Title: Site Scan Error After Enabling Basic Auth Last modified: April 5, 2024 --- # Site Scan Error After Enabling Basic Auth * [jkzsjk](https://wordpress.org/support/users/jkzsjk/) * (@jkzsjk) * [2 years, 1 month ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/) * My WordPress with (iThemes Security Plugin installed) is hosted on AWS EKS, behind NGiNX Ingress. Ever since we have enabled basic authentication login at the path`/ wp-login.php`, our twice daily scheduled site scan has been failing consistently with the following error: * ```wp-block-code Error The scan failed to properly scan the site. Error Message: Unable to determine if the scan target is allowed: Scan target is not publicly accessible. Error Code: site_verification_failed.private_host If you contact support about this error, please provide the following debug details: Array code => site_verification_failed.private_host data => Array url => https://:8443 ``` * ```wp-block-code id => 3671705 module => site-scanner type => warning code => scan-failure-client-error timestamp => 2024-04-04 17:16:05 init_timestamp => 2024-04-04 17:16:05 remote_ip => user_id => [empty string] url => https://:8443/wp-login.php memory_current => 7023904 memory_peak => 7060576 data => Array results => Object WP_Error errors => Array site_verification_failed.private_host => Array 0 => Unable to determine if the scan target is allowed: Scan target is not publicly accessible. error_data => Array site_verification_failed.private_host => Array url => https://:8443 cached => [boolean] false ``` * This error has not appeared prior to this basic authentication login change. Any assistance on this issue would be very much appreciated, thank you! Viewing 14 replies - 1 through 14 (of 14 total) * Plugin Support [chandelierrr](https://wordpress.org/support/users/shanedelierrr/) * (@shanedelierrr) * [2 years, 1 month ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-17559057) * Hi [@jkzsjk](https://wordpress.org/support/users/jkzsjk/), glad you reached out! * The error message indicates that Solid Security can’t scan the site because it is not publicly accessible. * Was this site recently moved from a staging site to a live one? Which plugin version are you using, the Solid Security Pro version or the Basic version? * Also, which basic authentication are you using? Can Solid Security scan your site if the basic authentication is disabled? * Looking forward to hearing from you. * Thread Starter [jkzsjk](https://wordpress.org/support/users/jkzsjk/) * (@jkzsjk) * [2 years ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-17686164) * Hi [@shanedelierrr](https://wordpress.org/support/users/shanedelierrr/), Thanks for the reply. * > Was this site recently moved from a staging site to a live one? * No. * > Which plugin version are you using, the Solid Security Pro version or the Basic > version? * iThemes Security Pro, version 7.1.3 currently. * > Also, which basic authentication are you using? * As mentioned, my WordPress is hosted on AWS EKS, behind NGiNX Ingress. The basic authentication is enabled via Ingress object with the following annotations: * ```wp-block-code nginx.ingress.kubernetes.io/auth-secret: / nginx.ingress.kubernetes.io/auth-secret-type: auth-file nginx.ingress.kubernetes.io/auth-type: basic ``` * > Can Solid Security scan your site if the basic authentication is disabled? * We did try this to check, the answer is no as well. Whenever it fails, we’d notice that the Security dashboard logs would show the following: - Host: It’s a private IP, beginning with `10` (e.g. `10.0.0.1`). Upon further checking, this IP belongs to cluster’s worker node’s IP. - URL: The URL would be `https://10.0.33.21:8443/wp-login.php`. This IP belongs to the WordPress deployment pod within the cluster. * Not sure what else we could be missing, looking forward to your next reply. Appreciate the help! * Plugin Support [chandelierrr](https://wordpress.org/support/users/shanedelierrr/) * (@shanedelierrr) * [2 years ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-17686877) * Hi [@jkzsjk](https://wordpress.org/support/users/jkzsjk/), thanks for the additional details. * > We did try this to check, the answer is no as well. * Can you please confirm if the Site Scan ever had a successful scan on your