Support » Plugin: Wordfence Security - Firewall & Malware Scan » Access limited for rule that isn’t even enabled

  • Resolved ennovate

    (@ennovate)


    Hi team!

    I’ve got an interesting problem. I’ve got a site where the web application firewall is in learning mode, and users are getting blocked for:
    “Reason: POST received with blank user-agent and referrer”
    Click here to view the error message.

    The weird thing is that this is specifically NOT enabled in the WF options:
    Click here to view.

    Any help that you can offer? As I understand it, since the option is not enabled, users should not be getting blocked for it. And, as I understand it, since the WAF is in learning mode, it shouldn’t be blocking any users for any reason yet.

    Can anyone give me guidance on how to resolve this without removing Wordfence entirely? Using Wordfence 6.3.0.

    All the best,
    Kristopher

Viewing 10 replies - 1 through 10 (of 10 total)
  • Any guidance? It appears to only be happening on the home page, and it doesn’t actually seem to add the user to the blocked list in WF. It seems like it just gives them the blocked message but doesn’t prevent them from viewing any of the other pages in the site. It’s really weird.

    Any help?

    Thanks,
    Kristopher

    I’ve had some weird stuff like that happen as well. Usually my own fault, in that I don’t completely clear my browser history, cookies, cache, etc. That’s me, anyway… MTN

    Thanks MTNguy2. Those were my initial “go-to” ideas as well, but they haven’t proven to be systematically reproducible solutions to the problem. A wide variety of users are experiencing the problem. I’ll double check my assumptions however and keep trying.

    Plugin Author WFMattR

    (@wfmattr)

    Hi,

    It’s definitely unusual — is it happening when users are simply visiting the page, and not submitting a form?

    It seems most likely to be caused by caching on the server. If you’re using a caching plugin, you could try temporarily turning it off, or if not, you can check with the host to see if they’re running “Varnish” or another type of cache. It’s still strange that visitors would randomly see that block message, unless there is a cluster of servers with their own caches, and only one of them is “stuck”.

    Another possible cause would be if the host has multiple servers that have their own copies of the database — this is uncommon for most WordPress sites, but if one server has a copy of the database that somehow fell out of sync, it could still have the old value of that option stored.

    -Matt R

    Hi Matt!

    Thank you for your kind and helpful reply. Yes, we had caching enabled on the site (w2), but I turned it off completely (disabled the plugin) in order to eliminate it during troubleshooting. So yes, the problem is still happening even without web site caching.

    The site is only running on one server. It’s a regular old WordPress install on one single server, so no, there are not multiple servers with multiple copies of the database.

    Man I wish that one of these ideas would shine light on this issue for me, but so far no luck!

    Thanks for the help however!

    Here is a quick short little video screen share that I just made that illustrates the problems. Please take a minute to watch it and understand how weird this problem is:
    https://youtu.be/xyDCL5tBUQc

    Bump. This is still a major problem for our users! They are still regularly getting blocked.

    Bump. Still a major problem for our users. Don’t want to remove Wordfence, but might have to.

    Plugin Author WFMattR

    (@wfmattr)

    Hi,

    You mentioned in the video that you don’t appear in Live Traffic when you’re blocked — that is usually a sign that there is a cache of some sort, so WordPress & Wordfence aren’t even being run for that request.

    I tried visiting the site again, and I see the same behavior now. I found when the block occurs, the headers in the browser’s dev tools show a header from W3 Total Cache — that might mean that when it was disabled, it didn’t remove its code from the .htaccess file. These are the headers I see:

    Expires: Fri, 17 Feb 2017 23:00:10 GMT
    Pragma: public
    Cache-Control: max-age=3600, public
    ETag: "20d4de46302b2cdd3594ad8b0c9a1eba"
    X-Powered-By: W3 Total Cache/0.9.5.1

    I’d first recommend re-enabling W3 Total Cache, clearing the cache, and disabling it again — then check if the same issue still occurs. If you know how to edit your .htaccess file, you can also check to see if some W3TC code is still in there. Right now, I’m not sure why it only happens on some hits when refreshing the page or normally.

    If that doesn’t help, it’s possible W3 Total Cache left some other files in place, and/or other constants set in the wp-config.php (it’s been a while since I looked at their setup.) It might also be possible that the host has Varnish or some other caching “in front of” Apache, which could have cached W3TC’s cached response.

    -Matt R

    Hi Matt R,

    Thank you for investigating this for me. You hit the jackpot there. The w3 cache remnants in the public_html .htaccess file were causing the behavior.

    MUCH appreciated, especially when the cause of the problem turns out to not even have been part of Wordfence, but rather was caused by another application.

    Really superior tech support assistance! A million thanks!

    Kristopher
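
The two checks that resolved this thread, sketched as an added example (not code from Wordfence, W3 Total Cache, or either poster): list any W3TC rule blocks still present in an `.htaccess` file, and test whether a response carries the `X-Powered-By: W3 Total Cache` header quoted above. The `# BEGIN W3TC …` / `# END W3TC …` marker format is an assumption to confirm against the actual file, and the sample `.htaccess` content is constructed.

```python
import re

# Assumption: the plugin delimits the rules it writes with comment markers of
# the form "# BEGIN W3TC <section>" and "# END W3TC <section>".
MARKER = re.compile(r"^\s*#\s*(BEGIN|END)\s+W3TC\s+(.*\S)\s*$", re.IGNORECASE)

def find_w3tc_blocks(htaccess_text):
    """Return (section, first_line, last_line); last_line is None if END is missing."""
    open_blocks, found = {}, []
    for lineno, line in enumerate(htaccess_text.splitlines(), start=1):
        m = MARKER.match(line)
        if not m:
            continue
        kind, section = m.group(1).upper(), m.group(2)
        if kind == "BEGIN":
            open_blocks[section] = lineno
        elif section in open_blocks:
            found.append((section, open_blocks.pop(section), lineno))
    found.extend((s, start, None) for s, start in open_blocks.items())
    return sorted(found, key=lambda b: b[1])

def served_by_w3tc(raw_headers):
    """True when the response headers carry the W3 Total Cache signature."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-powered-by" and "w3 total cache" in value.lower():
            return True
    return False

# Constructed .htaccess content: one complete leftover block, the normal
# WordPress block, and one leftover block whose END marker is missing.
SAMPLE_HTACCESS = """\
# BEGIN W3TC Browser Cache
ExpiresActive On
# END W3TC Browser Cache
# BEGIN WordPress
RewriteEngine On
# END WordPress
# BEGIN W3TC Page Cache core
RewriteEngine On
"""

# Two of the headers quoted in the reply above.
SAMPLE_HEADERS = "Cache-Control: max-age=3600, public\nX-Powered-By: W3 Total Cache/0.9.5.1\n"

if __name__ == "__main__":
    for section, start, end in find_w3tc_blocks(SAMPLE_HTACCESS):
        print(f"{section}: lines {start}-{end if end else 'EOF (no END marker)'}")
    print("W3TC header present:", served_by_w3tc(SAMPLE_HEADERS))
```

A block reported while the plugin is deactivated, or a W3TC header on a blocked response, points to the stale-cache condition described in this thread rather than to a Wordfence rule.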
