the last change of the UI, not sure if version 1.4 or 1.4.1

  • Dimitris Kalliris
    • Support Team Lead

    Hey there Fabio Fava,

    hope you’re doing good and thanks for reaching us! :slight_smile:

    I just confirmed that this is an issue with latest Defender versions (1.4 & 1.4.1) and latest Jetpack plugin (even if no Jetpack module is active, it just needs to be activated and connected).

    I’ve already created a bug report for plugin’s lead developer and this will be addressed hopefully in next plugin update.

    As our internal bug report is connected with this forum thread, me or another colleague of mine will keep you posted here, if there’re any updates/insights before next plugin release.

    Warm regards,

    Dimitris

  • Fabio Fava
    • Proud WPMU DEV Member

    Hi Dimitris ! Hope you’re doing great!

    Since last updates, scans appear to be performed. Many known files are being marked as suspicious (php.ini on WP root and wp-admin, my media folder on the WP Root, and so on), but the hardest thing is that Defender is pointing to a “Host Header Injection in Password Reset”. My WordPress is the latest version and Defender keeps giving me this error.

    Please let me know if you need a screenshot, I have one but don’t know how to attach here.

    I would like to be informed if this is a real hole on my WP Install or just Defender got crazy.

    Support access is enabled on my site, and I would appreciate any help on solving that.

    Thank you very much and best regards!

  • Dimitris Kalliris
    • Support Team Lead

    Hey there Fabio Fava,

    hope you’re doing good and I’m glad that the initial reported issue here, has been resolved!

    There are indeed some “common” files which aren’t included in WP core and Defender is moaning for these. There is going to be some fine tuning on these error reports in the future releases, so you could at least concentrate on real threats, rather than log and/or configuration files.

    but the hardest thing is that Defender is pointing to a “Host Header Injection in Password Reset”. My WordPress is the latest version and Defender keeps giving me this error.

    One real threat is this one though! This is a recently reported bug in WP core, considering a vulnerability in password reset emails.

    http://thehackernews.com/2017/05/hacking-wordpress-blog-admin.html

    This isn’t addressed yet, it will be in a future security WP release (there’s no estimated time for this).

    Warm regards,

    Dimitris

  • Fabio Fava
    • Proud WPMU DEV Member

    Thank you Dimitris !

    On the link you’ve sent, they propose to:

    Since the vulnerability has now been publicly disclosed with no patch available from the popular CMS company, WordPress admins are advised to update their server configuration to enable UseCanonicalName to enforce static/predefined SERVER_NAME value.

    Is there something I can do on my host’s configuration? Should I address that with my Hosting Company? What about my Local Server, is there something I can change on my Apache Config?

    Thank you and best regards!

  • Dimitris Kalliris
    • Support Team Lead

    Hey there Fabio,

    I trust you’re doing good today and I appreciate your kind words here! :slight_smile:

    This is something that could be set in the server level, so please contact your hosting provider about it.

    As for the local installation, as long as this isn’t publicly available (via a public IP address), then you shouldn’t confront any issues. :wink:

    Take care,

    Dimitris

  • Fabio Fava
    • Proud WPMU DEV Member

    Hi Dimitris thank you again!

    I understand and believe your words, but my Local Server responds to some dynamic dns names I’ve set: without accessing the site, some plugins like WPMUDEV Dashboard can’t register. I’m sure that this won’t be a problem, but I’m one of those guys that love to learn.

    So I would appreciate any effort to point me on how to fix this on my local Apache/PHP7.1 installation… If some day I decide to build my own server to host my sites, that may be a very important issue to have in mind on building a solid, reliable internet server.

    Thank you once more for your time and patience, and have a very good one!

  • Fabio Fava
    • Proud WPMU DEV Member

    Replying to myself: I assume that this will be only a problem if I (the Admin) use this feature. Other users may have their accounts invaded but they’re not admins, so I’m sure my site is fine. But, as I said above, when there is something to be learned, I love to be there.

  • Adam
    • Support Gorilla

    Hello Fabio!

    Basically you’re right, as long as nobody gains access to your Admin account, you should be safe. Still though, it would be best that nobody gained unauthorized access to your site at all, even to “subscriber” accounts. That’s because there’s always a chance that an attacker can find some way to turn that subscriber account to an admin account. You never know that :slight_smile:

    That being said, what you would like to do would be to edit your Apache configuration file and make sure that the

    UseCanonicalName

    configuration directive is set to “On”. You’ll also need to make some additional small changes (“ServerName” directive in “VirtualHost” section of httpd.conf file) so take a look at this doc please:

    https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

    I hope that helps :slight_smile:

    Best regards,

    Adam
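
Added example, not part of the thread and not taken from the Defender, WordPress or Apache projects: an Apache 2.4 virtual host showing the `UseCanonicalName` and `ServerName` settings discussed above, with the weak setting beside the corrected one. The host names `blog.example.test`, `home.example.test` and `default.invalid` and the path `/var/www/blog` are placeholders; replace them with your own site name, any dynamic DNS names, and document root.

```apache
# Constructed example; all host names and paths are placeholders.

# Catch-all: the first vhost defined for an address:port receives every
# request whose Host header matches no ServerName/ServerAlias.
# Refuse those requests here so they never reach WordPress.
<VirtualHost *:80>
    ServerName default.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    # The one name Apache should treat as canonical for this site.
    ServerName blog.example.test
    # Additional names the site legitimately answers to (for example a
    # dynamic DNS name). Requests still match this vhost, but SERVER_NAME
    # stays equal to ServerName.
    ServerAlias home.example.test
    DocumentRoot "/var/www/blog"

    # Weak (Apache's default): SERVER_NAME is taken from the Host header
    # sent by the client.
    # UseCanonicalName Off

    # Corrected: SERVER_NAME is always the ServerName configured above,
    # whatever Host header the client sends.
    UseCanonicalName On

    <Directory "/var/www/blog">
        Require all granted
    </Directory>
</VirtualHost>
```

Run `apachectl configtest` before reloading, and `apachectl -S` to confirm which virtual host is the default for the port.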