Getting Error 403 when used with WP Staging (Wordfence Security - Firewall & Malware Scan support forum)

Rene Hermenau (@renehermi), topic marked Resolved


Guys, what is the reason for this recently appearing issue?

    I got the second client today who tries to use WP Staging on a site where Wordfence is installed and activated.

    Wordfence throws an error 403 on subsequent ajax requests made by WP Staging.

    I am the developer of WPSTG, so what can I do to prevent these annoying false errors by Wordfence?

    These are the complete headers of the request:

    Request URL: https://example.org/wp-admin/admin-ajax.php?action=wpstg_processing&_=1550589436.24
    Request Method: POST
    Status Code: 403 Forbidden
    Remote Address: 41.203.18.240:443
    Referrer Policy: strict-origin-when-cross-origin
    Cache-Control: no-cache, must-revalidate, private
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Date: Tue, 19 Feb 2019 15:17:11 GMT
    Expires: Sat, 26 Jul 1997 05:00:00 GMT
    Keep-Alive: timeout=5, max=86
    Pragma: no-cache
    Server: Apache
    Transfer-Encoding: chunked
    Accept: text/html, */*; q=0.01
    Accept-Encoding: gzip, deflate, br
    Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,he;q=0.6,nl;q=0.5,lb;q=0.4
    Cache-Control: no-cache
    Connection: keep-alive
    Content-Length: 11269
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Cookie: XXXX
    DNT: 1
    Host: example.org
    Origin: https://example.org
    Pragma: no-cache
    Referer: https://example.org/wp-admin/admin.php?page=wpstg_clone
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36
    X-Requested-With: XMLHttpRequest
    action: wpstg_processing
    _: 1550589436.24
    action: wpstg_cloning
    nonce: 083ab46a3b
    cloneID: 1550589436238
    includedTables[]: wp_bp_activity
    includedTables[]: wp_bp_activity_meta
    includedTables[]: wp_bp_friends
    includedTables[]: wp_bp_groups
    includedTables[]: wp_bp_groups_groupmeta
    includedTables[]: wp_bp_groups_members
    includedTables[]: wp_bp_messages_messages
    includedTables[]: wp_bp_messages_meta
    includedTables[]: wp_bp_messages_notices
    includedTables[]: wp_bp_messages_recipients
    includedTables[]: wp_bp_notifications
    includedTables[]: wp_bp_notifications_meta
    includedTables[]: wp_bp_user_blogs
    includedTables[]: wp_bp_user_blogs_blogmeta
    includedTables[]: wp_bp_xprofile_data
    includedTables[]: wp_bp_xprofile_fields
    includedTables[]: wp_bp_xprofile_groups
    includedTables[]: wp_bp_xprofile_meta
    includedTables[]: wp_commentmeta
    includedTables[]: wp_comments
    includedTables[]: wp_gamipress_logs
    includedTables[]: wp_gamipress_logs_meta
    includedTables[]: wp_gamipress_user_earnings
    includedTables[]: wp_gamipress_user_earnings_meta
    includedTables[]: wp_gf_addon_feed
    includedTables[]: wp_gf_draft_submissions
    includedTables[]: wp_gf_entry
    includedTables[]: wp_gf_entry_meta
    includedTables[]: wp_gf_entry_notes
    includedTables[]: wp_gf_form
    includedTables[]: wp_gf_form_meta
    includedTables[]: wp_gf_form_revisions
    includedTables[]: wp_gf_form_view
    includedTables[]: wp_layerslider
    includedTables[]: wp_layerslider_revisions
    includedTables[]: wp_links
    includedTables[]: wp_options
    includedTables[]: wp_postmeta
    includedTables[]: wp_posts
    includedTables[]: wp_signups
    includedTables[]: wp_term_relationships
    includedTables[]: wp_term_taxonomy
    includedTables[]: wp_termmeta
    includedTables[]: wp_terms
    includedTables[]: wp_usermeta
    includedTables[]: wp_users
    includedTables[]: wp_wfblockediplog
    includedTables[]: wp_wfblocks7
    includedTables[]: wp_wfconfig
    includedTables[]: wp_wfcrawlers
    includedTables[]: wp_wffilechanges
    includedTables[]: wp_wffilemods
    includedTables[]: wp_wfhits
    includedTables[]: wp_wfhoover
    includedTables[]: wp_wfissues
    includedTables[]: wp_wfknownfilelist
    includedTables[]: wp_wflivetraffichuman
    includedTables[]: wp_wflocs
    includedTables[]: wp_wflogins
    includedTables[]: wp_wfnotifications
    includedTables[]: wp_wfpendingissues
    includedTables[]: wp_wfreversecache
    includedTables[]: wp_wfsnipcache
    includedTables[]: wp_wfstatus
    includedTables[]: wp_wftrafficrates
    includedDirectories[]: /usr/www/users/example/wp-admin
    includedDirectories[]: /usr/www/users/example/wp-admin/ 
    includedDirectories[]: /usr/www/users/example/wp-admin/css
    includedDirectories[]: /usr/www/users/example/wp-admin/images
    includedDirectories[]: /usr/www/users/example/wp-admin/includes
    includedDirectories[]: /usr/www/users/example/wp-admin/js
    includedDirectories[]: /usr/www/users/example/wp-admin/maint
    includedDirectories[]: /usr/www/users/example/wp-admin/network
    includedDirectories[]: /usr/www/users/example/wp-admin/user
    includedDirectories[]: /usr/www/users/example/wp-content
    includedDirectories[]: /usr/www/users/example/wp-content/backup-db
    includedDirectories[]: /usr/www/users/example/wp-content/languages
    includedDirectories[]: /usr/www/users/example/wp-content/mu-plugins
    includedDirectories[]: /usr/www/users/example/wp-content/plugins
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/akismet
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/buddypress
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/drip-gravity-forms
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/duracelltomi-google-tag-manager
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/dw-question-answer-pro
