Scan Stage Failed – Scan process ended after forking – AWS Bitnami Cloudflare

Hi, we have an AWS Bitnami WordPress instance and are using Cloudflare. We’ve been the victims of DDoS attacks and are hoping Wordfence can help. Unfortunately, Wordfence cannot complete the scan:

After researching other Support Tickets here in the forum, we followed the below instructions:

• Kill any existing scan if it is still running (The “Start New Scan” button turns in to a “Stop” button while the scan is running) 
• Go to your Scan > Scan Options and Scheduling page and locate the “Performance Options”
  Set “Maximum execution time for each scan stage” to 20 on the options page
• Click to “Save Changes”
• Go to the Tools > Diagnostics page
• In the “Debugging Options” section check the circle “Enable debugging mode”
• Click to “Save Changes”.
• Start a new scan
• Copy the last 20 lines or so from the Log (click the “Show Log” link) once the scan finishes and paste them in the post.

Here are the results of the log:

[Oct 18 19:18:24] Ajax request received to start scan.
[Oct 18 19:18:24] Got value from wf config maxExecutionTime: 20
[Oct 18 19:18:24] getMaxExecutionTime() returning config value: 20
[Oct 18 19:18:24] Test result of scan start URL fetch: array ( 'headers' => WpOrg\Requests\Utility\CaseInsensitiveDictionary::__set_state(array( 'data' => array ( 'date' => 'Wed, 18 Oct 2023 23:18:24 GMT', 'content-type' => 'text/html; charset=UTF-8', 'x-robots-tag' => 'noindex', 'x-content-type-options' => 'nosniff', 'expires' => 'Wed, 11 Jan 1984 05:00:00 GMT', 'cache-control' => 'no-cache, must-revalidate, max-age=0', 'referrer-policy' => 'strict-origin-when-cross-origin', 'x-frame-options' => 'SAMEORIGIN', 'vary' => 'Accept-Encoding', 'cf-cache-status' => 'DYNAMIC', 'report-to' => '{"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=qAONvnqkYM9ugJ50e8NC2IctjVJXxxsCT93VAiOZvY2Xj5V3BbIIvpmJFKMN2xoZurquhcpuu7lrQ%2BeNE2EawC6oX0RPmHq1dNSlUNH%2FXX3gDReiUJpxq4LtfVb4t4YITxsj6BIOnjz16pI%3D"}],"group":"cf-nel","max_age":604800}', 'nel' => '{"success_fraction":0,"report_to":"cf-nel","max_age":604800}',
[Oct 18 19:18:24] Starting cron with normal ajax at URL https://oneoption.com/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&scanMode=standard&cronKey=f40141129198ff78075f3244c296f608&signature=422a9c7ea981c8e7cd7ebf7f0e77aca30bd8f29dcc76e614b156a2af50bccd64
[Oct 18 19:18:24] Scan engine received request.
[Oct 18 19:18:24] Verifying start request signature.
[Oct 18 19:18:24] Scan Engine Error: The signature on the request to start a scan is invalid. Please try again.
[Oct 18 19:18:24] Scan process ended after forking.

This page mentions wp-admin/ permissions or .htaccess could be the cause. Bitnami is notoriously difficult when it comes to permissions. Can you advise the correct permissions we should have set for wp-admin and other directories? They are all currently 775.

Also, in Tools it says:

wp_remote_post() test back to this server failed! Response was: 403 Forbidden

With logs:

HTTP/1.1 403 Forbidden
Date: Wed, 18 Oct 2023 23:30:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Auq0d422PFBOsMjLtg5D8G6r20zLQRDcbACsYD1AbY9Ly2G4GvXf0ZKyXRPj7P9%2B0BMTmhVhC7rx5YNhqosQitxMS25hAGcNLqWyWW0PjYvzvUCQPTe6A7%2FNq45WdcWEY029w%2BPjoI1TFYw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 8184916e4e0759ec-IAD
Content-Encoding: gzip

