Support » Plugin: Wordfence Security - Firewall & Malware Scan » The last rules update for the Wordfence Web Application Firewall was unsuccessfu

  • Please help? I’m getting the following error:
    The last rules update for the Wordfence Web Application Firewall was unsuccessful. The last successful update check was November 11, 2020 3:11 pm, so this site may be missing new rules added since then. You may wait for the next automatic attempt at December 15, 2020 12:58 pm or try to Manually Update by clicking the “Manually Refresh Rules” button below the Rules list.

    When I try to manually refresh, I get the following error: “No rules were updated. Your website has reached the maximum number of rule update requests. Please try again later.” I waited until after the next update check and it is still failing.

    I have read through this entire thread and taken every action:
    https://wordpress.org/support/topic/the-last-rules-update-for-the-wordfence-web-application-firewall-was-unsuccessfu/

    * Confirmed user/group match diagnostics Process Owner
    * All Diagnostics have green checkmarks
    * Confirmed 664 on /var/www/html/wp-content/wflogs/rules.php
    * Confirmed 775 on /var/www/html/wp-content/wflogs/
    * Deactivated/reactivated the plugin
    * Deleted/re-enabled .htaccess
    * Ensured correct permissions on .htaccess
    * Disabled Apache ModSecurity
    * Disabled WordPress Sucuri plugin
    * Ensured I am at the latest version (7.4.14)
    * Deleted the rules.php file and allowed it to re-create. It only created a 0kb file with today’s date so I restored the November 11th version.
    * My web server can reach the WFWAF_API_URL_SEC server and page found in init.php. See output below.
    * No curl_exec setting in php.ini
    * Restored defaults (no good, so I reverted my saved options)
    * php-fpm not installed
    * Diagnostics connectivity is good, as is every other diagnostic green checkmark
    * Waited for the Dec 15th deadline to pass and tried again

    root@web01.prod.securecoop.com:/SecureCoop# grep WFWAF_API_URL_SEC /var/www/html/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/init.php
    define(‘WFWAF_API_URL_SEC’, ‘https://noc4.wordfence.com/v1.9/’);
    root@web01.prod.securecoop.com:/SecureCoop# curl -o- https://noc4.wordfence.com/v1.9/
    {“success”:false,”errorMessage”:”Invalid action supplied.”}root@web01.prod.securecoop.com:/SecureCoop#

    The page I need help with: [log in to see the link]

Viewing 10 replies - 16 through 25 (of 25 total)
  • Plugin Support WFAdam

    (@wfadam)

    @edemir206 As per forum guidelines below, could you please open your own topic and we would be glad to assist you:
    “Unless users have the exact same version of WordPress on the same physical server hosted by the same hosts with the same plugins, theme, and configurations, then the odds are the solution for one user will not be the same for another. For this reason, we recommend people start their own topics.”

    @cdevidal Do you have any error logs you could send us to review? wftest @ wordfence . com with subject ” cdevidal for WFADAM ”

    Thanks again!

    Thread Starter Better Automations

    (@cdevidal)

    @wfadam I’d love to send logs, which ones do you have in mind? Still zero KB.

    root@web01.prod.securecoop.com:/SecureCoop# ls -l /var/www/html/wp-content/wflogs/rules.php
    -rw-rw-r-- 1 www-data www-data 0 Feb 11 16:10 /var/www/html/wp-content/wflogs/rules.php
    root@web01.prod.securecoop.com:/SecureCoop#
    

    [ Please do not bump. ]

    Plugin Support WFAdam

    (@wfadam)

    Sorry @cdevidal but after some time without a reply, the thread will close on our end.

    If you could, enable WP Debug, then try to refresh the rules manually again in the Wordfence > All Options > Advanced Firewall Options > Manually Refresh Rules. This should generate the error on the log for us to review and see what exactly is happening.

    https://wordpress.org/support/article/debugging-in-wordpress/ can walk you through enabling the error logs on your site. Once you have this enabled, your site will generate error logs, which will help us figure out what might be causing your issue.

    Thanks again!

    Thread Starter Better Automations

    (@cdevidal)

    I setup debugging and tried an update: “No rules were updated. Your website has reached the maximum number of rule update requests. Please try again later.”

    Didn’t see anything in my logs. How soon before I can try again?

    Plugin Support WFAdam

    (@wfadam)

    Can you send that log to wftest @ wordfence . com with subject “cdevidal for WFADAM” I would like our QA team to review it. If you have access logs as well, we could review though.