site before? If so, it started having issues after enabling basic auth, but when you tried removing basic auth it did not help, correct? * Is your site publicly accessible? If so, can you please double-check that the** Licensed URL** in WP Admin > Settings > [SolidWP Licensing](https://help.solidwp.com/hc/en-us/articles/20774277846683-How-do-I-license-Solid-Security-Pro) is correct? Please try also to re-license the plugin after saving the correct Licensed URL. * If the issue persists, please try to whitelist the [Site Scanner’s IP addres](https://help.solidwp.com/hc/en-us/articles/8724067314459-Security-Scanner-IP-Address) s via NGiNX Ingress to bypass the basic auth. * Please let me know how it goes! * Plugin Support [chandelierrr](https://wordpress.org/support/users/shanedelierrr/) * (@shanedelierrr) * [2 years ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-17703857) * Hi there, * I’m circling back here to check if the previous reply helped resolve the issue. Tracking notifications on this forum can become tricky over time, and since we haven’t received a response, I’ll mark this post resolved. If you still require further assistance, feel free to open a new support topic, and we’d be happy to assist.Thank you! * Thread Starter [jkzsjk](https://wordpress.org/support/users/jkzsjk/) * (@jkzsjk) * [1 year, 8 months ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-17956384) * Hi, [@shanedelierrr](https://wordpress.org/support/users/shanedelierrr/) * Sorry for replying late as this item was deprioritised on my end previously. * > Can you please confirm if the Site Scan ever had a successful scan on your > site before? * Yes. * > Can you please confirm if the Site Scan ever had a successful scan on your > site before? If so, it started having issues after enabling basic auth, but > when you tried removing basic auth it did not help, correct? * Yes & yes, but sometimes (even with Basic Auth still enabled) it might still be successful. * > Is your site publicly accessible? If so, can you please double-check that the** > Licensed URL** in WP Admin > Settings > [SolidWP Licensing](https://help.solidwp.com/hc/en-us/articles/20774277846683-How-do-I-license-Solid-Security-Pro) > is correct? Please try also to re-license the plugin after saving the correct > Licensed URL. * Yes, publicly accessible but we’re not licensed. We’re using the free iThemes security plugin. * > If the issue persists, please try to whitelist the [Site Scanner’s IP addres](https://help.solidwp.com/hc/en-us/articles/8724067314459-Security-Scanner-IP-Address) > s via NGiNX Ingress to bypass the basic auth. * Will consider doing this, thank you! Though It’s worth noting that all successful attempts we’ve had so far, had never needed this whitelisting to be done. * Additionally, here’s more context. Usually when it’s successful (do note that the difference in URL, i.e. `url =>`), the logs would look like this: * ```wp-block-code id => 3674473module => site-scannertype => critical-issuecode => vulnerable-softwaretimestamp => 2024-08-15 15:09:37init_timestamp => 2024-08-15 15:09:36remote_ip => 204.246.166.146user_id => [empty string]url => https://www..com/memory_current => 8295960memory_peak => 8497448data => Array results => Array url => https://www..com version => 1.0 entries => Array blacklist => Array 0 => Array report_details => https://transparencyreport.google.com/safe-browsing/search?url=www..com status => clean vendor => Array slug => google label => Google Safe Browsing vulnerabilities => Array 0 => Array type => wordpress issues => Array 0 => Array title => WordPress core < 6.5.5 - Contributor+ Path Traversal (Windows Only) vulnerability description => Contributor+ Path Traversal (Windows Only) ``` * When it’s failing (`10.1.0.1` is a sample of internal IP): * ```wp-block-code id => 3674444module => site-scannertype => warningcode => scan-failure-client-errortimestamp => 2024-08-15 03:09:34init_timestamp => 2024-08-15 03:09:32remote_ip => 10.9.68.67user_id => [empty string]url => https://10.1.0.1:8443/wp-login.phpmemory_current => 7858472memory_peak => 7895080data => Array results => Object WP_Error errors => Array site_verification_failed.private_host => Array 0 => Unable to determine if the scan target is allowed: Scan target is not publicly