Hello @makhay,
Thanks for reporting this. We are aware of the issue and will be finding a fix to this as soon as we can.
-Scott
Thread Starter
makhay
(@makhay)
Hi @wfscott, do you have any updates on this?
USER in LOCATION left https://examplewebsite.com/wp-admin/post.php?post=2166&action=edit and was blocked by firewall for WordPress 4.7.0-4.7.1 – Authentication Bypass at https://examplewebsite.com/wp-json/wp/v2/posts/2166/autosaves
Thread Starter
makhay
(@makhay)
@wfscott – this was marked as resolved – but it's not resolved.
@makhay
Sorry for the inconvenience — I was not notified of your reply until I saw it now.
I am currently unable to recreate any blocking issues with Gutenberg.
Have you tried setting the Firewall to Learning Mode and having your author/contributor submit a few posts so the action is whitelisted?
To do this, navigate to Wordfence > Firewall > All Firewall Options and change the Web Application Firewall Status option from Enabled and Protecting to Learning Mode. After you do this, try submitting a few posts with non-admin users and if they go through, head back and change the firewall back to Enabled and Protecting.
Please let me know if this works for you.
Thread Starter
makhay
(@makhay)
We uninstalled Wordfence – deleted all its data – installed fresh – then placed it in learning mode for 2 weeks – had all our people that have unique roles create posts, delete posts, edit posts, save drafts, etc. Then took it out of learning mode – Wordfence continues to block all the actions.
To clarify – these are custom roles created by the Members plugin.
Admin role has no issue.
Thanks for the update. Can you please send over an image of the block you’re seeing which is giving you the option to whitelist the action?
Thanks for the image. Are you on an up to date version of WordPress?
If you navigate to Wordfence > Firewall > All Firewall Options > Advanced Firewall Options and expand the Rules section, look for:
auth-bypass WordPress 4.7.0-4.7.1 – Authentication Bypass: Page/Post Content Modification via REST API
auth-bypass WordPress 4.7.0-4.7.1 – Authentication Bypass
You can disable those. Try again and see if you are able to make posts/changes.
Thread Starter
makhay
(@makhay)
@wfscott
That did it – less protection, but it will have to do for now.
Thank you!
You’re welcome @makhay
Feel free to let us know if you have any other questions. For the time being, I will mark this specific thread as resolved.