Support » Plugin: Cerber Security, Antispam & Malware Scan » Traffic Inspector blocks access via Facebook with URL parameter “?fbclid=”

  • Hi,

    I noticed that when people click the link to my website on facebook, Traffic Inspector blocks that request because it thinks that the URL parameter, which facebook automatically adds is suspicious.

    E.g. “/?fbclid=IwAR2FSQSN_neGNIAaZ7P4iZNl50tEpfxC6xKTy-8KCeEq-cnYmVsO2RtQmVE”

    I successfully added a regex in the request whitelist ({\/.fbclid.*}) and Traffic Inspector allows accessing my website. However, previous IP’s have been blocked because of this.

    How can I unblock specific IP’s again so my clients can see my website?

    Thanks in advance
    Sascha

Viewing 8 replies - 1 through 8 (of 8 total)
  • Also, I noticed that periodic requests by the monitoring tool “uptimerobot.com” that only open the root page of my website, without any parameters or requesting php files, are getting blocked by traffic inspector, too.

    How would I whiteliste those? 🙁

    This might be related to a similar issue we are experiencing with our custom clicktracks:

    We use an in-house click tracking system where URLs to a specific aspx page of any subdomain of our primary domain get redirected to new destinations. WordPress doesn’t support aspx, so for the sub-domains pointed at worpdress sites, we first use Apache re-writes to re-direct. For example:

    http://www.example.com/m/ct.aspx?ici=1227 redirects to http://redirect.example.com/m/ct.aspx?ici=1227 which uses the clicktrack to redirect to the destination https://www.example.com/ and appends the following querystring parameters:

    ?utm_source=Google&utm_medium=Search%20Engine&utm_campaign=Brand%20ESL%20PT%20Countries%20Core%20GAW

    Until we upgrade to version 7.9, this worked well. Since the upgrade, the final destination URLs have been blocked by WP Cerber, generating 403 Errors.

    We have identified a workaround by pre-pending an anchor tag (specifically we are using “#adw” in the final destination URL:

    Original redirected URL
    https://www.example.com/?utm_source=Google&utm_medium=Search%20Engine&utm_campaign=Brand%20ESL%20PT%20Countries%20Core%20GAW

    Modified redirected URL
    https://www.example.com/#adw?utm_source=Google&utm_medium=Search%20Engine&utm_campaign=Brand%20ESL%20PT%20Countries%20Core%20GAW

    Our theory is that WP-Cerber is using some regex to categorize the appending querystring parameters as spam/danger, but that the addition of the anchor tag allows the URL to pass the regex gate.

    Plugin Author Gioni

    (@gioni)

    Hi!

    1. I would recommend using more restrictive and safe pattern: {\/\?fbclid=[\d\w\-_]+}
    2. What do you mean by that: “How can I unblock specific IP’s again so my clients can see my website?”

    I will try the extended regex you suggested.

    However, despite the less restrictive regex, Traffic Inspector would consistently block requests coming from facebook on another website I’m running. Complaints kept piling in so I had to disable Traffic Inspector entirely.

    About the “unblocking specific IPs”: People (potential clients) who have been denied access because of the ?fbclid parameter are now blacklisted IPs. I presume that they cannot access the website in any way, anymore? Or what effect does the blacklist have?

    Traffic Inspector has put a series of IP addresses on the blocked list because of false positives. Such as “uptimerobot.com”, which I mentioned before, and a few others. If I put those on the whitelist, will they be deleted from the blacklist?

    Example:
    [url=https://abload.de/image.php?img=operamomentaufnahme_24nfpu.png][img]https://abload.de/thumb/operamomentaufnahme_24nfpu.png[/img][/url]
    (EDIT: inserting images here doesn’t seem to work. Try: https://abload.de/image.php?img=operamomentaufnahme_24nfpu.png)

    Uptime Robot simply requests the home page of my website, without any additional parameters. It’s a plain and simple HTTP request (I would think), like any browser would see it. But still it got blocked. I don’t understand the mechanism and the reason for that.

    Cheers,
    Sascha

    fjordkommission

    (@fjordkommission)

    I’m having trouble with Traffic Inspector again, blocking access to my contact form with custom subject lines as URL parameter and clicks from Facebook with the fbclid URL parameter.

    I copied and pasted the regex “{\/\?fbclid=[\d\w\-_]+}” as you suggested above, but cannot save this to the settings as Traffic Inspector says ‘You may not specify the query string with a question mark: {\/\?fbclid=[\d\w\-_]+}’

    How can I express a regex that makes Traffic Inspector allow requests in the shape of

    <my-domain>/?fbclid=IwAR0sivnz5goCqNIcnP5andRf3YOOcWTtrwFqvo6CUQEkD3GQx-NleWB47LE
    or
    <my-domain>/contact/?my-subject=Please%20help

    I had to disable Traffic Inspector entirely again, after seeing several blocked attempts to use my contact form, and potentially losing customers by that. 🙁

    Cheers,
    Sascha

    @gioni Has there been a recent change to Traffic Inspector making it not accept the regex like described above?

    Plugin Author Gioni

    (@gioni)

    I think there is a misunderstanding. If you’re talking about forms, you have to enter your REGEX expression into the “Query whitelist” field. See more: https://wpcerber.com/antispam-exception-for-specific-http-request/

    OK, I entered a RegEx and a plain path in the AntiSpam settings. Like this:
    /kontakt/?my-subject
    {\/kontakt\/.my-subject=[\w\D]*}

    In Traffic Inspector I have whitelisted the following two RegEx’s:
    {\/.fbclid=[\d\w\-_]+}
    {\/kontakt\/.my-subject=[\w\D]*}

    I tested the RegEx with https://regex101.com and the expression covers the entire string, so I presume I wrote it correctly.

    However, still the request to my contact form with the subject as URL parameter is being blocked.

    How can I achieve this to get working?

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Traffic Inspector blocks access via Facebook with URL parameter “?fbclid=”’ is closed to new replies.