Thread Starter Greg (topic marked Resolved)

    (@thewatchman3)


    Hello,

    I need to access xmlrpc.php via a Mac app I use to make post and page edits called MarsEdit. I have turned the setting in Advanced IP Blocker to disable xmlrpc.php protection and my IP address is on the whitelist, but it still will not allow access to it and gives me a 500 server error when I try to access it to fetch posts and page lists. But when I disable the plugin, everything works perfectly. Can you advise how I can still run the plugin, yet have access to xmlrpc.php? Turning it off in settings is worded confusingly, and even when I switch it to the “Not Recommended” setting, it still doesn’t allow access.

Viewing 15 replies - 1 through 15 (of 18 total)
  Plugin Author IniLerm

    (@inilerm)

    Hi @thewatchman3,

    Please try the method explained in the following answer first.

    I understand the frustration. Let’s get MarsEdit working.

    The “500 Error” suggests that a security rule (likely the WAF) is intercepting the complex XML data sent by MarsEdit and blocking it, even if the XML-RPC setting itself is open.

    The Solution (Global Exclusion):
    To guarantee access for your app without lowering your overall security, please add the endpoint to the Global Exclusion list. This bypasses all checks (WAF, etc.) for that specific URL.

    1. Go to Security > Settings > General Settings.
    2. Find the “Global URL Exclusions” box.
    3. Add /xmlrpc.php on a new line.
    4. Click Save.

    Check your XML-RPC Mode:
    Go to Security > Settings > Login & User Protection.
    Ensure “XML-RPC Protection Mode” is set to “Smart Protection” (recommended) or “Enabled” (if Smart blocks it). Do NOT set it to “Completely Disabled”.

    This combination (Exclusion + Enabled) will allow MarsEdit to connect flawlessly.

    One last check:
    Please also go to Security > Blocking Rules > Honeypot URLs (& WAF) and ensure that /xmlrpc.php is NOT in that list. Sometimes it is added there by mistake, which would instantly block any app trying to use it.

    Best regards,

    Advanced IP Blocker

    Plugin Author IniLerm

    (@inilerm)

    Hi @thewatchman3,

    I have reviewed the MarsEdit documentation, and this is a common issue with security plugins because MarsEdit’s behavior mimics automated bots.

    We have a safer solution than opening up XML-RPC globally: Whitelist the App.

    1. Go to Security > Blocking Rules > User Agents.
    2. In the “Whitelisted User-Agents List” (the box on the right), add:
      MarsEdit
    3. Click Save.

    This tells the plugin: “If the visitor identifies as MarsEdit, let them through, even if they are hitting xmlrpc.php”.

    If that doesn’t work immediately, then fall back to the “Global URL Exclusion” method I mentioned above, but the User-Agent whitelist is the preferred, more secure method.

    https://help.redsweater.com/marsedit/whitelisting-marsedit/

    Best regards,

    Advanced IP Blocker

    Plugin Author IniLerm

    (@inilerm)

    Advanced method:

    1. Go to Security > Blocking Rules > Advanced Rules.
    2. + Add New Rule
    3. Rule Name: MarsEdit
    4. IF (All conditions must be met): Request URI -> Contains -> xmlrpc.php
    5. Click AND to generate a new condition
    6. AND User-Agent -> Contains -> MarsEdit
    7. Action Allow (Bypass Security)
    8. Click Save Rule.
    Thread Starter Greg

    (@thewatchman3)

    Thank you very much for that. I set up the Advanced Method using a custom rule exactly as you described in the post above. So does that mean I can now re-enable xmlrpc.php blocking under Settings -> Advanced XML-RPC Protection and this rule will over-ride that?

    Thread Starter Greg

    (@thewatchman3)

    Never mind, I just tried it and it didn’t work. So I will try disabling it again under Settings -> Advanced XML-RPC Protection and see if it works then.

    Thread Starter Greg

    (@thewatchman3)

    Wow. I implemented all 3 of the things you suggested and none of them allowed me to refresh the posts/pages in MarsEdit. So I disabled the plugin again and it instantly worked. Hm. I don’t know what to do now. Could it be the 2FA I added to my user account that is the issue?

    Thread Starter Greg

    (@thewatchman3)

    Could it be my 2FA I added to my account that could be causing the issue?

    Plugin Author IniLerm

    (@inilerm)

    Hi @thewatchman3,

    You nailed it! The 2FA is almost certainly the culprit here.

    The Problem:
    MarsEdit tries to log in with your username and password. Since you enabled 2FA, our plugin intercepts that login and asks for the 6-digit code. MarsEdit doesn’t know how to handle that request, so the connection fails (resulting in the error).

    The Solution (Application Passwords):
    WordPress has a built-in feature for exactly this situation called “Application Passwords”.

    1. Go to Users > Profile in your WordPress admin.
    2. Scroll down to “Application Passwords”.
    3. Name it “MarsEdit” and click “Add New Application Password”.
    4. Copy the long generated password (e.g., abcd efgh ijkl mnop).
    5. In MarsEdit, update your blog settings to use this new password instead of your main login password.

    Why this works:
    Application Passwords are designed to bypass 2FA because they are unique, revokable, and specific to one app.

    Please try this and let me know if it solves the connection issue!
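
    The exchange described in the reply above, as an added example that is not part of the original thread, of MarsEdit, or of the Advanced IP Blocker plugin: the script below builds the XML-RPC call a desktop editor sends (wp.getPosts, authenticated with an Application Password inside the XML body rather than an HTTP header) and sorts whatever comes back into the failure shapes this thread turns on: an XML-RPC fault (credentials rejected by WordPress itself), an HTTP 403 (refused before the method ran), the “critical error” page (a PHP crash behind an HTTP 500), or an HTML page where XML was expected (an interactive login or 2FA form). The endpoint, user name, Application Password and User-Agent string are placeholders, and every sample reply is constructed here, not captured from the poster’s site.

```python
"""Added example; not code from the thread, from MarsEdit or from the
Advanced IP Blocker plugin. Builds the XML-RPC call a desktop blog editor
sends (wp.getPosts with an Application Password) and classifies the reply.

Assumptions: endpoint, user name, Application Password and User-Agent are
placeholders; the sample responses are constructed, not captured.
"""
import urllib.error
import urllib.request
import xmlrpc.client
from typing import Any, Tuple

CRITICAL_ERROR = "There has been a critical error on this website."


def build_wp_call(method: str, username: str, app_password: str,
                  *extra: Any, blog_id: int = 1) -> bytes:
    """Serialise a WordPress XML-RPC call.

    WordPress XML-RPC authenticates per call: user name and password travel as
    the second and third <param>, not in an HTTP Authorization header. Since
    WordPress 5.6 an Application Password is accepted in that slot; the spaces
    the admin screen shows are display grouping, so they are stripped here.
    """
    params = (blog_id, username, app_password.replace(" ", ""), *extra)
    return xmlrpc.client.dumps(params, methodname=method).encode("utf-8")


def post_xmlrpc(endpoint: str, body: bytes,
                user_agent: str = "MarsEdit") -> Tuple[int, str]:
    """POST the call; return (status, body) instead of raising on HTTP errors.

    The User-Agent is whatever the client decides to send, so a rule that
    allows requests "identifying as MarsEdit" matches a self-description
    that any HTTP client can copy. (Placeholder UA value; needs network.)
    """
    req = urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "text/xml", "User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify_response(status: int, body: str) -> dict:
    """Map (status, body) to what happened on the server.

    xmlrpc_fault : WordPress ran the method and rejected it (bad credentials
                   come back as faultCode 403 inside an HTTP 200, not HTTP 403)
    ok           : the method ran and returned data
    php_fatal    : WordPress's fatal-error handler answered (HTTP 500 plus the
                   "critical error" page); the cause is in wp-content/debug.log
    blocked      : refused before the method ran (WAF, URL or UA rule)
    html_page    : HTML instead of XML at HTTP 200, e.g. a login or 2FA form
                   handed to a client that expected an XML reply
    """
    if body.lstrip().startswith("<?xml"):
        try:
            params, _ = xmlrpc.client.loads(body)
        except xmlrpc.client.Fault as fault:
            return {"kind": "xmlrpc_fault", "code": fault.faultCode,
                    "detail": fault.faultString}
        except Exception as exc:  # truncated or mangled XML
            return {"kind": "unparseable", "code": status, "detail": str(exc)}
        count = len(params[0]) if params and isinstance(params[0], list) else 1
        return {"kind": "ok", "code": status, "detail": f"{count} value(s)"}
    if CRITICAL_ERROR in body:
        return {"kind": "php_fatal", "code": status,
                "detail": "fatal-error page; read wp-content/debug.log"}
    if status in (401, 403):
        return {"kind": "blocked", "code": status, "detail": body[:80]}
    if status == 200:
        return {"kind": "html_page", "code": status, "detail": body[:80]}
    return {"kind": "http_error", "code": status, "detail": body[:80]}


# Constructed sample replies (not captured from any real site).
SAMPLE_OK = xmlrpc.client.dumps(
    ([{"post_id": "12", "post_title": "Hello"},
      {"post_id": "15", "post_title": "Second"}],), methodresponse=True)
SAMPLE_FAULT = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password."),
    methodresponse=True)
SAMPLE_CRITICAL = ('<p>There has been a critical error on this website.</p>'
                   '<p><a href="https://wordpress.org/documentation/article/'
                   'faq-troubleshooting/">Learn more about troubleshooting '
                   'WordPress.</a></p>')

if __name__ == "__main__":
    body = build_wp_call("wp.getPosts", "greg", "abcd efgh ijkl mnop", {"number": 20})
    print(body.decode()[:200])
    for status, reply in ((200, SAMPLE_OK), (200, SAMPLE_FAULT),
                          (500, SAMPLE_CRITICAL), (403, "Forbidden")):
        print(status, classify_response(status, reply))
    # Live use: status, reply = post_xmlrpc("https://example.com/xmlrpc.php", body)
```

    The useful distinction when reading MarsEdit’s error text is the one the script encodes: a wrong Application Password produces an XML-RPC fault with HTTP 200, a blocking rule produces HTTP 401/403 before WordPress runs anything, and the “critical error” page means PHP crashed after the request got through, which is a debug.log question rather than a rule question.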

    Thread Starter Greg

    (@thewatchman3)

    I forgot to mention that I was already using an Application Password. Sorry, I forgot to mention that in my last post. I created the app password because that’s how I’ve been doing it on my other sites, but on those sites this plugin is not installed, so I have never had to troubleshoot this issue before.

    Plugin Author IniLerm

    (@inilerm)

    Hi @thewatchman3,

    Thank you for clarifying! That is the missing piece of the puzzle.

    Confirmed Issue:
    We have identified a bug where our 2FA module intercepts the login process even when a valid Application Password is used. It tries to redirect the API request to a visual 2FA form, which causes MarsEdit to fail with a 500 error.

    Immediate Workaround:
    Please disable 2FA for your user account temporarily. This will allow MarsEdit to connect immediately.

    The Fix:
    We have already coded a patch to respect Application Passwords correctly. This will be released in version 8.8.0 (likely within 24-48 hours). Once you update, you can re-enable 2FA, and MarsEdit will continue to work seamlessly.

    Thank you for your patience and for helping us find this edge case!

    Best regards,

    Advanced IP Blocker Team

    Thread Starter Greg

    (@thewatchman3)

    If I disable 2FA and re-enable it later, will I lose my existing token and have to scan another one? If so, I’d rather just wait until the update hits so I don’t lose my existing token. My authenticator app is difficult to deal with and I’d rather not have to delete the token and re-do it if I can avoid it.

    Plugin Author IniLerm

    (@inilerm)

    Hi @thewatchman3,

    That makes total sense. Re-scanning codes is a hassle.

    Good news:
    If you disable 2FA using the “Deactivate 2FA” button in Settings -> Login Protection -> 2FA, the plugin preserves your secret key in the database. It just turns off the requirement.
    When you click “Activate” again later, it should pick up the existing configuration immediately without needing a new scan.

    However, if you want to be 100% safe and avoid any risk of needing to re-scan, you can just wait for the update. Since MarsEdit isn’t working right now anyway, waiting 24-48 hours for the patch (v8.8.0) is the safest path to keep your authenticator app happy.

    We are finalizing the fix right now!

    Best regards,

    Advanced IP Blocker

    Plugin Author IniLerm

    (@inilerm)

    Hi @thewatchman3,

    Good news! We have just released version 8.8.0, which includes the fix for Application Passwords and XML-RPC compatibility.

    Steps to fix your MarsEdit connection safely:

    1. Update the plugin to version 8.8.0.
    2. Re-enable 2FA for your user account (Security > Settings > Login & User Protection).
    3. Test MarsEdit: It should now connect perfectly using your Application Password without being intercepted by the 2FA screen.

    Important Security Note:
    If you added /xmlrpc.php to the “Global URL Exclusions” list as a temporary workaround, please remove it now. With this update, you don’t need that exclusion anymore, and removing it ensures your site stays fully protected against brute-force attacks on that endpoint.

    One more thing:
    This update (v8.8.0) includes a major architectural upgrade for better performance and stability. After updating, we recommend clearing your browser cache (Ctrl+F5) and any server-side caches (like Redis/Object Cache) to ensure the new interface loads correctly.

    Let me know if everything works as expected!

    Best regards,

    Advanced IP Blocker Team

    Thread Starter Greg

    (@thewatchman3)

    Hello,

    Thank you for the guide.

    I logged in and found that my disabled plugin had already updated to 8.8.0 since I had auto updates turned on. So I re-enabled it and then removed xmlrpc.php from Global URL Exclusions. My profile was already using 2FA since I had never disabled it (I just disabled the plugin without disabling 2FA first).

    Then I went to MarsEdit and still got the following error when trying to refresh the content (same error as before):

    "Refresh Blog Error
    Can't refresh blog for [my blog name] because the server reported an error: <p>There has been a critical error on this website.</p><p><a href="https://wordpress.org/documentation/article/faq-troubleshooting/">Learn more about troubleshooting WordPress.</a></p>."

    So then I disabled the plugin again and then the MarsEdit refresh worked. So I don’t know what the issue may be now 🙁

    Plugin Author IniLerm

    (@inilerm)

    Hi Greg,

    I am sorry to hear that the issue persists. Since you are seeing a “Critical Error” message (Error 500) instead of a “Forbidden” message (Error 403), this means the plugin is encountering a PHP conflict or crash when MarsEdit tries to connect, rather than just blocking it.

    To fix this, we need to know exactly what is crashing.

    How to get the error log (Safely):

    Please access your site files (via FTP or your Hosting File Manager) and edit the wp-config.php file in the root directory.

    Look for define( 'WP_DEBUG', false ); and replace it with this block of code. This will enable logging to a file without showing errors to your visitors:

    // =============================================================
    // SAFE DEBUGGING (LOG ONLY, NO DISPLAY)
    // =============================================================
    // 1. Enable debug mode
    define( 'WP_DEBUG', true );
    
    // 2. Save errors to /wp-content/debug.log
    define( 'WP_DEBUG_LOG', true ); 
    
    // 3. DO NOT show errors on screen (Critical for live sites)
    define( 'WP_DEBUG_DISPLAY', false );
    @ini_set( 'display_errors', '0' );
    // =============================================================

    Next Steps:

    1. Save the file.
    2. Enable the plugin.
    3. Trigger the error with MarsEdit again.
    4. Go back to your files and look for a new file called debug.log inside the /wp-content/ folder.
    5. Open it and verify the last lines. You will see a “Fatal Error” message pointing to a specific file and line number.

    If you can paste that error message here (removing any sensitive paths), I can likely provide a fix immediately.

    Thank you for your patience!

    Best regards,

    IniLerm
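
    The debug.log step described in the reply above, as an added example that is not part of the original thread or of the Advanced IP Blocker plugin: the script below groups a WordPress debug.log into entries (a timestamped line plus any stack-trace continuation lines), keeps only the PHP fatal and parse errors, pulls out the file and line they point at, and replaces the hosting-account part of every absolute path with <webroot> so the result can be pasted into a public support thread without disclosing the server layout. The log lines it runs on are constructed for the example and name a made-up plugin directory; they are not from the poster’s site.

```python
"""Added example; not code from the thread or the Advanced IP Blocker plugin.
Extracts PHP fatal errors from a WordPress debug.log and redacts absolute
paths above the WordPress root before they are shared.

Assumptions: the sample log is constructed (made-up paths, made-up plugin
directory); the debug.log line format is the one PHP's error_log writes.
"""
import re
from typing import Optional, Tuple

ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2} [A-Z]+)\] "
    r"PHP (?P<level>Fatal error|Parse error|Warning|Notice|Deprecated):\s+(?P<msg>.*)$"
)
# "... in /abs/path/file.php on line 42" (plain fatals and the closing "thrown in" line)
ON_LINE_RE = re.compile(r"\bin (?P<file>/\S+?\.php) on line (?P<line>\d+)")
# "... in /abs/path/file.php:42" (uncaught exceptions)
COLON_RE = re.compile(r"\bin (?P<file>/\S+?\.php):(?P<line>\d+)")
# Everything before the WordPress tree root is hosting-account detail;
# only the part from wp-content/, wp-includes/, wp-admin/ or a root-level
# entry point onwards is needed to locate the bug.
WEBROOT_RE = re.compile(
    r"/[^\s'\"()]*?(?=/(?:wp-content|wp-includes|wp-admin)/"
    r"|/(?:xmlrpc|wp-load|wp-login|index)\.php)"
)


def redact_paths(text: str) -> str:
    """Replace the absolute prefix of every WordPress path with <webroot>."""
    return WEBROOT_RE.sub("<webroot>", text)


def parse_debug_log(text: str) -> list:
    """Group the log into entries: a timestamped line plus continuation lines
    (stack traces) up to the next timestamped line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if m:
            entries.append({"timestamp": m["ts"], "level": m["level"],
                            "lines": [m["msg"]]})
        elif entries:
            entries[-1]["lines"].append(raw)
    return entries


def locate(entry: dict) -> Tuple[Optional[str], Optional[int]]:
    """Return the (file, line) a fatal points at. For uncaught exceptions the
    authoritative location is the closing 'thrown in ... on line N', so the
    entry is scanned from its last line backwards."""
    for candidate in reversed(entry["lines"]):
        m = ON_LINE_RE.search(candidate) or COLON_RE.search(candidate)
        if m:
            return m["file"], int(m["line"])
    return None, None


def fatal_errors(text: str) -> list:
    """Fatal/parse errors with redacted message and location, ready to share."""
    out = []
    for entry in parse_debug_log(text):
        if entry["level"] not in ("Fatal error", "Parse error"):
            continue
        file, line = locate(entry)
        out.append({
            "timestamp": entry["timestamp"],
            "message": redact_paths(entry["lines"][0]),
            "file": redact_paths(file) if file else None,
            "line": line,
        })
    return out


# Constructed sample log: made-up paths and a made-up plugin directory.
SAMPLE_LOG = """\
[27-Jan-2025 10:14:58 UTC] PHP Notice:  Undefined index: foo in /home/example/public_html/wp-content/themes/some-theme/functions.php on line 88
[27-Jan-2025 10:15:03 UTC] PHP Fatal error:  Uncaught TypeError: Return value must be of type string, null returned in /home/example/public_html/wp-content/plugins/some-plugin/includes/handler.php:123
Stack trace:
#0 /home/example/public_html/wp-includes/class-wp-hook.php(324): some_plugin_handler()
#1 /home/example/public_html/xmlrpc.php(75): do_action()
#2 {main}
  thrown in /home/example/public_html/wp-content/plugins/some-plugin/includes/handler.php on line 123
"""

if __name__ == "__main__":
    for err in fatal_errors(SAMPLE_LOG):
        print(f"{err['timestamp']}  {err['file']}:{err['line']}\n  {err['message']}")
```

    Run it against a real file with fatal_errors(open("wp-content/debug.log").read()). The last entry it returns is the crash the plugin author asks for; the redacted file and line number identify the code path without the absolute path that the reply above asks you to remove.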