accessible. error_data => Array site_verification_failed.private_host => Array url => https://10.1.0.1:8443 cached => [boolean] false ``` * My next few questions are: - Am aware that free and paying are able to do site scan, but is paying necessary for specific support to resolve this issue? - How is the URL get decided or set when scan is triggered? With the same WordPress instance, we would occasionally see it in the form of public URL or internal private IP otherwise. - Is it correct to assume the site scanning will always be done successfully via public internet? Or it will fail otherwise? * Thanks for reading & looking forward to your further assistance, appreciate it! * Thread Starter [jkzsjk](https://wordpress.org/support/users/jkzsjk/) * (@jkzsjk) * [1 year, 8 months ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-17965716) * Hi [@shanedelierrr](https://wordpress.org/support/users/shanedelierrr/), * Would appreciate your assistance on the matter, many thanks in advance. * Plugin Support [chandelierrr](https://wordpress.org/support/users/shanedelierrr/) * (@shanedelierrr) * [1 year, 8 months ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-17967473) * Hi [@jkzsjk](https://wordpress.org/support/users/jkzsjk/), sorry for the slow turnaround here! * First, premium support is certainly not necessary to get this resolved, we’re here to help all our users. * Our team reviewed this case and we think that there is something within your server configuration that’s returning the host IP to Solid Security instead of the actual public-facing URLs. So, what’s happening is that the failed scans are running via Cron, and during those scans, Solid Security picks up the host IP because of how it’s resolved on the server and returns an error (which is the expected behavior) because it thinks it’s a private site. * _How is the URL get decided or set when scan is triggered? With the same WordPress instance, we would occasionally see it in the form of public URL or internal private IP otherwise._ * The scanner will use `get_home_url` to retrieve the URL to scan. You may be experiencing an error if your home URL is set dynamically based on the request URL. When running Cron, often times there is no site URL, and so the IP address of the machine is being provided instead. You’ll need to update your server configuration to ensure `get_home_url` returns valid values in all runtimes. * _Is it correct to assume the site scanning will always be done successfully via public internet? Or it will fail otherwise?_ * Yes, the site scanner is designed to scan publicly accessible sites and not private sites * Moving forward, can you please check into how your site’s URL is being configured on your server? Please also check and let us know how Kubernetes handles DNS resolutions because it could be causing inconsistencies in how URLs are resolved on your site. * Looking forward to your update! * Thread Starter [jkzsjk](https://wordpress.org/support/users/jkzsjk/) * (@jkzsjk) * [1 year, 8 months ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-17970425) * Hi [@shanedelierrr](https://wordpress.org/support/users/shanedelierrr/), Thanks again for the feedback and explanation especially, appreciate it! * > So, what’s happening is that the failed scans are running via Cron, and during > those scans, Solid Security picks up the host IP because of how it’s resolved > on the server and returns an error (which is the expected behavior) because > it thinks it’s a private site. * Yes, this is exactly what’s happening to me so far. If it’s triggered manually( via WordPress admin’s security dashboard), it would work fine with the public URL but failing with private IP when triggered via Cron. * > The scanner will use `get_home_url` to retrieve the URL to scan. You may be > experiencing an error if your home URL is set dynamically based on the request > URL. When running Cron, often times there is no site URL, and so the IP address > of the machine is being provided instead. You’ll need to update your server > configuration to ensure `get_home_url` returns valid values in all runtimes. * Would defining `WP_HOME` & `WP_SITEURL` beforehand help? I noticed they weren’t defined in my environment so far, so I did it subsequently but the results are still the