<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><link href="https://wordpress.org/cdn-cgi/styles/challenges.css" rel="stylesheet"></head><body class="no-js"><div class="main-wrapper" role="main"><div class="main-content"><noscript><div id="challenge-error-title"><div class="h2"><span class="icon-wrapper"><div class="heading-icon warning-icon"></div></span><span id="challenge-error-text">Enable JavaScript and cookies to continue</span></div></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '2',cZone: "oneoption.com",cType: 'managed',cNounce: '81631',cRay: '8184916e4e0759ec',cHash: '9daf990490b3df5',cUPMDTk: "\/wp-admin\/admin-ajax.php?action=wordfence_testAjax&__cf_chl_tk=G_3ymCuIFLuCStYUqLWwAuRWy8E78oUd0jqLLWShcKc-1697671815-0-gaNycGzNCvs",cFPWv: 'b',cTTimeMs: '1000',cMTimeMs: '0',cTplV: 5,cTplB: 'cf',cK: "visitor-time",fa: "\/wp-admin\/admin-ajax.php?action=wordfence_testAjax&__cf_chl_f_tk=G_3ymCuIFLuCStYUqLWwAuRWy8E78oUd0jqLLWShcKc-1697671815-0-gaNycGzNCvs",md: "CwDNuXC9fdXdVsgWF2acaZtPrT0R0iISXFP6urmMHZI-1697671815-0-AWESilgM1dBWmDdRjZwZERMv5CJgsm9RerWFC5xdpJ6rg8rv6fzrYdy4JLcQ-luzH8TxKY4ZWHoiaaZ6nR6TP6zTEDsAA0XQO_z-f7oxYWJs1qBWcQOXW18mIlnjIcgykVEHcdw0A_HfEWy10cTmMxNvZbBELlPYyvXXCuJdEXIsSdGv9-CPnAH-Dvf0NiXd68yq-z4h6a2qq0rlloKJ2r30yn4LgyJVdUkQXzxGiGF04MBQlcn7XExZMR5YKUCL5_FwG34Ytt-MchM-mS44plc8TNY_hkXijU4qfC9Exkf101RjxX3z7QnBPTFebpoTa-2-ObF1hyQ5cngwlhwWjgHc2mh3HGi0UwUFaePLwLTE91gsqlevwU1eeSHJfBCVYznYKzHlBobVZVZb-VFh9yPnENzNEBiNz-DHIHszrZyp5yBSdZjG_dlbR42UPTvmZ6V7Db7bGuoaIn-t8OBmWo7tFFV5WvAza6CcxU2Q16JMqC_3blGgfY8hd9BPdCA5onx9rL9G1XxFn3_YWhJ4HGe6NVeE3esvjs2nG7RRSIxLNOkEqa1VQRARPFCpEotTEAQ73mh8iDbSnmM1Coy-AUEo7VuINNHU6dUic-4siSlZwV44g64OriFOhNiYN202RtX0Vyl6I9nZQiC8BXldYw5LAMkfmeAkwLcZDpLns10ZCFDkKRXgyyWYQ_OlmxjkA0QxIJ-0pUezTnORXvh008YKKN34hi5mbicy8uW9zrunbbk5LFRtA1gZCDcjBZdIYHOmVy3ch91vkiewUtvuIRooDHdllSXqUihF8S3lbej_73n3JR0senlBST-zEpgL7f6b0inqGSnx7X9BbgyZcHe3QHYcGIYMSE_Ly7vI4nqj2qQM3F87t6b2e7L9vx_cq-uVegdiIUjcJW9vf92sxLgSQEsF1nE7wE7usyMk4d-2SYu_2PkCFDpQB1IWPZxhGV4JMnuV0TQop9mG9-9BzxrlQZ9-Orp-p_3n25ihth_ntHAUF_7HkYkjAbJYLFwWPdQcvFfg0_jRVI-h0EzPNAmPeylIdcr5V0wBf3ehrsZ1ZAOEijLJZ_wWPqh4HouosGhaKL3PjXndorYpeJKPPB0Vuv42mXL-ktUZfj1XSLRkW-f1inTQZh0VZV9rLdAtc5bLGmpmdSOjafGMHAWU1cKxV8KHVMZiYMFtwHOxHKxTGuJVBlZmvLjkRtk9nqEtZlK_ICXGzKh4nJQZ9eTln1QzxQUCmgZXS6My9fFeXBC--iSMxa57CJaWAirxW7rFLGaRfe_xJlWQlGQKh5GY3oKaMoFGJ-lC8c8kR80N3HJyjRjKct0hKzYnxGeaJiArrfhdcaWc2ragOzY9DvTTPo-yaqt4DwaFRdECuew1FYPyjIpr2gam4LYK9wvhKbkQa4-z5NaQVCP8ejg6trCVO4Hd5AjNgDdndrfxnBYc2xBklUnkizMyDvNk6HSMpjqWq4wfAoN5aoyV6Y8GV8NAzW5qxgVQ5KYuqjnuo3KCSUzlHCvGtAnyMN2yLy-1T_QKfWtUiDRGQcKH1jG6t7-AP82xHgsAwhyPsd3_lvR7-JTYqc8D0A3aysvpDnBobCur9rbxtwQMtr3aZA8FMQlbb_4FBgJjAdoqj62NTB6G7xjS7xYN5DTXlb7D0JPu1orZsLq6DDT1NpBlE0XrRKeJMesBQ9cVOc-xVt6_QjEYLIGOHldL_m2JZ1yEHl12lHD2MDVaTmIQZQkFMtP7IQErDlrmS6uC7mKbOgp4JxkXxyxVAnu3y8CbyjYOFRjiBfAX9gAYthWPfnFOJ-fEmAkxvJp53e0IVAbriqqN-95xQp4ElaEuZcg3-WQDaFybTveqgWDXhQ2YxXzkM0L53AvHuRO-DaOTj9NZAk4Wa5uTIyd-3d2iNx4zjfX2rEkj46gXU2y8ITB_3jrVV9WGNlf9le-Yv94VWvo77JLENCmfN_Uu5auCTmaGiC5DSEj74uWyx5FBTauWWIZiQkgrBZRmwx7WszOinR1hODllUJuKtIUxTOOesRcm2mIpm0ih2xyS76fT8q9EiwGN31hsFXx9c3p4xlNIbKAja986ttNeOlz0WxEj7ljgVDclWnudZlmw-yBaqw6qU3qZanJ60KXg15W8SjNmOi1R_9-2n216tcYs4yTl3xOZZ8uMPNUMUTaeD4F-oOXulS4tcMU8SbEUXYJoureezmej8hexFdK94TEGLNrYnK2kTDLxjEaRrZQDLXhnf1bUc7m7aZEHWhVfh0vmABm6w0hw3R6-paG1f_l-XuNW4ntP8TbP47nUM5zXWmwTRzVftDFhrWCD-mY8EA6HQdKLkmQFif_omjmwKeKVuibnFRXrh8Xs1YW6ClSR3ffmIyG4CJq7NCDIEV1OhPUlaHrgjY9EZe-9SIkIMV2M1kC2pbOkBE6vRRQdpANMJvxgi3wdRhM6ouH4shfL68cv1lNuErL6z5JQOJmKQCjtwrJ0R1xdwvT5djLuh6wbvgW1Uh07ksYhejNoPwc-M93YWa0d2FI1_HkRKk7-tBOcrHHnrqDDrR5020nomBK0-xvw9LGWj6VMkhd4S3zqD4MY06_JHVkr8V0aygrjvsxqhKLEDYF-01VgrLuWIFR8dJsD4CTnWhVlJU8UqOLCl6siJ52PxFyGFbsNFyMPks5vL26xuMZLpS-2MpGg83QXBd9FtQNth0TcWfBQL883pEqToMIIc_h4v06YfrLMGKR-mk53r82dlIKHyUhNQ_R3ow",cRq: {ru: 'aHR0cHM6Ly9vbmVvcHRpb24uY29tL3dwLWFkbWluL2FkbWluLWFqYXgucGhwP2FjdGlvbj13b3JkZmVuY2VfdGVzdEFqYXg=',ra: 'V29yZFByZXNzLzYuMy4yOyBodHRwczovL29uZW9wdGlvbi5jb20=',rm: 'UE9TVA==',d: 