• Resolved markussss

    (@markussss)


    Hello,

    I think I get false positive email notifications for the following setting:

    “Send me an alert whenever → An administrator account is created, modified or deleted in the database (default)”

    I have seen this on several websites. I cannot reproduce it.

    What could be the reason for this? If this email gives me false warnings, then I will start to ignore them, and then they become useless.

    ChatGPT gave me the following hint:

    Even if you didn’t change the password manually, something may have rehashed the password field in the database — for example:

    • Logging in can sometimes trigger WordPress to rehash the password if the hashing algorithm has changed.

    Any feedback on this from other users or any experience with this?

    Thanks

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor bruandet

    (@bruandet)

    NinjaFirewall monitors the administrator data, which is stored in the database. That includes the password hash because if a hacker changed your password, that would change that hash.
    WordPress can indeed change it but that should happen once only. For instance if you forget your password and create a new one in the DB using an MD5 hash format with phpMyAdmin, WordPress will automatically change your hash to a safer one using Bcrypt.
    Did that alert occur once only (on many different sites), or multiple times on the same site? The former may be due to an upgrade to WordPress 6.8 (see post), the latter to a plugin that changed it (for what reason, I cannot say).

    Thread Starter markussss

    (@markussss)

    As of now it seems the alert occurred only once on a few different sites. With the information you gave me my theory is: Each first admin login after upgrade to WP6.8 triggers the email one single time only.

    Could this be it? That would mean the PW hash value does not get changed when upgrading to WP6.8. It would mean the PW hash value gets changed only after a login attempt with an Admin user is made (after the WP6.8 update)

    Why I think that can be the reason:

    • I could not reproduce the behavior so far a second time, I got this false positive alert only once
    • I checked my email history and it seems whenever I got this email in the past, there was a real Admin change where the email was sent correctly

    Why I think that might still not be it:

    • It would mean I should get this email on every website and not just some websites, which did not happen

    Plugin Contributor bruandet

    (@bruandet)

    “It would mean I should get this email on every website and not just some websites, which did not happen”

    I can’t say why you didn’t receive the notification for those sites, but you can check the firewall log and look for “Database changes detected”, as it writes the incident to the log as well.

    John Blackbourn

    (@johnbillion)

    WordPress Core Developer

    @markussss This is indeed how password rehashing behaves when users log in to WordPress 6.8+.

    When a user first subsequently logs in after the update – or when they next change their password – their password will automatically get rehashed with bcrypt and resaved in the database.

    WordPress 6.8 will use bcrypt for password hashing
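
The check discussed in the replies above, as an added example that is not part of any post and is not NinjaFirewall or WordPress code: it compares two snapshots of one administrator row and reports whether the change fits the one-time rehash to the `$wp$2y$` bcrypt format used by WordPress 6.8. The snapshot dictionaries, the function names and the sample hashes are assumptions constructed for the example; the keys are `wp_users` column names.

```python
import re

# Formats that can appear in wp_users.user_pass (order matters: first match wins).
SCHEMES = [
    ("wp-bcrypt", re.compile(r"^\$wp\$2y\$\d{2}\$[./A-Za-z0-9]{53}$")),  # WordPress 6.8+
    ("phpass", re.compile(r"^\$P\$[./A-Za-z0-9]{31}$")),                 # default before 6.8
    ("md5", re.compile(r"^[0-9a-f]{32}$")),                              # set by hand, e.g. in phpMyAdmin
]
LEGACY = {"phpass", "md5"}


def scheme(stored_hash):
    """Name the hash format of a stored user_pass value."""
    for name, pattern in SCHEMES:
        if pattern.match(stored_hash):
            return name
    return "unknown"


def triage(before, after):
    """Compare two snapshots (dict: column -> value) of the same admin row.

    Returns (verdict, changed_columns).
    """
    keys = before.keys() | after.keys()
    changed = sorted(k for k in keys if before.get(k) != after.get(k))
    if not changed:
        return "no-change", changed
    if changed == ["user_pass"]:
        old, new = scheme(before["user_pass"]), scheme(after["user_pass"])
        if old in LEGACY and new == "wp-bcrypt":
            # Fits the one-time rehash. A real password change on 6.8+ produces
            # the same transition, so match it to a known admin login time.
            return "consistent-with-rehash", changed
    # Any other column changed, or the hash changed without leaving a legacy
    # format: the upgrade rehash cannot explain it.
    return "investigate", changed


# Constructed sample values (not real hashes).
OLD_PHPASS = "$P$B" + "a" * 30
NEW_BCRYPT = "$wp$2y$10$" + "b" * 53
OTHER_BCRYPT = "$wp$2y$10$" + "c" * 53
ROW = {"user_login": "admin", "user_email": "admin@example.com", "user_pass": OLD_PHPASS}

if __name__ == "__main__":
    print(triage(ROW, {**ROW, "user_pass": NEW_BCRYPT}))
    print(triage({**ROW, "user_pass": NEW_BCRYPT}, {**ROW, "user_pass": OTHER_BCRYPT}))
```
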
    Thread Starter markussss

    (@markussss)

    Understood, thanks, that explains it and means this will soon stop after every admin has logged in at least once.

    Hello, just to say that I had the messages… when my sites were hacked. The hacker connects as admin, installs an upload files plugin, uploads files and deletes the plugin. Thanks to NinjaFirewall, I was warned.

    Thread Starter markussss

    (@markussss)

    I have never seen the message twice on a site. After any update to WP6.8.x I have seen it exactly one single time (it could be that I had sites where it did not send me the alert at all, so it was either sending it 0 or 1 time but never more than that) – that means in that case the theory discussed in this thread is still valid

The topic ‘False positive admin user Alert: Database changes detected’ is closed to new replies.