same. The only other difference it made was it fixed `wp itsec site- scanner scan` for me. The CLI triggered scan would fail with `https://127.0.0.1` as URL prior to this. When Cron site scan happens, when `get_home_url` is triggered, does it replace/define `WP_HOME` & `WP_SITEURL` for me? * > Moving forward, can you please check into how your site’s URL is being configured > on your server? Please also check and let us know how Kubernetes handles DNS > resolutions because it could be causing inconsistencies in how URLs are resolved > on your site. * Besides the 2 aforementioned variables, are there any others I should check? In my WordPress General settings page, I could see `WordPress Address (URL)` &` Site Address (URL)` are defined correctly with my public facing URL though. Would appreciate it if you could share what other Kubernetes components I should check as well. E.g. pod container’s `/etc/hosts` file/DNS pods logs or configuration& etc. * Thread Starter [jkzsjk](https://wordpress.org/support/users/jkzsjk/) * (@jkzsjk) * [1 year, 8 months ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-17979738) * Hi [@shanedelierrr](https://wordpress.org/support/users/shanedelierrr/), Any updates so far? * Plugin Support [chandelierrr](https://wordpress.org/support/users/shanedelierrr/) * (@shanedelierrr) * [1 year, 8 months ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-17981209) * Hi [@jkzsjk](https://wordpress.org/support/users/jkzsjk/), thanks for waiting! * Can you try proceeding to define  `WP_HOME` & `WP_SITEURL` variables, then once done, send a copy of your Site Health Info to us? You may send it to us [here](https://solidwp.com/contact/) and reference this post. * Thread Starter [jkzsjk](https://wordpress.org/support/users/jkzsjk/) * (@jkzsjk) * [1 year, 8 months ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-17988834) * Hi [@shanedelierrr](https://wordpress.org/support/users/shanedelierrr/), Apologies for the late response as well, I have already reached out as per instructed.Looking forward to your/SolidWP’s support, thank you & appreciate it! * Thread Starter [jkzsjk](https://wordpress.org/support/users/jkzsjk/) * (@jkzsjk) * [1 year, 7 months ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-18023790) * Hi [@shanedelierrr](https://wordpress.org/support/users/shanedelierrr/), Any updates on the matter so far? * Plugin Support [chandelierrr](https://wordpress.org/support/users/shanedelierrr/) * (@shanedelierrr) * [1 year, 5 months ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-18132531) * Hi [@jkzsjk](https://wordpress.org/support/users/jkzsjk/), I’m truly sorry for the slow turnaround here! * I’ve looked at our internal ticket system and could not find a submission related to this issue. Can you please contact us again along with the necessary information? You can mention both my name and this thread’s link so that it can be passed to our support team. * Thank you. * Plugin Support [chandelierrr](https://wordpress.org/support/users/shanedelierrr/) * (@shanedelierrr) * [1 year, 4 months ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-18197481) * Hi [@jkzsjk](https://wordpress.org/support/users/jkzsjk/), just wanted to reach back out here to see if you had any updates on my previous suggestion. Viewing 14 replies - 1 through 14 (of 14 total) The topic ‘Site Scan Error After Enabling Basic Auth’ is closed to new replies. * ![](https://ps.w.org/better-wp-security/assets/icon.svg?rev=2980272) * [Solid Security – Password, Two Factor Authentication, and Brute Force Protection](https://wordpress.org/plugins/better-wp-security/) * [Frequently Asked Questions](https://wordpress.org/plugins/better-wp-security/#faq) * [Support Threads](https://wordpress.org/support/plugin/better-wp-security/) * [Active Topics](https://wordpress.org/support/plugin/better-wp-security/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/better-wp-security/unresolved/) * [Reviews](https://wordpress.org/support/plugin/better-wp-security/reviews/) * 15 replies * 2 participants * Last reply from: [chandelierrr](https://wordpress.org/support/users/shanedelierrr/) * Last activity: [1 year, 4 months ago](https://wordpress.org/support/topic/site-scan-error-after-enabling-basic-auth/#post-18197481) * Status: not resolved