'TUQ9olHFRpy6J9VYroq/oskg2t7SvWzhuh448mixLDNarNYLa8r1oL7/jVksY9zRjGYRJkHXgUmu+h06FhvpcfUeZQtKkyIxyUXPhzp0cp73USHWx55mpTXFSQz1L+m4hrtGRczRN41iea1pDYVvCvPDTfCp3zADovl2+xMYKg019ozAk0+W9JSHIccPdi9Jo4tHi6x8GV1m+zVr6fhtu5b7zIEmLivxrYIAnNSDHpqpxaOPLYlbqQ16l+QvtrQvOsdbcky1HlWIB8QcBrlzN8biKTV0lfzUMinKwb1OP11w/VzDRz/FPoE56AsVgyNxDd+kfddqy6Sj6OGSEW1zFXpr/d3HfxGWi5H11sha6tx3TMQBbaXK+LfPSgbgCQMj2ornv1PRvSebHn8auqAM0JN3UhXZF2efysTSsxMQctcCaghQtD8FECA7JlWZWqSjEzCSj8a3SRF1oKh5wY1EZSb+9qAVTxzuf1E6R35Gz5Z7+7gr2JDxiVUygTRwgGdk',t: 'MTY5NzY3MTgxNS40MTQwMDA=',cT: Math.floor(Date.now() / 1000),m: 'nyrpqwSc7dpy1xNvZbCSxGDxFUbXoo+yTLpxowrW6zI=',i1: 'l6P+UvkhepehLXPnWxL3uw==',i2: '1Ys/+I9dpbRlBzKDX1ialQ==',zh: 'MXFoi0DKc9UMksfpBIoKADXg9AGsbA9xA15XB5t1QGc=",uh: "k9Pt5kCtzvFH3HHaIC0ueQf3LXznyQKyxoUyFpl/b5g=',hh: 'zDIyBJW1RmD63CKCUsAt+fU6b6U9uhmugingMghJIiQ=',}};var cpo = document.createElement('script');cpo.src="/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8184916e4e0759ec";window._cf_chl_opt.cOgUHash = location.hash === '' && location.href.indexOf('#') !== -1 ? '#' : location.hash;window._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pathname + window._cf_chl_opt.cOgUQuery + window._cf_chl_opt.cOgUHash;history.replaceState(null, null, "\/wp-admin\/admin-ajax.php?action=wordfence_testAjax&__cf_chl_rt_tk=G_3ymCuIFLuCStYUqLWwAuRWy8E78oUd0jqLLWShcKc-1697671815-0-gaNycGzNCvs" + window._cf_chl_opt.cOgUHash);cpo.onload = function() {history.replaceState(null, null, ogU);}}document.getElementsByTagName('head')[0].appendChild(cpo);}());</script><script defer src="https://static.cloudflareinsights.com/beacon.min.js/v84a3a4012de94ce1a686ba8c167c359c1696973893317" integrity="sha512-euoFGowhlaLqXsPWQ48qSkBSCFs3DPRyiwVu3FjR96cMPx+Fr+gpWRhIafcHwqwCqWS42RZhIudOvEI+Ckf6MA==" data-cf-beacon='{"rayId":"8184916e4e0759ec","b":1,"version":"2023.10.0","token":"195f088bc3bb40a58d82d3cae2843bd3"}' crossorigin="anonymous"></script>
</body></html>

We’ve also tried adding Cloudflare IP Access Rules to Allow Wordfence IPs and our sites IPs (from IP(s) used by this server on Wordfence’s Diagnostics page)

Thanks,

Will

The page I need help with: [log in to see the link]