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/dwqa-assign-ticket
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/dwqa-assign-ticket-1.0.0
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/elementor
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/email-marketing
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/gamipress
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/gamipress-buddypress-group-leaderboard
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/gamipress-buddypress-integration
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/gamipress-gravity-forms-integration
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/genesis-design-palette-pro-enews-widget
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/genesis-enews-extended
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/genesis-palette-pro
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/genesis-simple-edits
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/genesis-simple-faq
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/genesis-simple-hooks
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/gppro-google-webfonts
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/gravityforms
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/gravityformsgutenberg
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/gravityformsmailchimp
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/gravityformsslack
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/gravityformssurvey
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/gravityformsuserregistration
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/health-check
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/js_composer
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/LayerSlider
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/post-type-switcher
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/post-types-order
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/white-label-cms
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/wordfence
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/wordfence-assistant
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/wordpress-importer
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/wordpress-reset
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/wp-dbmanager
    includedDirectories[]: /usr/www/users/example/wp-content/plugins/wp-staging-pro
    includedDirectories[]: /usr/www/users/example/wp-content/themes
    includedDirectories[]: /usr/www/users/example/wp-content/themes/example-base
    includedDirectories[]: /usr/www/users/example/wp-content/themes/genesis
    includedDirectories[]: /usr/www/users/example/wp-content/themes/genesis-sample
    includedDirectories[]: /usr/www/users/example/wp-content/themes/nimva
    includedDirectories[]: /usr/www/users/example/wp-content/themes/twentynineteen
    includedDirectories[]: /usr/www/users/example/wp-content/upgrade
    includedDirectories[]: /usr/www/users/example/wp-content/uploads
    includedDirectories[]: /usr/www/users/example/wp-content/uploads/2018
    includedDirectories[]: /usr/www/users/example/wp-content/uploads/2019
    includedDirectories[]: /usr/www/users/example/wp-content/uploads/avatars
    includedDirectories[]: /usr/www/users/example/wp-content/uploads/buddypress
    includedDirectories[]: /usr/www/users/example/wp-content/uploads/dwqa
    includedDirectories[]: /usr/www/users/example/wp-content/uploads/elementor
    includedDirectories[]: /usr/www/users/example/wp-content/uploads/gravity_forms
    includedDirectories[]: /usr/www/users/example/wp-content/uploads/group-avatars
    includedDirectories[]: /usr/www/users/example/wp-content/uploads/js_composer
    includedDirectories[]: /usr/www/users/example/wp-content/uploads/wp-staging
    includedDirectories[]: /usr/www/users/example/wp-content/wflogs
    includedDirectories[]: /usr/www/users/example/wp-includes
    includedDirectories[]: /usr/www/users/example/wp-includes/blocks
    includedDirectories[]: /usr/www/users/example/wp-includes/certificates
    includedDirectories[]: /usr/www/users/example/wp-includes/css
    includedDirectories[]: /usr/www/users/example/wp-includes/customize
    includedDirectories[]: /usr/www/users/example/wp-includes/fonts
    includedDirectories[]: /usr/www/users/example/wp-includes/ID3
    includedDirectories[]: /usr/www/users/example/wp-includes/images
    includedDirectories[]: /usr/www/users/example/wp-includes/IXR
    includedDirectories[]: /usr/www/users/example/wp-includes/js
    includedDirectories[]: /usr/www/users/example/wp-includes/pomo
    includedDirectories[]: /usr/www/users/example/wp-includes/random_compat
    includedDirectories[]: /usr/www/users/example/wp-includes/Requests
    includedDirectories[]: /usr/www/users/example/wp-includes/rest-api
    includedDirectories[]: /usr/www/users/example/wp-includes/SimplePie
    includedDirectories[]: /usr/www/users/example/wp-includes/Text
    includedDirectories[]: /usr/www/users/example/wp-includes/theme-compat
    includedDirectories[]: /usr/www/users/example/wp-includes/widgets
    excludedDirectories[]: /usr/www/users/example/dev.example.org/wp-admin
    excludedDirectories[]: /usr/www/users/example/dev.example.org/wp-content
    excludedDirectories[]: /usr/www/users/example/dev.example.org/wp-includes
    databaseServer: 
    databaseUser: 
    databasePassword: 
    databaseDatabase: 
    databasePrefix: wp_
    cloneDir: 
    cloneHostname: 
Plugin Support wfdave (@wfdave)