    Can you also attach a diagnostic from your Wordfence > Tools > Diagnostic page using the “Export” feature into that email? The last one I had from you was from a few months ago.

    Thanks again!

    Thread Starter Better Automations

    (@cdevidal)

    There is absolutely no output in the PHP log so I won’t send that. It might be because of the error, “No rules were updated.” Was able to send the diagnostic report though.

    Thread Starter Better Automations

    (@cdevidal)

    Did you receive it?

    Plugin Support WFAdam

    (@wfadam)

    I got it! Thanks again!

    I have our QA team investigating the issue.

    Ill let you know what we find!

    Plugin Support WFAdam

    (@wfadam)

    We do see the site in our server logs attempting to get WAF rules multiple times per hour, so the connection to the server is ok. You’ll easily hit the rate limit that way, so only some of the attempts are getting a chance to try to write files.

    Usually, this would be a permissions issue, where the WAF files are stuck and can’t be overwritten, though you said you have already checked permissions. There could be something like selinux preventing writing files, despite the permissions, I’d check if you’re using that or any other security software on the server outside of WP that might block writing files.

    You checked the main error log, but I see diagnostics shows an error log at wp-content/debug.log with a nonzero size. Can you check that one for any errors. The drawback about using WP_DEBUG is that errors that occur during the WAF code before WP loads won’t be there if the WAF is optimized. You might need to set the error log path in php.ini to be sure those earlier errors are logged.

    It’s possible that an issue that’s preventing writing to the wflogs files may also be preventing the webserver from writing to the default log as well, which could leave it at 0 bytes permanently.

    If you can send the output of ls -l /var/www/html/wp-content/wflogs it would be good to see if any of the files have newer dates.

    It may be worth trying renaming the whole wflogs directory temporarily, this loses some WAF settings, but we can see if the files get re-created, and if they contain anything.

    phpinfo() must be disabled since it’s missing in Diagnostics, but I’m not sure if it will help in this case. You could temporarily enable it in php.ini, run Diagnostics once again, and then disable it again. I’d be looking for what’s in disable_functions, open_basedir, or possibly any missing or unexpected PHP extensions.

    Thanks again!

    Thread Starter Better Automations

    (@cdevidal)

    Usually, this would be a permissions issue, where the WAF files are stuck and can’t be overwritten, though you said you have already checked permissions. There could be something like selinux preventing writing files, despite the permissions, I’d check if you’re using that or any other security software on the server outside of WP that might block writing files.

    It perhaps is some security software but I can’t think what that might be. It’s not Ubuntu’s selinux equivalent, (AppArmor) there is an AppArmor rule but it is not enabled.

    root@web01.prod.securecoop.com:/SecureCoop# grep /var/www/html /etc/apparmor.d/abstractions/web-data
      /var/www/html/ r,
      /var/www/html/** r,
    root@web01.prod.securecoop.com:/SecureCoop# apparmor_status
    apparmor module is loaded.
    40 profiles are loaded.
    40 profiles are in enforce mode.
       /snap/core/11167/usr/lib/snapd/snap-confine
       /snap/core/11167/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
       /snap/snapd/11841/usr/lib/snapd/snap-confine
       /snap/snapd/11841/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
       /snap/snapd/12057/usr/lib/snapd/snap-confine
       /snap/snapd/12057/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
       /usr/bin/lxc-start
       /usr/bin/man
       /usr/lib/NetworkManager/nm-dhcp-client.action
       /usr/lib/NetworkManager/nm-dhcp-helper
       /usr/lib/connman/scripts/dhclient-script
       /usr/lib/snapd/snap-confine
       /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
       /usr/sbin/mysqld
       /usr/sbin/tcpdump
       /{,usr/}sbin/dhclient
       lsb_release
       lxc-container-default
       lxc-container-default-cgns
       lxc-container-default-with-mounting
       lxc-container-default-with-nesting
       man_filter
       man_groff
       nvidia_modprobe
       nvidia_modprobe//kmod
       snap-update-ns.core
       snap-update-ns.lxd
       snap.core.hook.configure
       snap.lxd.activate
       snap.lxd.benchmark
       snap.lxd.buginfo
       snap.lxd.check-kernel
       snap.lxd.daemon
       snap.lxd.hook.configure
       snap.lxd.hook.install
       snap.lxd.hook.remove
       snap.lxd.lxc
       snap.lxd.lxc-to-lxd
       snap.lxd.lxd
       snap.lxd.migrate
    0 profiles are in complain mode.
    1 processes have profiles defined.
    1 processes are in enforce mode.
       /usr/sbin/mysqld (916)
    0 processes are in complain mode.
    0 processes are unconfined but have a profile defined.
    root@web01.prod.securecoop.com:/SecureCoop#

    You checked the main error log, but I see diagnostics shows an error log at wp-content/debug.log with a nonzero size. Can you check that one for any errors. The drawback about using WP_DEBUG is that errors that occur during the WAF code before WP loads won’t be there if the WAF is optimized. You might need to set the error log path in php.ini to be sure those earlier errors are logged.

