Support » Plugin: Wordfence Security - Firewall & Malware Scan » Blocked by firewall for Directory Traversal in query string: lang=..

  • Hi,

    Of course, Wordfence blocks for suspicion of directory traversal, how do I know if it’s a false positive, to be sure?

    With an international customer base my concern is that these firewall blocks are actually genuine customers seeking information but being blocked. Google is being shown as the source of referral of the traffic.

    We have /lang folders and my concern is that it could be malicious activity probing for a vulnerability but they could also be genuine customers being blocked?

    I understand I can manually add the string /lang to the whitelist.

    What other investigations can I do to decide on whether to add to a whitelist or allow the blocks to continue?

    Thanks

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfdave

    (@wfdave)

    Hi @stemcpt,

    Can you post some examples of some traffic that you suspect to be legitimate?

    Here’s some tips you can keep in mind:

    1. The referrer can be changed to anything, so a bot can pretend that it came from Google

    2. Google will avoid indexing pages that return a 403, so it’s unlikely that your customers will follow a link and be blocked on the spot

    As for knowing which requests to whitelist and which ones to block, it’s all down to seeing if the request came from a link on your site / plugin, or something that looks crafted.

    Dave

    Thanks for your reply Dave, appreciated.

    Looking at the live traffic the bot blocks tend to be ‘undefined’ / only IP addresses in terms of browsers/OS’s, whereas the human blocks give those identifiers. How accurate this is I don’t know as anything can be made to look like something else 😊

    The directory traversal blocks are identified as human and I’m for the life of me trying to find if that URL exists /?lang=..%2F on the site as we do have several lang sub folders and they are under a /lang parent sub folder (until they are streamlined later this year). Pasting the full URL into a browser redirects to our blog page but I can’t find that redirect in htaccess.

    Interestingly, on the directory traversal blocks, response codes are 403’s.

    I think I’m gonna go with the WF recommendation on these for the moment unless it continues (only 3 incidences so far), but they are from countries we do get enquiries from, although we also get attacks from those countries as well (US & DE).

    I’ve just made some other changes to reduce the number of brute force incidences, which seems to have improved the situation but these popped up and I wanted to be sure the changes I made haven’t created another problem.

    Will monitor, thanks
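
The check Dave describes above (did the request come from a link on the site, or does it look crafted?) can be run over the web server's access log. The following Python is an added example, not part of the thread and not Wordfence code; the language codes in `KNOWN_LANGS`, the Combined Log Format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: the language codes the site's own links use (hypothetical values).
KNOWN_LANGS = {"en", "de", "fr", "es"}

# Combined Log Format: ip - - [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252F) is seen as '/'."""
    for _ in range(max_rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify_lang(target):
    """Return (verdict, decoded value) for the lang parameter of a request target."""
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if "lang" not in params:
        return ("no-lang", None)
    value = fully_decode(params["lang"])  # parse_qsl has already decoded once
    if value.lower() in KNOWN_LANGS:
        return ("site-link", value)       # a value the site itself links to
    if ".." in re.split(r"[\\/]", value):
        return ("traversal", value)       # a parent-directory path segment
    return ("unknown-value", value)       # not linked by the site; review by hand

def triage(lines):
    """Classify parsable log lines; the Referer is reported, never used as evidence."""
    matches = filter(None, map(LOG_RE.match, lines))
    return [(m["ip"], *classify_lang(m["target"]), m["referer"]) for m in matches]

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] "GET /?lang=..%2F HTTP/1.1" 403 512 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2020:10:01:00 +0000] "GET /?lang=de HTTP/1.1" 200 8123 "https://www.google.com/" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Jan/2020:10:02:00 +0000] "GET /?lang=..%252F HTTP/1.1" 403 512 "-" "-"',
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Requests classified `site-link` are the ones to worry about if they are being blocked; a `traversal` verdict on a value the site never generates is not something a visitor following a normal link would send, whatever the Referer says.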
