Sucuri Won't Generate Free Api Key
  • My site was running WordPress 4.6.10 and my Wordfence plugin was deactivated automatically due to missing files. I added the free Sucuri Security – Auditing, Malware Scanner and Hardening plugin, and retrieved an API during the process. Each time I go to Sucuri Security > Firewall (WAF) I see this message:

    SUCURI: Firewall API key was not found.

    I go to Sucuri > Settings where I can copy the API Key (in green) and go back to Sucuri Security > Firewall (WAF) and paste that code (no extra spaces etc) into the FIREWALL API KEY box, then after clicking Save at the top I get this message:

    SUCURI: Invalid firewall API key

    Followed shortly by this message below the FIREWALL API KEY box:

    SUCURI: Firewall API key was not found.

    Since then I updated to WordPress 4.9.4 and the same thing was still happening. Screenshot: http://ghcs.co/00/sucuri-2018-03-15.png

    I uninstalled, deleted files when prompted, reinstalled Sucuri and then retrieved the API key via email and the same thing is occurring still.

    I’ve got this message at Sucuri Security > Dashboard:

    Core WordPress Files Were Modified

    But the info underneath that is out-of-date, still showing an Outdated WordPress under 4.8.

    Screenshot
    http://ghcs.co/00/sucuri-dashboard-2018-03-15.png

    I’m pretty sure I just need to get this API Key issue fixed so that Sucuri can scan again.

  • I will have to talk with our designers about this because…

    The “Sucuri API Key” and the “Sucuri Firewall API Key” are two different things.

    Sucuri API Key

    This key is the one that you can generate for free using the big “Generate API Key” button at the top of the plugin’s page. It takes your domain name and email address and creates a unique identifier for your installation. This key is used to store the event logs in a secure remote storage system managed by Sucuri Inc. When you click the “Recover” button, this is the key that you get back via email.

    Sucuri Firewall API Key

    This key is the one that you can generate from the Sucuri Firewall dashboard [1] which you can have access to if you are a paying customer. This key is used to authenticate your website against the firewall API to block malicious attacks, visualize the current settings and monitor the traffic in real time. You can only generate and/or recover this key if you are a Sucuri customer.

    I go to Sucuri > Settings where I can copy the API Key (in green) and go back to Sucuri Security > Firewall (WAF) and paste that code

    Please don’t do this. It will not work.

    You can only use the “Sucuri API Key” to authenticate here [2].

    You can only use the “Sucuri Firewall API Key” to authenticate here [3].

    Since then I updated to WordPress 4.9.4 and the same thing was still happening. I uninstalled, deleted files when prompted, reinstalled Sucuri and then retrieved the API key via email and the same thing is occurring still.

    Yes, this is because you are trying to use the free API key to activate a feature that is only available to paying customers. If you don’t have access to the Sucuri Firewall you will not be able to activate that feature with the key that you are getting via email. The key that you currently have can only be used to activate the audit logs.

    I’ve got this message at Sucuri Security > Dashboard: “Core WordPress Files Were Modified”. But the info underneath that is out-of-date, still showing an Outdated WordPress under 4.8

    I think there are two things here that are adding more to the confusion.

    The message “Core WordPress Files Were Modified” is shown because your installation contains six files in the document root that are not part of a normal WordPress installation. Below is a description of each file; you will have to decide to either delete them or mark them as false positives using the option “mark as fixed”.

    • .user.ini: I have no idea what this is.
    • fantversion.php: Fantastico website installer.
    • sitemap.backup.xml.gz: Regular sitemap.xml file (backup).
    • wordfernce-waf.php: Rudimentary firewall script by Wordfence.
    • wp-admin/error_log: Generic PHP error log file.
    • wp-includes/error_log: Generic PHP error log file.

    I’m pretty sure I just need to get this API Key issue fixed so that Sucuri can scan again.

    The malware scanner is automatically activated without an API key. You just need the key to activate the audit logs, and if you are a paying customer, you will need another API key to activate the firewall. If what you want is to get rid of that “Outdated WordPress” warning, then just delete this file [4] using the tool available in the settings page under the “Data Storage” panel; this will force the plugin to scan the website once again, skipping the cache (the cache is alive for 20 minutes in your server, and 48 hours in the Sucuri servers).

    [1] https://waf.sucuri.net/
    [2] https://wordpress.sucuri.net/api/
    [3] https://waf.sucuri.net/api?v2
    [4] /wp-content/uploads/sucuri/sucuri-sitecheck.php
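
The reply above attributes the “Core WordPress Files Were Modified” warning to files that are not part of a normal WordPress installation. As an added example (not code from the Sucuri plugin or from this thread), the following integrity audit classifies files as added, modified or removed against a known-good manifest; the manifest format, the names `audit_core` and `demo`, and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Site-specific trees (themes, plugins, uploads) are not core and are skipped.
SKIP_DIRS = ("wp-content",)

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_core(root: Path, manifest: dict) -> dict:
    """Compare files under root with a {relative_path: sha256} manifest."""
    report = {"added": [], "modified": [], "removed": []}
    seen = set()
    for dirpath, _dirs, names in os.walk(root):  # os.walk also yields dotfiles
        for name in names:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if rel.split("/", 1)[0] in SKIP_DIRS:
                continue
            seen.add(rel)
            if rel not in manifest:
                report["added"].append(rel)      # present on disk, unknown to manifest
            elif sha256_of(path) != manifest[rel]:
                report["modified"].append(rel)   # known file, different content
    report["removed"] = [rel for rel in manifest if rel not in seen]
    return {status: sorted(paths) for status, paths in report.items()}

def demo() -> dict:
    """Build a constructed mini-site in a temp dir and audit it."""
    core = {  # constructed stand-ins for core files, not real WordPress content
        "index.php": b"<?php // front controller\n",
        "wp-admin/admin.php": b"<?php // admin bootstrap\n",
        "wp-includes/version.php": b"<?php // version stub\n",
    }
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in core.items()}
    files = dict(core)
    files["index.php"] += b"// appended line\n"             # altered core file
    del files["wp-includes/version.php"]                     # missing core file
    files[".user.ini"] = b"; constructed sample\n"           # extra file named in the reply
    files["wp-admin/error_log"] = b"constructed sample\n"    # extra file named in the reply
    files["wp-content/plugins/x/x.php"] = b"<?php\n"         # skipped: not core
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit_core(root, manifest)

if __name__ == "__main__":
    for status, paths in demo().items():
        print(status, paths)
```

Files reported as added are the ones to review by hand, as the reply suggests: delete them or record them as expected for this host.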

  • The topic ‘Invalid firewall API Key’ is closed to new replies.

Question #1: Can you clarify the repeat offenders limit with blacklisting?

Answer: If Google knows you are a malicious site, and you go back to doing malicious things after the blacklist is lifted, they may limit the number of review requests to once every 30 days.

Question #2: Hello, when I type in Google site:mysite.com, I have many results that are the hack content and not only my actual content, how can I have them easily removed from Google?

Answer: You can use the URL Removal Tool in Google Search Console. Be careful though, this removes pages from the Google index! If there are too many spam URLs you can use a robots.txt directive – read Cesar’s article for more specific steps.

Question #3: My site was blacklisted and then it was cleaned up. However the domain is blocked on many servers. What can I do to fix that?

Answer: You can check if you are on other blacklists for free at Sucuri SiteCheck and VirusTotal. Keep in mind there is a waiting period after submitting a review with each individual organization.

Question #4: Tell us more about the free SSL with Firewall- how much is Firewall service?

Answer: We offer free LetsEncrypt certificates or we can generate a Comodo SSL cert for you, depending on your plan. We can also work with existing SSL certs if you already have one. You can find out more at sucuri.net and by chatting with our team.

Question #5: What is the best way to deal with blacklisting on third party sites such as sitecheck.sucuri, mxtoolbox.com, virustotal. I have been blacklisted by them before. It was very frustrating. My site was cleaned. All of the lists spent more time trying to sell me products, rather than remove the site from their lists.

Answer: Once you submit the review request it can take time for the warning to be lifted. This depends on the number of sites in queue for review and the specific blacklisting authority. As far as MXToolbox, they are an email blacklist service and you would have to speak with your email service provider and look into using a new dedicated IP.

Question #6: What is the best way to deal with blacklisting on third party sites such as sitecheck.sucuri, mxtoolbox.com, virustotal. I have been blacklisted by them before. It was very frustrating. My site was cleaned. All of the lists spent more time trying to sell me products, rather than remove the site from their lists.

Answer: There is usually no issue unless they conflict by blocking or logging each other. Read our CEO’s article on choosing WordPress security plugins to understand how to approach them, it will give you a great overview of the ecosystem. As a rule you should reduce the number of plugins on your site, each new plugin introduces more risks and potential for vulnerabilities.

Question #7: Do you have a WordPress plugin?

Answer: Yes we have a free auditing and scanning plugin. It will alert you if SiteCheck detects any malware or blacklisting and offers post-hack logs and recommendations.

Question #8: The blacklist is on page level, not on site level right?

Answer: It depends on the hack. Google Search Console should show which particular files are affected (if the URL ends in .php or .html), directories (if it ends with a slash), or subdomains.

Question #9: You mentioned that https is offered when a Sucuri plan is purchased… is this the Green bar Https and how is it implemented?

Answer: Yes, when you have an SSL certificate your site uses the secure HTTPS protocol and shows the lock icon in the browser address bar. The implementation steps vary depending on the cert and our firewall team can help you with that.

Question #10: Is there a detailed report that identifies geo location of attacks shown within Website Firewall Blocked threats in order to determine Country black listing?

Answer: No, our firewall block page lets you know if you were blocked due to geo-location, but you would need to contact the website owner to ask them to unblock your country.

Question #11: How can I stop weird sites pointing back to mine that have malware on them? Does this affect my rankings/black list chances?

Answer: If you have low quality or spam sites linking to you, Google may penalize your site because it thinks you bought links. If dangerous sites are redirecting to yours (not linking) then it may indicate your site has been compromised and is hosting malware for the attacker.

Question #12: If I pay for the Sucuri services do I need to do anything regarding blacklisting or does the service clean it up for me?

Answer: Yes, our complete security offerings include unlimited malware removal requests throughout your subscription, and we take care of any and all website blacklist removal requests for you.

Question #13: I’ve been using the Sucuri plugin for a couple of years now after being the subject of a hack and have been very happy with the service. I was unaware of the included SSL certificate so was wondering if you could give a little more detail about that.

Answer: The SSL certificate doesn’t come with the free plugin, but if you have a plan with us then I recommend chatting with our firewall team to get it implemented on your site.

Question #14: The blacklist is on page level, not on site level right?

Answer: Yes Google is the top blacklisting authority by far. Google does not blacklist by IP, but by domain. Google Search Console will give you a clue as to where it found the malware on your site.

Question #15: So is Google the most discriminating search engine for websites? I.e. to the page level. My site was blacklisted at the IP address level by another service, as were all the websites sharing that IP address.

Answer: There is usually no issue unless they conflict by blocking or logging each other. Read our CEO’s article on choosing WordPress security plugins to understand how to approach them, it will give you a great overview of the ecosystem. As a rule you should reduce the number of plugins on your site, each new plugin introduces more risks and potential for vulnerabilities.

Question #16: Does Google blacklist the domain only or the IP at which the domain is hosted?

Answer: The domain only.

Question #17: I would like to choose a forms plugin for my WordPress site but the one I was going to choose features in your regular security reports. So I started searching for alternative form creation plugins. What security considerations should I make when choosing a plugin for my site (apart from the obvious like number of downloads and recency of updates)? Thank you and keep up the awesome job!

Answer: Just because a plugin has a vulnerability at some point does not mean that the plugin is bad. All software is potentially vulnerable. How the plugin developer reacts to a security bug is what really counts. The best software is actively developed and maintained by people who care about answering support tickets and keeping users safe.

Question #18: Is there a difference between hacks that affect site FILES and hacks that affect the DATABASE (as well as site files) – [WordPress specifically]

Answer: They can be quite similar when it comes to the types of malicious code being injected, but in my opinion cleaning up a database can be much more time consuming, especially for SEO spam infections.

Question #19: We have a list of domain names that are newly registered and have nothing hosted on the website. The domains are pointing to the default name servers from the Registrar and still we find our domain names blacklisted by Google Safe Browsing. Why has this occurred? Is it that Google has a list of blacklisted registrars, or is it the pattern of bulk registrations or the name servers or anything apart from this? Thank you!

Answer: I don’t believe Google blacklists registrars. You can check Google Search Console to see if they have listed the reason why, but if you are on a shared server I would recommend checking to be sure your sites are indeed empty.

Question #20: My website does not appear to be blacklisted (no red page) but Google is sending all email from our domain’s email addresses to Gmail addresses Junk Mail. We believe this is because a previous site on the server we are on was spamming. We have NEVER done so. Our email list is opt-in only and we only send 2-3 emails per month all directed toward our nonprofit’s educational mission. Is there a separate list they keep for this that we would need to figure out how to get removed from?

Answer: You may be right. Email blacklists are very different from website blacklists. You can speak with your email service provider and look into using a dedicated IP for your email list.

Question #21: So, you may drop in Google SEO rank for duplicate content on multiple sites, but you won’t be black listed?

Answer: Duplicate content used to be penalized and I believe it’s still not good when it comes to ranking. You want original, highly valuable content to rank well. Duplicate content won’t get you blacklisted – unless of course it’s malicious content.

Question #22: A customer recently had a Google AdWords account suspended due to a site hack but the site never went offline. Is there a different AdWords removal process?

Answer: We have written about AdSense being abused due to issues with partner networks (showing ads on your site), but if your AdWords account (used to bid for keywords) has been suspended then you likely got an email with some reason why. You can Google to find out why.

Question #23: Where do I find in your control panel to remove countries from site?

Answer: If you are logged in and using the new dashboard – go to your firewall settings for the site in question and you’ll find it under Access Control > Geo Blocking.

Question #24: Have you seen Google incorrectly blacklist a site? I have couple sites incorrectly blacklisted because of using Amazon shopping ads. Once removed the Amazon ads Google lifted the blacklist.

Answer: Unfortunately, false positives can happen in any security scan.

Question #25: Does Sucuri back up our websites? And keep it.

Answer: Yes we offer a website backup service for existing clients only, for $5 a month.

Question #26: Does blocking Google from accessing the site via robots files after the site is flagged will remove the flag after some days as Google is not able to access it or it will be still there?

Answer: Don’t try to trick Google. You could get slapped as a repeat offender and be stuck with the blacklist for 30 days.

If you block Googlebot, your site won’t be crawled and indexed in search results.

Question #27: Do you recommend hosting companies that are thinking of these security issues? What are the top hosting companies for security?

Answer: I’m not an authority on this by any means, but I personally use Siteground. Talk to your host about their security configurations, isolation of accounts, and the steps they might take if your site is hacked (including if they suspend your site).

Question #28: How is Sucuri helping for performance of a website?

Answer: Our Firewall offers caching and content delivery from our points of presence around the world. Our SOC built our own proprietary data centers with hand-picked hardware. Some, including WPBeginner and iThemes, report over 400% increase in performance with our firewall. It also lessens the load on your origin server.

Question #29: What about security on websites that really can’t be updated? What plugins for security as well? Joomla and WordPress. For example if you are stuck with 2.5 Joomla what would you suggest using?

Answer: Our firewall includes virtual patching, effectively plugging the holes so visitors can’t exploit them. It’s one of my favorite features because it is also effective against zero-day vulnerabilities, which do not have a patch yet!

Question #30: Does your service work along with Cloud Flare?

Answer: You bet, we even have a support article that describes how to implement it properly with your DNS settings.

Question #31: Are there any instances when you might want to bypass a cloud based firewall rather than preventing bypass using HTACCESS on the origin server?

Answer: Yes, there are instances when you might want to bypass but that’s usually reserved for your development team. While we don’t advise it, some development teams work right from the production environment. In these instances they might be making changes real time, bypassing the Firewall might be the best option to avoid any potential blocks that might impede their work. That being said, there shouldn’t be a case like this for the everyday website users.

Question #32: If someone hacked the site, then I checked index page removed from server, so what is the solution to take backup of that index file from public_html?

Answer: You can certainly restore your index file from a backup as long as the backup has not been hacked too.

Question #33: What about SSL and the way Google is indexing secure sites?

Answer: Google has confirmed that SSL is a ranking signal. Brian Dean from Backlinko released an article back in September that confirmed the correlation between HTTPS sites and higher rankings as part of his experiments.

Question #34: How can I prevent sites like social-button.xyz and social-button.to from linking to my site?

Answer: If you are seeing this in Google Analytics, you can watch my last webinar on how to defend your reports against spam. If the sites are linking to your site, see my advice above regarding the URL Removal Tool in Google Search Console.