    That log file might have existed at one time, but it has since been removed. I believe it belonged to a debug plugin which I have removed.

    root@web01.prod.securecoop.com:/SecureCoop# ls -l /var/www/html/wp-content/debug.log
    ls: cannot access '/var/www/html/wp-content/debug.log': No such file or directory
    root@web01.prod.securecoop.com:/SecureCoop#
    It’s possible that an issue that’s preventing writing to the wflogs files may also be preventing the webserver from writing to the default log as well, which could leave it at 0 bytes permanently.
    
    If you can send the output of ls -l /var/www/html/wp-content/wflogs it would be good to see if any of the files have newer dates.

    Interestingly, attack-data.php and ips.php are being updated, which clues to me that it’s probably not some other security software. If that were the case I would not expect anything in this directory to update.

    root@web01.prod.securecoop.com:/SecureCoop# ls -l /var/www/html/wp-content/wflogs
    total 5584
    -rw-r----- 1 www-data www-data 3890328 Mar 24 18:02 GeoLite2-Country.mmdb
    -rw-rw---- 1 www-data www-data  181249 Jun  5 16:14 attack-data.php
    -rw-rw---- 1 www-data www-data     601 Mar 29 02:17 config-livewaf.php
    -rw-rw---- 1 www-data www-data   13868 Mar 29 02:17 config-synced.php
    -rw-rw---- 1 www-data www-data 1201202 Mar 29 02:17 config-transient.php
    -rw-rw---- 1 www-data www-data     560 Mar 29 02:17 config.php
    -rw-rw---- 1 www-data www-data      51 Jun 11 10:21 ips.php
    -rw-rw-r-- 1 www-data www-data  403981 Mar 29 02:17 rules.php
    root@web01.prod.securecoop.com:/SecureCoop#

    It may be worth trying renaming the whole wflogs directory temporarily, this loses some WAF settings, but we can see if the files get re-created, and if they contain anything.

    root@web01.prod.securecoop.com:/SecureCoop# mv /var/www/html/wp-content/wflogs /var/www/html/wp-content/wflogs.disabled
    
    # Refreshed Wordfence options in the WordPress GUI
    
    root@web01.prod.securecoop.com:/SecureCoop# ls -l /var/www/html/wp-content/wflogs
    total 3860
    -rw-r--r-- 1 www-data www-data 3890328 Jun 11 10:24 GeoLite2-Country.mmdb
    -rw-rw---- 1 www-data www-data   40083 Jun 11 10:24 attack-data.php
    -rw-rw---- 1 www-data www-data     325 Jun 11 10:24 config-livewaf.php
    -rw-rw---- 1 www-data www-data     325 Jun 11 10:24 config-synced.php
    -rw-rw---- 1 www-data www-data     325 Jun 11 10:24 config-transient.php
    -rw-rw---- 1 www-data www-data     534 Jun 11 10:24 config.php
    -rw-rw---- 1 www-data www-data      51 Jun 11 10:25 ips.php
    -rw-rw-r-- 1 www-data www-data       0 Jun 11 10:24 rules.php
    root@web01.prod.securecoop.com:/SecureCoop#

    So, yes they were all rebuilt, except rules.php. I put the old directory back.

    What I noticed about this is that rules.php had indeed updated on last time I messed with it on March 29th. It probably came from plugin installation though.

    phpinfo() must be disabled since it’s missing in Diagnostics, but I’m not sure if it will help in this case. You could temporarily enable it in php.ini, run Diagnostics once again, and then disable it again. I’d be looking for what’s in disable_functions, open_basedir, or possibly any missing or unexpected PHP extensions.

    I have enabled phpinfo() and re-uploaded Diagnostics, please check.

    Is it possible to just download rules.php manually and scp it into place? I can do that periodically, or by script.

Viewing 10 replies - 16 through 25 (of 25 total)
  • You must be logged in to reply to this topic.