Support » Plugin: Wordfence Security - Firewall & Malware Scan » Wordfence blocking me?

  • Resolved Jim

    (@jwmc)


    Lately I’ve noticed in the WF’s weekly report email that it has blocked my IP repeatedly (pasted below). The information in the details suggests it is associated with an academic reference plugin I’m using, Academic Blogger’s Toolkit (ABT). And lately I’ve been getting some odd behavior in that plugin.

    Strange thing is, I’m never actually blocked from logging in. In fact I don’t really know what WF means by “blocked” in this context. Much of WF is a mystery to me.

    Q: Why/what is it blocking? How can I get it to stop?

    From my last report. The first two are likely legitimate blocks (China); the rest are my IP address:

    Recently Blocked Attacks

    Time | IP | Action
    May 25, 2019 4:44am | 112.3.24.100 (China) | Blocked for Directory Traversal in query string: template=tag_(){};@unlink(FILE);eval($_POST[qazw]);print(md5(999));{//../rss
    May 24, 2019 7:38pm | 120.92.102.182 (China) | Blocked for Directory Traversal in query string: template=tag_(){};@unlink(FILE);eval($_POST[qazw]);print(md5(999));{//../rss
    May 24, 2019 9:51am | <*** my IP ***> (United States) | Blocked for XSS: Cross Site Scripting in POST body: state={"references":[{"type":"article-journal","title":"Treefall in a mixed oak-pine coastal plain forest:\xea
    May 24, 2019 9:14am | <*** my IP ***> (United States) | Blocked for XSS: Cross Site Scripting in POST body: state={"references":[{"publisher":"Wiley","DOI":"10.2307/1940083","type":"article-journal","page":"1559-15\xea
    May 24, 2019 9:14am | <*** my IP ***> (United States) | Blocked for XSS: Cross Site Scripting in POST body: state={"references":[{"publisher":"Wiley","DOI":"10.2307/1940083","type":"article-journal","page":"1559-15\xea
    May 24, 2019 9:12am | <*** my IP ***> (United States) | Blocked for XSS: Cross Site Scripting in POST body: state={"references":[{"type":"article-journal","title":"Treefall in a mixed oak-pine coastal plain forest:\xea
    May 24, 2019 9:10am | <*** my IP ***> (United States) | Blocked for XSS: Cross Site Scripting in POST body: state={"references":[{"type":"article-journal","title":"Treefall in a mixed oak-pine coastal plain forest:\xea
    May 24, 2019 9:07am | <*** my IP ***> (United States) | Blocked for XSS: Cross Site Scripting in POST body: state={"references":[{"type":"article-journal","title":"Treefall in a mixed oak-pine coastal plain forest:\xea
    May 24, 2019 9:07am | <*** my IP ***> (United States) | Blocked for XSS: Cross Site Scripting in POST body: state={"references":[{"type":"article-journal","title":"Treefall in a mixed oak-pine coastal plain forest:\xea
    May 24, 2019 9:05am | <*** my IP ***> (United States) | Blocked for XSS: Cross Site Scripting in POST body: state={"references":[{"type":"article-journal","title":"Treefall in a mixed oak-pine coastal plain forest:\xea

    and 20 additional attacks

  • Plugin Support WFGerroald

    (@wfgerald)

    Hey @jwmc,

    I’ve spoken with the developer about this. It seems it’s likely getting caught in our XSS filter due to the \xea string at the end. And it should be just fine to whitelist it.

    1. Go to Wordfence -> All Options
    2. Scroll down until you find Whitelisted URLs
    3. Put / for the URL
    4. Select Param Type: POST Body for the dropdown
    5. Put state for the Param Name
    6. Click Add, and then Save Changes

    The reason your IP is listed is the request is coming from your site. The request was being blocked, but not your actual IP.

    Please try this and let me know how it goes. It may also clear up some of the oddities you were mentioning with the Academic Blogger’s Toolkit (ABT) plugin.

    Thanks,

    Gerroald
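
Added example (not from the thread or from Wordfence): a short Python script that parses "Recently Blocked Attacks" entries in the layout pasted above and lists the rule, location and parameter name for blocks that came only from your own address, which are the values the whitelist steps ask for. The sample report, the addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the report pasted above (date, time,
# "IP (country)", action). Addresses are documentation ranges, values are made up.
REPORT = r"""
May 25, 2019
4:44am
198.51.100.20 (China)
Blocked for Directory Traversal in query string: template=../../constructed
May 24, 2019
9:51am
203.0.113.7 (United States)
Blocked for XSS: Cross Site Scripting in POST body: state={"references":[{"title":"Constructed title:\xea
May 24, 2019
9:14am
203.0.113.7 (United States)
Blocked for XSS: Cross Site Scripting in POST body: state={"references":[{"publisher":"Constructed"\xea
May 24, 2019
9:02am
198.51.100.20 (China)
Blocked for XSS: Cross Site Scripting in POST body: comment=constructed-value
"""

ACTION = re.compile(r"^Blocked for (?P<rule>.+?) in (?P<where>[^:]+): (?P<param>[^=\s]+)=(?P<value>.*)$")
IP_LINE = re.compile(r"^(?P<ip>.+?) \((?P<country>[^)]+)\)$")
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")  # literal "\xNN" text as shown in the report

def parse_report(text):
    """Yield one dict per blocked request: ip, country, rule, where, param, value."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for prev, line in zip(lines, lines[1:]):
        action, ip = ACTION.match(line), IP_LINE.match(prev)
        if action and ip:
            yield {**ip.groupdict(), **action.groupdict()}

def allowlist_candidates(text, own_ips):
    """Group blocks by (rule, where, param); keep groups seen only from own_ips."""
    groups = defaultdict(lambda: {"count": 0, "ips": set(), "escapes": set()})
    for e in parse_report(text):
        g = groups[(e["rule"], e["where"], e["param"])]
        g["count"] += 1
        g["ips"].add(e["ip"])
        g["escapes"].update(HEX_ESCAPE.findall(e["value"]))
    return {key: {"count": g["count"], "escapes": sorted(g["escapes"])}
            for key, g in groups.items() if g["ips"] <= set(own_ips)}

if __name__ == "__main__":
    for key, info in allowlist_candidates(REPORT, {"203.0.113.7"}).items():
        print(key, info)
```

A parameter that was also blocked for requests from other addresses is left out of the result, since allowlisting it would exempt those requests from the rule as well.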

  • Jim

    (@jwmc)

    Many thanks for looking into it deeply! Before I heard back from you, I reset the Wordfence settings. Then, with WF activated, testing showed no problem. Not sure if some setting did it or there was some corruption.

    But I fiddled with the settings a bit, then did the whitelist as you kindly described in detail. Still no problem!

  • Plugin Support WFGerroald

    (@wfgerald)

    Hey @jwmc,

    Thanks for the update, and happy to hear it!

    Please let us know if anything else comes up.

    Thanks,

    Gerroald
