Support » Plugin: Wordfence Security - Firewall & Malware Scan » How to whitelist AWS?

  • Resolved parakeet

    (@parakeet)


    I need to connect another service to my WordPress via xmlrpc.php.

    However, I have disabled all xmlrpc.php in Wordfence.

    Currently, the service is failing to connect with error 503.

    The service uses rotating IPs via Amazon Web Services. I need to whitelist all of its us-east-1 IPs. I know these are made available at https://ip-ranges.amazonaws.com/ip-ranges.json

    However, when I paste the IPs into the box “Whitelisted IP addresses that bypass all rules”, the service is still blocked. Heck, even when I find the IP in Live Traffic and unblock it, it still gets blocked next time.

Viewing 12 replies - 1 through 12 (of 12 total)
  • Hi @parakeet,

    Have you re-enabled xmlrpc.php? If not, could you re-enable and retest whether the IPs are still failing to connect to the service?

    @wfchar
    Presuming you mean “remove ‘/xmlrpc.php’ from the textarea for ‘Immediately block IPs that access these URLs’”…

    I just removed that and saved options…

    Yes, the service, which is Zapier, connects when I do that.

    When I put “/xmlrpc.php” back in the box…
    The first connection succeeded.
    The second failed.
    The third failed.

    First may have been using an IP range that remains in the “Whitelisted IP addresses that bypass all rules” textarea, “35.168.0.0/13”. Zapier rotates its AWS IP usage.

    It may help if I were more certain about how exactly to whitelist the AWS IPs.
    Amazon’s own list is JSON, which doesn’t make it easy to copy and paste from. https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

    Not sure if I’m doing something else wrong, though.

    Hi @parakeet,

    If you leave xmlrpc.php in place for Immediately block IPs that access these URLs, then any requests that leverage xmlrpc.php will in fact be blocked regardless of whether or not you have the IP addresses otherwise whitelisted.

    The initial success may have been due to an existing connection that was still open at the time you rechecked the connection, but the second and third failures would be the expected behavior when xmlrpc is blocked. Unless you have a need to keep xmlrpc.php blocked, in which case you won’t be able to use Zapier or any other external service that uses xmlrpc, you should go ahead and remove it from the block list.

    Let me know if you have any further questions!

    Since xmlrpc.php is a known exploit channel, and I have seen traffic attempt to use it, I like the sound of blocking this access.

    But I assumed whitelist could override that for predefined IPs, so I’m surprised.

    I wonder if I can use .htaccess to block xmlrpc.php access for all except stated IPs, using this method. If so, I assume I would have to remove it first from Wordfence to allow .htaccess to take effect… ?

    Sounds like it should have the intended effect, but I would lose Wordfence’s extra abilities like blocking upon detection of traffic to that URL… ?
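    The .htaccess variant asked about above, as an added example that is not from the thread or from Wordfence. It assumes Apache 2.4 syntax, that the server's AllowOverride permits AuthConfig directives in .htaccess, and that Apache sees the real client address; the two ranges are placeholders taken from the list posted in this thread and stand in for the full, current set.

```apache
# Added example: serve xmlrpc.php only to the listed source ranges (Apache 2.4).
# The ranges are placeholders from this thread; regenerate them from
# https://ip-ranges.amazonaws.com/ip-ranges.json and keep them current.
<Files "xmlrpc.php">
    # Inside a <Files> block the default is RequireAny: one matching line is enough.
    Require ip 35.168.0.0/13
    Require ip 52.95.245.0/24
    # IPv6 prefixes use the same directive (illustrative prefix, not a verified AWS one):
    # Require ip 2600:1f18::/33
</Files>
```

    Two consequences worth knowing before choosing this over the Wordfence option: Apache answers 403 before PHP starts, so Wordfence never sees the denied request and its “Immediately block IPs that access these URLs” rule cannot fire on it, which is exactly the trade-off raised above; and behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so mod_remoteip has to be configured in the server config (it cannot be done from .htaccess) or every request will appear to come from the proxy and either all be allowed or all be denied. Apache 2.2 uses Order/Deny/Allow instead of Require.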

    Hi @parakeet,

    I discussed your use case with the team, and the general recommendation is that you remove xmlrpc.php from the “access these URLs” block, as xmlrpc.php is protected by the brute force protection rules that also protect the login page. However, if you want to proceed with having xmlrpc.php explicitly blocked, you can do so and then go to Firewall > Firewall Options > Advanced Firewall Options and enter the AWS IPs to whitelist in the “Whitelisted IP addresses that bypass all rules” field. You will need to keep in mind that the AWS IP addresses listed in that json file can change, so you will need to keep that in mind when troubleshooting external service issues.

    Let us know if you have any further questions!

    Hi @parakeet,

    After doing some retesting, it looks like your original configuration should be working. If you’re taking the IP address ranges straight from the JSON file, they’re not going to work as the IPv6 addresses need to be formatted to match what is required by the parser: https://www.wordfence.com/help/firewall/options/?utm_source=plugin&utm_medium=pluginUI&utm_campaign=docsIcon#whitelisted-ips

    Ah this may be the issue.
    I’m going to try it and reply to update.
    Thanks.

    Current state of play…

    I went back to Amazon’s list of IP ranges

    Being in JSON, it is unworkable to paste them into Wordfence’s whitelist list.
    I bit the bullet…
    Added ImportJSON to Google Sheets, so as to display Amazon’s list in a sheet, then I was able to view only the us-east ones, in a column.
    I copy-pasted those into Wordfence’s whitelist list, and saved…

    52.92.72.0/22
    52.92.64.0/22
    52.92.39.0/24
    54.232.0.0/16
    52.46.172.0/22
    54.231.253.0/24
    52.94.198.16/28
    54.207.0.0/16
    54.240.244.0/22
    52.95.163.0/24
    52.95.136.0/23
    54.233.64.0/18
    54.94.0.0/16
    52.95.164.0/23
    52.95.240.0/24
    177.71.128.0/17
    52.94.248.48/28
    177.72.240.0/21
    18.228.0.0/16
    52.95.255.0/28
    18.231.0.0/16
    52.95.138.0/24
    54.233.0.0/18
    54.239.0.64/28
    52.94.7.0/24
    52.67.0.0/16
    52.94.206.0/23
    54.233.128.0/17
    177.71.207.128/26
    54.232.40.64/26
    52.92.72.0/22
    52.92.64.0/22
    52.92.39.0/24
    54.231.253.0/24
    52.95.163.0/24
    52.95.136.0/23
    52.95.164.0/23
    52.95.138.0/24
    54.232.0.0/16
    54.207.0.0/16
    54.233.64.0/18
    54.94.0.0/16
    52.95.240.0/24
    177.71.128.0/17
    52.94.248.48/28
    18.228.0.0/16
    52.95.255.0/28
    18.231.0.0/16
    54.233.0.0/18
    52.67.0.0/16
    54.233.128.0/17
    54.233.255.128/26
    177.71.207.16/29
    18.231.194.8/29
    18.208.0.0/13
    52.95.245.0/24
    54.196.0.0/15
    216.182.224.0/21
    52.119.224.0/21
    216.182.232.0/22
    52.144.193.128/26
    107.20.0.0/14
    52.94.224.0/20
    67.202.0.0/18
    205.251.246.0/24
    52.93.249.0/24
    207.171.160.0/20
    184.73.0.0/16
    54.80.0.0/13
    52.144.192.192/26
    54.221.0.0/16
    54.240.202.0/24
    54.156.0.0/14
    54.236.0.0/15
    52.144.194.0/26
    54.226.0.0/15
    52.90.0.0/15
    100.24.0.0/13
    52.119.232.0/21
    54.231.244.0/22
    205.251.244.0/23
    54.231.0.0/17
    52.144.192.0/26
    54.210.0.0/15
    54.198.0.0/16
    52.20.0.0/14
    52.200.0.0/13
    52.95.48.0/22
    54.240.232.0/22
    54.240.228.0/23
    176.32.120.0/22
    54.160.0.0/13
    54.239.108.0/22
    52.94.192.0/22
    205.251.247.0/24
    35.153.0.0/16
    52.144.195.0/26
    52.94.124.0/22
    52.70.0.0/15
    52.94.248.0/28
    52.119.212.0/23
    52.95.62.0/24
    52.93.1.0/24
    52.54.0.0/15
    52.93.3.0/24
    54.152.0.0/16
    52.144.193.64/26
    54.239.16.0/20
    54.92.128.0/17
    54.239.0.0/28
    52.0.0.0/15
    184.72.128.0/17
    205.251.248.0/24
    54.240.216.0/22
    52.93.51.29/32
    23.20.0.0/14
    52.46.168.0/23
    52.92.16.0/20
    172.96.97.0/24
    52.94.68.0/24
    18.204.0.0/14
    54.88.0.0/14
    54.240.196.0/24
    52.119.196.0/22
    54.204.0.0/15
    52.86.0.0/15
    52.44.0.0/15
    18.232.0.0/14
    52.93.51.28/32
    54.174.0.0/15
    50.16.0.0/15
    35.168.0.0/13
    52.144.192.64/26
    54.239.8.0/21
    207.171.176.0/20
    54.240.208.0/22
    52.94.240.0/22
    174.129.0.0/16
    72.44.32.0/19
    34.224.0.0/12
    52.94.0.0/22
    205.251.240.0/22
    52.93.4.0/24
    54.224.0.0/15
    52.46.128.0/19
    75.101.128.0/17
    52.46.164.0/23
    72.21.192.0/19
    52.95.63.0/24
    52.94.252.0/23
    34.192.0.0/12
    54.208.0.0/15
    54.242.0.0/15
    216.182.238.0/23
    54.234.0.0/15
    52.94.254.0/23
    52.46.170.0/23
    52.95.108.0/23
    52.144.193.0/26
    52.119.206.0/23
    54.144.0.0/14
    52.2.0.0/15
    176.32.96.0/21
    184.72.64.0/18
    52.94.244.0/22
    205.251.224.0/22
    54.239.104.0/23
    204.236.192.0/18
    52.144.192.128/26
    52.216.0.0/15
    54.239.98.0/24
    52.4.0.0/14
    52.119.214.0/23
    52.72.0.0/15
    52.95.255.80/28
    50.19.0.0/16
    54.172.0.0/15
    54.243.31.192/26
    107.23.255.0/26
    54.231.0.0/17
    52.92.16.0/20
    52.216.0.0/15
    18.208.0.0/13
    52.95.245.0/24
    54.196.0.0/15
    216.182.224.0/21
    216.182.232.0/22
    107.20.0.0/14
    67.202.0.0/18
    184.73.0.0/16
    54.80.0.0/13
    54.221.0.0/16
    54.156.0.0/14
    54.236.0.0/15
    54.226.0.0/15
    52.90.0.0/15
    100.24.0.0/13
    54.210.0.0/15
    54.198.0.0/16
    52.20.0.0/14
    52.200.0.0/13
    54.160.0.0/13
    35.153.0.0/16
    52.70.0.0/15
    52.94.248.0/28
    52.54.0.0/15
    54.152.0.0/16
    54.92.128.0/17
    52.0.0.0/15
    184.72.128.0/17
    23.20.0.0/14
    18.204.0.0/14
    54.88.0.0/14
    54.204.0.0/15
    52.86.0.0/15
    52.44.0.0/15
    18.232.0.0/14
    54.174.0.0/15
    50.16.0.0/15
    35.168.0.0/13
    174.129.0.0/16
    72.44.32.0/19
    34.224.0.0/12
    54.224.0.0/15
    75.101.128.0/17
    34.192.0.0/12
    54.208.0.0/15
    54.242.0.0/15
    216.182.238.0/23
    54.234.0.0/15
    54.144.0.0/14
    52.2.0.0/15
    184.72.64.0/18
    204.236.192.0/18
    52.4.0.0/14
    52.72.0.0/15
    52.95.255.80/28
    50.19.0.0/16
    54.172.0.0/15
    34.226.14.0/24
    34.195.252.0/24
    34.232.163.208/29
    34.228.4.208/28
    18.233.213.128/25
    52.55.191.224/27
    35.172.155.192/27
    35.172.155.96/27
    52.95.0.0/20
    52.144.196.192/26
    52.94.248.160/28
    52.219.96.0/20
    52.94.4.0/24
    13.58.0.0/15
    52.95.24.0/22
    52.15.0.0/16
    54.239.0.224/28
    52.219.80.0/20
    18.220.0.0/14
    18.191.0.0/16
    52.14.0.0/16
    18.216.0.0/14
    52.92.76.0/22
    52.95.28.0/24
    52.95.16.0/21
    18.188.0.0/16
    52.94.199.0/24
    18.224.0.0/14
    52.95.251.0/24
    52.219.96.0/20
    52.219.80.0/20
    52.92.76.0/22
    52.94.248.160/28
    13.58.0.0/15
    52.15.0.0/16
    18.220.0.0/14
    18.191.0.0/16
    52.14.0.0/16
    18.216.0.0/14
    18.188.0.0/16
    18.224.0.0/14
    52.95.251.0/24
    52.15.127.128/26
    18.216.170.128/25
    13.59.250.0/26
    52.15.247.208/29
    18.188.9.0/27
    18.188.9.32/27

    As of now, I am getting repeating success trying to connect Zapier to my WordPress.

    We’ll see if their IP rotation is stuck or something, but it looks good.

    We’ll also see if this is too liberal and dangerous.
    But I think you already confirmed that Wordfence will effectively backstop xmlrpc.php protection by banning repeating failed authentication attempts by xmlrpc.php? Because access via that method relies on successfully authenticating, does it?

    Thanks.
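    The manual procedure above (ImportJSON into a sheet, filter one region, paste the column), plus the formatting point from the earlier reply, done as a script. This is an added example, not code from the thread or from Wordfence. It assumes the file from https://ip-ranges.amazonaws.com/ip-ranges.json has been downloaded separately and is passed as the first argument; without one it runs on a small constructed sample in the same shape. It emits plain CIDR for both families; whether Wordfence needs IPv6 written differently is a question for the option documentation linked above, which this script does not try to encode. The `matching_prefix` check is for the situation described at the top of the thread, where an address seen in Live Traffic still gets blocked: it tells “not covered by the list” apart from “covered but blocked by another rule”.

```python
"""Build a Wordfence whitelist from AWS ip-ranges.json and check an IP against it."""
import ipaddress
import json
import sys

# Constructed sample in the shape of ip-ranges.json (assumption: a few illustrative
# entries, not the real file, which has thousands of entries and changes over time).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2019-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "35.168.0.0/13", "region": "us-east-1", "service": "AMAZON"},
        # the same prefix also appears under a narrower service tag
        {"ip_prefix": "35.168.0.0/13", "region": "us-east-1", "service": "EC2"},
        # a prefix already contained in 35.168.0.0/13
        {"ip_prefix": "35.172.155.96/27", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "52.95.245.0/24", "region": "us-east-1", "service": "AMAZON"},
        # other regions must not end up in a us-east-1 whitelist
        {"ip_prefix": "13.58.0.0/15", "region": "us-east-2", "service": "AMAZON"},
        {"ip_prefix": "177.71.128.0/17", "region": "sa-east-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f18::/33", "region": "us-east-1", "service": "AMAZON"},
        {"ipv6_prefix": "2600:1f16::/35", "region": "us-east-2", "service": "AMAZON"},
    ],
})


def aws_prefixes(ip_ranges_json, region, service="AMAZON", include_ipv6=True):
    """Return the prefixes for one region, deduplicated and collapsed.

    Filtering on service "AMAZON" (documented by AWS as the superset of the
    per-service lists) avoids the cross-service duplicates that a flat
    spreadsheet column of every entry produces.
    """
    data = json.loads(ip_ranges_json)
    nets = [ipaddress.ip_network(e["ip_prefix"])
            for e in data.get("prefixes", [])
            if e["region"] == region and e["service"] == service]
    if include_ipv6:
        nets += [ipaddress.ip_network(e["ipv6_prefix"])
                 for e in data.get("ipv6_prefixes", [])
                 if e["region"] == region and e["service"] == service]
    # collapse_addresses() drops exact duplicates and any prefix that sits inside
    # a larger one; it accepts only one address family per call.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def whitelist_text(prefixes):
    """One entry per line, the layout pasted into the Wordfence field above."""
    return "\n".join(prefixes) + "\n"


def matching_prefix(ip, prefixes):
    """Return the prefix covering `ip`, or None if the list would not match it."""
    addr = ipaddress.ip_address(ip)
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if net.version == addr.version and addr in net:
            return p
    return None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            source = fh.read()
    else:
        source = SAMPLE_IP_RANGES
    region = sys.argv[2] if len(sys.argv) > 2 else "us-east-1"
    sys.stdout.write(whitelist_text(aws_prefixes(source, region)))
```

    Run as `python aws_whitelist.py ip-ranges.json us-east-1` and paste the output into the Wordfence field; rerun it when a connection starts failing again, since the file changes. The collapsed output is also the honest measure of what the whitelist grants: every address in those ranges, including any third party's instance in that region, bypasses all Wordfence rules, which is the concern raised at the end of the post above.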

    Hi @parakeet,

    Glad to see that you’re getting successful connections!

    That’s correct — brute force protection will also protect xmlrpc.php, plus you have the other options for whitelisting the IPs with an explicit block.

    Let us know if you have any further questions or concerns!

    I wanted to revive this since Wordfence appears still to be blocking Zapier for me. I do not have xmlrpc.php in “Immediately block…” and haven’t added all those IPs to the whitelist (which seems improperly open). Can the team take another look at this issue or perhaps suggest where I’m going wrong?

    octanage

    (@octanage)

    Hello there – same here: having issues with Zapier and IFTTT and xmlrpc after a recent update of Wordfence. Wondering what is the solution other than importing the (rotating) IP list into Wordfence? thanks

    octanage

    (@octanage)

    For reference, I’m getting error 405 – XML-RPC service is disable on website from both Zapier and IFTTT. I’m unable to reconnect either service.

  • The topic ‘How to whitelist AWS?’ is closed to new replies.