    Hi @renehermi,

The string /usr/www/users/example/wp-admin is setting off the Local File Inclusion firewall rule.

    You can whitelist it by following these steps:

    1. Go to Wordfence -> All Options
    2. Scroll down until you see Whitelisted URLs
    3. Put /wp-admin/admin-ajax.php for the URL
    4. Select Param Type: POST Body for the dropdown
    5. Put includedDirectories for the Param Name
    6. Add, and Save Changes

    For example: https://i.imgur.com/EYohB0x.png

    Dave

Rene Hermenau (@renehermi)

@wfdave Dave, thank you very much mate, this is extremely helpful.

    Is there a way for me, as the developer of WP Staging, to change something in WP Staging to prevent this false error of Wordfence?

    Something like escaping those path strings to bypass the WF blocking, or any chance of you guys applying an exception rule for WP Staging in Wordfence by default?

    (If these are WF algorithm internals that should not be discussed publicly, you can also reach me directly at support [at] wp-staging.com )

    WP Staging already has nearly 40.000 active installations and it’s still growing.

    Yes, I can communicate this and explain to my users how to apply that whitelist rule in Wordfence, but it would be much easier if I could do something internally to prevent the Wordfence block from happening at all. This would be much better for the overall UX.

    I am looking forward to hearing again from you.
    René

    (Great support btw.)

Plugin Support wfdave (@wfdave)

    Hi again!

    You mentioned two solutions and I think both are viable.

    1. Something like escaping those path strings to bypass the WF blocking

    When sending off the array of includedDirectories, use urlencode on all the directories.

    This will convert /usr/something into %2Fusr%2Fsomething, which will not set off the firewall rule.

    Then when you parse includedDirectories again, you can use urldecode.

    2. Any chance to get you guys applying an exception rule for wp staging in wordfence per default?

    I think having a list of whitelisted post parameters / url handles for popular plugins is a great idea. I’ll bring this up with the team to see what they think about it.

    Dave

Rene Hermenau (@renehermi)

    Excellent Dave. Thank you very much for the tip.
I am going to escape those strings with the next update of WP Staging.

    You fully deserve my 5-Stars: https://wordpress.org/support/topic/usually-i-do-not-pay-attention-to-security-plugins-at-all-nor-use-it-on-my-own/

    I close it here for now.

    Cheers
    René
